[SCM] Samba Shared Repository - branch v4-9-test updated

Karolin Seeger kseeger at samba.org
Thu Feb 21 15:18:02 UTC 2019


The branch, v4-9-test has been updated
       via  2f5823c5015 waf: Check for libnscd
       via  d85f9fdc8ac tldap: avoid more use after free errors
       via  5995d5b91bf tldap: avoid a use after free crash
       via  c0858bc990c s3:vfs: Correctly check if OFD locks should be enabled or not
       via  53d2623b2fd s3:vfs: Initialize pid to 0 in test_netatalk_lock()
       via  eb425d50447 s4: torture: vfs_fruit. Change test_fruit_locking_conflict() to match the vfs_fruit working server code.
       via  b650db4d06a s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code.
       via  6f697b9c68a netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg
       via  7644bb26be0 smbd: uid: Don't crash if 'force group' is added to an existing share connection.
       via  eac00de2a09 s3: tests: Add regression test for smbd crash on share force group change with existing connection.
       via  44f49283cb8 printing: check lp_load_printers() prior to pcap cache update
       via  3ec3f9dcb3f printing: drop pcap_cache_loaded() guard around load_printers()
       via  455099bd9dd s3-smbd: use fruit:model string for mDNS registration
      from  c7b04443226 ldb: Bump ldb version to 1.4.5

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test


- Log -----------------------------------------------------------------
commit 2f5823c50159cf7eebf3ca5aa283eaf4ba49c033
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Feb 12 12:28:32 2019 -0700

    waf: Check for libnscd
    
    The check was in the old autoconf, but not in waf. As the code is still
    in source3/lib/util_nscd.c, add the check for libnscd to allow building
    and using the code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13787
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Wed Feb 13 17:58:33 CET 2019 on sn-devel-144
    
    (cherry picked from commit 3a793497796395ffa3efda5807bdb1ca8e09e35b)
    
    Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-9-test): Thu Feb 21 16:17:23 CET 2019 on sn-devel-144

commit d85f9fdc8acb35d682e6965a16b00b364eda5abb
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Feb 5 14:08:56 2019 +0100

    tldap: avoid more use after free errors
    
    See the previous commit for an explanation. :)
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13776
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Wed Feb  6 10:19:12 CET 2019 on sn-devel-144
    
    (cherry picked from commit bf91ee0a9727cc392583fe84ad069204be758515)

commit 5995d5b91bf60010064b6a8593bb3548ac80fb12
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Feb 5 13:56:53 2019 +0100

    tldap: avoid a use after free crash
    
    I saw the following crash in tldap in the winbindd idmap child on a
    member server after messing with the LDAP server on the DC:
    
    0  0x00007f77ea9a307a in __GI___waitpid (pid=9815, stat_loc=stat_loc at entry=0x7ffe77569eb0, options=options at entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
    1  0x00007f77ea91bfbb in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148
    2  0x00007f77edd8c24b in smb_panic_s3 (why=0x7f77f08e6e88 "Bad talloc magic value - access after free") at ../source3/lib/util.c:828
    3  0x00007f77f15afe85 in smb_panic (why=0x7f77f08e6e88 "Bad talloc magic value - access after free") at ../lib/util/fault.c:170
    4  0x00007f77f08e2678 in talloc_abort (reason=0x7f77f08e6e88 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:472
    5  0x00007f77f08e268b in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:477
    6  0x00007f77f08e2710 in talloc_chunk_from_ptr (ptr=0x55da7605a020) at ../lib/talloc/talloc.c:494
    7  0x00007f77f08e4a19 in _talloc_free (ptr=0x55da7605a020, location=0x7f77e181474d "../source3/lib/tldap.c:1918") at ../lib/talloc/talloc.c:1716
    8  0x00007f77e180b65c in tldap_search_all_done (subreq=0x55da7605a020) at ../source3/lib/tldap.c:1918
    9  0x00007f77f0af0fd0 in _tevent_req_notify_callback (req=0x55da7605a020, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:125
    10 0x00007f77f0af10a5 in tevent_req_finish (req=0x55da7605a020, state=TEVENT_REQ_USER_ERROR, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:162
    11 0x00007f77f0af1113 in _tevent_req_error (req=0x55da7605a020, error=9780923860630110289, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:180
    12 0x00007f77e180781a in tevent_req_ldap_error (req=0x55da7605a020, rc=...) at ../source3/lib/tldap.c:47
    13 0x00007f77e180b2c4 in tldap_search_done (subreq=0x55da76058280) at ../source3/lib/tldap.c:1813
    14 0x00007f77f0af0fd0 in _tevent_req_notify_callback (req=0x55da76058280, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:125
    15 0x00007f77f0af10a5 in tevent_req_finish (req=0x55da76058280, state=TEVENT_REQ_USER_ERROR, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:162
    16 0x00007f77f0af11cd in tevent_req_trigger (ev=0x55da760526c0, im=0x55da76058360, private_data=0x55da76058280) at ../lib/tevent/tevent_req.c:219
    17 0x00007f77f0af0378 in tevent_common_loop_immediate (ev=0x55da760526c0) at ../lib/tevent/tevent_immediate.c:135
    18 0x00007f77f0af8b8f in epoll_event_loop_once (ev=0x55da760526c0, location=0x7f77f0af92b0 "../lib/tevent/tevent_req.c:269") at ../lib/tevent/tevent_epoll.c:911
    19 0x00007f77f0af5925 in std_event_loop_once (ev=0x55da760526c0, location=0x7f77f0af92b0 "../lib/tevent/tevent_req.c:269") at ../lib/tevent/tevent_standard.c:114
    20 0x00007f77f0aef201 in _tevent_loop_once (ev=0x55da760526c0, location=0x7f77f0af92b0 "../lib/tevent/tevent_req.c:269") at ../lib/tevent/tevent.c:725
    21 0x00007f77f0af1361 in tevent_req_poll (req=0x55da7605eed0, ev=0x55da760526c0) at ../lib/tevent/tevent_req.c:269
    22 0x00007f77e180fec9 in tldap_gensec_bind (ctx=0x55da76051ec0, creds=0x55da76052250, target_service=0x7f77e18164b3 "ldap", target_hostname=0x55da7605d182 "dc1.sdom1.site", target_principal=0x0, lp_ctx=0x55da76052180, gensec_features=6) at ../source3/lib/tldap_gensec_bind.c:358
    23 0x00007f77e1810d21 in idmap_ad_get_tldap_ctx (mem_ctx=0x55da76050510, domname=0x55da76051d50 "sdom1", pld=0x55da76050518) at ../source3/winbindd/idmap_ad.c:326
    24 0x00007f77e1811056 in idmap_ad_context_create (mem_ctx=0x55da76059c00, dom=0x55da76059c00, domname=0x55da76051d50 "sdom1", pctx=0x7ffe7756a5f8) at ../source3/winbindd/idmap_ad.c:374
    25 0x00007f77e18119c0 in idmap_ad_get_context (dom=0x55da76059c00, pctx=0x7ffe7756a640) at ../source3/winbindd/idmap_ad.c:554
    26 0x00007f77e181275b in idmap_ad_sids_to_unixids (dom=0x55da76059c00, ids=0x55da760518a0) at ../source3/winbindd/idmap_ad.c:784
    27 0x00007f77e1813217 in idmap_ad_sids_to_unixids_retry (dom=0x55da76059c00, ids=0x55da760518a0) at ../source3/winbindd/idmap_ad.c:947
    28 0x000055da7459ce05 in _wbint_Sids2UnixIDs (p=0x7ffe7756a870, r=0x55da76050860) at ../source3/winbindd/winbindd_dual_srv.c:202
    29 0x000055da7460aa5e in api_wbint_Sids2UnixIDs (p=0x7ffe7756a870) at default/librpc/gen_ndr/srv_winbind.c:391
    30 0x000055da7459c7f4 in winbindd_dual_ndrcmd (domain=0x0, state=0x7ffe7756abb8) at ../source3/winbindd/winbindd_dual_ndr.c:369
    31 0x000055da7459828c in child_process_request (child=0x55da74874bc0 <static_idmap_child>, state=0x7ffe7756abb8) at ../source3/winbindd/winbindd_dual.c:666
    32 0x000055da7459ae58 in child_handler (ev=0x55da7602c2b0, fde=0x55da7603f8a0, flags=1, private_data=0x7ffe7756abb0) at ../source3/winbindd/winbindd_dual.c:1567
    33 0x00007f77f0af85f1 in epoll_event_loop (epoll_ev=0x55da76048b00, tvalp=0x7ffe7756aab0) at ../lib/tevent/tevent_epoll.c:728
    34 0x00007f77f0af8c29 in epoll_event_loop_once (ev=0x55da7602c2b0, location=0x55da74628b08 "../source3/winbindd/winbindd_dual.c:1766") at ../lib/tevent/tevent_epoll.c:930
    35 0x00007f77f0af5925 in std_event_loop_once (ev=0x55da7602c2b0, location=0x55da74628b08 "../source3/winbindd/winbindd_dual.c:1766") at ../lib/tevent/tevent_standard.c:114
    36 0x00007f77f0aef201 in _tevent_loop_once (ev=0x55da7602c2b0, location=0x55da74628b08 "../source3/winbindd/winbindd_dual.c:1766") at ../lib/tevent/tevent.c:725
    37 0x000055da7459b9e9 in fork_domain_child (child=0x55da74874bc0 <static_idmap_child>) at ../source3/winbindd/winbindd_dual.c:1766
    38 0x000055da74596e96 in wb_child_request_waited (subreq=0x0) at ../source3/winbindd/winbindd_dual.c:188
    39 0x00007f77f0af0fd0 in _tevent_req_notify_callback (req=0x55da7604f820, location=0x7f77f0af90f8 "../lib/tevent/tevent_queue.c:355") at ../lib/tevent/tevent_req.c:125
    40 0x00007f77f0af10a5 in tevent_req_finish (req=0x55da7604f820, state=TEVENT_REQ_DONE, location=0x7f77f0af90f8 "../lib/tevent/tevent_queue.c:355") at ../lib/tevent/tevent_req.c:162
    41 0x00007f77f0af10cd in _tevent_req_done (req=0x55da7604f820, location=0x7f77f0af90f8 "../lib/tevent/tevent_queue.c:355") at ../lib/tevent/tevent_req.c:168
    42 0x00007f77f0af0cc1 in tevent_queue_wait_trigger (req=0x55da7604f820, private_data=0x0) at ../lib/tevent/tevent_queue.c:355
    43 0x00007f77f0af06f2 in tevent_queue_immediate_trigger (ev=0x55da7602c2b0, im=0x55da760466a0, private_data=0x55da76046580) at ../lib/tevent/tevent_queue.c:149
    44 0x00007f77f0af0378 in tevent_common_loop_immediate (ev=0x55da7602c2b0) at ../lib/tevent/tevent_immediate.c:135
    45 0x00007f77f0af8b8f in epoll_event_loop_once (ev=0x55da7602c2b0, location=0x55da74612630 "../source3/winbindd/winbindd.c:1803") at ../lib/tevent/tevent_epoll.c:911
    46 0x00007f77f0af5925 in std_event_loop_once (ev=0x55da7602c2b0, location=0x55da74612630 "../source3/winbindd/winbindd.c:1803") at ../lib/tevent/tevent_standard.c:114
    47 0x00007f77f0aef201 in _tevent_loop_once (ev=0x55da7602c2b0, location=0x55da74612630 "../source3/winbindd/winbindd.c:1803") at ../lib/tevent/tevent.c:725
    48 0x000055da74561431 in main (argc=2, argv=0x7ffe7756c968) at ../source3/winbindd/winbindd.c:1803
    
    subreq is a child of the state of req, which will already have been freed
    by the callback of req.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13776
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit 9465292d4109f710f8fcd141a076f5c8278577bc)

commit c0858bc990ccda3ed498501e1bc009a7adbcbb83
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jan 30 18:45:34 2019 +0100

    s3:vfs: Correctly check if OFD locks should be enabled or not
    
    Also the smb.conf options should only be checked once and a reload of
    the config should not switch to a different locking mode.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat Feb  9 03:43:50 CET 2019 on sn-devel-144
    
    (cherry picked from commit 7ff94b18e2e39567ef7a208084cc5c914c39d3bd)

commit 53d2623b2fdb744cb8633372ddb4d2a786062627
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jan 30 18:09:52 2019 +0100

    s3:vfs: Initialize pid to 0 in test_netatalk_lock()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 2ff2594b2bd878928cec30bc72a95a6d38bee154)

commit eb425d50447f25b349d478a3e89829d0fbf9ccaf
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Feb 6 18:01:52 2019 -0800

    s4: torture: vfs_fruit. Change test_fruit_locking_conflict() to match the vfs_fruit working server code.
    
    Originally added for BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584
    to demonstrate a lock order violation, this test
    exposed problems in the mapping of SMB1/2 share modes
    and open modes to NetATalk modes once we moved to OFD locks.
    
    Change the test slightly (and add comments)
    so it demonstrates working NetATalk share modes
    on an open file.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Böhme <slow at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Feb  8 23:26:46 CET 2019 on sn-devel-144
    
    (cherry picked from commit 28990e4ba23695ecf264117efad90cc4e573302e)

commit b650db4d06a88a128f7459268eb4986e612a056f
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Feb 6 17:49:16 2019 -0800

    s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code.
    
    This exhibited itself as a problem with OFD locks reported
    as:
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770
    
    However, due to underlying bugs in the vfs_fruit
    code the file locks were not being properly applied.
    
    There are two problems in fruit_check_access().
    
    Problem #1:
    
    Inside fruit_check_access() we have:
    
    flags = fcntl(fsp->fh->fd, F_GETFL);
    ..
    if (flags & (O_RDONLY|O_RDWR)) {
    
    We shouldn't be calling fcntl(fsp->fh->fd, ..) directly.
    fsp->fh->fd may be a made up number from an underlying
    VFS module that has no meaning to a system call.
    
    Secondly, in all POSIX systems - O_RDONLY is defined as
    *zero*. O_RDWR = 2.
    
    Which means flags & (O_RDONLY|O_RDWR) becomes (flags & 2),
    not what we actually thought.
    
    Problem #2:
    
    deny_mode is *not* a bitmask, it's a set of discrete values.
    
    Inside fruit_check_access() we have:
    
    if (deny_mode & DENY_READ) and also (deny_mode & DENY_WRITE)
    
    However, deny modes are defined as:
    
    /* deny modes */
    define DENY_DOS 0
    define DENY_ALL 1
    define DENY_WRITE 2
    define DENY_READ 3
    define DENY_NONE 4
    define DENY_FCB 7
    
    so if deny_mode = DENY_WRITE, or if deny_mode = DENY_READ
    then it's going to trigger both the if (deny_mode & DENY_READ)
    *and* the (deny_mode & DENY_WRITE) conditions.
    
    These problems allowed the original test test_netatalk_lock code to
    pass (which was added for BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584
    to demonstrate the lock order violation).
    
    This patch refactors the fruit_check_access()
    code to be much simpler (IMHO) to understand.
    
    Firstly, pass in the SMB1/2 share mode, not old
    DOS deny modes.
    
    Secondly, read all the possible NetAtalk locks
    into local variables:
    
    netatalk_already_open_for_reading
    netatalk_already_open_with_deny_read
    netatalk_already_open_for_writing
    netatalk_already_open_with_deny_write
    
    Then do the share mode/access mode checks
    with the requested values against any stored
    netatalk modes/access modes.
    
    Finally add in NetATalk compatible locks
    that represent our share modes/access modes
    into the file, with an early return if we don't
    have FILE_READ_DATA (in which case we can't
    write locks anyway).
    
    The patch is easier to understand by looking
    at the completed patched fruit_check_access()
    function, rather than trying to look at the
    diff.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Böhme <slow at samba.org>
    (cherry picked from commit 3204dc66f6801a7c8c87c48f601e0ebdee9e3d40)

commit 6f697b9c68ac9cbc3d88d204475f10314091ed62
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Thu Dec 20 16:47:00 2018 +1300

    netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg
    
    python[3]-gpgme is deprecated since ubuntu 1804 and debian 9.
    use python[3]-gpg instead, and adapt the API.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13728
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 84069c8a5476a47d45ab946d82abb0d6c04635c3)

commit 7644bb26be027b62d7388a6995355915cf1f14a1
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jan 18 14:24:30 2019 -0800

    smbd: uid: Don't crash if 'force group' is added to an existing share connection.
    
    smbd could crash if "force group" is added to a
    share definition whilst an existing connection
    to that share exists. In that case, don't change
    the existing credentials for force group, only
    do so for new connections.
    
    Remove knownfail from regression test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Fri Jan 25 16:31:27 CET 2019 on sn-devel-144
    
    (cherry picked from commit e37f9956c1f2416408bad048a4618f6366086b6a)

commit eac00de2a0975fe1ab6ea84784087c010b94e74c
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jan 24 10:15:56 2019 -0800

    s3: tests: Add regression test for smbd crash on share force group change with existing connection.
    
    Mark as known fail for now.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7b21b4c1f538650f23ec77fb3c02fe1e224d89aa)

commit 44f49283cb8059bac269175efb0ea8c75b639e7c
Author: David Disseldorp <ddiss at samba.org>
Date:   Tue Jan 29 01:55:04 2019 +0100

    printing: check lp_load_printers() prior to pcap cache update
    
    Avoid explicit and housekeeping timer triggered printcap cache updates
    if lp_load_printers() is disabled.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13766
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    
    Autobuild-User(master): Noel Power <npower at samba.org>
    Autobuild-Date(master): Fri Feb  1 19:25:03 CET 2019 on sn-devel-144
    
    (cherry picked from commit 6a77237c50dd258521f356af0b5dc9942dd5592e)

commit 3ec3f9dcb3f7c28ac9a0d9b0f36446766e6e47ea
Author: David Disseldorp <ddiss at samba.org>
Date:   Tue Jan 29 01:50:15 2019 +0100

    printing: drop pcap_cache_loaded() guard around load_printers()
    
    Add the pcap_cache_loaded() check to load_printers() and return early
    if it returns false. This simplifies callers in preparation for checking
    lp_load_printers() in the printcap cache update code-path.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13766
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Noel Power <npower at samba.org>
    (cherry picked from commit 0ae7c3144a30910adb1e54cf46d54d42a1036839)

commit 455099bd9dd51487153ff271dafc29f77c21b76c
Author: Günther Deschner <gd at samba.org>
Date:   Tue Jan 15 14:26:17 2019 +0100

    s3-smbd: use fruit:model string for mDNS registration
    
    With this change we now allow modifying the icon that represents Samba in
    Finder. Possible values are at least:
    
    fruit:model = iMac
    fruit:model = MacBook
    fruit:model = MacPro
    fruit:model = Xserve
    fruit:model = RackMac
    
    Prior to this change we only displayed the correct icon when a mac
    client negotiated the apple create context over SMB.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13746
    
    Based on proposed patch from Rouven WEILER <Rouven_Weiler at gmx.net>
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Tue Jan 15 21:27:20 CET 2019 on sn-devel-144
    
    (cherry picked from commit 538ce72f1b2fa78450e3b711e58bd0e238faf466)

-----------------------------------------------------------------------

Summary of changes:
 python/samba/netcmd/user.py                     |  86 +++++++---
 selftest/selftesthelpers.py                     |   1 +
 selftest/target/Samba3.pm                       |   6 +
 source3/include/proto.h                         |   2 +-
 source3/lib/tldap.c                             |   1 -
 source3/lib/tldap_util.c                        |   2 -
 source3/lib/util.c                              |   7 +-
 source3/modules/vfs_default.c                   |  14 +-
 source3/modules/vfs_fruit.c                     | 204 +++++++++++-------------
 source3/printing/load.c                         |   4 +-
 source3/printing/pcap.c                         |   5 +
 source3/printing/queue_process.c                |   6 +-
 source3/printing/spoolssd.c                     |   8 +-
 source3/script/tests/test_force_group_change.sh |  73 +++++++++
 source3/selftest/tests.py                       |   3 +
 source3/smbd/avahi_register.c                   |  27 ++++
 source3/smbd/files.c                            |   9 ++
 source3/smbd/uid.c                              |  35 +++-
 source3/wscript                                 |   3 +
 source3/wscript_build                           |   1 +
 source4/torture/vfs/fruit.c                     |  26 ++-
 21 files changed, 354 insertions(+), 169 deletions(-)
 create mode 100755 source3/script/tests/test_force_group_change.sh


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index 5af76c9be7d..437866c0a42 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -21,6 +21,7 @@ import samba.getopt as options
 import ldb
 import pwd
 import os
+import io
 import re
 import tempfile
 import difflib
@@ -56,15 +57,56 @@ from samba.netcmd import (
     )
 from samba.compat import text_type
 
-try:
-    import io
-    import gpgme
-    gpgme_support = True
-    decrypt_samba_gpg_help = "Decrypt the SambaGPG password as cleartext source"
-except ImportError as e:
-    gpgme_support = False
-    decrypt_samba_gpg_help = "Decrypt the SambaGPG password not supported, " + \
-            "python-gpgme required"
+
+# python[3]-gpgme is abandoned since ubuntu 1804 and debian 9
+# have to use python[3]-gpg instead
+# The API is different, need to adapt.
+
+def _gpgme_decrypt(encrypted_bytes):
+    """
+    Use python[3]-gpgme to decrypt GPG.
+    """
+    ctx = gpgme.Context()
+    ctx.armor = True  # use ASCII-armored
+    out = io.BytesIO()
+    ctx.decrypt(io.BytesIO(encrypted_bytes), out)
+    return out.getvalue()
+
+
+def _gpg_decrypt(encrypted_bytes):
+    """
+    Use python[3]-gpg to decrypt GPG.
+    """
+    ciphertext = gpg.Data(string=encrypted_bytes)
+    ctx = gpg.Context(armor=True)
+    # plaintext, result, verify_result
+    plaintext, _, _ = ctx.decrypt(ciphertext)
+    return plaintext
+
+
+gpg_decrypt = None
+
+if not gpg_decrypt:
+    try:
+        import gpgme
+        gpg_decrypt = _gpgme_decrypt
+    except ImportError:
+        pass
+
+if not gpg_decrypt:
+    try:
+        import gpg
+        gpg_decrypt = _gpg_decrypt
+    except ImportError:
+        pass
+
+if gpg_decrypt:
+    decrypt_samba_gpg_help = ("Decrypt the SambaGPG password as "
+                              "cleartext source")
+else:
+    decrypt_samba_gpg_help = ("Decrypt the SambaGPG password not supported, "
+                              "python[3]-gpgme or python[3]-gpg required")
+
 
 disabled_virtual_attributes = {
     }
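Review bot: `_gpgme_decrypt` and `_gpg_decrypt` use the module names `gpgme` and `gpg`, which are bound only if the matching `try: import` further down succeeded, and their one-line docstrings do not say so. Each docstring should state that the helper is reached only through `gpg_decrypt`, that it takes the encrypted SambaGPG blob as bytes and returns the decrypted bytes, and that backend errors propagate to the caller. The first `if not gpg_decrypt:` directly after `gpg_decrypt = None` is always true and can be dropped. When both modules are installed, the selection prefers the one the comment calls abandoned; if that order is deliberate, it deserves a comment such as `# prefer gpgme where still installed, fall back to gpg`.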
@@ -1024,13 +1066,8 @@ class GetPasswordCommand(Command):
             #
             sgv = get_package("Primary:SambaGPG", min_idx=-1)
             if sgv is not None and unicodePwd is not None:
-                ctx = gpgme.Context()
-                ctx.armor = True
-                cipher_io = io.BytesIO(sgv)
-                plain_io = io.BytesIO()
                 try:
-                    ctx.decrypt(cipher_io, plain_io)
-                    cv = plain_io.getvalue()
+                    cv = gpg_decrypt(sgv)
                     #
                     # We only use the password if it matches
                     # the current nthash stored in the unicodePwd
@@ -1042,14 +1079,13 @@ class GetPasswordCommand(Command):
                     nthash = tmp.get_nt_hash()
                     if nthash == unicodePwd:
                         calculated["Primary:CLEARTEXT"] = cv
-                except gpgme.GpgmeError as e1:
-                    (major, minor, msg) = e1.args
-                    if major == gpgme.ERR_BAD_SECKEY:
-                        msg = "ERR_BAD_SECKEY: " + msg
-                    else:
-                        msg = "MAJOR:%d, MINOR:%d: %s" % (major, minor, msg)
-                    self.outf.write("WARNING: '%s': SambaGPG can't be decrypted into CLEARTEXT: %s\n" % (
-                                    username or account_name, msg))
+
+                except Exception as e:
+                    self.outf.write(
+                        "WARNING: '%s': SambaGPG can't be decrypted "
+                        "into CLEARTEXT: %s\n" % (
+                            username or account_name, e))
+
 
         def get_utf8(a, b, username):
             try:
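Review bot: `except Exception as e:` guards the whole `try` body, which opens in the previous hunk and also holds the nthash comparison. An unrelated failure there, such as a `TypeError` or `AttributeError`, is therefore reported as "SambaGPG can't be decrypted" and the command carries on. It would be narrower to record the selected backend's error class next to `gpg_decrypt` at import time and catch only that, for example `except gpg_decrypt_errors as e:`, so that programming errors still surface. The removed handler singled out `ERR_BAD_SECKEY`, which pointed an operator at a missing secret key; the new message relies on whatever `str(e)` contains. That text is written to `self.outf` verbatim, so it is worth confirming the backend exceptions never include key material or plaintext.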
@@ -1458,7 +1494,7 @@ samba-tool user getpassword --filter=samaccountname=TestUser3 --attributes=msDS-
             sambaopts=None, versionopts=None):
         self.lp = sambaopts.get_loadparm()
 
-        if decrypt_samba_gpg and not gpgme_support:
+        if decrypt_samba_gpg and not gpg_decrypt:
             raise CommandError(decrypt_samba_gpg_help)
 
         if filter is None and username is None:
@@ -1800,7 +1836,7 @@ samba-tool user syncpasswords --terminate \\
             if H is None:
                 H = "ldapi://%s" % os.path.abspath(self.lp.private_path("ldap_priv/ldapi"))
 
-            if decrypt_samba_gpg and not gpgme_support:
+            if decrypt_samba_gpg and not gpg_decrypt:
                 raise CommandError(decrypt_samba_gpg_help)
 
             password_attrs = self.parse_attributes(attributes)
diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py
index 0d8014c7d13..6e73f9f2673 100644
--- a/selftest/selftesthelpers.py
+++ b/selftest/selftesthelpers.py
@@ -197,3 +197,4 @@ smbcquotas = binpath('smbcquotas')
 smbget = binpath('smbget')
 rpcclient = binpath('rpcclient')
 smbcacls = binpath('smbcacls')
+smbcontrol = binpath('smbcontrol')
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 314aae55bc5..47b9c8cbc48 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -904,6 +904,12 @@ sub setup_fileserver
 	force group = everyone
 	write list = force_user
 
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
+[force_group_test]
+	path = $share_dir
+	comment = force group test
+#	force group = everyone
+
 [smbget]
 	path = $smbget_sharedir
 	comment = smb username is [%U]
diff --git a/source3/include/proto.h b/source3/include/proto.h
index fea4ba51be5..7ddf627fff0 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -362,7 +362,7 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist);
 void free_namearray(name_compare_entry *name_array);
 bool fcntl_lock(int fd, int op, off_t offset, off_t count, int type);
 bool fcntl_getlock(int fd, int op, off_t *poffset, off_t *pcount, int *ptype, pid_t *ppid);
-int map_process_lock_to_ofd_lock(int op, bool *use_ofd_locks);
+int map_process_lock_to_ofd_lock(int op);
 bool is_myname(const char *s);
 void ra_lanman_string( const char *native_lanman );
 const char *get_remote_arch_str(void);
diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
index bfb24ee8661..d6c6e8859a6 100644
--- a/source3/lib/tldap.c
+++ b/source3/lib/tldap.c
@@ -1920,7 +1920,6 @@ static void tldap_search_all_done(struct tevent_req *subreq)
 	rc = tldap_search_recv(subreq, state, &msg);
 	/* No TALLOC_FREE(subreq), this is multi-step */
 	if (tevent_req_ldap_error(req, rc)) {
-		TALLOC_FREE(subreq);
 		return;
 	}
 
diff --git a/source3/lib/tldap_util.c b/source3/lib/tldap_util.c
index 508c6c02f80..54a9eb30bbe 100644
--- a/source3/lib/tldap_util.c
+++ b/source3/lib/tldap_util.c
@@ -457,7 +457,6 @@ static void tldap_fetch_rootdse_done(struct tevent_req *subreq)
 
 	rc = tldap_search_recv(subreq, state, &msg);
 	if (tevent_req_ldap_error(req, rc)) {
-		TALLOC_FREE(subreq);
 		return;
 	}
 
@@ -739,7 +738,6 @@ static void tldap_search_paged_done(struct tevent_req *subreq)
 
 	rc = tldap_search_recv(subreq, state, &state->result);
 	if (tevent_req_ldap_error(req, rc)) {
-		TALLOC_FREE(subreq);
 		return;
 	}
 
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 394fa5fd191..df1474e99de 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1071,7 +1071,7 @@ bool fcntl_getlock(int fd, int op, off_t *poffset, off_t *pcount, int *ptype, pi
 }
 
 #if defined(HAVE_OFD_LOCKS)
-int map_process_lock_to_ofd_lock(int op, bool *use_ofd_locks)
+int map_process_lock_to_ofd_lock(int op)
 {
 	switch (op) {
 	case F_GETLK:
@@ -1087,16 +1087,13 @@ int map_process_lock_to_ofd_lock(int op, bool *use_ofd_locks)
 		op = F_OFD_SETLKW;
 		break;
 	default:
-		*use_ofd_locks = false;
 		return -1;
 	}
-	*use_ofd_locks = true;
 	return op;
 }
 #else /* HAVE_OFD_LOCKS */
-int map_process_lock_to_ofd_lock(int op, bool *use_ofd_locks)
+int map_process_lock_to_ofd_lock(int op)
 {
-	*use_ofd_locks = false;
 	return op;
 }
 #endif /* HAVE_OFD_LOCKS */
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 082b70f5a98..ce5efd82a64 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -2380,11 +2380,8 @@ static bool vfswrap_lock(vfs_handle_struct *handle, files_struct *fsp, int op, o
 
 	START_PROFILE(syscall_fcntl_lock);
 
-	if (fsp->use_ofd_locks || !lp_parm_bool(SNUM(fsp->conn),
-						"smbd",
-						"force process locks",
-						false)) {
-		op = map_process_lock_to_ofd_lock(op, &fsp->use_ofd_locks);
+	if (fsp->use_ofd_locks) {
+		op = map_process_lock_to_ofd_lock(op);
 	}
 
 	result =  fcntl_lock(fsp->fh->fd, op, offset, count, type);
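Review bot: The value returned by `map_process_lock_to_ofd_lock(op)` goes straight into `fcntl_lock()` without a check. With the `use_ofd_locks` out-parameter removed, the `-1` from the `default:` case in source3/lib/util.c is the only signal that an op has no OFD equivalent. Presumably fcntl() rejects that command and the lock simply fails, but the cause is then invisible in the logs. Testing `op == -1` right after the mapping and logging it before returning failure would make a mismatched op diagnosable. The same applies to `vfswrap_getlock` in the next hunk. Both function bodies continue outside their hunks, and the place where `fsp->use_ofd_locks` is now decided is not visible in this truncated changeset.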
@@ -2408,11 +2405,8 @@ static bool vfswrap_getlock(vfs_handle_struct *handle, files_struct *fsp, off_t
 
 	START_PROFILE(syscall_fcntl_getlock);
 
-	if (fsp->use_ofd_locks || !lp_parm_bool(SNUM(fsp->conn),
-						"smbd",
-						"force process locks",
-						false)) {
-		op = map_process_lock_to_ofd_lock(op, &fsp->use_ofd_locks);
+	if (fsp->use_ofd_locks) {
+		op = map_process_lock_to_ofd_lock(op);
 	}
 
 	result = fcntl_getlock(fsp->fh->fd, op, poffset, pcount, ptype, ppid);
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 90fcd5d5d34..773186af42c 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -2647,7 +2647,7 @@ static bool test_netatalk_lock(files_struct *fsp, off_t in_offset)
 	off_t offset = in_offset;
 	off_t len = 1;
 	int type = F_WRLCK;
-	pid_t pid;
+	pid_t pid = 0;
 
 	result = SMB_VFS_GETLOCK(fsp, &offset, &len, &type, &pid);
 	if (result == false) {
@@ -2664,156 +2664,146 @@ static bool test_netatalk_lock(files_struct *fsp, off_t in_offset)
 static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
 				   files_struct *fsp,
 				   uint32_t access_mask,
-				   uint32_t deny_mode)
+				   uint32_t share_mode)
 {
 	NTSTATUS status = NT_STATUS_OK;
-	bool open_for_reading, open_for_writing, deny_read, deny_write;
 	off_t off;
-	bool have_read = false;
-	int flags;
+	bool share_for_read = (share_mode & FILE_SHARE_READ);
+	bool share_for_write = (share_mode & FILE_SHARE_WRITE);
+	bool netatalk_already_open_for_reading = false;
+	bool netatalk_already_open_for_writing = false;
+	bool netatalk_already_open_with_deny_read = false;
+	bool netatalk_already_open_with_deny_write = false;
 
 	/* FIXME: hardcoded data fork, add resource fork */
 	enum apple_fork fork_type = APPLE_FORK_DATA;
 
-	DEBUG(10, ("fruit_check_access: %s, am: %s/%s, dm: %s/%s\n",
+	DBG_DEBUG("fruit_check_access: %s, am: %s/%s, sm: 0x%x\n",
 		  fsp_str_dbg(fsp),
 		  access_mask & FILE_READ_DATA ? "READ" :"-",
 		  access_mask & FILE_WRITE_DATA ? "WRITE" : "-",
-		  deny_mode & DENY_READ ? "DENY_READ" : "-",
-		  deny_mode & DENY_WRITE ? "DENY_WRITE" : "-"));
+		  share_mode);
 
 	if (fsp->fh->fd == -1) {
 		return NT_STATUS_OK;
 	}
 
-	flags = fcntl(fsp->fh->fd, F_GETFL);
-	if (flags == -1) {
-		DBG_ERR("fcntl get flags [%s] fd [%d] failed [%s]\n",
-			fsp_str_dbg(fsp), fsp->fh->fd, strerror(errno));
-		return map_nt_error_from_unix(errno);
-	}
-
-	if (flags & (O_RDONLY|O_RDWR)) {
-		/*
-		 * Applying fcntl read locks requires an fd opened for
-		 * reading. This means we won't be applying locks for
-		 * files openend write-only, but what can we do...
-		 */
-		have_read = true;
-	}
+	/* Read NetATalk opens and deny modes on the file. */
+	netatalk_already_open_for_reading = test_netatalk_lock(fsp,
+				access_to_netatalk_brl(fork_type,
+					FILE_READ_DATA));
 
-	/*
-	 * Check read access and deny read mode
-	 */
-	if ((access_mask & FILE_READ_DATA) || (deny_mode & DENY_READ)) {
-		/* Check access */
-		open_for_reading = test_netatalk_lock(
-			fsp, access_to_netatalk_brl(fork_type, FILE_READ_DATA));
+	netatalk_already_open_with_deny_read = test_netatalk_lock(fsp,
+				denymode_to_netatalk_brl(fork_type,
+					DENY_READ));
 
-		deny_read = test_netatalk_lock(
-			fsp, denymode_to_netatalk_brl(fork_type, DENY_READ));
+	netatalk_already_open_for_writing = test_netatalk_lock(fsp,
+				access_to_netatalk_brl(fork_type,
+					FILE_WRITE_DATA));
 
-		DEBUG(10, ("read: %s, deny_write: %s\n",
-			  open_for_reading == true ? "yes" : "no",
-			  deny_read == true ? "yes" : "no"));
+	netatalk_already_open_with_deny_write = test_netatalk_lock(fsp,
+				denymode_to_netatalk_brl(fork_type,
+					DENY_WRITE));
 
-		if (((access_mask & FILE_READ_DATA) && deny_read)
-		    || ((deny_mode & DENY_READ) && open_for_reading)) {
-			return NT_STATUS_SHARING_VIOLATION;
-		}
+	/* If there are any conflicts - sharing violation. */
+	if ((access_mask & FILE_READ_DATA) &&
+			netatalk_already_open_with_deny_read) {
+		return NT_STATUS_SHARING_VIOLATION;
+	}
 
-		/* Set locks */
-		if ((access_mask & FILE_READ_DATA) && have_read) {
-			struct byte_range_lock *br_lck = NULL;
+	if (!share_for_read &&
+			netatalk_already_open_for_reading) {
+		return NT_STATUS_SHARING_VIOLATION;
+	}
 
-			off = access_to_netatalk_brl(fork_type, FILE_READ_DATA);
-			br_lck = do_lock(
-				handle->conn->sconn->msg_ctx, fsp,
-				fsp->op->global->open_persistent_id, 1, off,
-				READ_LOCK, POSIX_LOCK, false,
-				&status, NULL);
+	if ((access_mask & FILE_WRITE_DATA) &&
+			netatalk_already_open_with_deny_write) {
+		return NT_STATUS_SHARING_VIOLATION;
+	}
 
-			TALLOC_FREE(br_lck);
+	if (!share_for_write &&
+			netatalk_already_open_for_writing) {
+		return NT_STATUS_SHARING_VIOLATION;
+	}
 
-			if (!NT_STATUS_IS_OK(status))  {
-				return status;
-			}
-		}
+	if (!(access_mask & FILE_READ_DATA)) {
+		/*
+		 * Nothing we can do here, we need read access
+		 * to set locks.
+		 */
+		return NT_STATUS_OK;
+	}
 
-		if ((deny_mode & DENY_READ) && have_read) {
-			struct byte_range_lock *br_lck = NULL;
+	/* Set NetAtalk locks matching our access */
+	if (access_mask & FILE_READ_DATA) {
+		struct byte_range_lock *br_lck = NULL;
 
-			off = denymode_to_netatalk_brl(fork_type, DENY_READ);
-			br_lck = do_lock(
-				handle->conn->sconn->msg_ctx, fsp,
-				fsp->op->global->open_persistent_id, 1, off,
-				READ_LOCK, POSIX_LOCK, false,
-				&status, NULL);
+		off = access_to_netatalk_brl(fork_type, FILE_READ_DATA);
+		br_lck = do_lock(
+			handle->conn->sconn->msg_ctx, fsp,
+			fsp->op->global->open_persistent_id, 1, off,
+			READ_LOCK, POSIX_LOCK, false,
+			&status, NULL);
 
-			TALLOC_FREE(br_lck);
+		TALLOC_FREE(br_lck);
 
-			if (!NT_STATUS_IS_OK(status)) {
-				return status;
-			}
+		if (!NT_STATUS_IS_OK(status))  {
+			return status;
 		}
 	}
 
-	/*
-	 * Check write access and deny write mode
-	 */
-	if ((access_mask & FILE_WRITE_DATA) || (deny_mode & DENY_WRITE)) {
-		/* Check access */
-		open_for_writing = test_netatalk_lock(
-			fsp, access_to_netatalk_brl(fork_type, FILE_WRITE_DATA));
+	if (!share_for_read) {
+		struct byte_range_lock *br_lck = NULL;
 
-		deny_write = test_netatalk_lock(
-			fsp, denymode_to_netatalk_brl(fork_type, DENY_WRITE));
+		off = denymode_to_netatalk_brl(fork_type, DENY_READ);
+		br_lck = do_lock(
+			handle->conn->sconn->msg_ctx, fsp,
+			fsp->op->global->open_persistent_id, 1, off,
+			READ_LOCK, POSIX_LOCK, false,
+			&status, NULL);
 
-		DEBUG(10, ("write: %s, deny_write: %s\n",
-			  open_for_writing == true ? "yes" : "no",
-			  deny_write == true ? "yes" : "no"));
+		TALLOC_FREE(br_lck);
 
-		if (((access_mask & FILE_WRITE_DATA) && deny_write)
-		    || ((deny_mode & DENY_WRITE) && open_for_writing)) {
-			return NT_STATUS_SHARING_VIOLATION;
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
 		}
+	}
 
-		/* Set locks */
-		if ((access_mask & FILE_WRITE_DATA) && have_read) {
-			struct byte_range_lock *br_lck = NULL;
+	if (access_mask & FILE_WRITE_DATA) {
+		struct byte_range_lock *br_lck = NULL;
 
-			off = access_to_netatalk_brl(fork_type, FILE_WRITE_DATA);
-			br_lck = do_lock(
-				handle->conn->sconn->msg_ctx, fsp,
-				fsp->op->global->open_persistent_id, 1, off,
-				READ_LOCK, POSIX_LOCK, false,
-				&status, NULL);
+		off = access_to_netatalk_brl(fork_type, FILE_WRITE_DATA);
+		br_lck = do_lock(
+			handle->conn->sconn->msg_ctx, fsp,
+			fsp->op->global->open_persistent_id, 1, off,
+			READ_LOCK, POSIX_LOCK, false,
+			&status, NULL);
 
-			TALLOC_FREE(br_lck);
+		TALLOC_FREE(br_lck);
 
-			if (!NT_STATUS_IS_OK(status)) {
-				return status;
-			}
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
 		}
-		if ((deny_mode & DENY_WRITE) && have_read) {
-			struct byte_range_lock *br_lck = NULL;
+	}
 


-- 
Samba Shared Repository


