[SCM] Samba Shared Repository - branch v4-15-stable updated
Jule Anger
janger at samba.org
Mon Aug 9 13:44:41 UTC 2021
The branch, v4-15-stable has been updated
via 16fb5c685a5 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc2 release.
via d872e7f0cd7 WHATSNEW: Add release notes for Samba 4.15.0rc2.
via 4467a0ba7f0 smbd: only open full fd for directories if needed
via 4f3b6f6b311 smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS
via 9b8e795df6f s3: smbd: Don't leak meta-data about the containing directory of the share root.
via 3acccfc764d s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.
via fccedb4d94a configure: Do not put arguments into double quotes
via c933b88dbe1 samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"
via c33b18ec92e lib:cmdline: Use lp_load_global() for servers
via 2a21ecf1f91 s3:smbd: really support AES-256* in the server
via 13839721f06 s4:torture/smb2: add tests to check all signing and encryption algorithms
via e606987911e gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15
via 047cbaad5d9 gitlab: Use shorter names for Samba AD DC env with MIT KRB5
via f2b2ecec7fc s3:winbindd: Add a check for the path length of 'winbindd socket directory'
via 68bd2229bd4 WHATSNEW: mention the offline domain join feature
via 8380f21aadd libcli/smb: allow unexpected padding in SMB2 READ responses
via 170b8195507 libcli/smb: make smb2cli_ioctl_parse_buffer() available as smb2cli_parse_dyn_buffer()
via b644b297bf8 s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
via 0be68189ffc s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done
via 570b3ced84a s4:torture/smb2: add smb2.read.bug14607 test
via 81eeb1c6708 VERSION: Bump version up to 4.15.0rc2...
from 6a6f6044771 VERSION: Disable GIT_SNAPSHOT for the Samba 4.15.0rc1 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
.gitlab-ci-main.yml | 12 +-
VERSION | 2 +-
WHATSNEW.txt | 35 +++-
configure | 2 +-
lib/cmdline/cmdline.h | 9 +
lib/cmdline/cmdline_s3.c | 2 +-
libcli/smb/smb2_signing.c | 54 +++--
libcli/smb/smb2cli_ioctl.c | 123 ++----------
libcli/smb/smb2cli_read.c | 22 +-
libcli/smb/smbXcli_base.c | 91 +++++++++
libcli/smb/smbXcli_base.h | 9 +
libcli/smb/smb_constants.h | 2 +
script/autobuild.py | 6 +-
selftest/target/Samba3.pm | 1 +
source3/printing/samba-bgqd.c | 58 +++++-
source3/smbd/dir.c | 25 +++
source3/smbd/dosmode.c | 23 ++-
source3/smbd/globals.h | 4 +
source3/smbd/open.c | 31 ++-
source3/smbd/smb2_ioctl.c | 10 +
source3/smbd/smb2_read.c | 14 +-
source3/smbd/smb2_sesssetup.c | 6 +
source3/winbindd/winbindd.c | 25 +++
source4/torture/smb2/read.c | 136 +++++++++++++
source4/torture/smb2/session.c | 436 ++++++++++++++++++++++++++++++++++++++++
wscript_configure_system_gnutls | 10 +-
26 files changed, 976 insertions(+), 172 deletions(-)
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 1aee591b068..0979c007dc6 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -331,10 +331,10 @@ samba-ad-dc-ntvfs:
samba-admem-mit:
extends: .needs_samba-mit-build
-samba-ad-dc-4a-mitkrb5:
+samba-addc-mit-4a:
extends: .needs_samba-mit-build
-samba-ad-dc-4b-mitkrb5:
+samba-addc-mit-4b:
extends: .needs_samba-mit-build
# This task is run first to ensure we compile before we start the
@@ -389,7 +389,7 @@ samba-ad-dc-1:
samba-nt4:
extends: .needs_samba-nt4-build-private
-samba-ad-dc-1-mitkrb5:
+samba-addc-mit-1:
extends: .needs_samba-mit-build-private
samba-no-opath1:
@@ -421,15 +421,15 @@ pages:
- samba-ctdb
- samba-ad-dc-ntvfs
- samba-admem-mit
- - samba-ad-dc-4a-mitkrb5
- - samba-ad-dc-4b-mitkrb5
+ - samba-addc-mit-4a
+ - samba-addc-mit-4b
- samba-ad-back1
- samba-ad-back2
- samba-fileserver
- samba-ad-dc-1
- samba-nt4
- samba-schemaupgrade
- - samba-ad-dc-1-mitkrb5
+ - samba-addc-mit-1
- samba-fips
- samba-no-opath1
- samba-no-opath2
diff --git a/VERSION b/VERSION
index 787b2dd26b0..ba0f12ea840 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=1
+SAMBA_VERSION_RC_RELEASE=2
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a5190766e5e..074767e3251 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the first release candidate of Samba 4.15. This is *not*
+This is the second release candidate of Samba 4.15. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -154,6 +154,18 @@ to redirect ticket requests to the right DC. This is e.g. needed for one way
trusts. The options `winbind use krb5 enterprise principals` and
`winbind scan trusted domains` will be deprecated in one of the next releases.
+Support for Offline Domain Join (ODJ)
+-------------------------------------
+
+The net utility is now able to support the offline domain join feature
+as known from the Windows djoin.exe command for many years. Samba's
+implementation is accessible via the "net offlinejoin" subcommand. It
+can provision computers and request offline joining for both Windows
+and Unix machines. It is also possible to provision computers from
+Windows (using djoin.exe) and use the generated data in Samba's net
+utility. The existing options for the provisioning and joining steps
+are documented in the net(8) manpage.
+
REMOVED FEATURES
================
@@ -196,6 +208,27 @@ smb.conf changes
winbind scan trusted domains Changed No
+CHANGES SINCE 4.15.0rc1
+=======================
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 14768: smbd/winbind should load the registry if configured
+ * BUG 14777: do not quote passed argument of configure script
+ * BUG 14779: Winbind should not start if the socket path is too long
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
+ * BUG 14764: aes-256-gcm and aes-256-ccm doesn't work in the server
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 14700: file owner not available when file unredable
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
+ * BUG 14759: 4.15rc can leak meta-data about the directory containing the
+ share path
+
+
KNOWN ISSUES
============
diff --git a/configure b/configure
index a6ca50feb47..2b0ffb0dae1 100755
--- a/configure
+++ b/configure
@@ -13,5 +13,5 @@ export JOBS
unset LD_PRELOAD
cd . || exit 1
-$PYTHON $WAF configure "$@" || exit 1
+$PYTHON $WAF configure $@ || exit 1
cd $PREVPATH
diff --git a/lib/cmdline/cmdline.h b/lib/cmdline/cmdline.h
index 8c816c5bce3..3c0c9e8c18d 100644
--- a/lib/cmdline/cmdline.h
+++ b/lib/cmdline/cmdline.h
@@ -59,6 +59,15 @@ enum smb_cmdline_popt_options {
* The function will also setup fault handler, set logging to STDERR by
* default, setup talloc logging and the panic handler.
*
+ * The function also setups a callback for loading the smb.conf file, the
+ * config file will be parsed after the commandline options have been parsed
+ * by popt. This is done by one of the following options parser:
+ *
+ * POPT_COMMON_DEBUG_ONLY
+ * POPT_COMMON_OPTION_ONLY
+ * POPT_COMMON_CONFIG_ONLY
+ * POPT_COMMON_SAMBA
+ *
* @param[in] mem_ctx The talloc memory context to use for allocating memory.
* This should be a long living context till the client
* exits.
diff --git a/lib/cmdline/cmdline_s3.c b/lib/cmdline/cmdline_s3.c
index 31250b1996e..70fd768a648 100644
--- a/lib/cmdline/cmdline_s3.c
+++ b/lib/cmdline/cmdline_s3.c
@@ -56,7 +56,7 @@ static bool _samba_cmdline_load_config_s3(void)
ok = lp_load_client(config_file);
break;
case SAMBA_CMDLINE_CONFIG_SERVER:
- ok = lp_load_initial_only(config_file);
+ ok = lp_load_global(config_file);
break;
}
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 830f3bf1570..fdb69e90a07 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -324,7 +324,7 @@ static NTSTATUS smb2_signing_gmac(gnutls_aead_cipher_hd_t cipher_hnd,
{
size_t tag_size = _tag_size;
int rc;
-#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2)
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
rc = gnutls_aead_cipher_encryptv2(cipher_hnd,
iv, iv_size,
@@ -336,7 +336,7 @@ static NTSTATUS smb2_signing_gmac(gnutls_aead_cipher_hd_t cipher_hnd,
}
return NT_STATUS_OK;
-#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
+#else /* ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM */
TALLOC_CTX *tmp_ctx = NULL;
size_t atext_size = 0;
uint8_t *atext = NULL;
@@ -387,7 +387,7 @@ static NTSTATUS smb2_signing_gmac(gnutls_aead_cipher_hd_t cipher_hnd,
}
return NT_STATUS_OK;
-#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
+#endif /* ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM */
}
static NTSTATUS smb2_signing_calc_signature(struct smb2_signing_key *signing_key,
@@ -808,6 +808,9 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
struct iovec *vector,
int count)
{
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
+ bool use_encryptv2 = false;
+#endif
uint16_t cipher_id;
uint8_t *tf;
size_t a_total;
@@ -851,18 +854,30 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
case SMB2_ENCRYPTION_AES128_CCM:
algo = GNUTLS_CIPHER_AES_128_CCM;
iv_size = SMB2_AES_128_CCM_NONCE_SIZE;
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES128_GCM:
algo = GNUTLS_CIPHER_AES_128_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES256_CCM:
algo = GNUTLS_CIPHER_AES_256_CCM;
iv_size = SMB2_AES_128_CCM_NONCE_SIZE;
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES256_GCM:
algo = GNUTLS_CIPHER_AES_256_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
+ use_encryptv2 = true;
+#endif
break;
default:
return NT_STATUS_INVALID_PARAMETER;
@@ -903,8 +918,8 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
0,
16 - iv_size);
-#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2)
- {
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
+ if (use_encryptv2) {
uint8_t tag[tag_size];
giovec_t auth_iov[1];
@@ -928,8 +943,8 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
}
memcpy(tf + SMB2_TF_SIGNATURE, tag, tag_size);
- }
-#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
+ } else
+#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
{
size_t ptext_size = m_total;
uint8_t *ptext = NULL;
@@ -1007,7 +1022,6 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
TALLOC_FREE(ptext);
TALLOC_FREE(ctext);
}
-#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
DBG_INFO("Encrypted SMB2 message\n");
@@ -1020,6 +1034,9 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
struct iovec *vector,
int count)
{
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
+ bool use_encryptv2 = false;
+#endif
uint16_t cipher_id;
uint8_t *tf;
uint16_t flags;
@@ -1073,18 +1090,30 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
case SMB2_ENCRYPTION_AES128_CCM:
algo = GNUTLS_CIPHER_AES_128_CCM;
iv_size = SMB2_AES_128_CCM_NONCE_SIZE;
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES128_GCM:
algo = GNUTLS_CIPHER_AES_128_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES256_CCM:
algo = GNUTLS_CIPHER_AES_256_CCM;
iv_size = SMB2_AES_128_CCM_NONCE_SIZE;
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES256_GCM:
algo = GNUTLS_CIPHER_AES_256_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
+ use_encryptv2 = true;
+#endif
break;
default:
return NT_STATUS_INVALID_PARAMETER;
@@ -1122,8 +1151,8 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
}
/* gnutls_aead_cipher_encryptv2() has a bug in version 3.6.10 */
-#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2)
- {
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
+ if (use_encryptv2) {
giovec_t auth_iov[1];
auth_iov[0] = (giovec_t) {
@@ -1144,8 +1173,8 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
goto out;
}
- }
-#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
+ } else
+#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
{
size_t ctext_size = m_total + tag_size;
uint8_t *ctext = NULL;
@@ -1229,7 +1258,6 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
TALLOC_FREE(ptext);
TALLOC_FREE(ctext);
}
-#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
DBG_INFO("Decrypted SMB2 message\n");
diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c
index f9abcc57bab..d638b281678 100644
--- a/libcli/smb/smb2cli_ioctl.c
+++ b/libcli/smb/smb2cli_ioctl.c
@@ -160,97 +160,6 @@ struct tevent_req *smb2cli_ioctl_send(TALLOC_CTX *mem_ctx,
return req;
}
-static NTSTATUS smb2cli_ioctl_parse_buffer(uint32_t dyn_offset,
- const DATA_BLOB dyn_buffer,
- uint32_t min_offset,
- uint32_t buffer_offset,
- uint32_t buffer_length,
- uint32_t max_length,
- uint32_t *next_offset,
- DATA_BLOB *buffer)
-{
- uint32_t offset;
- bool oob;
-
- *buffer = data_blob_null;
- *next_offset = dyn_offset;
-
- if (buffer_offset == 0) {
- /*
- * If the offset is 0, we better ignore
- * the buffer_length field.
- */
- return NT_STATUS_OK;
- }
-
- if (buffer_length == 0) {
- /*
- * If the length is 0, we better ignore
- * the buffer_offset field.
- */
- return NT_STATUS_OK;
- }
-
- if ((buffer_offset % 8) != 0) {
- /*
- * The offset needs to be 8 byte aligned.
- */
- return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
-
- /*
- * We used to enforce buffer_offset to be
- * an exact match of the expected minimum,
- * but the NetApp Ontap 7.3.7 SMB server
- * gets the padding wrong and aligns the
- * input_buffer_offset by a value of 8.
- *
- * So we just enforce that the offset is
- * not lower than the expected value.
- */
- SMB_ASSERT(min_offset >= dyn_offset);
- if (buffer_offset < min_offset) {
- return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
-
- /*
- * Make [input|output]_buffer_offset relative to "dyn_buffer"
- */
- offset = buffer_offset - dyn_offset;
- oob = smb_buffer_oob(dyn_buffer.length, offset, buffer_length);
- if (oob) {
- return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
-
- /*
- * Give the caller a hint what we consumed,
- * the caller may need to add possible padding.
- */
- *next_offset = buffer_offset + buffer_length;
-
- if (max_length == 0) {
- /*
- * If max_input_length is 0 we ignore the
- * input_buffer_length, because Windows 2008 echos the
- * DCERPC request from the requested input_buffer to
- * the response input_buffer.
- *
- * We just use the same logic also for max_output_length...
- */
- buffer_length = 0;
- }
-
- if (buffer_length > max_length) {
- return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
-
- *buffer = (DATA_BLOB) {
- .data = dyn_buffer.data + offset,
- .length = buffer_length,
- };
- return NT_STATUS_OK;
-}
-
static void smb2cli_ioctl_done(struct tevent_req *subreq)
{
struct tevent_req *req =
@@ -352,14 +261,14 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
input_min_offset = dyn_ofs;
input_next_offset = dyn_ofs;
- error = smb2cli_ioctl_parse_buffer(dyn_ofs,
- dyn_buffer,
- input_min_offset,
- input_buffer_offset,
- input_buffer_length,
- state->max_input_length,
- &input_next_offset,
- &state->out_input_buffer);
+ error = smb2cli_parse_dyn_buffer(dyn_ofs,
+ dyn_buffer,
+ input_min_offset,
+ input_buffer_offset,
+ input_buffer_length,
+ state->max_input_length,
+ &input_next_offset,
+ &state->out_input_buffer);
if (tevent_req_nterror(req, error)) {
return;
}
@@ -370,14 +279,14 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq)
*/
output_min_offset = NDR_ROUND(input_next_offset, 8);
output_next_offset = 0; /* this variable is completely ignored */
- error = smb2cli_ioctl_parse_buffer(dyn_ofs,
- dyn_buffer,
- output_min_offset,
- output_buffer_offset,
- output_buffer_length,
- state->max_output_length,
- &output_next_offset,
- &state->out_output_buffer);
+ error = smb2cli_parse_dyn_buffer(dyn_ofs,
+ dyn_buffer,
+ output_min_offset,
+ output_buffer_offset,
+ output_buffer_length,
+ state->max_output_length,
+ &output_next_offset,
+ &state->out_output_buffer);
if (tevent_req_nterror(req, error)) {
return;
}
diff --git a/libcli/smb/smb2cli_read.c b/libcli/smb/smb2cli_read.c
index 8110b65d432..c7f48741b87 100644
--- a/libcli/smb/smb2cli_read.c
+++ b/libcli/smb/smb2cli_read.c
@@ -90,8 +90,13 @@ static void smb2cli_read_done(struct tevent_req *subreq)
tevent_req_data(req,
struct smb2cli_read_state);
NTSTATUS status;
+ NTSTATUS error;
struct iovec *iov;
+ const uint8_t dyn_ofs = SMB2_HDR_BODY + 0x10;
+ DATA_BLOB dyn_buffer = data_blob_null;
uint8_t data_offset;
+ DATA_BLOB data_buffer = data_blob_null;
+ uint32_t next_offset = 0; /* this variable is completely ignored */
static const struct smb2cli_req_expected_response expected[] = {
{
--
Samba Shared Repository
More information about the samba-cvs
mailing list