[SCM] Samba Shared Repository - branch v4-9-test updated
Karolin Seeger
kseeger at samba.org
Mon Jul 8 16:25:07 UTC 2019
The branch, v4-9-test has been updated
via f7a5adf0256 s4/libnet: Fix joining a Windows pre-2008R2 DC
via ea481544d2f vfs:glusterfs_fuse: treat ENOATTR as ENOENT
via e126fdaa0c4 vfs:glusterfs: treat ENOATTR as ENOENT
via 00dbe9ff5a5 dsdb: Handle DB corner-case where PSO container doesn't exist
via 948b60d21ef s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()
via a47fd552e12 s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
via 3bcaef67d29 s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
via 88a60f59c13 WHATSNEW: Fix typo.
from 63547807f51 VERSION: Bump version up to 4.9.12...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test
- Log -----------------------------------------------------------------
commit f7a5adf02565e4d9e78e4dc85214d4c434c68a27
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Jul 1 17:06:31 2019 +1200
s4/libnet: Fix joining a Windows pre-2008R2 DC
From v4.8 onwards, Samba may not be able to join a DC older than 2008R2
because the Windows DC doesn't support GET_TGT.
If the dsdb repl_md code can't resolve a link target it returns an
error, and the calling code (e.g. drs_util.py) should retry with
GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later,
so if you try to join an earlier Windows DC, the join will throw an
error that you can't work-around.
We can avoid this problem by setting the same DSDB flag that GET_TGT
sets to indicate that the link targets are as up-to-date as possible,
and so there's no point retrying. Missing targets are still logged, so
this at least allows the admin to fix up any problems after the join
completed.
I've only done this for the join case (problems during periodic
replication are probably still worth escalating to an error).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021
RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD
DC may not have worked. When this problem occurred, the following
message would be displayed:
'Failed to commit objects: DOS code 0x000021bf'
This particular issue has now been resolved. Note that there may still
be other potential problems that occur when joining an older Windows DC.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b3a2508f2ad79e2f1007464da7dbe918933038a0)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-9-test): Mon Jul 8 16:24:32 UTC 2019 on sn-devel-144
commit ea481544d2fdb5c9e48d901ee3c0514d5c3400d8
Author: Michael Adam <obnox at samba.org>
Date: Thu Jun 20 15:14:57 2019 +0200
vfs:glusterfs_fuse: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative answer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs_fuse vfs module to treat ENOATTR as
ENOENT to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Fri Jun 28 12:52:03 UTC 2019 on sn-devel-184
(cherry picked from commit fee8cf326bfe240d3a8720569eab43f474349aff)
commit e126fdaa0c488dfee017eb0fc701643ede2d8b49
Author: Michael Adam <obnox at samba.org>
Date: Thu Jun 20 15:14:57 2019 +0200
vfs:glusterfs: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative answer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs vfs module to treat ENOATTR as ENOENT
to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 8899eb21d48b7077328ae560490f9fb9715a6b83)
commit 00dbe9ff5a538eb35001fb43dd431c5fde4e145f
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Jun 25 10:10:17 2019 +1200
dsdb: Handle DB corner-case where PSO container doesn't exist
A 2003 AD DB with functional level set to >= 2008 was non-functional
due to the PSO checks.
We already check the functional level is >= 2008 before checking for the
PSO container. However, users could change their functional level
without ensuring their DB conforms to the corresponding base schema.
The objectclass DSDB module should prevent the PSO container from ever
being deleted. So the only way we should be able to hit this case is
through upgrading the functional level (but not the underlying schema
objects). If so, log a low-priority message and continue without errors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008
RN: Previously, AD operations such as user authentication could fail
completely with the message 'Error 32 determining PSOs in system' logged
on the samba server. This problem would only affect a domain that was
created using a pre-2008 AD base schema and then had its functional
level manually raised to 2008 or greater. This issue has now been
resolved.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 295bf73e9b24b1f2b4594320a6501dc7410d4b43)
commit 948b60d21ef70366886e9cde6f6a01548279c38c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 27 13:12:14 2019 +0200
s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()
The gensec schannel module already asserts that at least
AUTH_LEVEL_INTEGRITY is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0b6e37c9e801435e094194dd60d9213b4868c3de)
commit a47fd552e123690e3ca5ad95c06172d4ae64be07
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 27 12:38:43 2019 +0200
s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMware Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit fa5215ce5b93fb032df341e718d7011e619f0916)
commit 3bcaef67d293e034cb985b3f85d698fcda92631a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 27 12:38:43 2019 +0200
s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMware Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ead9b93ce5c2c67bbdb778232805d6d9e70112fc)
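The effect of the two netlogon commits above, modelled in Python as an added example for this changelog (it is not Samba code and speaks no DCE/RPC): the `server schannel` rejection moves out of netr_ServerAuthenticate3() and the only check left is the per-call one on the bind's authentication type. The three flag values are the MS-NRPC constants also used in Samba's netlogon.idl; the `Server` class, `AuthType`, the NT_STATUS strings and the reduced set of server flags are assumptions of the model.

```python
"""Model of how the netlogon commits above move the 'server schannel'
check from netr_ServerAuthenticate3() to the per-call credential check.
Added example for this changelog; not Samba code, no DCE/RPC on the wire.
Flag values follow MS-NRPC (and Samba's netlogon.idl); Server, AuthType,
SERVER_FLAGS and the status strings are assumptions of this model."""
from dataclasses import dataclass
from enum import Enum

NETLOGON_NEG_STRONG_KEYS = 0x00004000
NETLOGON_NEG_SUPPORTS_AES = 0x01000000
NETLOGON_NEG_AUTHENTICATED_RPC = 0x40000000
NETLOGON_NEG_SCHANNEL = NETLOGON_NEG_AUTHENTICATED_RPC  # alias, as the commit notes

# Assumed: the model's server only knows these three flags; a real DC advertises more.
SERVER_FLAGS = (NETLOGON_NEG_STRONG_KEYS | NETLOGON_NEG_SUPPORTS_AES
                | NETLOGON_NEG_SCHANNEL)

NT_STATUS_OK = "NT_STATUS_OK"
NT_STATUS_ACCESS_DENIED = "NT_STATUS_ACCESS_DENIED"


class AuthType(Enum):
    """DCE/RPC bind auth type of the connection carrying a netlogon call."""
    NONE = "none"          # plain, unauthenticated bind
    SCHANNEL = "schannel"  # DCERPC_AUTH_TYPE_SCHANNEL


@dataclass
class Server:
    server_schannel: bool = True  # smb.conf 'server schannel = yes'


def server_authenticate3_before(server: Server, in_neg_flags: int):
    """Behaviour the patch removes: NEG_SCHANNEL is advertised from config,
    and the call is rejected if 'server schannel = yes' but the client did
    not offer NEG_SCHANNEL. Returns (status, negotiated flags)."""
    srv_flgs = in_neg_flags & (NETLOGON_NEG_STRONG_KEYS | NETLOGON_NEG_SUPPORTS_AES)
    if server.server_schannel:
        srv_flgs |= NETLOGON_NEG_SCHANNEL
    if server.server_schannel and not (in_neg_flags & NETLOGON_NEG_SCHANNEL):
        return NT_STATUS_ACCESS_DENIED, srv_flgs
    return NT_STATUS_OK, srv_flgs


def server_authenticate3_after(server: Server, in_neg_flags: int):
    """Behaviour after the patch: NEG_SCHANNEL is echoed only when the client
    offered it, and a client that offers just STRONG_KEYS (+AES) to verify a
    password is accepted. The config is not consulted here any more."""
    srv_flgs = in_neg_flags & (NETLOGON_NEG_STRONG_KEYS | NETLOGON_NEG_SUPPORTS_AES)
    if in_neg_flags & NETLOGON_NEG_SCHANNEL:
        srv_flgs |= NETLOGON_NEG_SCHANNEL
    return NT_STATUS_OK, srv_flgs


def creds_server_step_check(server: Server, auth_type: AuthType) -> str:
    """The per-call check that remains: with 'server schannel = yes' every
    later netlogon call must arrive on a schannel-protected bind, whatever
    was negotiated in ServerAuthenticate3."""
    if server.server_schannel and auth_type is not AuthType.SCHANNEL:
        return NT_STATUS_ACCESS_DENIED
    return NT_STATUS_OK


def password_verify_only_flow(server: Server, patched: bool):
    """Quickprep-style client from the commit message: ServerAuthenticate3
    with STRONG_KEYS|SUPPORTS_AES only, then a follow-up netlogon call over
    the same unauthenticated bind. Returns (auth status, follow-up status)."""
    flags = NETLOGON_NEG_STRONG_KEYS | NETLOGON_NEG_SUPPORTS_AES
    auth_fn = server_authenticate3_after if patched else server_authenticate3_before
    status, _ = auth_fn(server, flags)
    if status != NT_STATUS_OK:
        return status, None
    return status, creds_server_step_check(server, AuthType.NONE)


if __name__ == "__main__":
    srv = Server(server_schannel=True)
    print("before patch:", password_verify_only_flow(srv, patched=False))
    print("after patch: ", password_verify_only_flow(srv, patched=True))
```

The point the model makes: after the patch the password-verify call itself succeeds for a client that never offered schannel, but any further call on that unauthenticated bind is still refused when `server schannel = yes`, so the enforcement point has moved, not disappeared.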
commit 88a60f59c1362204fc59e7d862b6968ace290e25
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Jul 4 09:48:05 2019 +0200
WHATSNEW: Fix typo.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 2 +-
source3/modules/vfs_glusterfs.c | 2 +-
source3/modules/vfs_glusterfs_fuse.c | 2 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 52 +++------------------------
source4/dsdb/samdb/ldb_modules/operational.c | 12 +++++++
source4/libnet/libnet_vampire.c | 9 +++++
source4/rpc_server/netlogon/dcerpc_netlogon.c | 15 --------
7 files changed, 29 insertions(+), 65 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4c28ae2b424..ce6c279e10b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -11,7 +11,7 @@ db_module.h in order to fix bug #12478. Unfortunately, the ldb version was not
raised. Samba >= 4.9.10 is no longer able to build with ldb 1.4.6. This version
includes the new ldb version. Please note that there are just the version bumps
in ldb and Samba, no code change. If you don't build Samba with an external ldb
-library, you can ignore this release and keep using 4.9.11.
+library, you can ignore this release and keep using 4.9.10.
Changes since 4.9.10:
diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index f7c3c6d8dc8..6a886adec09 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -1469,7 +1469,7 @@ static int vfs_gluster_get_real_filename(struct vfs_handle_struct *handle,
GLUSTER_NAME_MAX + 1);
if (ret == -1) {
if (errno == ENOATTR) {
- errno = EOPNOTSUPP;
+ errno = ENOENT;
}
return -1;
}
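Review bot: the remapping at `errno = ENOENT;` changes what the caller of vfs_gluster_get_real_filename() is told without any comment in the code; the commit message spells out the trade-off (very old gluster servers that always return ENOATTR will now be answered "does not exist", which is wrong unless it really does not exist), but a reader of vfs_glusterfs.c alone cannot see it. Suggest a short comment above `if (errno == ENOATTR)` referencing bug 14010 and stating the gluster behaviour this module now assumes.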
diff --git a/source3/modules/vfs_glusterfs_fuse.c b/source3/modules/vfs_glusterfs_fuse.c
index d92f5e2b08b..51515aa0df4 100644
--- a/source3/modules/vfs_glusterfs_fuse.c
+++ b/source3/modules/vfs_glusterfs_fuse.c
@@ -45,7 +45,7 @@ static int vfs_gluster_fuse_get_real_filename(struct vfs_handle_struct *handle,
ret = getxattr(path, key_buf, val_buf, GLUSTER_NAME_MAX + 1);
if (ret == -1) {
if (errno == ENOATTR) {
- errno = EOPNOTSUPP;
+ errno = ENOENT;
}
return -1;
}
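Review bot: this block is now the same errno translation as the one in vfs_glusterfs.c above, and the two modules have already had to change in lockstep once for the same upstream gluster behaviour. Consider hoisting the ENOATTR handling into a shared helper so the next change lands in one place, and record the minimum gluster server version in this module's man page, since the commit message says older servers will misbehave.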
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 9b9947455ed..d799ba4feef 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -927,7 +927,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
srv_flgs |= NETLOGON_NEG_SUPPORTS_AES;
}
- if (lp_server_schannel() != false) {
+ if (in_neg_flags & NETLOGON_NEG_SCHANNEL) {
srv_flgs |= NETLOGON_NEG_SCHANNEL;
}
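Review bot: with `if (in_neg_flags & NETLOGON_NEG_SCHANNEL)` the server merely echoes the client's offer instead of advertising NEG_SCHANNEL whenever `server schannel = yes`, so the configured policy is no longer visible in the ServerAuthenticate3 reply. The only enforcement left in this file is the `p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL` test in netr_creds_server_step_check() further down; a one-line comment here saying so would stop the next reader from concluding that `server schannel` has been dropped.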
@@ -968,17 +968,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
goto out;
}
- if ( (lp_server_schannel() == true) &&
- ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
-
- /* schannel must be used, but client did not offer it. */
- DEBUG(0,("%s: schannel required but client failed "
- "to offer it. Client was %s\n",
- fn, r->in.account_name));
- status = NT_STATUS_ACCESS_DENIED;
- goto out;
- }
-
status = get_md4pw(&mach_pwd,
r->in.account_name,
r->in.secure_channel_type,
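Review bot: deleting this block also deletes the only DEBUG(0) record of a client that authenticated without offering schannel. Since ServerAuthenticate3 now succeeds for such clients (the Quickprep password-verify case in the commit message), keep a DBG_NOTICE or DBG_INFO with `r->in.account_name` so operators can find out which machine accounts rely on non-schannel netlogon before tightening policy.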
@@ -1072,36 +1061,6 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
return _netr_ServerAuthenticate3(p, &a);
}
-/*************************************************************************
- * If schannel is required for this call test that it actually is available.
- *************************************************************************/
-static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
- const char *computer_name,
- bool integrity, bool privacy)
-{
- if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- if (!privacy && !integrity) {
- return NT_STATUS_OK;
- }
-
- if ((!privacy && integrity) &&
- auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
- return NT_STATUS_OK;
- }
-
- if ((privacy || integrity) &&
- auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
- return NT_STATUS_OK;
- }
- }
-
- /* test didn't pass */
- DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
- computer_name));
-
- return NT_STATUS_ACCESS_DENIED;
-}
-
/*************************************************************************
*************************************************************************/
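Review bot: with schannel_check_required() gone, the hunk ends in an empty comment banner sitting directly above netr_creds_server_step_check(). The `integrity`/`privacy` parameters were dead at the single call site (passed `false, false`, visible in the next hunk), so removing the helper is safe; either drop the empty banner or use it for a description of netr_creds_server_step_check().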
@@ -1121,11 +1080,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
}
if (schannel_global_required) {
- status = schannel_check_required(&p->auth,
- computer_name,
- false, false);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+ DBG_ERR("[%s] is not using schannel\n",
+ computer_name);
+ return NT_STATUS_ACCESS_DENIED;
}
}
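Review bot: the new test checks only `p->auth.auth_type` and relies on the gensec schannel module guaranteeing at least DCERPC_AUTH_LEVEL_INTEGRITY, as the commit message says, but that assumption is not stated at the check; add a comment so a later change to the gensec module cannot silently turn this into a level-agnostic check. Also, `computer_name` is client-supplied and goes into DBG_ERR unescaped, while the s4 code removed in dcerpc_netlogon.c below passes the account name through log_escape(); do the same here.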
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index cdcec1c1046..173b09eeb61 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -994,6 +994,7 @@ static int get_pso_count(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_result *res = NULL;
struct ldb_context *ldb = ldb_module_get_ctx(module);
+ *pso_count = 0;
domain_dn = ldb_get_default_basedn(ldb);
psc_dn = ldb_dn_new_fmt(mem_ctx, ldb,
"CN=Password Settings Container,CN=System,%s",
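Review bot: `*pso_count = 0;` is required rather than cosmetic, because the function can now return LDB_SUCCESS before the search result is counted (the LDB_ERR_NO_SUCH_OBJECT path in the next hunk); a brief comment tying the initialisation to that early return would stop someone removing it as redundant.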
@@ -1007,6 +1008,17 @@ static int get_pso_count(struct ldb_module *module, TALLOC_CTX *mem_ctx,
LDB_SCOPE_ONELEVEL, attrs,
DSDB_FLAG_NEXT_MODULE, parent,
"(objectClass=msDS-PasswordSettings)");
+
+ /*
+ * Just ignore PSOs if the container doesn't exist. This is a weird
+ * corner-case where the AD DB was created from a pre-2008 base schema,
+ * and then the FL was manually upgraded.
+ */
+ if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+ DBG_NOTICE("No Password Settings Container exists\n");
+ return LDB_SUCCESS;
+ }
+
if (ret != LDB_SUCCESS) {
return ret;
}
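Review bot: on LDB_ERR_NO_SUCH_OBJECT the function now reports zero PSOs at DBG_NOTICE and password policy silently falls back to the domain defaults. That is the right outcome when the container was never created, but the same path also masks a deleted or misnamed container; since the commit message says the objectclass module should prevent deletion, consider logging once at a higher level with the expected DN (or checking once at startup rather than on every lookup) so the schema gap is actually surfaced to the admin.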
diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c
index c4ef6086331..fb53b3d485e 100644
--- a/source4/libnet/libnet_vampire.c
+++ b/source4/libnet/libnet_vampire.c
@@ -659,6 +659,15 @@ WERROR libnet_vampire_cb_store_chunk(void *private_data,
return WERR_INVALID_PARAMETER;
}
+ /*
+ * If the peer DC doesn't support GET_TGT (req v10), then the link
+ * targets are as up-to-date as they're ever gonna be. (Without this,
+ * cases where we'd normally retry with GET_TGT cause the join to fail)
+ */
+ if (c->req_level < 10) {
+ dsdb_repl_flags |= DSDB_REPL_FLAG_TARGETS_UPTODATE;
+ }
+
if (req_replica_flags & DRSUAPI_DRS_CRITICAL_ONLY || is_exop) {
/*
* If we only replicate the critical objects, or this
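Review bot: setting DSDB_REPL_FLAG_TARGETS_UPTODATE for `c->req_level < 10` suppresses the GET_TGT retry for the whole join, not only for the link that failed, and the code comment does not mention that missing targets are still logged (the commit message does). Reword the comment to say so and drop the informal "gonna"; a reference to bug 14021 next to the version threshold would also help.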
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index e96cd08ce2d..31dc38c2ee0 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -136,8 +136,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
bool reject_des_client = !allow_nt4_crypto;
bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
- int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
- bool reject_none_rpc = (schannel == true);
ZERO_STRUCTP(r->out.return_credentials);
*r->out.rid = 0;
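Review bot: dropping `lpcfg_server_schannel()` here means this helper no longer consults `server schannel` at all; unlike the s3 change in the same push, no per-call check for the s4 netlogon server is visible in this patch. Add a comment stating where the option is now enforced for the s4 pipe so the removal does not read as dropping the policy.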
@@ -217,10 +215,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
negotiate_flags = *r->in.negotiate_flags & server_flags;
- if (negotiate_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
- reject_none_rpc = false;
- }
-
if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
reject_des_client = false;
}
@@ -267,15 +261,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
*/
*r->out.negotiate_flags = negotiate_flags;
- if (reject_none_rpc) {
- /* schannel must be used, but client did not offer it. */
- DEBUG(0,("%s: schannel required but client failed "
- "to offer it. Client was %s\n",
- __func__,
- log_escape(mem_ctx, r->in.account_name)));
- return NT_STATUS_ACCESS_DENIED;
- }
-
switch (r->in.secure_channel_type) {
case SEC_CHAN_WKSTA:
case SEC_CHAN_DNS_DOMAIN:
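Review bot: the removed DEBUG(0) was the s4 server's only record of a client that did not offer NEG_AUTHENTICATED_RPC. Retain it as DBG_NOTICE, keeping the log_escape() on `r->in.account_name`, so non-schannel clients remain auditable now that they are accepted.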
--
Samba Shared Repository