[SCM] Samba Shared Repository - branch master updated

Ralph Böhme slow at samba.org
Thu Oct 8 16:30:03 UTC 2020


The branch, master has been updated
       via  f696d29fcca s3: smbd: Fix SMB1 reply_mv() to handle wildcards.
       via  f75e633fde8 s3: smbd: Add a 'const char *src_orginal_lcomp' (last component) parameter to rename_internals().
       via  90bce2c0920 s3: smbd: Fix SMB1 reply_unlink() to handle wildcards.
       via  4ba1428334c s3: smbd: Pure reformatting of unlink_internals() to make it obvious when I add a parameter.
       via  e4fd7bc7064 s3: smbd: SMB1 reply_copy. Check untouched last component for wildcards in src and dst.
       via  43d30ddb1bd s3: selftest: Add new SMB1-only wildcard rename regression test.
       via  f3281e0befb s3: selftest: Add new SMB1-only wildcard unlink regression test.
       via  728dd396f81 nsswitch: Add an async DNS kerberos locator plugin.
      from  c587685dde2 docs: fix default value of spoolss:architecture

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f696d29fcca81ccd6a8ad3296a6ffc1780e560b4
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Oct 5 12:16:32 2020 -0700

    s3: smbd: Fix SMB1 reply_mv() to handle wildcards.
    
    Pass in the original source last component to rename_internals()
    from reply_mv().
    
    Change the wildcard detection in rename_internals() to
    look at the correct thing for the source path.
    
    This is now correctly set only from the unmangled last component
    of the source path sent to reply_mv().
    
    We now pass:
    
    Samba3.smbtorture_s3.crypt_client.SMB1-WILD-MANGLE-RENAME(nt4_dc_smb1)
    samba3.smbtorture_s3.plain.SMB1-WILD-MANGLE-RENAME(fileserver_smb1)
    
    so remove the knownfail.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Thu Oct  8 16:29:27 UTC 2020 on sn-devel-184

commit f75e633fde8dcc8662f1949b0f81d605d7d44ef6
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Oct 5 12:07:18 2020 -0700

    s3: smbd: Add a 'const char *src_orginal_lcomp' (last component) parameter to rename_internals().
    
    Not yet used. Passing as NULL means explicitly no wildcards
    in the source name. There's only one place where we have to handle
    wildcards here and that is from SMB1 reply_mv().
    
    Could have used a bool here as in unlink_internals() but
    using a string here makes the parameters more symmetrical
    around src and destination values.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 90bce2c0920d0f2dc2e3aebef0f563eda99fdaac
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Oct 5 11:40:41 2020 -0700

    s3: smbd: Fix SMB1 reply_unlink() to handle wildcards.
    
    Add a 'bool have_wcard' to unlink_internals().
    Move the wildcard detection out of unlink_internals() as it
    was looking at the wrong thing.
    
    This is now correctly set only from the unmangled last component
    of the path sent to reply_unlink().
    
    We now pass:
    
    Samba3.smbtorture_s3.crypt_client.SMB1-WILD-MANGLE-UNLINK(nt4_dc_smb1)
    samba3.smbtorture_s3.plain.SMB1-WILD-MANGLE-UNLINK(fileserver_smb1)
    
    so remove the knownfail.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 4ba1428334cfaa33c72c68947ed1afb1b985cb9e
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Oct 5 11:31:16 2020 -0700

    s3: smbd: Pure reformatting of unlink_internals() to make it obvious when I add a parameter.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit e4fd7bc70641d94fa7fc1178b06a717b4ea75d14
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Oct 5 11:27:30 2020 -0700

    s3: smbd: SMB1 reply_copy. Check untouched last component for wildcards in src and dst.
    
    Not doing a test for this as wildcard SMB1copy() is evil and
    should be removed. It's the same fix I'm doing for unlink
    and rename, so this shouldn't be an issue.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 43d30ddb1bd8b3638f48758a3d2a8eebcbef77fd
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Oct 5 10:52:46 2020 -0700

    s3: selftest: Add new SMB1-only wildcard rename regression test.
    
    samba3.smbtorture_s3.crypt_client.SMB1-WILD-MANGLE-RENAME(nt4_dc_smb1)
    samba3.smbtorture_s3.plain.SMB1-WILD-MANGLE-RENAME(fileserver_smb1)
    
    knownfail for now.
    
    The recent wildcard changes broke something that used to work.
    
    Consider a directory with 2 files:
    
    dir/
    	foo
    	fo*
    
    The 'fo*' file has a mangled name of FSHCRD~2.
    
    SMB1rename("dir/FSHCRD~2", "dir/ba*") will rename *both* files
    as the new 'rename has wildcard' check is done after
    the name unmangle.
    
    SMB2 doesn't allow wildcard renames so doesn't have this problem.
    
    Fix to follow.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit f3281e0befb43224010f2940230a5a2b54fea4c4
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Oct 5 10:29:16 2020 -0700

    s3: selftest: Add new SMB1-only wildcard unlink regression test.
    
    samba3.smbtorture_s3.crypt_client.SMB1-WILD-MANGLE-UNLINK(nt4_dc_smb1)
    samba3.smbtorture_s3.plain.SMB1-WILD-MANGLE-UNLINK(fileserver_smb1)
    
    knownfail for now.
    
    The recent wildcard changes broke something that used to work.
    
    Consider a directory with 2 files:
    
    dir/
             a
             *
    
    The '*' file has a mangled name of _2X68P~X.
    
    SMB1unlink("_2X68P~X") will delete *both* files
    as the new 'unlink has wildcard' check is done after
    the name unmangle.
    
    SMB2 doesn't suffer from this problem, as it doesn't
    allow wildcard unlinks.
    
    Fix to follow.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 728dd396f81a4a9e48c4828586574c3743db0d5c
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Sep 25 13:42:46 2020 -0700

    nsswitch: Add an async DNS kerberos locator plugin.
    
    Used in production on a large customer site.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 nsswitch/krb5_plugin/async_dns_krb5_locator.c | 445 ++++++++++++++++++++++++++
 nsswitch/wscript_build                        |  17 +
 selftest/skip                                 |   2 +
 source3/printing/nt_printing.c                |   2 +-
 source3/selftest/tests.py                     |   4 +-
 source3/smbd/nttrans.c                        |   1 +
 source3/smbd/proto.h                          |   8 +-
 source3/smbd/reply.c                          |  76 +++--
 source3/smbd/trans2.c                         |   4 +-
 source3/torture/torture.c                     | 359 +++++++++++++++++++++
 10 files changed, 895 insertions(+), 23 deletions(-)
 create mode 100644 nsswitch/krb5_plugin/async_dns_krb5_locator.c


Changeset truncated at 500 lines:

diff --git a/nsswitch/krb5_plugin/async_dns_krb5_locator.c b/nsswitch/krb5_plugin/async_dns_krb5_locator.c
new file mode 100644
index 00000000000..959d730a954
--- /dev/null
+++ b/nsswitch/krb5_plugin/async_dns_krb5_locator.c
@@ -0,0 +1,445 @@
+/*
+   Unix SMB/CIFS implementation.
+   Async DNS kerberos locator plugin
+   Copyright (C) Guenther Deschner 2007-2008
+   Copyright (C) Jeremy Allison 2020.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "../../source3/include/includes.h"
+#include "../../source3/libsmb/namequery.h"
+
+#ifndef DEBUG_KRB5
+#undef DEBUG_KRB5
+#endif
+
+/* Uncomment to debug. */
+/* #define DEBUG_KRB5 1 */
+
+#if defined(HAVE_KRB5) && defined(HAVE_KRB5_LOCATE_PLUGIN_H)
+
+#ifdef HAVE_COM_ERR_H
+#include <com_err.h>
+#endif
+
+#include <krb5.h>
+#include <krb5/locate_plugin.h>
+
+#ifndef KRB5_PLUGIN_NO_HANDLE
+#define KRB5_PLUGIN_NO_HANDLE KRB5_KDC_UNREACH /* Heimdal */
+#endif
+
+struct singleton_realm_kdc_list_cache {
+	char *realm;
+	struct samba_sockaddr *kdc_list;
+	size_t num_kdcs;
+};
+
+static struct singleton_realm_kdc_list_cache *scache;
+
+static const char *get_service_from_locate_service_type(enum locate_service_type svc)
+{
+	switch (svc) {
+		case locate_service_kdc:
+		case locate_service_master_kdc:
+			return "88";
+		case locate_service_kadmin:
+		case locate_service_krb524:
+			/* not supported */
+			return NULL;
+		case locate_service_kpasswd:
+			return "464";
+		default:
+			break;
+	}
+	return NULL;
+
+}
+
+#ifdef DEBUG_KRB5
+static const char *locate_service_type_name(enum locate_service_type svc)
+{
+	switch (svc) {
+		case locate_service_kdc:
+			return "locate_service_kdc";
+		case locate_service_master_kdc:
+			return "locate_service_master_kdc";
+		case locate_service_kadmin:
+			return "locate_service_kadmin";
+		case locate_service_krb524:
+			return "locate_service_krb524";
+		case locate_service_kpasswd:
+			return "locate_service_kpasswd";
+		default:
+			break;
+	}
+	return NULL;
+}
+
+static const char *socktype_name(int socktype)
+{
+	switch (socktype) {
+		case SOCK_STREAM:
+			return "SOCK_STREAM";
+		case SOCK_DGRAM:
+			return "SOCK_DGRAM";
+		default:
+			break;
+	}
+	return "unknown";
+}
+
+static const char *family_name(int family)
+{
+	switch (family) {
+		case AF_UNSPEC:
+			return "AF_UNSPEC";
+		case AF_INET:
+			return "AF_INET";
+#if defined(HAVE_IPV6)
+		case AF_INET6:
+			return "AF_INET6";
+#endif
+		default:
+			break;
+	}
+	return "unknown";
+}
+#endif
+
+/**
+ * Check input parameters, return KRB5_PLUGIN_NO_HANDLE for unsupported ones
+ *
+ * @param svc
+ * @param realm string
+ * @param socktype integer
+ * @param family integer
+ *
+ * @return integer.
+ */
+
+static int smb_krb5_adns_locator_lookup_sanity_check(
+				enum locate_service_type svc,
+				const char *realm,
+				int socktype,
+				int family)
+{
+	if (!realm || strlen(realm) == 0) {
+		return EINVAL;
+	}
+
+	switch (svc) {
+		case locate_service_kdc:
+		case locate_service_master_kdc:
+			break;
+		case locate_service_kadmin:
+		case locate_service_krb524:
+		case locate_service_kpasswd:
+			return KRB5_PLUGIN_NO_HANDLE;
+		default:
+			return EINVAL;
+	}
+
+	switch (family) {
+		case AF_UNSPEC:
+		case AF_INET:
+#if defined(HAVE_IPV6)
+		case AF_INET6:
+#endif
+			break;
+		default:
+			return EINVAL;
+	}
+
+	switch (socktype) {
+		case SOCK_STREAM:
+		case SOCK_DGRAM:
+		case 0: /* Heimdal uses that */
+			break;
+		default:
+			return EINVAL;
+	}
+
+	return 0;
+}
+
+/**
+ * Call back into the MIT libraries with each address
+ * we found. Assume AD-DC's always support both UDP and
+ * TCP port 88 for KDC service.
+ */
+
+static krb5_error_code smb_krb5_adns_locator_call_cbfunc(
+				struct samba_sockaddr *kdcs,
+				size_t num_kdcs,
+				const char *service,
+				int socktype,
+				int (*cbfunc)(void *, int, struct sockaddr *),
+				void *cbdata)
+{
+	int ret = 0;
+	size_t i;
+
+	for (i = 0; i < num_kdcs; i++) {
+		struct sockaddr *sa = NULL;
+
+		if (kdcs[i].u.ss.ss_family == AF_INET) {
+			struct sockaddr_in *sin = &kdcs[i].u.in;
+			sin->sin_family = AF_INET;
+			sin->sin_port = htons(88);
+			sa = &kdcs[i].u.sa;
+		}
+#if defined(HAVE_IPV6)
+		if (kdcs[i].u.ss.ss_family == AF_INET6) {
+			struct sockaddr_in6 *sin6 = &kdcs[i].u.in6;
+			sin6->sin6_family = AF_INET6;
+			sin6->sin6_port = htons(88);
+			sa = &kdcs[i].u.sa;
+		}
+#else
+		else {
+			return KRB5_PLUGIN_NO_HANDLE;
+		}
+#endif
+
+#ifdef DEBUG_KRB5
+		{
+			char addr[INET6_ADDRSTRLEN];
+			fprintf(stderr, "[%5u]: "
+				"smb_krb5_adns_locator_call_cbfunc: "
+				"IP[%zu] %s\n",
+				(unsigned int)getpid(),
+				i,
+				print_sockaddr(addr,
+					sizeof(addr),
+					&kdcs[i].u.ss));
+		}
+#endif
+
+		/* Assume all AD-DC's do both UDP and TCP on port 88. */
+		ret = cbfunc(cbdata, socktype, sa);
+		if (ret) {
+#ifdef DEBUG_KRB5
+			fprintf(stderr, "[%5u]: "
+				"smb_krb5_adns_locator_call_cbfunc: "
+				"failed to call callback: %s (%d)\n",
+				(unsigned int)getpid(),
+				error_message(ret),
+				ret);
+#endif
+			break;
+		}
+	}
+	return ret;
+}
+
+/**
+ * PUBLIC INTERFACE: locate init
+ *
+ * @param context krb5_context
+ * @param privata_data pointer to private data pointer
+ *
+ * @return krb5_error_code.
+ */
+
+static krb5_error_code smb_krb5_adns_locator_init(krb5_context context,
+					     void **private_data)
+{
+	static bool loaded_config;
+	if (!loaded_config) {
+		lp_load_global(get_dyn_CONFIGFILE());
+		loaded_config = true;
+	}
+#ifdef DEBUG_KRB5
+	fprintf(stderr,"[%5u]: smb_krb5_adns_locator_init\n",
+			(unsigned int)getpid());
+#endif
+	return 0;
+}
+
+/**
+ * PUBLIC INTERFACE: close locate
+ *
+ * @param private_data pointer to private data
+ *
+ * @return void.
+ */
+
+static void smb_krb5_adns_locator_close(void *private_data)
+{
+#ifdef DEBUG_KRB5
+	fprintf(stderr,"[%5u]: smb_krb5_adns_locator_close\n",
+			(unsigned int)getpid());
+#endif
+	return;
+}
+
+/**
+ * PUBLIC INTERFACE: locate lookup
+ *
+ * @param private_data pointer to private data
+ * @param svc enum locate_service_type.
+ * @param realm string
+ * @param socktype integer
+ * @param family integer
+ * @param cbfunc callback function to send back entries
+ * @param cbdata void pointer to cbdata
+ *
+ * @return krb5_error_code.
+ */
+
+static krb5_error_code smb_krb5_adns_locator_lookup(void *private_data,
+			enum locate_service_type svc,
+			const char *realm,
+			int socktype,
+			int family,
+			int (*cbfunc)(void *, int, struct sockaddr *),
+			void *cbdata)
+{
+	krb5_error_code ret;
+	const char *service = get_service_from_locate_service_type(svc);
+
+#ifdef DEBUG_KRB5
+	fprintf(stderr,"[%5u]: smb_krb5_adns_locator_lookup: called for '%s' "
+			"svc: '%s' (%d) "
+			"socktype: '%s' (%d), family: '%s' (%d)\n",
+			(unsigned int)getpid(),
+			realm,
+			locate_service_type_name(svc),
+			svc,
+			socktype_name(socktype),
+			socktype,
+		        family_name(family),
+			family);
+#endif
+	ret = smb_krb5_adns_locator_lookup_sanity_check(svc,
+						realm,
+						socktype,
+						family);
+	if (ret) {
+#ifdef DEBUG_KRB5
+		fprintf(stderr, "[%5u]: smb_krb5_adns_locator_lookup: "
+			"returning ret: %s (%d)\n",
+			(unsigned int)getpid(),
+			error_message(ret),
+			ret);
+#endif
+		return ret;
+	}
+
+	/*
+	 * If is a subsequent lookup for the same realm
+	 * and we have a cache for this already, don't re-do
+	 * the DNS SRV -> A/AAAA lookups.
+	 *
+	 * kinit does this a lot, it looks for UDP then TCP.
+	 */
+
+	if ((scache == NULL) || strcmp(realm, scache->realm) != 0) {
+		/* Cache is NULL or a different realm lookup. */
+		NTSTATUS status;
+
+		/*
+		 * We have a new lookup to do. As it's a singleton
+		 * cache make sure we have no old cache.
+		 */
+		TALLOC_FREE(scache);
+
+		scache = talloc_zero(NULL,
+				struct singleton_realm_kdc_list_cache);
+		if (scache == NULL) {
+			return KRB5_PLUGIN_NO_HANDLE;
+		}
+		scache->realm = talloc_strdup(scache, realm);
+		if (scache->realm == NULL) {
+			TALLOC_FREE(scache);
+			return KRB5_PLUGIN_NO_HANDLE;
+		}
+
+		status = get_kdc_list(scache,
+					realm,
+					NULL,
+					&scache->kdc_list,
+					&scache->num_kdcs);
+		if (!NT_STATUS_IS_OK(status)) {
+#ifdef DEBUG_KRB5
+			fprintf(stderr, "[%5u]: "
+				"smb_krb5_adns_locator_lookup: "
+				"get_kdc_list() for realm %s failed "
+				"with %s\n",
+				(unsigned int)getpid(),
+				realm,
+				nt_errstr(status));
+#endif
+			TALLOC_FREE(scache);
+			return KRB5_PLUGIN_NO_HANDLE;
+		}
+		if (scache->num_kdcs == 0) {
+			TALLOC_FREE(scache);
+			return KRB5_PLUGIN_NO_HANDLE;
+		}
+	}
+#ifdef DEBUG_KRB5
+	else {
+		fprintf(stderr, "[%5u]: "
+			"smb_krb5_adns_locator_lookup: "
+			"returning cached data for realm %s\n",
+			(unsigned int)getpid(),
+			realm);
+	}
+#endif
+	/*
+	 * If we get here we know scache contains the right
+	 * realm and non-null address list.
+	 */
+
+#ifdef DEBUG_KRB5
+	fprintf(stderr, "[%5u]: smb_krb5_adns_locator_lookup: "
+		"got %zu IP addresses for realm %s\n",
+		(unsigned int)getpid(),
+		scache->num_kdcs,
+		scache->realm);
+#endif
+
+	/*
+	 * Don't free kdc list on success, we're
+	 * always returning from the cache.
+	 */
+	return smb_krb5_adns_locator_call_cbfunc(scache->kdc_list,
+					   scache->num_kdcs,
+					   service,
+					   socktype,
+					   cbfunc,
+					   cbdata);
+}
+
+#ifdef HEIMDAL_KRB5_LOCATE_PLUGIN_H
+#define SMB_KRB5_LOCATOR_SYMBOL_NAME resolve /* Heimdal */
+#else
+#define SMB_KRB5_LOCATOR_SYMBOL_NAME service_locator /* MIT */
+#endif
+
+const krb5plugin_service_locate_ftable SMB_KRB5_LOCATOR_SYMBOL_NAME = {
+	.minor_version	= 0,
+	.init		= smb_krb5_adns_locator_init,
+	.fini		= smb_krb5_adns_locator_close,
+#ifdef KRB5_PLUGIN_LOCATE_VERSION_2
+	.old_lookup	= smb_krb5_adns_locator_lookup,
+#else
+	.lookup	= smb_krb5_adns_locator_lookup,
+#endif
+};
+
+#endif
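Review bot: In smb_krb5_adns_locator_call_cbfunc(), when HAVE_IPV6 is defined the AF_INET and AF_INET6 tests are two independent ifs with no final else, so an entry of any other family leaves sa NULL and it is still passed to cbfunc(cbdata, socktype, sa). Without HAVE_IPV6 the same entry aborts the whole loop with KRB5_PLUGIN_NO_HANDLE after earlier addresses were already handed to the callback. Suggest making the AF_INET6 test an else if and adding a common else that skips the entry (continue) in both builds. Smaller points: the "#ifndef DEBUG_KRB5 / #undef DEBUG_KRB5" guard near the top is a no-op and presumably wants #ifdef. The service argument is passed down but never used (the port is hardcoded as htons(88)), and family is only sanity-checked, not used to filter the addresses returned. scache is keyed on realm alone with no expiry, so a long-lived process keeps the first KDC list until a different realm is looked up. The init doc comment also says "privata_data".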
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index b754c168425..e612377962c 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -112,6 +112,23 @@ if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
                       realname='winbind_krb5_locator.so',
                       install_path='${MODULESDIR}/krb5')
 
+if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
+    bld.SAMBA_LIBRARY('async_dns_krb5_locator',
+                      source='krb5_plugin/async_dns_krb5_locator.c',
+                      deps='''
+                      talloc
+                      addns
+                      samba_intl
+                      libsmb
+                      smbconf
+                      KRBCLIENT
+                      smbd_base
+                      krb5
+                      com_err
+                      ''',
+                      realname='async_dns_krb5_locator.so',
+                      install_path='${MODULESDIR}/krb5')
+
 if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
     bld.SAMBA_LIBRARY('winbind_krb5_localauth',
                       source='krb5_plugin/winbind_krb5_localauth.c',
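Review bot: The new SAMBA_LIBRARY block repeats the "if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):" test that already guards the winbind_krb5_locator block directly above it; placing async_dns_krb5_locator under that existing if would keep the two locator plugins together. The deps list also pulls smbd_base into a plugin installed under ${MODULESDIR}/krb5, which the krb5 library loads into whatever process is doing the lookup. Please check whether smbd_base and addns are really needed for the lp_load_global() and get_kdc_list() calls the source makes, and trim the list to what is required to link.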
diff --git a/selftest/skip b/selftest/skip
index d13cf7cd18b..5bdc10648da 100644
--- a/selftest/skip
+++ b/selftest/skip
@@ -61,6 +61,8 @@
 ^samba3.smbtorture_s3.plain.BAD-NBT-SESSION\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
 ^samba3.smbtorture_s3.plain.SMB2-SESSION-REAUTH\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
 ^samba3.smbtorture_s3.plain.SMB2-SESSION-RECONNECT\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.SMB1-WILD-MANGLE-UNLINK\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.SMB1-WILD-MANGLE-RENAME\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
 ^samba3.*base.charset
 ^samba3.*raw.context
 ^samba3.*raw.ioctl
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index fc4e552e213..2296b92b8b0 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -2037,7 +2037,7 @@ static NTSTATUS driver_unlink_internals(connection_struct *conn,
 		goto err_out;
 	}
 


-- 
Samba Shared Repository
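
The ordering problem described in the SMB1-WILD-MANGLE-RENAME commit message above (wildcard check done after the name unmangle), as an added example that is not Samba code and not part of the original mail. All names here (dir_entries, mangle_table, has_wild, unmangle, glob_match, count_targets) are hypothetical, and the directory contents are constructed from the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data from the commit message: dir/ holds "foo" and
 * "fo*", and "fo*" has the mangled name FSHCRD~2. */
static const char *dir_entries[] = { "foo", "fo*" };
static const struct { const char *mangled, *real; } mangle_table[] = {
	{ "FSHCRD~2", "fo*" },
};

/* Simplified for the example: only '*' and '?' count as wildcards. */
static bool has_wild(const char *s)
{
	return strpbrk(s, "*?") != NULL;
}

/* Map a mangled name back to the on-disk name; other names pass through. */
static const char *unmangle(const char *name)
{
	size_t i;
	for (i = 0; i < sizeof(mangle_table) / sizeof(mangle_table[0]); i++)
		if (strcmp(name, mangle_table[i].mangled) == 0)
			return mangle_table[i].real;
	return name;
}

/* Minimal glob: '*' matches any run of characters, '?' exactly one. */
static bool glob_match(const char *p, const char *s)
{
	if (*p == '\0')
		return *s == '\0';
	if (*p == '*')
		return glob_match(p + 1, s) || (*s != '\0' && glob_match(p, s + 1));
	return *s != '\0' && (*p == '?' || *p == *s) && glob_match(p + 1, s + 1);
}

/* Count the entries one request would touch. check_original=false models
 * the regression (wildcard test on the unmangled name); true models the
 * fix (wildcard test on the last component exactly as the client sent it). */
static size_t count_targets(const char *client_lcomp, bool check_original)
{
	const char *real = unmangle(client_lcomp);
	bool wild = has_wild(check_original ? client_lcomp : real);
	size_t i, n = 0;
	for (i = 0; i < sizeof(dir_entries) / sizeof(dir_entries[0]); i++)
		n += wild ? glob_match(real, dir_entries[i])
			  : (strcmp(real, dir_entries[i]) == 0);
	return n;
}

int main(void)
{
	printf("after unmangle: %zu, on client name: %zu\n",
	       count_targets("FSHCRD~2", false), count_targets("FSHCRD~2", true));
	return 0;
}
```

A client that really sends a wildcard ("fo*") still matches both entries in either mode; only the mangled-name request changes behaviour.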


