[SCM] Samba Shared Repository - branch v4-8-test updated

Karolin Seeger kseeger at samba.org
Thu Feb 21 16:43:02 UTC 2019


The branch, v4-8-test has been updated
       via  080dae06412 waf: Check for libnscd
       via  e60d5ca3a7b tldap: avoid more use after free errors
       via  24c71628c34 tldap: avoid a use after free crash
       via  2f8bd74b67c s3:vfs: Correctly check if OFD locks should be enabled or not
       via  b9120174c66 s3:vfs: Initialize pid to 0 in test_netatalk_lock()
       via  0b15de2db78 s4: torture: vfs_fruit. Change test_fruit_locking_conflict() to match the vfs_fruit working server code.
       via  aec654431dd s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code.
       via  3a50ce1cc9d netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg
       via  83d82e735bb smbd: uid: Don't crash if 'force group' is added to an existing share connection.
       via  b3638852508 s3: tests: Add regression test for smbd crash on share force group change with existing connection.
       via  8c8457150c5 printing: check lp_load_printers() prior to pcap cache update
       via  32d6bf67801 printing: drop pcap_cache_loaded() guard around load_printers()
       via  6e0514d273e s3-smbd: use fruit:model string for mDNS registration
      from  22d5649e895 ldb: Bump ldb version to 1.3.7

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test


- Log -----------------------------------------------------------------
commit 080dae0641293547cb88e4d39e7a9266d4decb0e
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Feb 12 12:28:32 2019 -0700

    waf: Check for libnscd
    
    The check was in the old autoconf, but not in waf. As the code is still
    in source3/lib/util_nscd.c, add the check for libnscd to allow building
    and using the code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13787
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Wed Feb 13 17:58:33 CET 2019 on sn-devel-144
    
    (cherry picked from commit 3a793497796395ffa3efda5807bdb1ca8e09e35b)
    
    Autobuild-User(v4-8-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-8-test): Thu Feb 21 17:42:07 CET 2019 on sn-devel-144

commit e60d5ca3a7b4b962e012c4ee8f0ff9062c534af4
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Feb 5 14:08:56 2019 +0100

    tldap: avoid more use after free errors
    
    See the previous commit for an explanation. :)
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13776
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Wed Feb  6 10:19:12 CET 2019 on sn-devel-144
    
    (cherry picked from commit bf91ee0a9727cc392583fe84ad069204be758515)

commit 24c71628c3415089b34fe998ff923db7cc6165c6
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Feb 5 13:56:53 2019 +0100

    tldap: avoid a use after free crash
    
    I saw the following crash in tldap in the winbindd idmap child on a
    member server after messing with the LDAP server on the DC:
    
    0  0x00007f77ea9a307a in __GI___waitpid (pid=9815, stat_loc=stat_loc at entry=0x7ffe77569eb0, options=options at entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
    1  0x00007f77ea91bfbb in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148
    2  0x00007f77edd8c24b in smb_panic_s3 (why=0x7f77f08e6e88 "Bad talloc magic value - access after free") at ../source3/lib/util.c:828
    3  0x00007f77f15afe85 in smb_panic (why=0x7f77f08e6e88 "Bad talloc magic value - access after free") at ../lib/util/fault.c:170
    4  0x00007f77f08e2678 in talloc_abort (reason=0x7f77f08e6e88 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:472
    5  0x00007f77f08e268b in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:477
    6  0x00007f77f08e2710 in talloc_chunk_from_ptr (ptr=0x55da7605a020) at ../lib/talloc/talloc.c:494
    7  0x00007f77f08e4a19 in _talloc_free (ptr=0x55da7605a020, location=0x7f77e181474d "../source3/lib/tldap.c:1918") at ../lib/talloc/talloc.c:1716
    8  0x00007f77e180b65c in tldap_search_all_done (subreq=0x55da7605a020) at ../source3/lib/tldap.c:1918
    9  0x00007f77f0af0fd0 in _tevent_req_notify_callback (req=0x55da7605a020, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:125
    10 0x00007f77f0af10a5 in tevent_req_finish (req=0x55da7605a020, state=TEVENT_REQ_USER_ERROR, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:162
    11 0x00007f77f0af1113 in _tevent_req_error (req=0x55da7605a020, error=9780923860630110289, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:180
    12 0x00007f77e180781a in tevent_req_ldap_error (req=0x55da7605a020, rc=...) at ../source3/lib/tldap.c:47
    13 0x00007f77e180b2c4 in tldap_search_done (subreq=0x55da76058280) at ../source3/lib/tldap.c:1813
    14 0x00007f77f0af0fd0 in _tevent_req_notify_callback (req=0x55da76058280, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:125
    15 0x00007f77f0af10a5 in tevent_req_finish (req=0x55da76058280, state=TEVENT_REQ_USER_ERROR, location=0x7f77e1813e50 "../source3/lib/tldap.c:47") at ../lib/tevent/tevent_req.c:162
    16 0x00007f77f0af11cd in tevent_req_trigger (ev=0x55da760526c0, im=0x55da76058360, private_data=0x55da76058280) at ../lib/tevent/tevent_req.c:219
    17 0x00007f77f0af0378 in tevent_common_loop_immediate (ev=0x55da760526c0) at ../lib/tevent/tevent_immediate.c:135
    18 0x00007f77f0af8b8f in epoll_event_loop_once (ev=0x55da760526c0, location=0x7f77f0af92b0 "../lib/tevent/tevent_req.c:269") at ../lib/tevent/tevent_epoll.c:911
    19 0x00007f77f0af5925 in std_event_loop_once (ev=0x55da760526c0, location=0x7f77f0af92b0 "../lib/tevent/tevent_req.c:269") at ../lib/tevent/tevent_standard.c:114
    20 0x00007f77f0aef201 in _tevent_loop_once (ev=0x55da760526c0, location=0x7f77f0af92b0 "../lib/tevent/tevent_req.c:269") at ../lib/tevent/tevent.c:725
    21 0x00007f77f0af1361 in tevent_req_poll (req=0x55da7605eed0, ev=0x55da760526c0) at ../lib/tevent/tevent_req.c:269
    22 0x00007f77e180fec9 in tldap_gensec_bind (ctx=0x55da76051ec0, creds=0x55da76052250, target_service=0x7f77e18164b3 "ldap", target_hostname=0x55da7605d182 "dc1.sdom1.site", target_principal=0x0, lp_ctx=0x55da76052180, gensec_features=6) at ../source3/lib/tldap_gensec_bind.c:358
    23 0x00007f77e1810d21 in idmap_ad_get_tldap_ctx (mem_ctx=0x55da76050510, domname=0x55da76051d50 "sdom1", pld=0x55da76050518) at ../source3/winbindd/idmap_ad.c:326
    24 0x00007f77e1811056 in idmap_ad_context_create (mem_ctx=0x55da76059c00, dom=0x55da76059c00, domname=0x55da76051d50 "sdom1", pctx=0x7ffe7756a5f8) at ../source3/winbindd/idmap_ad.c:374
    25 0x00007f77e18119c0 in idmap_ad_get_context (dom=0x55da76059c00, pctx=0x7ffe7756a640) at ../source3/winbindd/idmap_ad.c:554
    26 0x00007f77e181275b in idmap_ad_sids_to_unixids (dom=0x55da76059c00, ids=0x55da760518a0) at ../source3/winbindd/idmap_ad.c:784
    27 0x00007f77e1813217 in idmap_ad_sids_to_unixids_retry (dom=0x55da76059c00, ids=0x55da760518a0) at ../source3/winbindd/idmap_ad.c:947
    28 0x000055da7459ce05 in _wbint_Sids2UnixIDs (p=0x7ffe7756a870, r=0x55da76050860) at ../source3/winbindd/winbindd_dual_srv.c:202
    29 0x000055da7460aa5e in api_wbint_Sids2UnixIDs (p=0x7ffe7756a870) at default/librpc/gen_ndr/srv_winbind.c:391
    30 0x000055da7459c7f4 in winbindd_dual_ndrcmd (domain=0x0, state=0x7ffe7756abb8) at ../source3/winbindd/winbindd_dual_ndr.c:369
    31 0x000055da7459828c in child_process_request (child=0x55da74874bc0 <static_idmap_child>, state=0x7ffe7756abb8) at ../source3/winbindd/winbindd_dual.c:666
    32 0x000055da7459ae58 in child_handler (ev=0x55da7602c2b0, fde=0x55da7603f8a0, flags=1, private_data=0x7ffe7756abb0) at ../source3/winbindd/winbindd_dual.c:1567
    33 0x00007f77f0af85f1 in epoll_event_loop (epoll_ev=0x55da76048b00, tvalp=0x7ffe7756aab0) at ../lib/tevent/tevent_epoll.c:728
    34 0x00007f77f0af8c29 in epoll_event_loop_once (ev=0x55da7602c2b0, location=0x55da74628b08 "../source3/winbindd/winbindd_dual.c:1766") at ../lib/tevent/tevent_epoll.c:930
    35 0x00007f77f0af5925 in std_event_loop_once (ev=0x55da7602c2b0, location=0x55da74628b08 "../source3/winbindd/winbindd_dual.c:1766") at ../lib/tevent/tevent_standard.c:114
    36 0x00007f77f0aef201 in _tevent_loop_once (ev=0x55da7602c2b0, location=0x55da74628b08 "../source3/winbindd/winbindd_dual.c:1766") at ../lib/tevent/tevent.c:725
    37 0x000055da7459b9e9 in fork_domain_child (child=0x55da74874bc0 <static_idmap_child>) at ../source3/winbindd/winbindd_dual.c:1766
    38 0x000055da74596e96 in wb_child_request_waited (subreq=0x0) at ../source3/winbindd/winbindd_dual.c:188
    39 0x00007f77f0af0fd0 in _tevent_req_notify_callback (req=0x55da7604f820, location=0x7f77f0af90f8 "../lib/tevent/tevent_queue.c:355") at ../lib/tevent/tevent_req.c:125
    40 0x00007f77f0af10a5 in tevent_req_finish (req=0x55da7604f820, state=TEVENT_REQ_DONE, location=0x7f77f0af90f8 "../lib/tevent/tevent_queue.c:355") at ../lib/tevent/tevent_req.c:162
    41 0x00007f77f0af10cd in _tevent_req_done (req=0x55da7604f820, location=0x7f77f0af90f8 "../lib/tevent/tevent_queue.c:355") at ../lib/tevent/tevent_req.c:168
    42 0x00007f77f0af0cc1 in tevent_queue_wait_trigger (req=0x55da7604f820, private_data=0x0) at ../lib/tevent/tevent_queue.c:355
    43 0x00007f77f0af06f2 in tevent_queue_immediate_trigger (ev=0x55da7602c2b0, im=0x55da760466a0, private_data=0x55da76046580) at ../lib/tevent/tevent_queue.c:149
    44 0x00007f77f0af0378 in tevent_common_loop_immediate (ev=0x55da7602c2b0) at ../lib/tevent/tevent_immediate.c:135
    45 0x00007f77f0af8b8f in epoll_event_loop_once (ev=0x55da7602c2b0, location=0x55da74612630 "../source3/winbindd/winbindd.c:1803") at ../lib/tevent/tevent_epoll.c:911
    46 0x00007f77f0af5925 in std_event_loop_once (ev=0x55da7602c2b0, location=0x55da74612630 "../source3/winbindd/winbindd.c:1803") at ../lib/tevent/tevent_standard.c:114
    47 0x00007f77f0aef201 in _tevent_loop_once (ev=0x55da7602c2b0, location=0x55da74612630 "../source3/winbindd/winbindd.c:1803") at ../lib/tevent/tevent.c:725
    48 0x000055da74561431 in main (argc=2, argv=0x7ffe7756c968) at ../source3/winbindd/winbindd.c:1803
    
    subreq is a child of req's state, which will already have been freed by
    the callback of req.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13776
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    (cherry picked from commit 9465292d4109f710f8fcd141a076f5c8278577bc)

commit 2f8bd74b67cda93a4bc8918cd6b1f950aa109b00
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jan 30 18:45:34 2019 +0100

    s3:vfs: Correctly check if OFD locks should be enabled or not
    
    Also the smb.conf options should only be checked once and a reload of
    the config should not switch to a different locking mode.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat Feb  9 03:43:50 CET 2019 on sn-devel-144
    
    (cherry picked from commit 7ff94b18e2e39567ef7a208084cc5c914c39d3bd)

commit b9120174c6699696ffe08ec1b969544d9f340f8d
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Jan 30 18:09:52 2019 +0100

    s3:vfs: Initialize pid to 0 in test_netatalk_lock()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 2ff2594b2bd878928cec30bc72a95a6d38bee154)

commit 0b15de2db78cf6a6adbb9763e18100552bcf9508
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Feb 6 18:01:52 2019 -0800

    s4: torture: vfs_fruit. Change test_fruit_locking_conflict() to match the vfs_fruit working server code.
    
    Originally added for BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584
    to demonstrate a lock order violation, this test
    exposed problems in the mapping of SMB1/2 share modes
    and open modes to NetATalk modes once we moved to OFD locks.
    
    Change the test slightly (and add comments)
    so it demonstrates working NetATalk share modes
    on an open file.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Böhme <slow at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Feb  8 23:26:46 CET 2019 on sn-devel-144
    
    (cherry picked from commit 28990e4ba23695ecf264117efad90cc4e573302e)

commit aec654431dd8117c78da3b658f2dd5ee221b621f
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Feb 6 17:49:16 2019 -0800

    s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility code.
    
    This exhibited itself as a problem with OFD locks reported
    as:
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770
    
    However, due to underlying bugs in the vfs_fruit
    code the file locks were not being properly applied.
    
    There are two problems in fruit_check_access().
    
    Problem #1:
    
    Inside fruit_check_access() we have:
    
    flags = fcntl(fsp->fh->fd, F_GETFL);
    ..
    if (flags & (O_RDONLY|O_RDWR)) {
    
    We shouldn't be calling fcntl(fsp->fh->fd, ..) directly.
    fsp->fh->fd may be a made up number from an underlying
    VFS module that has no meaning to a system call.
    
    Secondly, in all POSIX systems - O_RDONLY is defined as
    *zero*. O_RDWR = 2.
    
    Which means flags & (O_RDONLY|O_RDWR) becomes (flags & 2),
    not what we actually thought.
    
    Problem #2:
    
    deny_mode is *not* a bitmask, it's a set of discrete values.
    
    Inside fruit_check_access() we have:
    
    if (deny_mode & DENY_READ) and also (deny_mode & DENY_WRITE)
    
    However, deny modes are defined as:
    
    /* deny modes */
    define DENY_DOS 0
    define DENY_ALL 1
    define DENY_WRITE 2
    define DENY_READ 3
    define DENY_NONE 4
    define DENY_FCB 7
    
    so if deny_mode = DENY_WRITE, or if deny_mode = DENY_READ
    then it's going to trigger both the if (deny_mode & DENY_READ)
    *and* the (deny_mode & DENY_WRITE) conditions.
    
    These problems allowed the original test test_netatalk_lock code to
    pass (which was added for BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584
    to demonstrate the lock order violation).
    
    This patch refactors the fruit_check_access()
    code to be much simpler (IMHO) to understand.
    
    Firstly, pass in the SMB1/2 share mode, not old
    DOS deny modes.
    
    Secondly, read all the possible NetAtalk locks
    into local variables:
    
    netatalk_already_open_for_reading
    netatalk_already_open_with_deny_read
    netatalk_already_open_for_writing
    netatalk_already_open_with_deny_write
    
    Then do the share mode/access mode checks
    with the requested values against any stored
    netatalk modes/access modes.
    
    Finally add in NetATalk compatible locks
    that represent our share modes/access modes
    into the file, with an early return if we don't
    have FILE_READ_DATA (in which case we can't
    write locks anyway).
    
    The patch is easier to understand by looking
    at the completed patched fruit_check_access()
    function, rather than trying to look at the
    diff.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Böhme <slow at samba.org>
    (cherry picked from commit 3204dc66f6801a7c8c87c48f601e0ebdee9e3d40)

commit 3a50ce1cc9d634b384ba5dc4a60d2feeeb616182
Author: Joe Guo <joeg at catalyst.net.nz>
Date:   Thu Dec 20 16:47:00 2018 +1300

    netcmd/user: python[3]-gpgme unsupported and replaced by python[3]-gpg
    
    python[3]-gpgme is deprecated since ubuntu 1804 and debian 9.
    use python[3]-gpg instead, and adapt the API.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13728
    
    Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 84069c8a5476a47d45ab946d82abb0d6c04635c3)

commit 83d82e735bb6399142b7e18cf83aa81abefeba33
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jan 18 14:24:30 2019 -0800

    smbd: uid: Don't crash if 'force group' is added to an existing share connection.
    
    smbd could crash if "force group" is added to a
    share definition whilst an existing connection
    to that share exists. In that case, don't change
    the existing credentials for force group, only
    do so for new connections.
    
    Remove knownfail from regression test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Fri Jan 25 16:31:27 CET 2019 on sn-devel-144
    
    (cherry picked from commit e37f9956c1f2416408bad048a4618f6366086b6a)

commit b363885250897b37820e08a335e5a043dff2a272
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jan 24 10:15:56 2019 -0800

    s3: tests: Add regression test for smbd crash on share force group change with existing connection.
    
    Mark as known fail for now.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7b21b4c1f538650f23ec77fb3c02fe1e224d89aa)

commit 8c8457150c53045a81207c340cc8694ac60f28bf
Author: David Disseldorp <ddiss at samba.org>
Date:   Tue Jan 29 01:55:04 2019 +0100

    printing: check lp_load_printers() prior to pcap cache update
    
    Avoid explicit and housekeeping timer triggered printcap cache updates
    if lp_load_printers() is disabled.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13766
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    
    Autobuild-User(master): Noel Power <npower at samba.org>
    Autobuild-Date(master): Fri Feb  1 19:25:03 CET 2019 on sn-devel-144
    
    (cherry picked from commit 6a77237c50dd258521f356af0b5dc9942dd5592e)

commit 32d6bf67801e66cf7472788a520c270f454d924d
Author: David Disseldorp <ddiss at samba.org>
Date:   Tue Jan 29 01:50:15 2019 +0100

    printing: drop pcap_cache_loaded() guard around load_printers()
    
    Add the pcap_cache_loaded() check to load_printers() and return early
    if it returns false. This simplifies callers in preparation for checking
    lp_load_printers() in the printcap cache update code-path.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13766
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Noel Power <npower at samba.org>
    (cherry picked from commit 0ae7c3144a30910adb1e54cf46d54d42a1036839)

commit 6e0514d273e3fe5e85a48ee4b1c3e3f066f1b6c3
Author: Günther Deschner <gd at samba.org>
Date:   Tue Jan 15 14:26:17 2019 +0100

    s3-smbd: use fruit:model string for mDNS registration
    
    With this change we now allow modifying the icon that represents Samba in
    Finder. Possible values are at least:
    
    fruit:model = iMac
    fruit:model = MacBook
    fruit:model = MacPro
    fruit:model = Xserve
    fruit:model = RackMac
    
    Prior to this change we only displayed the correct icon when a mac
    client negotiated the apple create context over SMB.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13746
    
    Based on proposed patch from Rouven WEILER <Rouven_Weiler at gmx.net>
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Tue Jan 15 21:27:20 CET 2019 on sn-devel-144
    
    (cherry picked from commit 538ce72f1b2fa78450e3b711e58bd0e238faf466)

-----------------------------------------------------------------------

Summary of changes:
 python/samba/netcmd/user.py                     |  85 +++++++---
 selftest/selftesthelpers.py                     |   1 +
 selftest/target/Samba3.pm                       |   6 +
 source3/include/proto.h                         |   2 +-
 source3/lib/tldap.c                             |   1 -
 source3/lib/tldap_util.c                        |   2 -
 source3/lib/util.c                              |   7 +-
 source3/modules/vfs_default.c                   |  14 +-
 source3/modules/vfs_fruit.c                     | 204 +++++++++++-------------
 source3/printing/load.c                         |   4 +-
 source3/printing/pcap.c                         |   5 +
 source3/printing/queue_process.c                |   6 +-
 source3/printing/spoolssd.c                     |   8 +-
 source3/script/tests/test_force_group_change.sh |  73 +++++++++
 source3/selftest/tests.py                       |   3 +
 source3/smbd/avahi_register.c                   |  27 ++++
 source3/smbd/files.c                            |   9 ++
 source3/smbd/uid.c                              |  35 +++-
 source3/wscript                                 |   3 +
 source3/wscript_build                           |   1 +
 source4/torture/vfs/fruit.c                     |  26 ++-
 21 files changed, 354 insertions(+), 168 deletions(-)
 create mode 100755 source3/script/tests/test_force_group_change.sh


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index a82ac76fddb..04f7d1a5577 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -21,6 +21,7 @@ import samba.getopt as options
 import ldb
 import pwd
 import os
+import io
 import re
 import tempfile
 import difflib
@@ -56,15 +57,56 @@ from samba.netcmd import (
     )
 
 
-try:
-    import io
-    import gpgme
-    gpgme_support = True
-    decrypt_samba_gpg_help = "Decrypt the SambaGPG password as cleartext source"
-except ImportError as e:
-    gpgme_support = False
-    decrypt_samba_gpg_help = "Decrypt the SambaGPG password not supported, " + \
-            "python-gpgme required"
+
+# python[3]-gpgme is abandoned since ubuntu 1804 and debian 9
+# have to use python[3]-gpg instead
+# The API is different, need to adapt.
+
+def _gpgme_decrypt(encrypted_bytes):
+    """
+    Use python[3]-gpgme to decrypt GPG.
+    """
+    ctx = gpgme.Context()
+    ctx.armor = True  # use ASCII-armored
+    out = io.BytesIO()
+    ctx.decrypt(io.BytesIO(encrypted_bytes), out)
+    return out.getvalue()
+
+
+def _gpg_decrypt(encrypted_bytes):
+    """
+    Use python[3]-gpg to decrypt GPG.
+    """
+    ciphertext = gpg.Data(string=encrypted_bytes)
+    ctx = gpg.Context(armor=True)
+    # plaintext, result, verify_result
+    plaintext, _, _ = ctx.decrypt(ciphertext)
+    return plaintext
+
+
+gpg_decrypt = None
+
+if not gpg_decrypt:
+    try:
+        import gpgme
+        gpg_decrypt = _gpgme_decrypt
+    except ImportError:
+        pass
+
+if not gpg_decrypt:
+    try:
+        import gpg
+        gpg_decrypt = _gpg_decrypt
+    except ImportError:
+        pass
+
+if gpg_decrypt:
+    decrypt_samba_gpg_help = ("Decrypt the SambaGPG password as "
+                              "cleartext source")
+else:
+    decrypt_samba_gpg_help = ("Decrypt the SambaGPG password not supported, "
+                              "python[3]-gpgme or python[3]-gpg required")
+
 
 disabled_virtual_attributes = {
     }
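Review bot: The import fallback tries `gpgme` before `gpg`, so a host with both bindings installed keeps using the one the comment above describes as abandoned; swapping the two `try` blocks so `import gpg` is attempted first would match that comment. The first `if not gpg_decrypt:` directly follows `gpg_decrypt = None`, is always true and can be dropped. `_gpg_decrypt` discards the second and third values returned by `ctx.decrypt()`, and its docstring would be the place to say so, e.g. `"""Decrypt with python[3]-gpg and return the plaintext bytes; the decrypt and verify results are not inspected."""`.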
@@ -1022,13 +1064,8 @@ class GetPasswordCommand(Command):
             #
             sgv = get_package("Primary:SambaGPG", min_idx=-1)
             if sgv is not None and unicodePwd is not None:
-                ctx = gpgme.Context()
-                ctx.armor = True
-                cipher_io = io.BytesIO(sgv)
-                plain_io = io.BytesIO()
                 try:
-                    ctx.decrypt(cipher_io, plain_io)
-                    cv = plain_io.getvalue()
+                    cv = gpg_decrypt(sgv)
                     #
                     # We only use the password if it matches
                     # the current nthash stored in the unicodePwd
@@ -1040,13 +1077,13 @@ class GetPasswordCommand(Command):
                     nthash = tmp.get_nt_hash()
                     if nthash == unicodePwd:
                         calculated["Primary:CLEARTEXT"] = cv
-                except gpgme.GpgmeError as (major, minor, msg):
-                    if major == gpgme.ERR_BAD_SECKEY:
-                        msg = "ERR_BAD_SECKEY: " + msg
-                    else:
-                        msg = "MAJOR:%d, MINOR:%d: %s" % (major, minor, msg)
-                    self.outf.write("WARNING: '%s': SambaGPG can't be decrypted into CLEARTEXT: %s\n" % (
-                                    username or account_name, msg))
+
+                except Exception as e:
+                    self.outf.write(
+                        "WARNING: '%s': SambaGPG can't be decrypted "
+                        "into CLEARTEXT: %s\n" % (
+                            username or account_name, e))
+
 
         def get_utf8(a, b, username):
             try:
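Review bot: `except Exception as e` now covers the whole `try` body, so any failure after the decrypt call, including one in the nthash comparison, is reported as "SambaGPG can't be decrypted into CLEARTEXT" and processing continues. The removed handler caught only `gpgme.GpgmeError`. Either narrow the handler to the error types of the binding that was imported, or move `cv = gpg_decrypt(sgv)` into its own `try` so only the decrypt call is covered. The `try:` opens in the previous hunk, and the enclosing method starts outside both hunks.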
@@ -1455,7 +1492,7 @@ samba-tool user getpassword --filter=samaccountname=TestUser3 --attributes=msDS-
             sambaopts=None, versionopts=None):
         self.lp = sambaopts.get_loadparm()
 
-        if decrypt_samba_gpg and not gpgme_support:
+        if decrypt_samba_gpg and not gpg_decrypt:
             raise CommandError(decrypt_samba_gpg_help)
 
         if filter is None and username is None:
@@ -1797,7 +1834,7 @@ samba-tool user syncpasswords --terminate \\
             if H is None:
                 H = "ldapi://%s" % os.path.abspath(self.lp.private_path("ldap_priv/ldapi"))
 
-            if decrypt_samba_gpg and not gpgme_support:
+            if decrypt_samba_gpg and not gpg_decrypt:
                 raise CommandError(decrypt_samba_gpg_help)
 
             password_attrs = self.parse_attributes(attributes)
diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py
index 8b885b59419..77313cb2ba6 100644
--- a/selftest/selftesthelpers.py
+++ b/selftest/selftesthelpers.py
@@ -196,3 +196,4 @@ smbcquotas = binpath('smbcquotas')
 smbget = binpath('smbget')
 rpcclient = binpath('rpcclient')
 smbcacls = binpath('smbcacls')
+smbcontrol = binpath('smbcontrol')
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index e30d1a4c7c8..ac75d9347e1 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -928,6 +928,12 @@ sub setup_fileserver($$)
 	force group = everyone
 	write list = force_user
 
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
+[force_group_test]
+	path = $share_dir
+	comment = force group test
+#	force group = everyone
+
 [smbget]
 	path = $smbget_sharedir
 	comment = smb username is [%U]
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 2bc5ab2f532..54c1b08a61b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -362,7 +362,7 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist);
 void free_namearray(name_compare_entry *name_array);
 bool fcntl_lock(int fd, int op, off_t offset, off_t count, int type);
 bool fcntl_getlock(int fd, int op, off_t *poffset, off_t *pcount, int *ptype, pid_t *ppid);
-int map_process_lock_to_ofd_lock(int op, bool *use_ofd_locks);
+int map_process_lock_to_ofd_lock(int op);
 bool is_myname(const char *s);
 void ra_lanman_string( const char *native_lanman );
 const char *get_remote_arch_str(void);
diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
index 40064fdeeed..263680b077c 100644
--- a/source3/lib/tldap.c
+++ b/source3/lib/tldap.c
@@ -1915,7 +1915,6 @@ static void tldap_search_all_done(struct tevent_req *subreq)
 	rc = tldap_search_recv(subreq, state, &msg);
 	/* No TALLOC_FREE(subreq), this is multi-step */
 	if (tevent_req_ldap_error(req, rc)) {
-		TALLOC_FREE(subreq);
 		return;
 	}
 
diff --git a/source3/lib/tldap_util.c b/source3/lib/tldap_util.c
index 89f812b97e0..accdbe41d96 100644
--- a/source3/lib/tldap_util.c
+++ b/source3/lib/tldap_util.c
@@ -459,7 +459,6 @@ static void tldap_fetch_rootdse_done(struct tevent_req *subreq)
 
 	rc = tldap_search_recv(subreq, state, &msg);
 	if (tevent_req_ldap_error(req, rc)) {
-		TALLOC_FREE(subreq);
 		return;
 	}
 
@@ -741,7 +740,6 @@ static void tldap_search_paged_done(struct tevent_req *subreq)
 
 	rc = tldap_search_recv(subreq, state, &state->result);
 	if (tevent_req_ldap_error(req, rc)) {
-		TALLOC_FREE(subreq);
 		return;
 	}
 
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 5f786f95d3e..cd9df464cca 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1070,7 +1070,7 @@ bool fcntl_getlock(int fd, int op, off_t *poffset, off_t *pcount, int *ptype, pi
 }
 
 #if defined(HAVE_OFD_LOCKS)
-int map_process_lock_to_ofd_lock(int op, bool *use_ofd_locks)
+int map_process_lock_to_ofd_lock(int op)
 {
 	switch (op) {
 	case F_GETLK:
@@ -1086,16 +1086,13 @@ int map_process_lock_to_ofd_lock(int op, bool *use_ofd_locks)
 		op = F_OFD_SETLKW;
 		break;
 	default:
-		*use_ofd_locks = false;
 		return -1;
 	}
-	*use_ofd_locks = true;
 	return op;
 }
 #else /* HAVE_OFD_LOCKS */
-int map_process_lock_to_ofd_lock(int op, bool *use_ofd_locks)
+int map_process_lock_to_ofd_lock(int op)
 {
-	*use_ofd_locks = false;
 	return op;
 }
 #endif /* HAVE_OFD_LOCKS */
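Review bot: With the `use_ofd_locks` out-parameter removed, nothing documents that the two builds of `map_process_lock_to_ofd_lock()` behave differently. The `HAVE_OFD_LOCKS` variant returns -1 from its `default:` arm for an op it does not map, while the fallback variant returns `op` unchanged. A header comment above the `#if` would state this, e.g. `/* Map a process-associated fcntl lock op to its F_OFD_* equivalent; returns -1 for an unmapped op, or op unchanged when OFD locks are not compiled in. */`. The start of the switch is in the previous hunk.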
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index a9c87e444fe..586d8b1fb2d 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -2500,11 +2500,8 @@ static bool vfswrap_lock(vfs_handle_struct *handle, files_struct *fsp, int op, o
 
 	START_PROFILE(syscall_fcntl_lock);
 
-	if (fsp->use_ofd_locks || !lp_parm_bool(SNUM(fsp->conn),
-						"smbd",
-						"force process locks",
-						false)) {
-		op = map_process_lock_to_ofd_lock(op, &fsp->use_ofd_locks);
+	if (fsp->use_ofd_locks) {
+		op = map_process_lock_to_ofd_lock(op);
 	}
 
 	result =  fcntl_lock(fsp->fh->fd, op, offset, count, type);
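Review bot: The value returned by `map_process_lock_to_ofd_lock(op)` goes straight into `fcntl_lock()` on the following line, yet the OFD build of that helper (source3/lib/util.c in this changeset) returns -1 for an op it does not map. An explicit `if (op == -1)` guard that fails the call before reaching `fcntl_lock()` would make the error path deliberate rather than relying on the system call to reject the command. The same pattern is in `vfswrap_getlock` in the next hunk. Both function bodies continue outside their hunks, and where `fsp->use_ofd_locks` is now set is not visible in this truncated changeset.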
@@ -2528,11 +2525,8 @@ static bool vfswrap_getlock(vfs_handle_struct *handle, files_struct *fsp, off_t
 
 	START_PROFILE(syscall_fcntl_getlock);
 
-	if (fsp->use_ofd_locks || !lp_parm_bool(SNUM(fsp->conn),
-						"smbd",
-						"force process locks",
-						false)) {
-		op = map_process_lock_to_ofd_lock(op, &fsp->use_ofd_locks);
+	if (fsp->use_ofd_locks) {
+		op = map_process_lock_to_ofd_lock(op);
 	}
 
 	result = fcntl_getlock(fsp->fh->fd, op, poffset, pcount, ptype, ppid);
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index f7e0bbce2ce..23e450a15ea 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -2647,7 +2647,7 @@ static bool test_netatalk_lock(files_struct *fsp, off_t in_offset)
 	off_t offset = in_offset;
 	off_t len = 1;
 	int type = F_WRLCK;
-	pid_t pid;
+	pid_t pid = 0;
 
 	result = SMB_VFS_GETLOCK(fsp, &offset, &len, &type, &pid);
 	if (result == false) {
@@ -2664,156 +2664,146 @@ static bool test_netatalk_lock(files_struct *fsp, off_t in_offset)
 static NTSTATUS fruit_check_access(vfs_handle_struct *handle,
 				   files_struct *fsp,
 				   uint32_t access_mask,
-				   uint32_t deny_mode)
+				   uint32_t share_mode)
 {
 	NTSTATUS status = NT_STATUS_OK;
-	bool open_for_reading, open_for_writing, deny_read, deny_write;
 	off_t off;
-	bool have_read = false;
-	int flags;
+	bool share_for_read = (share_mode & FILE_SHARE_READ);
+	bool share_for_write = (share_mode & FILE_SHARE_WRITE);
+	bool netatalk_already_open_for_reading = false;
+	bool netatalk_already_open_for_writing = false;
+	bool netatalk_already_open_with_deny_read = false;
+	bool netatalk_already_open_with_deny_write = false;
 
 	/* FIXME: hardcoded data fork, add resource fork */
 	enum apple_fork fork_type = APPLE_FORK_DATA;
 
-	DEBUG(10, ("fruit_check_access: %s, am: %s/%s, dm: %s/%s\n",
+	DBG_DEBUG("fruit_check_access: %s, am: %s/%s, sm: 0x%x\n",
 		  fsp_str_dbg(fsp),
 		  access_mask & FILE_READ_DATA ? "READ" :"-",
 		  access_mask & FILE_WRITE_DATA ? "WRITE" : "-",
-		  deny_mode & DENY_READ ? "DENY_READ" : "-",
-		  deny_mode & DENY_WRITE ? "DENY_WRITE" : "-"));
+		  share_mode);
 
 	if (fsp->fh->fd == -1) {
 		return NT_STATUS_OK;
 	}
 
-	flags = fcntl(fsp->fh->fd, F_GETFL);
-	if (flags == -1) {
-		DBG_ERR("fcntl get flags [%s] fd [%d] failed [%s]\n",
-			fsp_str_dbg(fsp), fsp->fh->fd, strerror(errno));
-		return map_nt_error_from_unix(errno);
-	}
-
-	if (flags & (O_RDONLY|O_RDWR)) {
-		/*
-		 * Applying fcntl read locks requires an fd opened for
-		 * reading. This means we won't be applying locks for
-		 * files openend write-only, but what can we do...
-		 */
-		have_read = true;
-	}
+	/* Read NetATalk opens and deny modes on the file. */
+	netatalk_already_open_for_reading = test_netatalk_lock(fsp,
+				access_to_netatalk_brl(fork_type,
+					FILE_READ_DATA));
 
-	/*
-	 * Check read access and deny read mode
-	 */
-	if ((access_mask & FILE_READ_DATA) || (deny_mode & DENY_READ)) {
-		/* Check access */
-		open_for_reading = test_netatalk_lock(
-			fsp, access_to_netatalk_brl(fork_type, FILE_READ_DATA));
+	netatalk_already_open_with_deny_read = test_netatalk_lock(fsp,
+				denymode_to_netatalk_brl(fork_type,
+					DENY_READ));
 
-		deny_read = test_netatalk_lock(
-			fsp, denymode_to_netatalk_brl(fork_type, DENY_READ));
+	netatalk_already_open_for_writing = test_netatalk_lock(fsp,
+				access_to_netatalk_brl(fork_type,
+					FILE_WRITE_DATA));
 
-		DEBUG(10, ("read: %s, deny_write: %s\n",
-			  open_for_reading == true ? "yes" : "no",
-			  deny_read == true ? "yes" : "no"));
+	netatalk_already_open_with_deny_write = test_netatalk_lock(fsp,
+				denymode_to_netatalk_brl(fork_type,
+					DENY_WRITE));
 
-		if (((access_mask & FILE_READ_DATA) && deny_read)
-		    || ((deny_mode & DENY_READ) && open_for_reading)) {
-			return NT_STATUS_SHARING_VIOLATION;
-		}
+	/* If there are any conflicts - sharing violation. */
+	if ((access_mask & FILE_READ_DATA) &&
+			netatalk_already_open_with_deny_read) {
+		return NT_STATUS_SHARING_VIOLATION;
+	}
 
-		/* Set locks */
-		if ((access_mask & FILE_READ_DATA) && have_read) {
-			struct byte_range_lock *br_lck = NULL;
+	if (!share_for_read &&
+			netatalk_already_open_for_reading) {
+		return NT_STATUS_SHARING_VIOLATION;
+	}
 
-			off = access_to_netatalk_brl(fork_type, FILE_READ_DATA);
-			br_lck = do_lock(
-				handle->conn->sconn->msg_ctx, fsp,
-				fsp->op->global->open_persistent_id, 1, off,
-				READ_LOCK, POSIX_LOCK, false,
-				&status, NULL);
+	if ((access_mask & FILE_WRITE_DATA) &&
+			netatalk_already_open_with_deny_write) {
+		return NT_STATUS_SHARING_VIOLATION;
+	}
 
-			TALLOC_FREE(br_lck);
+	if (!share_for_write &&
+			netatalk_already_open_for_writing) {
+		return NT_STATUS_SHARING_VIOLATION;
+	}
 
-			if (!NT_STATUS_IS_OK(status))  {
-				return status;
-			}
-		}
+	if (!(access_mask & FILE_READ_DATA)) {
+		/*
+		 * Nothing we can do here, we need read access
+		 * to set locks.
+		 */
+		return NT_STATUS_OK;
+	}
 
-		if ((deny_mode & DENY_READ) && have_read) {
-			struct byte_range_lock *br_lck = NULL;
+	/* Set NetAtalk locks matching our access */
+	if (access_mask & FILE_READ_DATA) {
+		struct byte_range_lock *br_lck = NULL;
 
-			off = denymode_to_netatalk_brl(fork_type, DENY_READ);
-			br_lck = do_lock(
-				handle->conn->sconn->msg_ctx, fsp,
-				fsp->op->global->open_persistent_id, 1, off,
-				READ_LOCK, POSIX_LOCK, false,
-				&status, NULL);
+		off = access_to_netatalk_brl(fork_type, FILE_READ_DATA);
+		br_lck = do_lock(
+			handle->conn->sconn->msg_ctx, fsp,
+			fsp->op->global->open_persistent_id, 1, off,
+			READ_LOCK, POSIX_LOCK, false,
+			&status, NULL);
 
-			TALLOC_FREE(br_lck);
+		TALLOC_FREE(br_lck);
 
-			if (!NT_STATUS_IS_OK(status)) {
-				return status;
-			}
+		if (!NT_STATUS_IS_OK(status))  {
+			return status;
 		}
 	}
 
-	/*
-	 * Check write access and deny write mode
-	 */
-	if ((access_mask & FILE_WRITE_DATA) || (deny_mode & DENY_WRITE)) {
-		/* Check access */
-		open_for_writing = test_netatalk_lock(
-			fsp, access_to_netatalk_brl(fork_type, FILE_WRITE_DATA));
+	if (!share_for_read) {
+		struct byte_range_lock *br_lck = NULL;
 
-		deny_write = test_netatalk_lock(
-			fsp, denymode_to_netatalk_brl(fork_type, DENY_WRITE));
+		off = denymode_to_netatalk_brl(fork_type, DENY_READ);
+		br_lck = do_lock(
+			handle->conn->sconn->msg_ctx, fsp,
+			fsp->op->global->open_persistent_id, 1, off,
+			READ_LOCK, POSIX_LOCK, false,
+			&status, NULL);
 
-		DEBUG(10, ("write: %s, deny_write: %s\n",
-			  open_for_writing == true ? "yes" : "no",
-			  deny_write == true ? "yes" : "no"));
+		TALLOC_FREE(br_lck);
 
-		if (((access_mask & FILE_WRITE_DATA) && deny_write)
-		    || ((deny_mode & DENY_WRITE) && open_for_writing)) {
-			return NT_STATUS_SHARING_VIOLATION;
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
 		}
+	}
 
-		/* Set locks */
-		if ((access_mask & FILE_WRITE_DATA) && have_read) {
-			struct byte_range_lock *br_lck = NULL;
+	if (access_mask & FILE_WRITE_DATA) {
+		struct byte_range_lock *br_lck = NULL;
 
-			off = access_to_netatalk_brl(fork_type, FILE_WRITE_DATA);
-			br_lck = do_lock(
-				handle->conn->sconn->msg_ctx, fsp,
-				fsp->op->global->open_persistent_id, 1, off,
-				READ_LOCK, POSIX_LOCK, false,
-				&status, NULL);
+		off = access_to_netatalk_brl(fork_type, FILE_WRITE_DATA);
+		br_lck = do_lock(
+			handle->conn->sconn->msg_ctx, fsp,
+			fsp->op->global->open_persistent_id, 1, off,
+			READ_LOCK, POSIX_LOCK, false,
+			&status, NULL);
 
-			TALLOC_FREE(br_lck);
+		TALLOC_FREE(br_lck);
 
-			if (!NT_STATUS_IS_OK(status)) {
-				return status;
-			}
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
 		}
-		if ((deny_mode & DENY_WRITE) && have_read) {
-			struct byte_range_lock *br_lck = NULL;
+	}
 
-			off = denymode_to_netatalk_brl(fork_type, DENY_WRITE);


-- 
Samba Shared Repository


