[SCM] Samba Shared Repository - branch v4-10-test updated
Stefan Metzmacher
metze at samba.org
Wed Oct 16 16:45:06 UTC 2019
The branch, v4-10-test has been updated
via 3ad42536f87 s3:libads: Do not turn on canonicalization flag for MIT Kerberos
via d533a588b62 lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs
via 8939186345f spnego: fix server handling of no optimistic exchange
via 68d91436d85 python/tests/gensec: add spnego downgrade python tests
via 3a06edfe4fa python/tests/gensec: make it possible to add knownfail tests for gensec.update()
via 5c411a2f9f5 selftest: add tests for no optimistic spnego exchange
via a403e4d63e0 spnego: add client option to omit sending an optimistic token
via 9d2d4cf9c93 selftest: s3: add a test for spnego downgrade from krb5 to ntlm
via 24a43d7c742 s3:libsmb: Do not check the SPNEGO neg token for KRB5
via f340056428a spnego: ignore server mech_types list
via de0841138e6 testprogs: Add test for 'net ads join createcomputer='
via f65a755bdd1 s3:libads: Just change the machine password if account already exists
via 9d984cebde3 s3:libnet: Improve debug messages
via 1e384434960 s3:libads: Fix creating machine account using LDAP
via ac8c51fbb56 s3:libads: Don't set supported encryption types during account creation
via f5216b70c37 s3:libads: Fix detection if account already exists in ads_find_machine_count()
via 60c5d1d3de6 s3:libads: Use a talloc_asprintf in ads_find_machine_acct()
via ddd4a6af621 s3:libads: Cleanup error code paths in ads_create_machine_acct()
via 39959813881 s3:libnet: Require sealed LDAP SASL connections for joining
via 377483859c0 s3:libads: Use ldap_add_ext_s() in ads_gen_add()
via c68763bff35 testprogs: Fix failure count in test_net_ads.sh
via eafb3a20b9d s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls.
via 59c3bd1b15d ctdb-vacuum: Process all records not deleted on a remote node
via fc89f8f54ba s3:libsmb: Link libsmb against pthread
via 0fe766a4f62 nsswitch: Link stress-nss-libwbclient against pthread
via 308c2c9cd48 waf:replace: Do not link against libpthread if not necessary
via cade53a1558 third_party: Link uid_wrapper against pthread
via e405ed01b02 third_party: Link nss_wrapper against pthread
via 171ff620cd0 third_party: Only link cmocka against librt if really needed
via 93ab3efe769 pthreadpool: Only link pthreadpool against librt if we have to
via a1309d360b9 replace: Only link against librt if really needed
via b0362fd07f8 s3:waf: Do not check for nanosleep() as we don't use it anywhere
from 1ad8c6f4b08 winbind: provide passwd struct for group sid with ID_TYPE_BOTH mapping (again)
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test
- Log -----------------------------------------------------------------
commit 3ad42536f873f21cc2db774ca3ea694ca7142253
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 9 16:32:47 2019 +0200
s3:libads: Do not turn on canonicalization flag for MIT Kerberos
This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155
Pair-Programmed-With: Isaac Boukris <iboukris at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 123584294cfd153acc2d9a5be9d71c395c847a25)
Autobuild-User(v4-10-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-10-test): Wed Oct 16 16:43:59 UTC 2019 on sn-devel-144
commit d533a588b62829688824824da681cb360a399651
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 9 20:11:03 2019 +0200
lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs
The autobuild cleanup script fails with:
The tree has 3 new uncommitted files!!!
git clean -n
Would remove MEMORY:tmp_smb_creds_SK98Lv
Would remove MEMORY:tmp_smb_creds_kornU6
Would remove MEMORY:tmp_smb_creds_ljR828
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit d888655244b4d8ec7a69a042e0ff3c074585b0de)
commit 8939186345ff9da6f96b5a244bcd44f098d5b60c
Author: Isaac Boukris <iboukris at gmail.com>
Date: Wed Sep 4 17:04:12 2019 +0300
spnego: fix server handling of no optimistic exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
commit 68d91436d854306a1a6577b121248ef7c0bdb588
Author: Isaac Boukris <iboukris at gmail.com>
Date: Fri Oct 11 00:20:16 2019 +0300
python/tests/gensec: add spnego downgrade python tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3a06edfe4fa267152b72b87d37e6256d56a8aaa6
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 11 13:23:17 2019 +0200
python/tests/gensec: make it possible to add knownfail tests for gensec.update()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5c411a2f9f534ce034aa346f634d3ac2747c1552
Author: Isaac Boukris <iboukris at gmail.com>
Date: Wed Sep 4 16:39:43 2019 +0300
selftest: add tests for no optimistic spnego exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a403e4d63e0de5cdd9fd13643835e050dae6b736
Author: Isaac Boukris <iboukris at gmail.com>
Date: Wed Sep 4 16:31:21 2019 +0300
spnego: add client option to omit sending an optimistic token
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9d2d4cf9c93684ddb0dda0ed51febc6a2a2132c4
Author: Isaac Boukris <iboukris at gmail.com>
Date: Mon Oct 7 23:51:19 2019 +0300
selftest: s3: add a test for spnego downgrade from krb5 to ntlm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 24a43d7c7429fd89938bed410d2a433c61c5f9d7
Author: Andreas Schneider <asn at samba.org>
Date: Thu Oct 10 16:18:21 2019 +0200
s3:libsmb: Do not check the SPNEGO neg token for KRB5
The list is not protected and this could be a downgrade attack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Pair-Programmed-With: Isaac Boukris <iboukris at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f340056428a6bbae2ebe245af3bbd7a44c1c50c9
Author: Isaac Boukris <iboukris at gmail.com>
Date: Thu Oct 3 13:09:29 2019 +0300
spnego: ignore server mech_types list
We should not use the mech list sent by the server in the last
'negotiate' packet in CIFS protocol, as it is not protected and
may be subject to downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit de0841138e6def10a370e6b0630a9ca36a4870c4
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 22 16:31:30 2019 +0200
testprogs: Add test for 'net ads join createcomputer='
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Oct 9 08:26:17 UTC 2019 on sn-devel-184
(cherry picked from commit 459b43e5776180dc1540cd845b72ff78747ecd6f)
commit f65a755bdd16527dd84708fa77199f6162b19584
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 8 14:40:04 2019 +0200
s3:libads: Just change the machine password if account already exists
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 14f320fa1e40ecc3a43dabb0cecd57430270a521)
commit 9d984cebde3516a42173b77664c5d79b96ad3bbc
Author: Andreas Schneider <asn at samba.org>
Date: Wed Aug 14 10:15:19 2019 +0200
s3:libnet: Improve debug messages
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 39b8c8b30a5d5bd70f8da3a02cf77f7592788b94)
commit 1e38443496098a94f405d2a8c346428d0c378bbd
Author: Andreas Schneider <asn at samba.org>
Date: Tue Aug 13 16:34:34 2019 +0200
s3:libads: Fix creating machine account using LDAP
This implements the same behaviour as Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit ce7762935051c862ecdd3e82d93096aac61dd292)
commit ac8c51fbb5611d5bd2c34cb5693a32238ef64cac
Author: Andreas Schneider <asn at samba.org>
Date: Wed Aug 14 12:17:20 2019 +0200
s3:libads: Don't set supported encryption types during account creation
This is already handled by libnet_join_post_processing_ads_modify()
which calls libnet_join_set_etypes() if encryption types should be set.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit b755a6438022579dab1a403c81d60b1ed7efca38)
commit f5216b70c373e3acffc1d75f6efa3e8d273a41fe
Author: Andreas Schneider <asn at samba.org>
Date: Wed Aug 14 13:01:19 2019 +0200
s3:libads: Fix detection if account already exists in ads_find_machine_count()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 4f389c1f78cdc2424795e3b2a1ce43818c400c2d)
commit 60c5d1d3de6c8a44f716349805a8ac0dc935d97d
Author: Andreas Schneider <asn at samba.org>
Date: Wed Aug 21 12:22:32 2019 +0200
s3:libads: Use a talloc_asprintf in ads_find_machine_acct()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 35f3e4aed1f1c2ba1c8dc50921f238937f343357)
commit ddd4a6af621799c4d7e38373733ec1bb1c168a9e
Author: Andreas Schneider <asn at samba.org>
Date: Tue Aug 13 16:30:07 2019 +0200
s3:libads: Cleanup error code paths in ads_create_machine_acct()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 8ed993789f93624b7b60dd5314fe5472e69e903a)
commit 399598138815c38ea992c97a3a65b82fb849c6f4
Author: Andreas Schneider <asn at samba.org>
Date: Tue Aug 13 17:41:40 2019 +0200
s3:libnet: Require sealed LDAP SASL connections for joining
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit b84abb3a46211dc84e52ef95750627e4dd081f2f)
commit 377483859c0c3b9543262471c2487c0ea35c4c82
Author: Andreas Schneider <asn at samba.org>
Date: Tue Aug 13 17:06:58 2019 +0200
s3:libads: Use ldap_add_ext_s() in ads_gen_add()
ldap_add_s() is marked as deprecated.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 456322a61319a10aaedda5244488ea4e5aa5cb64)
commit c68763bff350765ca90382e8d9d6c21911e54e22
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 8 14:35:38 2019 +0200
testprogs: Fix failure count in test_net_ads.sh
There are missing ` at the end of the line.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 320b5be4dce95d8dac4b3c0847faf5b730754a37)
commit eafb3a20b9df8ecc208ba6f37c24873da68077e1
Author: Jeremy Allison <jra at samba.org>
Date: Thu Oct 3 14:02:13 2019 -0700
s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls.
Fix in the same way this was done in SMBC_opendir_ctx() for libsmbclient.
This fix means the admin no longer has to remember to set 'min client protocol ='
when connecting to an SMB2-only server (MacOSX for example) and trying to
list shares.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14152
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ea82bca8cef0d736305a7a40b3198fc55ea66af8)
commit 59c3bd1b15dad8de86748456a8671ff4fd1a06eb
Author: Amitay Isaacs <amitay at gmail.com>
Date: Mon Sep 30 16:34:35 2019 +1000
ctdb-vacuum: Process all records not deleted on a remote node
This currently skips the last record.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14147
RN: Avoid potential data loss during recovery after vacuuming error
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
(cherry picked from commit 33f1c9d9654fbdcb99c23f9d23c4bbe2cc596b98)
commit fc89f8f54ba07a36ca8193f3ec7b51eede9f9728
Author: Isaac Boukris <iboukris at gmail.com>
Date: Tue Oct 15 17:01:48 2019 +0300
s3:libsmb: Link libsmb against pthread
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 7259197bf716f8b81dea74beefe6ee3b1239f172)
commit 0fe766a4f62959c18b1acabfc7de3ece31ccb860
Author: Isaac Boukris <iboukris at gmail.com>
Date: Tue Oct 15 13:52:42 2019 +0300
nsswitch: Link stress-nss-libwbclient against pthread
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit d473f1e38c2822746030516269b4d70032cf9b2e)
commit 308c2c9cd48f6ff9dfae71ee4c2525f68e227aea
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 16:53:12 2019 +0200
waf:replace: Do not link against libpthread if not necessary
On Linux we should avoid linking everything against libpthread. Symbols
used by most applications are provided by glibc and code which deals with
threads has to explicitly link against libpthread. This avoids setting
LDFLAGS=-pthread globally.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 9499db075b72b147e2ff9bb78e9d5edbaac14e69)
commit cade53a155838d85999efeb3da6525674977e2f8
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 17:40:13 2019 +0200
third_party: Link uid_wrapper against pthread
uid_wrapper uses pthread_atfork() which is only provided by libpthread.
So we need an explicit dependency.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit bd0cd8e13234d684da77a65f6fdaea2572625369)
commit e405ed01b02cc10838c4a9828d43fc99eaeb50c9
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 17:39:29 2019 +0200
third_party: Link nss_wrapper against pthread
nss_wrapper uses pthread_atfork() which is only provided by libpthread.
So we need an explicit dependency.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 68d8a02ef57cce29e4ff3ef1b792adfc10d0b916)
commit 171ff620cd0fd29e15585b137ef03d1b7af988ba
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 17:04:57 2019 +0200
third_party: Only link cmocka against librt if really needed
cmocka also uses clock_gettime().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 36e8d715bc8dc1e8466f5a5c9798df76310b7572)
commit 93ab3efe7697669e9a551a5f8aec9bd4b27ff970
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 16:10:35 2019 +0200
pthreadpool: Only link pthreadpool against librt if we have to
This calls clock_gettime() which is available in glibc on Linux. If the
wscript in libreplace detected that librt is needed for clock_gettime()
we have to link against it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 4b28239d13b17e42eb5aa4b405342f46347f3de4)
commit a1309d360b9aef76c4dede9be6a0343874577a4e
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 15:14:24 2019 +0200
replace: Only link against librt if really needed
fdatasync() and clock_gettime() are provided by glibc on Linux, so there
is no need to link against librt. Checks have been added so that
platforms which require it are still functional.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 480152dd6729d4c58faca6f3e4fa91ff4614c272)
commit b0362fd07f87080f29ffee15874e381bc4481fe2
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 23 15:18:55 2019 +0200
s3:waf: Do not check for nanosleep() as we don't use it anywhere
We use usleep() in the meantime.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 952e1812fa9bdc1bac2a7ae5ebb5532f1ea31447)
-----------------------------------------------------------------------
Summary of changes:
auth/gensec/spnego.c | 55 ++++-
ctdb/server/ctdb_vacuum.c | 2 +-
lib/krb5_wrap/krb5_samba.c | 16 +-
lib/pthreadpool/wscript_build | 7 +-
lib/replace/wscript | 34 ++-
libgpo/pygpo.c | 2 +-
nsswitch/wscript_build | 2 +-
python/samba/tests/gensec.py | 34 ++-
selftest/target/Samba3.pm | 9 +
source3/client/client.c | 4 +
source3/lib/netapi/joindomain.c | 5 +-
source3/libads/ads_proto.h | 13 +-
source3/libads/ads_struct.c | 14 +-
source3/libads/krb5_setpw.c | 15 ++
source3/libads/ldap.c | 339 +++++++++++++++++++++++++-----
source3/libnet/libnet_join.c | 31 ++-
source3/libsmb/cliconnect.c | 50 -----
source3/libsmb/namequery_dc.c | 2 +-
source3/libsmb/wscript | 1 +
source3/printing/nt_printing_ads.c | 6 +-
source3/script/tests/test_smbd_no_krb5.sh | 46 ++++
source3/selftest/tests.py | 4 +
source3/utils/net_ads.c | 13 +-
source3/winbindd/winbindd_ads.c | 5 +-
source3/winbindd/winbindd_cm.c | 5 +-
source3/wscript | 1 -
source4/selftest/tests.py | 4 +
testprogs/blackbox/test_net_ads.sh | 36 +++-
third_party/cmocka/wscript | 7 +-
third_party/nss_wrapper/wscript | 2 +-
third_party/uid_wrapper/wscript | 2 +-
31 files changed, 604 insertions(+), 162 deletions(-)
create mode 100755 source3/script/tests/test_smbd_no_krb5.sh
Changeset truncated at 500 lines:
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 0b3fbdce7ac..ddbe03c5d6b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -136,6 +136,7 @@ struct spnego_state {
bool done_mic_check;
bool simulate_w2k;
+ bool no_optimistic;
/*
* The following is used to implement
@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
"spnego", "simulate_w2k", false);
+ spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
+ "spnego",
+ "client_no_optimistic",
+ false);
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
@@ -511,7 +516,11 @@ static NTSTATUS gensec_spnego_client_negTokenInit_start(
}
n->mech_idx = 0;
- n->mech_types = spnego_in->negTokenInit.mechTypes;
+
+ /* Do not use server mech list as it isn't protected. Instead, get all
+ * supported mechs (excluding SPNEGO). */
+ n->mech_types = gensec_security_oids(gensec_security, n,
+ GENSEC_OID_SPNEGO);
if (n->mech_types == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
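Review bot: the unchanged `if (n->mech_types == NULL)` check after the new gensec_security_oids() call still returns NT_STATUS_INVALID_PARAMETER, which described a missing list in the server's token but not a failure to build the local list on the `n` memory context. Consider returning NT_STATUS_NO_MEMORY (or logging which case was hit) there. Since spnego_in->negTokenInit.mechTypes is now ignored at this point, a debug-level message when the server's advertised list differs from the local one would help when diagnosing a suspected downgrade attempt.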
@@ -658,13 +667,30 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish(
DATA_BLOB *out)
{
struct spnego_data spnego_out;
- const char *my_mechs[] = {NULL, NULL};
+ const char * const *mech_types = NULL;
bool ok;
- my_mechs[0] = spnego_state->neg_oid;
+ if (n->mech_types == NULL) {
+ DBG_WARNING("No mech_types list\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ for (mech_types = n->mech_types; *mech_types != NULL; mech_types++) {
+ int cmp = strcmp(*mech_types, spnego_state->neg_oid);
+
+ if (cmp == 0) {
+ break;
+ }
+ }
+
+ if (*mech_types == NULL) {
+ DBG_ERR("Can't find selected sub mechanism in mech_types\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
- spnego_out.negTokenInit.mechTypes = my_mechs;
+ spnego_out.negTokenInit.mechTypes = mech_types;
spnego_out.negTokenInit.reqFlags = data_blob_null;
spnego_out.negTokenInit.reqFlagsPadding = 0;
spnego_out.negTokenInit.mechListMIC = data_blob_null;
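Review bot: in the new search loop, `mech_types` is both the cursor and the value later assigned to spnego_out.negTokenInit.mechTypes, so the token now carries the tail of n->mech_types starting at the selected mechanism instead of the single entry that my_mechs held. If sending the remaining mechanisms is intended, say so in a comment above the loop, because the reuse of the loop variable hides it. The strcmp() also reads spnego_state->neg_oid without a NULL check in the visible lines; an explicit check next to the `n->mech_types == NULL` test would make the precondition clear.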
@@ -676,7 +702,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish(
}
ok = spnego_write_mech_types(spnego_state,
- my_mechs,
+ mech_types,
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("failed to write mechTypes\n");
@@ -1295,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
spnego_state->mic_requested = true;
}
+ if (sub_in.length == 0) {
+ spnego_state->no_optimistic = true;
+ }
+
/*
* Note that 'cur_sec' is temporary memory, but
* cur_sec->oid points to a const string in the
@@ -1923,6 +1953,21 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
* blob and NT_STATUS_OK.
*/
state->sub.status = NT_STATUS_OK;
+ } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
+ spnego_state->no_optimistic) {
+ /*
+ * Skip optimistic token per conf.
+ */
+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
+ state->sub.in.length == 0 && spnego_state->no_optimistic) {
+ /*
+ * If we didn't like the mechanism for which the client sent us
+ * an optimistic token, or if he didn't send any, don't call
+ * the sub mechanism just yet.
+ */
+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->no_optimistic = false;
} else {
/*
* MORE_PROCESSING_REQUIRED =>
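Review bot: the comment on the SPNEGO_SERVER_START branch mentions the case where "we didn't like the mechanism for which the client sent us an optimistic token", but the condition requires `state->sub.in.length == 0` together with no_optimistic, and the visible code sets that flag only when sub_in.length is 0. Either point to where the rejected-mechanism case clears the input blob and sets the flag, or reword the comment to match the condition. The client branch also leaves no_optimistic set and relies on state_position moving past SPNEGO_CLIENT_START, which deserves a word in its comment, and "per conf" could name the option, spnego:client_no_optimistic.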
diff --git a/ctdb/server/ctdb_vacuum.c b/ctdb/server/ctdb_vacuum.c
index 9d086917f3c..04a4cf08977 100644
--- a/ctdb/server/ctdb_vacuum.c
+++ b/ctdb/server/ctdb_vacuum.c
@@ -814,7 +814,7 @@ static void ctdb_process_delete_list(struct ctdb_db_context *ctdb_db,
*/
records = (struct ctdb_marshall_buffer *)outdata.dptr;
rec = (struct ctdb_rec_data_old *)&records->data[0];
- while (records->count-- > 1) {
+ while (records->count-- > 0) {
TDB_DATA reckey, recdata;
struct ctdb_ltdb_header *rechdr;
struct delete_record_data *dd;
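Review bot: `while (records->count-- > 0)` fixes the skipped last record, but the loop still uses records->count itself as the counter, so once the loop exits the field has been decremented past zero and no longer describes the buffer. Iterating with a local index up to records->count would keep the marshall buffer intact for any later reader and make the bound obvious. The commit message says this could lose data during recovery, so a test that covers a delete list with exactly one record would be a useful addition.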
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index abdcb308728..6ce1d09952e 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2002,21 +2002,21 @@ krb5_error_code smb_krb5_kinit_keyblock_ccache(krb5_context ctx,
krb_options);
#elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB)
{
-#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX"
- char tmp_name[sizeof(SMB_CREDS_KEYTAB)];
+#define SMB_CREDS_KEYTAB "MEMORY:tmp_kinit_keyblock_ccache"
+ char tmp_name[64] = {0};
krb5_keytab_entry entry;
krb5_keytab keytab;
- mode_t mask;
+ int rc;
memset(&entry, 0, sizeof(entry));
entry.principal = principal;
*(KRB5_KT_KEY(&entry)) = *keyblock;
- memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB));
- mask = umask(S_IRWXO | S_IRWXG);
- mktemp(tmp_name);
- umask(mask);
- if (tmp_name[0] == 0) {
+ rc = snprintf(tmp_name, sizeof(tmp_name),
+ "%s-%p",
+ SMB_CREDS_KEYTAB,
+ &my_creds);
+ if (rc < 0) {
return KRB5_KT_BADNAME;
}
code = krb5_kt_resolve(ctx, tmp_name, &keytab);
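Review bot: the `if (rc < 0)` check after snprintf() only catches an output error; truncation is reported as a return value greater than or equal to the buffer size, so the test should be `rc < 0 || (size_t)rc >= sizeof(tmp_name)`. The 64-byte buffer looks large enough for the prefix plus a "%p" value, but the check costs nothing and protects against a longer SMB_CREDS_KEYTAB later. A short comment that the name is made unique per caller by the address of my_creds, and that MEMORY keytabs never touch the filesystem (which is why the umask()/mktemp() pair could go), would explain the change to the next reader.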
diff --git a/lib/pthreadpool/wscript_build b/lib/pthreadpool/wscript_build
index 57df25548b1..70aa7cbf041 100644
--- a/lib/pthreadpool/wscript_build
+++ b/lib/pthreadpool/wscript_build
@@ -1,12 +1,17 @@
#!/usr/bin/env python
if bld.env.WITH_PTHREADPOOL:
+ extra_libs=''
+
+ # Link to librt if needed for clock_gettime()
+ if bld.CONFIG_SET('HAVE_LIBRT'): extra_libs += ' rt'
+
bld.SAMBA_SUBSYSTEM('PTHREADPOOL',
source='''pthreadpool.c
pthreadpool_pipe.c
pthreadpool_tevent.c
''',
- deps='pthread rt replace tevent-util')
+ deps='pthread replace tevent-util' + extra_libs)
else:
bld.SAMBA_SUBSYSTEM('PTHREADPOOL',
source='''pthreadpool_sync.c
diff --git a/lib/replace/wscript b/lib/replace/wscript
index a7fd25d15bc..b5919835c0b 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -457,11 +457,28 @@ def configure(conf):
conf.CHECK_C_PROTOTYPE('dlopen', 'void *dlopen(const char* filename, unsigned int flags)',
define='DLOPEN_TAKES_UNSIGNED_FLAGS', headers='dlfcn.h dl.h')
- if conf.CHECK_FUNCS_IN('fdatasync', 'rt', checklibc=True):
+ #
+ # Check for clock_gettime and fdatasync
+ #
+ # First check libc to avoid linking libreplace against librt.
+ #
+ if conf.CHECK_FUNCS('fdatasync'):
# some systems are missing the declaration
conf.CHECK_DECLS('fdatasync')
+ else:
+ if conf.CHECK_FUNCS_IN('fdatasync', 'rt'):
+ # some systems are missing the declaration
+ conf.CHECK_DECLS('fdatasync')
+
+ has_clock_gettime = False
+ if conf.CHECK_FUNCS('clock_gettime'):
+ has_clock_gettime = True
- if conf.CHECK_FUNCS_IN('clock_gettime', 'rt', checklibc=True):
+ if not has_clock_gettime:
+ if conf.CHECK_FUNCS_IN('clock_gettime', 'rt', checklibc=True):
+ has_clock_gettime = True
+
+ if has_clock_gettime:
for c in ['CLOCK_MONOTONIC', 'CLOCK_PROCESS_CPUTIME_ID', 'CLOCK_REALTIME']:
conf.CHECK_CODE('''
#if TIME_WITH_SYS_TIME
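Review bot: the two fallbacks are written differently. The fdatasync fallback calls `conf.CHECK_FUNCS_IN('fdatasync', 'rt')` without checklibc, while the clock_gettime fallback keeps `checklibc=True` even though libc was already probed by the CHECK_FUNCS() call just above it. Drop checklibc=True from the clock_gettime fallback so both follow the same "libc first, then librt" pattern. The duplicated CHECK_DECLS('fdatasync') in both branches could also be done once after the if/else.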
@@ -534,6 +551,11 @@ def configure(conf):
PTHREAD_CFLAGS='error'
PTHREAD_LDFLAGS='error'
+ if PTHREAD_LDFLAGS == 'error':
+ # Check if pthread_attr_init() is provided by libc first!
+ if conf.CHECK_FUNCS('pthread_attr_init'):
+ PTHREAD_CFLAGS='-D_REENTRANT'
+ PTHREAD_LDFLAGS=''
if PTHREAD_LDFLAGS == 'error':
if conf.CHECK_FUNCS_IN('pthread_attr_init', 'pthread'):
PTHREAD_CFLAGS='-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS'
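Review bot: the new libc-first branch sets PTHREAD_LDFLAGS='' as soon as pthread_attr_init is found in libc, but that symbol being present does not mean every pthread function a target uses is there; the commit messages in this series note that pthread_atfork() is only provided by libpthread. Add a comment here stating that targets using threads must now list pthread in their deps explicitly. This branch also sets only -D_REENTRANT while the libpthread branch below adds -D_POSIX_PTHREAD_SEMANTICS; if the difference is deliberate, note why.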
@@ -546,10 +568,7 @@ def configure(conf):
if conf.CHECK_FUNCS_IN('pthread_attr_init', 'c_r'):
PTHREAD_CFLAGS='-D_THREAD_SAFE -pthread'
PTHREAD_LDFLAGS='-pthread'
- if PTHREAD_LDFLAGS == 'error':
- if conf.CHECK_FUNCS('pthread_attr_init'):
- PTHREAD_CFLAGS='-D_REENTRANT'
- PTHREAD_LDFLAGS='-lpthread'
+
# especially for HP-UX, where the CHECK_FUNC macro fails to test for
# pthread_attr_init. On pthread_mutex_lock it works there...
if PTHREAD_LDFLAGS == 'error':
@@ -815,6 +834,7 @@ def build(bld):
extra_libs = ''
if bld.CONFIG_SET('HAVE_LIBBSD'): extra_libs += ' bsd'
+ if bld.CONFIG_SET('HAVE_LIBRT'): extra_libs += ' rt'
bld.SAMBA_SUBSYSTEM('LIBREPLACE_HOSTCC',
REPLACE_HOSTCC_SOURCE,
@@ -855,7 +875,7 @@ def build(bld):
# at the moment:
# hide_symbols=bld.BUILTIN_LIBRARY('replace'),
private_library=True,
- deps='crypt dl nsl socket rt attr' + extra_libs)
+ deps='crypt dl nsl socket attr' + extra_libs)
replace_test_cflags = ''
if bld.CONFIG_SET('HAVE_WNO_FORMAT_TRUNCATION'):
diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
index cd107318860..4db8cad7ca4 100644
--- a/libgpo/pygpo.c
+++ b/libgpo/pygpo.c
@@ -212,7 +212,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds)
return -1;
}
- self->ads_ptr = ads_init(realm, workgroup, ldap_server);
+ self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN);
if (self->ads_ptr == NULL) {
return -1;
}
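Review bot: the new fourth argument to ads_init() is hard-coded to ADS_SASL_PLAIN with no comment explaining the choice. The same series contains "s3:libnet: Require sealed LDAP SASL connections for joining", so a reader will want to know why the Python GPO binding does not ask for a protected connection as well, or whether a later step upgrades it. Add a one-line comment, or expose the wrapping as an optional keyword argument of py_ads_init().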
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 6acc4a19b9b..861ed2f23bf 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -20,7 +20,7 @@ bld.SAMBA_BINARY('nsstest',
if bld.CONFIG_SET('HAVE_PTHREAD'):
bld.SAMBA_BINARY('stress-nss-libwbclient',
source='stress-nss-libwbclient.c',
- deps='wbclient',
+ deps='wbclient pthread',
install=False
)
diff --git a/python/samba/tests/gensec.py b/python/samba/tests/gensec.py
index b5ce51de756..47bb6c82a01 100644
--- a/python/samba/tests/gensec.py
+++ b/python/samba/tests/gensec.py
@@ -47,11 +47,17 @@ class GensecTests(samba.tests.TestCase):
def test_info_uninitialized(self):
self.assertRaises(RuntimeError, self.gensec.session_info)
- def _test_update(self, mech, client_mech=None):
+ def _test_update(self, mech, client_mech=None, client_only_opt=None):
"""Test GENSEC by doing an exchange with ourselves using GSSAPI against a KDC"""
"""Start up a client and server GENSEC instance to test things with"""
+ if client_only_opt:
+ orig_client_opt = self.lp_ctx.get(client_only_opt)
+ if not orig_client_opt:
+ orig_client_opt = ''
+ self.lp_ctx.set(client_only_opt, "yes")
+
self.gensec_client = gensec.Security.start_client(self.settings)
self.gensec_client.set_credentials(self.get_credentials())
self.gensec_client.want_feature(gensec.FEATURE_SEAL)
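Review bot: in the new client_only_opt block, `if not orig_client_opt: orig_client_opt = ''` means the later restore writes an empty string into the option instead of returning it to an unset state, which may not be the same thing for the loadparm context. Either document that an empty value is equivalent to unset for these options or restore only when a previous value existed. The method also carries two consecutive string literals as docstrings, of which only the first is the real docstring; while the signature is being changed, merge them and describe client_only_opt there.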
@@ -60,6 +66,9 @@ class GensecTests(samba.tests.TestCase):
else:
self.gensec_client.start_mech_by_sasl_name(mech)
+ if client_only_opt:
+ self.lp_ctx.set(client_only_opt, "no")
+
self.gensec_server = gensec.Security.start_server(settings=self.settings,
auth_context=auth.AuthContext(lp_ctx=self.lp_ctx))
creds = Credentials()
@@ -78,15 +87,28 @@ class GensecTests(samba.tests.TestCase):
"""Run the actual call loop"""
while True:
if not client_finished:
+ if client_only_opt:
+ self.lp_ctx.set(client_only_opt, "yes")
print("running client gensec_update")
- (client_finished, client_to_server) = self.gensec_client.update(server_to_client)
+ try:
+ (client_finished, client_to_server) = self.gensec_client.update(server_to_client)
+ except samba.NTSTATUSError as nt:
+ raise AssertionError(nt)
+ if client_only_opt:
+ self.lp_ctx.set(client_only_opt, "no")
if not server_finished:
print("running server gensec_update")
- (server_finished, server_to_client) = self.gensec_server.update(client_to_server)
+ try:
+ (server_finished, server_to_client) = self.gensec_server.update(client_to_server)
+ except samba.NTSTATUSError as nt:
+ raise AssertionError(nt)
if client_finished and server_finished:
break
+ if client_only_opt:
+ self.lp_ctx.set(client_only_opt, orig_client_opt)
+
self.assertTrue(server_finished)
self.assertTrue(client_finished)
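Review bot: the restore `self.lp_ctx.set(client_only_opt, orig_client_opt)` after the loop is skipped whenever one of the new `raise AssertionError(nt)` paths fires, which leaves the shared `lp_ctx` holding the test value ("yes" or "no") for whatever runs next on it. Wrapping the loop in try/finally, or registering the restore with `self.addCleanup()` at the point where the original value is saved, makes a failing run leave the option as it was found. Separately, `raise AssertionError(nt)` drops the original traceback; `self.fail(str(nt))` or `raise AssertionError(nt) from nt` reports the same failure with more context.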
@@ -115,6 +137,12 @@ class GensecTests(samba.tests.TestCase):
def test_update_spnego(self):
self._test_update("GSS-SPNEGO")
+ def test_update_spnego_downgrade(self):
+ self._test_update("GSS-SPNEGO", "spnego", "gensec:gssapi_krb5")
+
+ def test_update_no_optimistic_spnego(self):
+ self._test_update("GSS-SPNEGO", "spnego", "spnego:client_no_optimistic")
+
def test_update_w2k_spnego_client(self):
self.lp_ctx.set("spnego:simulate_w2k", "yes")
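Review bot: `test_update_spnego_downgrade` and `test_update_no_optimistic_spnego` rely on the helper's assertions, and the ones shown in this patch only check that both sides finished, so nothing visible confirms that a downgrade actually happened or that the optimistic token was actually omitted. If the helper cannot expose the negotiated mechanism, a docstring on each test stating what a pass is meant to prove would at least record the intent. Passing the option as `client_only_opt="gensec:gssapi_krb5"` instead of as a third positional argument would also make the calls easier to read.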
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 70f535e1a49..75960dbc790 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1679,6 +1679,7 @@ sub provision($$$$$$$$$)
my $dfqconffile="$libdir/dfq.conf";
my $errorinjectconf="$libdir/error_inject.conf";
my $delayinjectconf="$libdir/delay_inject.conf";
+ my $globalinjectconf="$libdir/global_inject.conf";
my $nss_wrapper_pl = "$ENV{PERL} $self->{srcdir}/third_party/nss_wrapper/nss_wrapper.pl";
my $nss_wrapper_passwd = "$privatedir/passwd";
@@ -1860,6 +1861,8 @@ sub provision($$$$$$$$$)
#it just means we ALLOW one to be configured.
allow insecure wide links = yes
+ include = $globalinjectconf
+
# Begin extra options
$extra_options
# End extra options
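Review bot: `include = $globalinjectconf` is emitted before the `# Begin extra options` block, so any global parameter that also appears in `$extra_options` is parsed later and takes precedence over what a test writes into the injected file. If that ordering is intended, a comment above the include should say so; if tests are expected to override per-environment options through this file, the include belongs after `# End extra options`.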
@@ -2358,6 +2361,12 @@ sub provision($$$$$$$$$)
}
close(DFQCONF);
+ unless (open(DELAYCONF, ">$globalinjectconf")) {
+ warn("Unable to open $globalinjectconf");
+ return undef;
+ }
+ close(DELAYCONF);
+
##
## create a test account
##
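Review bot: the new block opens `$globalinjectconf` through a filehandle named `DELAYCONF`, which reads like a copy of the delay_inject block and will mislead anyone grepping for where each file is written. Renaming it (for example `GLOBALCONF`) or using a lexical handle with three-argument open, `open(my $fh, '>', $globalinjectconf)`, removes the ambiguity. The warning could also include `$!` so a provisioning failure shows the cause.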
diff --git a/source3/client/client.c b/source3/client/client.c
index 3a31463cdbb..701cd4e7d96 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -4916,6 +4916,10 @@ static bool browse_host(bool sort)
return false;
}
+ if (smbXcli_conn_protocol(cli->conn) > PROTOCOL_NT1) {
+ return false;
+ }
+
ret = cli_RNetShareEnum(cli, browse_fn, NULL);
if (ret == -1) {
NTSTATUS status = cli_nt_error(cli);
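Review bot: the new `smbXcli_conn_protocol(cli->conn) > PROTOCOL_NT1` check in `browse_host()` returns false with no message and no comment, so the caller cannot distinguish "skipped because the connection is not SMB1" from a real enumeration failure. A short comment that `cli_RNetShareEnum()` is an SMB1-only call, plus a debug-level message on this path, would make the behaviour explicit and easier to diagnose from client logs.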
diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
index ff2154ba803..8d0752f4531 100644
--- a/source3/lib/netapi/joindomain.c
+++ b/source3/lib/netapi/joindomain.c
@@ -411,7 +411,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx,
dc = strip_hostname(info->dc_unc);
- ads = ads_init(info->domain_name, info->domain_name, dc);
+ ads = ads_init(info->domain_name,
+ info->domain_name,
+ dc,
+ ADS_SASL_PLAIN);
if (!ads) {
return WERR_GEN_FAILURE;
}
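Review bot: `NetGetJoinableOUs_l()` passes `ADS_SASL_PLAIN` to the new `ads_init()` argument, so this LDAP connection receives no additional sign or seal requirement from the caller, while the same series is about requiring sealed connections for joining. If OU enumeration is deliberately left at the configured default, a comment at the call site should say so; otherwise `ADS_SASL_SIGN` or `ADS_SASL_SEAL` would be the safer choice for a query whose result feeds a join.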
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 154bf67f964..495ef5d3325 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -32,6 +32,12 @@
#ifndef _LIBADS_ADS_PROTO_H_
#define _LIBADS_ADS_PROTO_H_
+enum ads_sasl_state_e {
+ ADS_SASL_PLAIN = 0,
+ ADS_SASL_SIGN,
+ ADS_SASL_SEAL,
+};
+
/* The following definitions come from libads/ads_struct.c */
char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse);
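Review bot: `enum ads_sasl_state_e` is added without a comment, and the name `ADS_SASL_PLAIN` suggests it forces an unprotected connection, whereas the `ads_init()` change in this patch only ORs flags on top of the existing `wrap_flags`. A brief comment on the enum stating that the values are minimum requirements added to the configured wrapping, and that `ADS_SASL_PLAIN` means "no extra requirement", would prevent callers from misreading it.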
@@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm);
char *ads_build_domain(const char *dn);
ADS_STRUCT *ads_init(const char *realm,
const char *workgroup,
- const char *ldap_server);
+ const char *ldap_server,
+ enum ads_sasl_state_e sasl_state);
bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
void ads_destroy(ADS_STRUCT **ads);
@@ -107,8 +114,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, const char *machine_
const char **spns);
ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
const char *machine_name,
+ const char *machine_password,
const char *org_unit,
- uint32_t etype_list);
+ uint32_t etype_list,
+ const char *dns_domain_name);
ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
const char *org_unit, bool *moved);
int ads_count_replies(ADS_STRUCT *ads, void *res);
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 3ab682c0e38..043a1b21247 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn)
*/
ADS_STRUCT *ads_init(const char *realm,
const char *workgroup,
- const char *ldap_server)
+ const char *ldap_server,
+ enum ads_sasl_state_e sasl_state)
{
ADS_STRUCT *ads;
int wrap_flags;
@@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm,
wrap_flags = 0;
}
+ switch (sasl_state) {
+ case ADS_SASL_PLAIN:
+ break;
+ case ADS_SASL_SIGN:
+ wrap_flags |= ADS_AUTH_SASL_SIGN;
+ break;
+ case ADS_SASL_SEAL:
+ wrap_flags |= ADS_AUTH_SASL_SEAL;
+ break;
+ }
+
ads->auth.flags = wrap_flags;
/* Start with the configured page size when the connection is new,
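Review bot: the new `switch (sasl_state)` in `ads_init()` has no `default:` case, so a value outside the three enumerators falls through silently and behaves like `ADS_SASL_PLAIN`, which is the least protected outcome. Either add a default that fails the initialization or state in a comment that the missing default is deliberate so the compiler's switch-coverage warning flags any new enumerator. It is also worth noting in a comment whether `ADS_AUTH_SASL_SEAL` alone is sufficient or whether the sign flag is expected alongside it, since the `ADS_SASL_SEAL` case sets only the one bit.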
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 67bc2f4640d..028b0dcfa65 100644
--- a/source3/libads/krb5_setpw.c
--
Samba Shared Repository