[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Tue Jun 27 01:20:04 UTC 2017
The branch, master has been updated
via 37db3d2 WHATSNEW: Fix typo...
via 8ee4f82 auth/ntlmssp: enforce NTLMSSP_NEGOTIATE_NTLM2 for the NTLMv2 client case
via acc1659 s3: smbd: fix regression with non-wide symlinks to directories over SMB3.
via f1f388e s3: smbd: Add regression test for non-wide symlinks to directories fail over SMB3.
from bcfa12c ctdb-protocol: Do not pass tdb open flags to DB attach controls
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 37db3d22e2cffae61398f5452fbe24b55a7da15b
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Jun 26 13:18:50 2017 +0200
WHATSNEW: Fix typo...
and add some new/changed parameters.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jun 27 03:19:19 CEST 2017 on sn-devel-144
commit 8ee4f8236830eb3fa1b273fa6927792a800f86bd
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 24 13:16:03 2017 +0200
auth/ntlmssp: enforce NTLMSSP_NEGOTIATE_NTLM2 for the NTLMv2 client case
Some servers may not announce the NTLMSSP_NEGOTIATE_NTLM2
(a.k.a. NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) bit.
But if we're acting as a client using NTLMv2 we need to
enforce this flag, because it's not really negotiable
in that case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12862
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit acc16592b451905dabc093f1d261e93cd3b59520
Author: Daniel Kobras <d.kobras at science-computing.de>
Date: Fri Jun 23 15:39:21 2017 +0200
s3: smbd: fix regression with non-wide symlinks to directories over SMB3.
The errno returned by open() is ambiguous when called with flags O_NOFOLLOW and
O_DIRECTORY on a symlink. With ELOOP, we know for certain that we've tried to
open a symlink. With ENOTDIR, we might have hit a symlink, and need to perform
further checks to be sure. Adjust non_widelink_open() accordingly. This fixes
a regression where symlinks to directories within the same share were no
longer followed for some call paths on systems returning ENOTDIR in the above
case.
Also remove the knownfail added in previous commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12860
Signed-off-by: Daniel Kobras <d.kobras at science-computing.de>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f1f388ef80a6516c2f44b7778420f8ffe28c6471
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jun 23 11:12:22 2017 -0700
s3: smbd: Add regression test for non-wide symlinks to directories fail over SMB3.
Mark as knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12860
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 52 +++++++++++++++--------------
auth/ntlmssp/ntlmssp_util.c | 21 ++++++++++++
selftest/target/Samba3.pm | 8 +++++
source3/script/tests/test_smbclient_s3.sh | 55 +++++++++++++++++++++++++++++++
source3/smbd/open.c | 24 ++++++++++++--
5 files changed, 133 insertions(+), 27 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8b646f9..cca7e0b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -51,7 +51,7 @@ value 1024-1300 to 49152-65535. This port range is not only used by a
Samba AD DC but also applies to all other server roles including NT4-style
domain controllers. The new value has been defined by Microsoft in Windows
Server 2008 and newer versions. To make it easier for Administrators to control
-those port ranges we use the same default and make it configureable with the
+those port ranges we use the same default and make it configurable with the
option: 'rpc server dynamic port range'.
The 'rpc server port' option sets the first available port from the new
@@ -76,7 +76,6 @@ authentication, SMB and RPC authorization is covered, however password
changes are not at this stage, and this support is not currently
backed by a testsuite.
-
Query record for open file or directory
---------------------------------------
@@ -85,29 +84,6 @@ queried through the 'net tdb locking' command. In clustered Samba this
can be useful to determine the file or directory triggering
corresponding "hot" record warnings in ctdb.
-
-Parameter changes
------------------
-
-The "strict sync" global parameter has been changed from
-a default of "no" to "yes". This means smbd will by default
-obey client requests to synchronize unwritten data in operating
-system buffers safely onto disk. This is a safer default setting
-for modern SMB1/2/3 clients.
-
-smb.conf changes
-================
-
- Parameter Name Description Default
- -------------- ----------- -------
- auth event notification New parameter no
- auth methods Deprecated
- map untrusted to domain New value/ auto
- Default changed/
- Deprecated
- profile acls Deprecated
- strict sync Default changed yes
-
Removal of lpcfg_register_defaults_hook()
-----------------------------------------
@@ -137,6 +113,32 @@ the talloc_autofree_context() (which is inherently thread-unsafe)
and still be valgrind-clean on exit. Modules that don't need to
free long-lived data on exist should use the NULL talloc context.
+Parameter changes
+-----------------
+
+The "strict sync" global parameter has been changed from
+a default of "no" to "yes". This means smbd will by default
+obey client requests to synchronize unwritten data in operating
+system buffers safely onto disk. This is a safer default setting
+for modern SMB1/2/3 clients.
+
+smb.conf changes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow unsafe cluster upgrade New parameter no
+ auth event notification New parameter no
+ auth methods Deprecated
+ map untrusted to domain New value/ auto
+ Default changed/
+ Deprecated
+ mit kdc command New parameter
+ profile acls Deprecated
+ rpc server dynamic port range New parameter 49152-65535
+ strict sync Default changed yes
+
+
KNOWN ISSUES
============
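Review bot: the new 'mit kdc command' row in the smb.conf changes table leaves the Default column empty, while the other two New parameter rows added here ('allow unsafe cluster upgrade' and 'rpc server dynamic port range') state theirs. Please fill in the default or say explicitly that there is none. The re-added block also ends in two blank '+' lines before KNOWN ISSUES, although an earlier hunk of this same patch removes a doubled blank line, and the context line above still reads 'on exist' for 'on exit', which could be fixed in the same typo commit.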
diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c
index 4ae6101..9c7325a 100644
--- a/auth/ntlmssp/ntlmssp_util.c
+++ b/auth/ntlmssp/ntlmssp_util.c
@@ -75,6 +75,27 @@ NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
{
uint32_t missing_flags = ntlmssp_state->required_flags;
+ if (ntlmssp_state->use_ntlmv2) {
+ /*
+ * Using NTLMv2 as a client implies
+ * using NTLMSSP_NEGOTIATE_NTLM2
+ * (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
+ *
+ * Note that 'use_ntlmv2' is only set
+ * true in the client case.
+ *
+ * Even if the server has a bug and does not announce
+ * it, we need to assume it's present.
+ *
+ * Note that we also have the flag
+ * in ntlmssp_state->required_flags,
+ * see gensec_ntlmssp_client_start().
+ *
+ * See bug #12862.
+ */
+ flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ }
+
if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
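Review bot: the new guard `if (ntlmssp_state->use_ntlmv2)` depends on an invariant that exists only in the comment ('use_ntlmv2' is only set true in the client case); nothing in the visible code checks the role, so a later change that sets use_ntlmv2 on the server side would silently force NTLMSSP_NEGOTIATE_NTLM2 into the flags there as well. Consider testing the client role explicitly alongside use_ntlmv2. It would also help to emit a debug message when the bit was absent from the peer's flags before the `flags |=` line, so an administrator can see that the server is affected by bug #12862 instead of the condition being hidden.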
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index d93d98e..6854d7c 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1355,6 +1355,9 @@ sub provision($$$$$$$$$)
my $nosymlinks_shrdir="$shrdir/nosymlinks";
push(@dirs,$nosymlinks_shrdir);
+ my $local_symlinks_shrdir="$shrdir/local_symlinks";
+ push(@dirs,$local_symlinks_shrdir);
+
# this gets autocreated by winbindd
my $wbsockdir="$prefix_abs/winbindd";
@@ -1976,6 +1979,11 @@ sub provision($$$$$$$$$)
path = $nosymlinks_shrdir
follow symlinks = no
+[local_symlinks]
+ copy = tmp
+ path = $local_symlinks_shrdir
+ follow symlinks = yes
+
[kernel_oplocks]
copy = tmp
kernel oplocks = yes
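Review bot: the [local_symlinks] share sets only 'follow symlinks = yes' and takes everything else from 'copy = tmp', so whether it exercises the non-wide-link code path depends on settings that are not visible in this share definition. Since the regression is specific to non-wide symlinks, consider adding an explicit 'wide links = no' to the share so the test keeps covering that path if the inherited settings change.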
diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
index 050dd81..1c5a13d 100755
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@@ -1215,6 +1215,57 @@ EOF
fi
}
+# Test we can follow normal symlinks.
+# Bug: https://bugzilla.samba.org/show_bug.cgi?id=12860
+# Note - this needs to be tested over SMB3, not SMB1.
+
+test_local_symlinks()
+{
+# Setup test dirs.
+ LOCAL_RAWARGS="${CONFIGURATION} -mSMB3"
+ LOCAL_ADDARGS="${LOCAL_RAWARGS} $*"
+
+ test_dir="$LOCAL_PATH/local_symlinks/test"
+
+ slink_name="$test_dir/sym_name"
+ slink_target_dir="$test_dir/dir1"
+
+ rm -rf $test_dir
+
+ mkdir -p $test_dir
+ mkdir $slink_target_dir
+ ln -s $slink_target_dir $slink_name
+
+# Can we cd into the symlink name and ls ?
+ tmpfile=$PREFIX/smbclient_interactive_prompt_commands
+ cat > $tmpfile <<EOF
+cd test\\sym_name
+ls
+quit
+EOF
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/local_symlinks -I $SERVER_IP $LOCAL_ADDARGS < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=`eval $cmd`
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo "failed accessing local_symlinks with error $ret"
+ false
+ return
+ fi
+
+ echo "$out" | grep 'NT_STATUS_'
+ ret=$?
+ if [ $ret -eq 0 ] ; then
+ echo "$out"
+ echo "failed - got an NT_STATUS error"
+ false
+ return
+ fi
+}
+
test_server_os_message()
{
tmpfile=$PREFIX/smbclient_interactive_prompt_commands
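Review bot: test_local_symlinks only proves the absence of 'NT_STATUS_' in the output; dir1 is created empty, so an `ls` that really listed the symlinked directory cannot be told apart from one that printed nothing for some other reason. Create a marker file in $slink_target_dir and grep for its name in $out. Also, `rm -rf $test_dir`, `mkdir` and `ln -s` use unquoted variables, and the function leaves $test_dir behind on both the success and the failure paths; quote the expansions and remove the directory before returning.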
@@ -1348,6 +1399,10 @@ testit "follow symlinks = no" \
test_nosymlinks || \
failed=`expr $failed + 1`
+testit "follow local symlinks" \
+ test_local_symlinks || \
+ failed=`expr $failed + 1`
+
testit "server os message" \
test_server_os_message || \
failed=`expr $failed + 1`
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index e68e2ac..fa74f48 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -581,7 +581,18 @@ static int non_widelink_open(struct connection_struct *conn,
if (fd == -1) {
saved_errno = link_errno_convert(errno);
- if (saved_errno == ELOOP) {
+ /*
+ * Trying to open a symlink to a directory with O_NOFOLLOW and
+ * O_DIRECTORY can return either of ELOOP and ENOTDIR. So
+ * ENOTDIR really means: might be a symlink, but we're not sure.
+ * In this case, we just assume there's a symlink. If we were
+ * wrong, process_symlink_open() will return EINVAL. We check
+ * this below, and fall back to returning the initial
+ * saved_errno.
+ *
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=12860
+ */
+ if (saved_errno == ELOOP || saved_errno == ENOTDIR) {
if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) {
/* Never follow symlinks on posix open. */
goto out;
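Review bot: the widened condition `saved_errno == ELOOP || saved_errno == ENOTDIR` takes the symlink path for every ENOTDIR, while the comment above it describes only the O_NOFOLLOW plus O_DIRECTORY case. Consider also checking that O_DIRECTORY was actually requested in the open flags, so that process_symlink_open() is attempted only where the ambiguity can occur and other ENOTDIR failures keep the old direct error return.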
@@ -591,7 +602,7 @@ static int non_widelink_open(struct connection_struct *conn,
goto out;
}
/*
- * We have a symlink. Follow in userspace
+ * We may have a symlink. Follow in userspace
* to ensure it's under the share definition.
*/
fd = process_symlink_open(conn,
@@ -602,6 +613,15 @@ static int non_widelink_open(struct connection_struct *conn,
mode,
link_depth);
if (fd == -1) {
+ if (saved_errno == ENOTDIR &&
+ errno == EINVAL) {
+ /*
+ * O_DIRECTORY on neither a directory,
+ * nor a symlink. Just return
+ * saved_errno from initial open()
+ */
+ goto out;
+ }
saved_errno =
link_errno_convert(errno);
}
--
Samba Shared Repository
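
The errno ambiguity described in the commit message for non_widelink_open() above, shown as an added stand-alone example that is not Samba's code: the names `classify` and `run_demo`, the /tmp fixture directory and the file names in it are assumptions made for the illustration. It resolves ENOTDIR with readlinkat(), whose EINVAL means "not a symlink".

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum kind { K_DIR, K_SYMLINK, K_NOT_DIR, K_ERROR };

/* Classify 'name' (relative to dirfd) without ever following a symlink. */
static enum kind classify(int dirfd, const char *name)
{
	char target[PATH_MAX];
	int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_DIRECTORY);
	if (fd != -1) { close(fd); return K_DIR; }
	if (errno == ELOOP) return K_SYMLINK;   /* unambiguous: a symlink */
	if (errno != ENOTDIR) return K_ERROR;   /* ENOENT, EACCES, ... */
	/* ENOTDIR: a symlink or a plain non-directory; readlinkat() decides. */
	if (readlinkat(dirfd, name, target, sizeof(target)) != -1) return K_SYMLINK;
	return (errno == EINVAL) ? K_NOT_DIR : K_ERROR;
}

/* Build constructed fixtures in a temp dir; returns the number of mismatches. */
static int run_demo(void)
{
	char tmpl[] = "/tmp/nofollow_demo_XXXXXX";
	int dfd, ffd, bad = 0;
	if (mkdtemp(tmpl) == NULL) return -1;
	dfd = open(tmpl, O_RDONLY | O_DIRECTORY);
	if (dfd == -1) return -1;
	ffd = openat(dfd, "file", O_CREAT | O_WRONLY, 0600);
	if (ffd != -1) close(ffd);
	mkdirat(dfd, "dir1", 0700);
	symlinkat("dir1", dfd, "sym_name");     /* symlink to a directory */
	bad += classify(dfd, "dir1") != K_DIR;
	bad += classify(dfd, "sym_name") != K_SYMLINK; /* via ELOOP or ENOTDIR */
	bad += classify(dfd, "file") != K_NOT_DIR;
	bad += classify(dfd, "missing") != K_ERROR;
	unlinkat(dfd, "sym_name", 0);
	unlinkat(dfd, "file", 0);
	unlinkat(dfd, "dir1", AT_REMOVEDIR);
	close(dfd);
	rmdir(tmpl);
	return bad;
}

int main(void) { return run_demo() != 0; }
```

The open and the readlinkat() are separate system calls, so the classification is only a hint; any code that then follows the link has to re-validate the resolved path, as the patch does by following in userspace under the share definition.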