[SCM] Samba Shared Repository - branch v4-1-stable updated
Karolin Seeger
kseeger at samba.org
Fri Sep 27 12:40:52 CEST 2013
The branch, v4-1-stable has been updated
via fcf3fd6 VERSION: Disable git snapshots for the 4.1.0rc4 release.
via 0d483e2 VERSION: Disable git snapshots for the 4.1.0rc4 release.
via 09c540e WHATSNEW: Update changes since rc3.
via 74cac5c dsdb: Convert the full string from UTF16 to UTF8, including embedded NULLs
via 2c98a54 dbcheck: Add back the elements that were wrongly removed from CN=Deleted Objects
via 2c4f2c5 pydsdb: Raise a more useful exception when dsdb_wellknown_dn fails.
via c3e5353 pydsdb: Give KeyError when we fail a schema lookup in python
via f0e374f dbcheck: Ensure to always increase the error_count
via e7eb397 selftst: add tests based on 4.1.0rc3 to check for zero invocationID in replPropertyMetaData
via 2fdacdd selftest: Add release-4-1-0rc3 saved provision
via bdab150 selftest: Only run referenceprovision and ldapcmp for the 4.0.0 test
via 476e03e selftest: Add script to assist in writing out a tree undump.sh can restore
via 3f2907f dbcheck: Look for and fix the all-zero invocationID in replPropertyMetaData
via 80c3c30 dsdb: Refuse to replicate an all-zero invocationID GUID in replPropertyMetaData
via f5c378e smb.conf: Fill out the ntvfs handler smb.conf page from source4/NEWS
via bb4d9a2 Remove NEWS file containing confusing information
via ee8a3ed Remove confusing TODO file
via 39efc6f dsdb: Use WERR_DS_ATT_NOT_DEF_IN_SCHEMA for failed schema lookups
via b5b15ff dsdb-repl_meta_data: Make handling of Deleted Objects DN clearer in delete
via 5c63561 dsdb-repl_meta_data: Do not re-delete the Deleted Objects DN during replication
via 66f843e dsdb: Refuse to return an all-zero invocationID
via 8158673 dsdb-repl_meta_data: Check for a NULL invocationID and do not proceed
via 4ef85c7 python/drs: Ensure to pass in the local invocationID during the domain join
via b5866b1 WHATSNEW: Add changes since 4.1.0rc3.
via fd1583b torture3: Trigger a nasty cleanup bug in smbd
via 3a5ae0c smbd: Fix flawed share_mode_stale_pid API
via 9cfc001 smbd: Rename parameter "i" to "idx"
via 252a2bc smbd: Don't store in-memory only flags in locking.tdb
via 1706214 smbd: Simplify find_oplock_types
via 4182c97 python-samba-tool fsmo: Do not give an error on a successful role transfer
via 7f066b2 Fix bug 10162 - POSIX ACL mapping failing when setting DENY ACE's from Windows.
via 9343c99 docs: point out side-effects of global "valid users" setting.
via 78240de VERSION: Set version to 4.1.0rc4.
via 676b5de libcli: continue to read from the socket even if the size is 0
via a75cbcd s3: libsmb - 10150 - Not all OEM servers support the ALTNAME info level.
via c69e7c3 s3: libsmb : Bug 10150 - Not all OEM servers support the ALTNAME info level.
via 4e5e7e4 s3: libsmb SMB2 wrapper layer. cli_smb2_get_ea_list_path() failed to close file on exit.
via ee469fa libcli/smb: only check the SMB2 session setup signature if required and valid
via f851d26 libcli/smb: fix non mendatory signing against some vendor SMB2 servers.
via 007ed89 Fix is_legal_name() to not emit character conversion error messages.
via 8fd1e54 s3: libsmb : The short name length is only a one byte field.
via 9a29d7e libcli/smb: use SMB1 MID=0 for the initial Negprot
via 1e969dc s3:smb2_find: Return that timestamps do not exist as directories
via ebfa34b docs: Fix typos.
via def64cc Raise the level of a debug.
via 4674cca WHATSNEW: Start to add changes since 4.1.0rc3.
via 69cf874 docs: document "acl allow execute always"
via 434ca3f s3:smbd: ease file server upgrades from 3.6 and earlier with "acl allow execute aways"
via 3f749ac loadparm: add new parameter "acl allow execute always"
via c4166d0 dbwrap_ctdb: Treat empty records as non-existing
via 7d791d5 VERSION: Bump version number up to 4.1.0...
via dd444e6 VERSION: Disable git snapshots for the 4.1.0rc3 release.
via 3beda4c WHATSNEW: Update changes since 4.1.0rc2.
from 6a03c81 VERSION: Disable git snapshots for the 4.1.0rc3 release.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable
- Log -----------------------------------------------------------------
commit fcf3fd6478090e7bebb65d142edbd097ab260fc4
Merge: 6a03c817b3a0ef278d10893eafd327ee20bdca58 0d483e25ce4aa53ad3968e947f88b175c8addc1b
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Sep 27 12:35:31 2013 +0200
VERSION: Disable git snapshots for the 4.1.0rc4 release.
Merge commit 'origin/v4-1-test^' into v4-1-stable
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 61 +-
.../smbdotconf/protocol/aclallowexecutealways.xml | 26 +
docs-xml/smbdotconf/security/validusers.xml | 10 +
docs-xml/smbdotconf/vfs/ntvfshandler.xml | 13 +
lib/param/param_functions.c | 1 +
lib/param/param_table.c | 10 +
libcli/smb/smbXcli_base.c | 43 +-
python/samba/dbchecker.py | 135 +
python/samba/drs_utils.py | 8 +-
python/samba/join.py | 2 +-
python/samba/netcmd/drs.py | 4 +-
python/samba/netcmd/fsmo.py | 14 +-
selftest/tests.py | 1 +
source3/client/client.c | 11 +-
source3/include/proto.h | 1 +
source3/include/smb.h | 3 +
source3/lib/ctdbd_conn.c | 8 +
source3/lib/dbwrap/dbwrap_ctdb.c | 10 +
source3/librpc/idl/open_files.idl | 10 +-
source3/libsmb/cli_smb2_fnum.c | 6 +-
source3/locking/locking.c | 47 +-
source3/locking/proto.h | 2 +-
source3/locking/share_mode_lock.c | 24 +
source3/modules/vfs_shadow_copy2.c | 3 -
source3/param/loadparm.c | 1 +
source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +-
source3/selftest/tests.py | 1 +
source3/smbd/mangle_hash2.c | 20 +-
source3/smbd/open.c | 35 +-
source3/smbd/posix_acls.c | 2 +-
source3/smbd/smb2_find.c | 13 +
source3/torture/proto.h | 1 +
source3/torture/test_cleanup.c | 70 +
source3/torture/torture.c | 1 +
source4/NEWS | 496 -
source4/TODO | 276 -
source4/dsdb/common/util.c | 10 +
source4/dsdb/pydsdb.c | 26 +-
source4/dsdb/repl/replicated_objects.c | 9 +
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 27 +-
source4/dsdb/schema/schema_syntax.c | 58 +-
source4/libcli/dgram/dgramsocket.c | 2 +-
source4/libnet/py_net.c | 17 +-
source4/selftest/provisions/dump.sh | 48 +
.../release-4-1-0rc3/etc/smb.conf.template | 17 +
.../provisions/release-4-1-0rc3/private/dns.keytab | Bin 0 -> 1037 bytes
...DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump |29028 +++++++++++++
...DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump |43468 +++++++++++++++++++
...DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump | 928 +
...DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump | 488 +
...DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump | 12 +
.../private/dns/sam.ldb.d/metadata.tdb.dump | 8 +
.../release-4-1-0rc3/private/dns/sam.ldb.dump | 36 +
.../private/dns_update_list | 0
.../release-4-1-0rc3/private/hklm.ldb.dump | 80 +
.../release-4-1-0rc3/private/idmap.ldb.dump | 48 +
.../provisions/release-4-1-0rc3/private/named.conf | 18 +
.../release-4-1-0rc3/private/named.conf.update | 7 +
.../provisions/release-4-1-0rc3/private/named.txt | 45 +
.../release-4-1-0rc3/private/privilege.ldb.dump | 156 +
.../release-4-1-0rc3/private/randseed.tdb.dump | 0
...DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump |29104 +++++++++++++
...DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump |43812 ++++++++++++++++++++
...DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump | 928 +
...DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump | 488 +
...DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump | 6600 +++
.../private/sam.ldb.d/metadata.tdb.dump | 8 +
.../release-4-1-0rc3/private/sam.ldb.dump | 36 +
.../private/schannel_store.tdb.dump | 0
.../release-4-1-0rc3/private/secrets.keytab | Bin 0 -> 1482 bytes
.../release-4-1-0rc3/private/secrets.ldb.dump | 48 +
.../release-4-1-0rc3/private/secrets.tdb.dump | 16 +
.../release-4-1-0rc3/private/share.ldb.dump | 32 +
.../private/smbd.tmp/msg/names.tdb.dump | 52 +
.../private/spn_update_list | 0
.../release-4-1-0rc3/private/wins_config.ldb.dump | 4 +
testprogs/blackbox/dbcheck-oldrelease.sh | 18 +-
78 files changed, 156164 insertions(+), 891 deletions(-)
create mode 100644 docs-xml/smbdotconf/protocol/aclallowexecutealways.xml
delete mode 100644 source4/NEWS
delete mode 100644 source4/TODO
create mode 100755 source4/selftest/provisions/dump.sh
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/etc/smb.conf.template
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/dns.keytab
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/dns/sam.ldb.d/CN%3DCONFIGURATION,DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/dns/sam.ldb.d/CN%3DSCHEMA,CN%3DCONFIGURATION,DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/dns/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/dns/sam.ldb.d/DC%3DFORESTDNSZONES,DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/dns/sam.ldb.d/DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/dns/sam.ldb.d/metadata.tdb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/dns/sam.ldb.dump
copy source4/selftest/provisions/{release-4-0-0 => release-4-1-0rc3}/private/dns_update_list (100%)
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/hklm.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/idmap.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/named.conf
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/named.conf.update
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/named.txt
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/privilege.ldb.dump
copy buildtools/wafsamba/__init__.py => source4/selftest/provisions/release-4-1-0rc3/private/randseed.tdb.dump (100%)
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/sam.ldb.d/CN%3DCONFIGURATION,DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/sam.ldb.d/CN%3DSCHEMA,CN%3DCONFIGURATION,DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/sam.ldb.d/DC%3DFORESTDNSZONES,DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/sam.ldb.d/DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/sam.ldb.d/metadata.tdb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/sam.ldb.dump
copy buildtools/wafsamba/__init__.py => source4/selftest/provisions/release-4-1-0rc3/private/schannel_store.tdb.dump (100%)
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/secrets.keytab
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/secrets.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/secrets.tdb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/share.ldb.dump
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/smbd.tmp/msg/names.tdb.dump
copy source4/selftest/provisions/{release-4-0-0 => release-4-1-0rc3}/private/spn_update_list (100%)
create mode 100644 source4/selftest/provisions/release-4-1-0rc3/private/wins_config.ldb.dump
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index acbd226..74fa8d6 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=3
+SAMBA_VERSION_RC_RELEASE=4
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index eeb6307..c01cb70 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the third release candidate of Samba 4.1. This is *not*
+This is the fourth release candidate of Samba 4.1. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -138,6 +138,7 @@ smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
+ acl allow execute always New False
password level Removed
set directory Removed
use ntdb New No
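Review bot: The new "acl allow execute always" row gives its default as "False", while the neighbouring boolean row in the same table ("use ntdb") uses "No". Pick one spelling for boolean defaults in this table so readers do not wonder whether the two forms mean something different.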
@@ -165,6 +166,64 @@ o David Disseldorp <ddiss at samba.org>
SMB2 FSCTL_SRV_COPYCHUNK request.
+CHANGES SINCE 4.1.0rc3
+======================
+
+o Michael Adam <obnox at samba.org>
+ * BUG 10134: Add "acl allow execute always" parameter.
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 10139: Valid utf8 filenames cause "invalid conversion error"
+ messages.
+ * BUG 10145: Samba SMB2 client code reads the wrong short name length in a
+ directory listing reply.
+ * BUG 10149: cli_smb2_get_ea_list_path() failed to close file on exit.
+ * BUG 10150: Not all OEM servers support the ALTNAME info level.
+
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 8077: dsdb: Convert the full string from UTF16 to UTF8, including
+ embedded NULLs.
+ * BUG 9461: python-samba-tool fsmo: Do not give an error on a successful
+ role transfer.
+ * BUG 10157: Regression causes replication failure with Windows 2008R2 and
+ deletes Deleted Objects.
+
+
+o Günther Deschner <gd at samba.org>
+ * BUG 10147: Better document potential implications of a globally used
+ "valid users".
+
+
+o Korobkin <korobkin+samba at gmail.com>
+ * BUG 10118: Raise the level of a debug when unable to open a printer.
+
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 10008: dbwrap_ctdb: Treat empty records as non-existing.
+ * BUG 10138: smbd: Always clean up share modes after hard crash.
+
+
+o Daniel Liberman <danielvl at gmail.com>
+ * BUG 10162: Fix POSIX ACL mapping when setting DENY ACE's from Windows.
+
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 10144: libcli/smb: Use SMB1 MID=0 for the initial Negprot.
+ * BUG 10146: libcli/smb: Only check the SMB2 session setup signature if
+ required and valid.
+
+
+o Matthieu Patou <mat at matws.net>
+ * BUG 10158: Netbios related samba process consumes 100% CPU.
+
+
+o Christof Schmitt <christof.schmitt at us.ibm.com>
+ * BUG 10137: vfs_shadow_copy2: Display previous versions correctly over
+ SMB2.
+
+
CHANGES SINCE 4.1.0rc2
======================
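Review bot: The BUG 10157 entry names the regression (replication failure with Windows 2008R2, Deleted Objects removed) but gives testers no follow-up action, even though this same push adds dbcheck fixes for the all-zero invocationID and for the attributes removed from CN=Deleted Objects. A sentence telling anyone who ran rc3 as a DC to run dbcheck after upgrading would make the entry actionable.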
diff --git a/docs-xml/smbdotconf/protocol/aclallowexecutealways.xml b/docs-xml/smbdotconf/protocol/aclallowexecutealways.xml
new file mode 100644
index 0000000..49d2c48
--- /dev/null
+++ b/docs-xml/smbdotconf/protocol/aclallowexecutealways.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="acl allow execute always"
+ context="S"
+ type="boolean"
+ advanced="1" wizard="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This boolean parameter controls the behaviour of <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> when receiving a protocol request of "open for execution"
+ from a Windows client.
+ With Samba 3.6 and older, the execution right in the ACL was not checked, so a client
+ could execute a file even if it did not have execute rights on the file. In Samba 4.0,
+ this has been fixed, so that by default, i.e. when this parameter is set to "False",
+ "open for execution" is now denied when execution permissions are not present.
+ </para>
+ <para>
+ If this parameter is set to "True", Samba does not check execute permissions on
+ "open for execution", thus re-establishing the behaviour of Samba 3.6.
+ This can be useful to smoothen upgrades from older Samba versions to 4.0 and newer.
+ This setting is not not meant to be used as a permanent setting, but as a temporary relief:
+ It is recommended to fix the permissions in the ACLs and reset this parameter to the
+ default after a certain transition period.
+ </para>
+</description>
+<value type="default">False</value>
+</samba:parameter>
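Review bot: The second paragraph contains a doubled word, "This setting is not not meant to be used as a permanent setting", which should read "is not meant". Since setting the parameter to "True" turns off an access check, the file would also be easier to find under smbdotconf/security/ than under smbdotconf/protocol/, and "smoothen upgrades" reads better as "ease upgrades", matching the wording of the commit subject.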
diff --git a/docs-xml/smbdotconf/security/validusers.xml b/docs-xml/smbdotconf/security/validusers.xml
index 313739d..ec3e11e 100644
--- a/docs-xml/smbdotconf/security/validusers.xml
+++ b/docs-xml/smbdotconf/security/validusers.xml
@@ -19,6 +19,16 @@
The current servicename is substituted for <parameter moreinfo="none">%S</parameter>.
This is useful in the [homes] section.
</para>
+
+ <para><emphasis>Note: </emphasis>When used in the [global] section this
+ parameter may have unwanted side effects. For example: If samba is configured as a MASTER BROWSER (see
+ <parameter moreinfo="none">local master</parameter>,
+ <parameter moreinfo="none">os level</parameter>,
+ <parameter moreinfo="none">domain master</parameter>,
+ <parameter moreinfo="none">preferred master</parameter>) this option
+ will prevent workstations from being able to browse the network.
+ </para>
+
</description>
<related>invalid users</related>
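Review bot: The added note describes the symptom (workstations cannot browse the network when "valid users" is set in [global] on a master browser) but stops short of a recommendation. Add one sentence saying what to do instead, for example setting "valid users" on the individual shares, and capitalise "samba" as "Samba" to match the rest of the manual page.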
diff --git a/docs-xml/smbdotconf/vfs/ntvfshandler.xml b/docs-xml/smbdotconf/vfs/ntvfshandler.xml
index aa3bce5..92b5c6d 100644
--- a/docs-xml/smbdotconf/vfs/ntvfshandler.xml
+++ b/docs-xml/smbdotconf/vfs/ntvfshandler.xml
@@ -6,6 +6,19 @@
<description>
<para>This specifies the NTVFS handlers for this share.</para>
+ <itemizedlist>
+ <listitem><para>posix: Maps POSIX FS semantics to NT semantics</para></listitem>
+ <listitem><para>unixuid: Sets up user credentials based on POSIX gid/uid.</para></listitem>
+ <listitem><para>cifs: Proxies a remote CIFS FS. Mainly useful for testing.</para></listitem>
+ <listitem><para>nbench: Filter module that saves data useful to the nbench benchmark suite.</para></listitem>
+ <listitem><para>ipc: Allows using SMB for inter process communication. Only used for the IPC$ share.</para></listitem>
+ <listitem><para>posix: Maps POSIX FS semantics to NT semantics</para></listitem>
+ <listitem><para>print: Allows printing over SMB. This is
+ LANMAN-style printing, not the be confused with the spoolss
+ DCE/RPC interface used by later versions of
+ Windows.</para></listitem>
+ </itemizedlist>
+
<para>Note that this option is only used when the NTVFS file server
is in use. It is not used with the (default)
s3fs file server.
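Review bot: The new itemizedlist contains the "posix: Maps POSIX FS semantics to NT semantics" item twice (first and sixth entries); drop the second copy. In the "print" item, "not the be confused with" should be "not to be confused with", and the "posix" items lack the trailing full stop the other items have.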
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index fed2e95..61f0044 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -132,6 +132,7 @@ FN_LOCAL_BOOL(afs_share, bAfs_Share)
FN_LOCAL_BOOL(acl_check_permissions, bAclCheckPermissions)
FN_LOCAL_BOOL(acl_group_control, bAclGroupControl)
FN_LOCAL_BOOL(acl_map_full_control, bAclMapFullControl)
+FN_LOCAL_BOOL(acl_allow_execute_always, bAclAllowExecuteAlways)
FN_LOCAL_INTEGER(defaultcase, iDefaultCase)
FN_LOCAL_INTEGER(minprintspace, iMinPrintSpace)
FN_LOCAL_INTEGER(printing, iPrinting)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 1b1497c..7b32998 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -904,6 +904,16 @@ static struct parm_struct parm_table[] = {
.flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
},
{
+ .label = "acl allow execute always",
+ .type = P_BOOL,
+ .p_class = P_LOCAL,
+ .offset = LOCAL_VAR(bAclAllowExecuteAlways),
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
+ },
+
+ {
.label = "create mask",
.type = P_OCTAL,
.p_class = P_LOCAL,
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index f8ebf0b..14d4cc3 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -737,6 +737,14 @@ static uint16_t smb1cli_alloc_mid(struct smbXcli_conn *conn)
size_t num_pending = talloc_array_length(conn->pending);
uint16_t result;
+ if (conn->protocol == PROTOCOL_NONE) {
+ /*
+ * This is what windows sends on the SMB1 Negprot request
+ * and some vendors reuse the SMB1 MID as SMB2 sequence number.
+ */
+ return 0;
+ }
+
while (true) {
size_t i;
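Review bot: The early "return 0;" for conn->protocol == PROTOCOL_NONE leaves before the while loop that follows, so num_pending (taken from conn->pending just above) is never consulted on this path and nothing in this function keeps two requests issued before negotiation completes from both getting MID 0. If only the initial Negprot can reach this point, say so in the comment; otherwise fall back to the normal allocation when conn->pending is not empty.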
@@ -4732,12 +4740,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
struct smbXcli_conn *conn = session->conn;
uint16_t no_sign_flags;
uint8_t session_key[16];
+ bool check_signature = true;
+ uint32_t hdr_flags;
NTSTATUS status;
if (conn == NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
+ if (recv_iov[0].iov_len != SMB2_HDR_BODY) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
if (session->smb2->session_flags & no_sign_flags) {
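Review bot: The new length check on recv_iov[0].iov_len returns NT_STATUS_INVALID_PARAMETER_MIX, the same status used just above for conn == NULL, so a malformed server response becomes indistinguishable from a caller bug. NT_STATUS_INVALID_NETWORK_RESPONSE would describe this case better. Also, "bool check_signature = true;" is overwritten unconditionally later in the function by "check_signature = conn->mandatory_signing;", so the initialiser is misleading and can be dropped.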
@@ -4829,11 +4843,30 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
return NT_STATUS_NO_MEMORY;
}
- status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
- session->conn->protocol,
- recv_iov, 3);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ check_signature = conn->mandatory_signing;
+
+ hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS);
+ if (hdr_flags & SMB2_HDR_FLAG_SIGNED) {
+ /*
+ * Sadly some vendors don't sign the
+ * final SMB2 session setup response
+ *
+ * At least Windows and Samba are always doing this
+ * if there's a session key available.
+ *
+ * We only check the signature if it's mandatory
+ * or SMB2_HDR_FLAG_SIGNED is provided.
+ */
+ check_signature = true;
+ }
+
+ if (check_signature) {
+ status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
+ session->conn->protocol,
+ recv_iov, 3);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
}
session->smb2->should_sign = false;
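Review bot: The decision to verify now depends on SMB2_HDR_FLAG_SIGNED read from recv_iov[0], which is part of the header the signature is meant to authenticate, so when conn->mandatory_signing is false a final session setup response with that flag cleared is accepted without smb2_signing_check_pdu() being called. The comment gives the interoperability reason but not this consequence. I would state it in the comment and log at a DEBUG level on the skipped path, so that an unverified session setup response is visible to anyone investigating a connection and the value of mandatory signing is clear to the next reader.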
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 8b175c2..4281e6b 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -18,6 +18,8 @@
#
import ldb
+import samba
+import time
from samba import dsdb
from samba import common
from samba.dcerpc import misc
@@ -59,6 +61,8 @@ class dbcheck(object):
self.seize_fsmo_role = False
self.move_to_lost_and_found = False
self.fix_instancetype = False
+ self.fix_replmetadata_zero_invocationid = False
+ self.fix_deleted_deleted_objects = False
self.reset_well_known_acls = reset_well_known_acls
self.reset_all_well_known_acls = False
self.in_transaction = in_transaction
@@ -97,6 +101,21 @@ class dbcheck(object):
else:
self.write_ncs = None
+ res = self.samdb.search(base="", scope=ldb.SCOPE_BASE, attrs=['namingContexts'])
+ try:
+ ncs = res[0]["namingContexts"]
+ self.deleted_objects_containers = []
+ for nc in ncs:
+ try:
+ dn = self.samdb.get_wellknown_dn(ldb.Dn(self.samdb, nc),
+ dsdb.DS_GUID_DELETED_OBJECTS_CONTAINER)
+ self.deleted_objects_containers.append(dn)
+ except KeyError:
+ pass
+ except KeyError:
+ pass
+ except IndexError:
+ pass
def check_database(self, DN=None, scope=ldb.SCOPE_SUBTREE, controls=[], attrs=['*']):
'''perform a database check, returning the number of errors found'''
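Review bot: self.deleted_objects_containers is assigned inside the try block, after res[0]["namingContexts"], so if that lookup raises IndexError or KeyError the attribute is never created and the later test "dn in self.deleted_objects_containers" in check_object fails with AttributeError. Initialise the list to [] before the try. The three bare "pass" handlers would also benefit from a short comment saying why each failure is safe to ignore.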
@@ -816,6 +835,110 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn))
self.samdb.set_session_info(self.system_session_info)
+
+ def has_replmetadata_zero_invocationid(self, dn, repl_meta_data):
+ repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
+ str(repl_meta_data))
+ ctr = repl.ctr
+ found = False
+ for o in ctr.array:
+ # Search for a zero invocationID
+ if o.originating_invocation_id != misc.GUID("00000000-0000-0000-0000-000000000000"):
+ continue
+
+ found = True
+ self.report('''ERROR: on replPropertyMetaData of %s, the instanceType on attribute 0x%08x,
+ version %d changed at %s is 00000000-0000-0000-0000-000000000000,
+ but should be non-zero. Proposed fix is to set to our invocationID (%s).'''
+ % (dn, o.attid, o.version,
+ time.ctime(samba.nttime2unix(o.originating_change_time)),
+ self.samdb.get_invocation_id()))
+
+ return found
+
+
+ def err_replmetadata_zero_invocationid(self, dn, attr, repl_meta_data):
+ repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
+ str(repl_meta_data))
+ ctr = repl.ctr
+ now = samba.unix2nttime(int(time.time()))
+ found = False
+ for o in ctr.array:
+ # Search for a zero invocationID
+ if o.originating_invocation_id != misc.GUID("00000000-0000-0000-0000-000000000000"):
+ continue
+
+ found = True
+ seq = self.samdb.sequence_number(ldb.SEQ_NEXT)
+ o.version = o.version + 1
+ o.originating_change_time = now
+ o.originating_invocation_id = misc.GUID(self.samdb.get_invocation_id())
+ o.originating_usn = seq
+ o.local_usn = seq
+
+ if found:
+ replBlob = ndr_pack(repl)
+ msg = ldb.Message()
+ msg.dn = dn
+
+ if not self.confirm_all('Fix %s on %s by setting originating_invocation_id on some elements to our invocationID %s?'
+ % (attr, dn, self.samdb.get_invocation_id()), 'fix_replmetadata_zero_invocationid'):
+ self.report('Not fixing %s on %s\n' % (attr, dn))
+ return
+
+ nmsg = ldb.Message()
+ nmsg.dn = dn
+ nmsg[attr] = ldb.MessageElement(replBlob, ldb.FLAG_MOD_REPLACE, attr)
+ if self.do_modify(nmsg, ["local_oid:1.3.6.1.4.1.7165.4.3.14:0"],
+ "Failed to fix attribute %s" % attr):
+ self.report("Fixed attribute '%s' of '%s'\n" % (attr, dn))
+
+
+ def is_deleted_deleted_objects(self, obj):
+ faulty = False
+ if "description" not in obj:
+ self.report("ERROR: description not present on Deleted Objects container %s" % obj.dn)
+ faulty = True
+ if "showInAdvancedViewOnly" not in obj:
+ self.report("ERROR: showInAdvancedViewOnly not present on Deleted Objects container %s" % obj.dn)
+ faulty = True
+ if "objectCategory" not in obj:
+ self.report("ERROR: objectCategory not present on Deleted Objects container %s" % obj.dn)
+ faulty = True
+ if "isCriticalSystemObject" not in obj:
+ self.report("ERROR: isCriticalSystemObject not present on Deleted Objects container %s" % obj.dn)
+ faulty = True
+ if "isRecycled" in obj:
+ self.report("ERROR: isRecycled present on Deleted Objects container %s" % obj.dn)
+ faulty = True
+ return faulty
+
+
+ def err_deleted_deleted_objects(self, obj):
+ nmsg = ldb.Message()
+ nmsg.dn = dn = obj.dn
+
+ if "description" not in obj:
+ nmsg["description"] = ldb.MessageElement("Container for deleted objects", ldb.FLAG_MOD_REPLACE, "description")
+ if "showInAdvancedViewOnly" not in obj:
+ nmsg["showInAdvancedViewOnly"] = ldb.MessageElement("TRUE", ldb.FLAG_MOD_REPLACE, "showInAdvancedViewOnly")
+ if "objectCategory" not in obj:
+ nmsg["objectCategory"] = ldb.MessageElement("CN=Container,%s" % self.schema_dn, ldb.FLAG_MOD_REPLACE, "objectCategory")
+ if "isCriticalSystemObject" not in obj:
+ nmsg["isCriticalSystemObject"] = ldb.MessageElement("TRUE", ldb.FLAG_MOD_REPLACE, "isCriticalSystemObject")
+ if "isRecycled" in obj:
+ nmsg["isRecycled"] = ldb.MessageElement("TRUE", ldb.FLAG_MOD_DELETE, "isRecycled")
+
+ if not self.confirm_all('Fix Deleted Objects container %s by restoring default attributes?'
+ % (dn), 'fix_deleted_deleted_objects'):
+ self.report('Not fixing missing/incorrect attributes on %s\n' % (dn))
+ return
+
+ if self.do_modify(nmsg, ["relax:0"],
+ "Failed to fix Deleted Objects container %s" % dn):
+ self.report("Fixed Deleted Objects container '%s'\n" % (dn))
+
+
def is_fsmo_role(self, dn):
if dn == self.samdb.domain_dn:
return True
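Review bot: The error text in has_replmetadata_zero_invocationid() says "the instanceType on attribute 0x%08x ... is 00000000-0000-0000-0000-000000000000", but the field being tested is originating_invocation_id; the message looks copied from the instanceType check and should name the invocationID. In err_replmetadata_zero_invocationid() the first "msg = ldb.Message()" / "msg.dn = dn" pair is never used (nmsg is what gets sent), and self.samdb.sequence_number(ldb.SEQ_NEXT) is called inside the loop before confirm_all() is asked, so the work is done even when the user declines the fix. Both new pairs of methods unpack and walk the same data twice with the same GUID literal; a shared helper and a named constant for the zero GUID would cut the duplication.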
@@ -901,6 +1024,12 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
continue
if str(attrname).lower() == 'replpropertymetadata':
+ if self.has_replmetadata_zero_invocationid(dn, obj[attrname]):
+ error_count += 1
+ self.err_replmetadata_zero_invocationid(dn, attrname, obj[attrname])
+ # We don't continue, as we may also have other fixes for this attribute
+ # based on what other attributes we see.
+
list_attrs_from_md = self.process_metadata(obj[attrname])
got_repl_property_meta_data = True
continue
@@ -978,6 +1107,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
if str(attrname).lower() == "instancetype":
calculated_instancetype = self.calculate_instancetype(dn)
if len(obj["instanceType"]) != 1 or obj["instanceType"][0] != str(calculated_instancetype):
+ error_count += 1
self.err_wrong_instancetype(obj, calculated_instancetype)
show_dn = True
@@ -1027,6 +1157,11 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
else:
raise
+ if dn in self.deleted_objects_containers and '*' in attrs:
+ if self.is_deleted_deleted_objects(obj):
+ self.err_deleted_deleted_objects(obj)
+ error_count += 1
+
return error_count
################################################################
diff --git a/python/samba/drs_utils.py b/python/samba/drs_utils.py
index 6e2cfea..4983749 100644
--- a/python/samba/drs_utils.py
+++ b/python/samba/drs_utils.py
@@ -147,12 +147,16 @@ def drs_DsBind(drs):
class drs_Replicate(object):
'''DRS replication calls'''
- def __init__(self, binding_string, lp, creds, samdb):
+ def __init__(self, binding_string, lp, creds, samdb, invocation_id):
self.drs = drsuapi.drsuapi(binding_string, lp, creds)
(self.drs_handle, self.supported_extensions) = drs_DsBind(self.drs)
self.net = Net(creds=creds, lp=lp)
self.samdb = samdb
- self.replication_state = self.net.replicate_init(self.samdb, lp, self.drs)
+ if not isinstance(invocation_id, misc.GUID):
+ raise RuntimeError("Must supply GUID for invocation_id")
+ if invocation_id == misc.GUID("00000000-0000-0000-0000-000000000000"):
+ raise RuntimeError("Must not set GUID 00000000-0000-0000-0000-000000000000 as invocation_id")
+ self.replication_state = self.net.replicate_init(self.samdb, lp, self.drs, invocation_id)
def drs_get_rodc_partial_attribute_set(self):
'''get a list of attributes for RODC replication'''
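Review bot: The two new checks in __init__ raise RuntimeError for what are argument errors; TypeError for the isinstance failure and ValueError for the all-zero GUID would let callers tell them apart from replication failures at run time. invocation_id is added as a required positional parameter with no mention in the class docstring, so please document it there, and confirm that misc is imported in this module since the hunk does not show it. The literal "00000000-0000-0000-0000-000000000000" is now repeated here and in dbchecker.py; a shared constant would avoid typos in a value that several checks depend on.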
diff --git a/python/samba/join.py b/python/samba/join.py
index b2f4da4..fcdd4ec 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -790,7 +790,7 @@ class dc_join(object):
binding_options += ",print"
--
Samba Shared Repository