[SCM] Samba Shared Repository - branch v4-15-stable updated
Jule Anger
janger at samba.org
Wed Dec 8 14:39:29 UTC 2021
The branch, v4-15-stable has been updated
via 0c85a0adaa5 VERSION: Disable GIT_SNAPSHOT for the 4.15.3 release.
via ccddc464bd0 WHATSNEW: Add release notes for Samba 4.15.3.
via 5e846fcf74e smbd: s3-dsgetdcname: handle num_ips == 0
via 18c76813587 libcli:auth: Allow to connect to netlogon server offering only AES
via b1f0aa5c22f s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
via aca47d48f51 s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()
via 16d886511f1 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()
via 2b9882a4c2f s3:libsmb: Remove trailing white spaces from passchange.c
via 460cf672e65 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()
via 1b5b96d5a24 s3:libnet: Remove tailing whitespaces in libnet_join.c
via 0801cae3df8 s3:rpcclient: Remove trailing white spaces in rpcclient.c
via ea845570516 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()
via e72d611c78d s3:rpc_client: Remove trailing white spaces from cli_pipe.c
via fea324d9cc4 testprogs: Add rpcclient schannel tests
via cd9783148b8 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
via 5db0cb09e94 CVE-2020-25717: s3-auth: fix MIT Realm regression
via 6f7e39b0611 smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO
via c22480e2640 s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO should work on noperm share
via f57b3ecccc1 smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids
via 2306c9e7d18 s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO gives INVALID_PARAMETER with invalid file ids
via a68e2904eae smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()
via 2c4c3867933 s4:torture/smb2: test FSCTL_QUERY_NETWORK_INTERFACE_INFO with BUFFER_TOO_SMALL
via 9e182796362 smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO
via 2209a095dda smb2_server: decouple IOCTL check from signing/encryption states
via 4c8c39a7b55 smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes
via 685250e6298 s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE
via eba52e21acb libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*
via dc59b392111 s3:winbind: Fix possible NULL pointer dereference
via 9aa03f402b7 CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
via 9f4c89d0d3f CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
via 1142f18ff1d CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details
via 4f1dbaf60b8 CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
via 6b5cb85c2cc CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero
via 12702424935 CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration
via 5d39c5b54b9 CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts
via bf9fdf5b455 cmdline: Make -P work in clustered mode
via f1c064e792a cmdline: Add a callback to set the machine account details
via 575e620ad6c lib: Add required includes to source3/include/secrets.h
via 3309ab5fa02 selftest: Add reproducer for bug 14908
via 4d68d797f18 s3:modules:recycle - fix crash in recycle_unlink_internal
via 9bcba58e4d4 CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
via 5d5e5a1f355 CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
via ae21fe9c01b CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
via 3f009a620a3 CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
via ebe18e23ba6 CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
via 38ddd41e9c6 CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
via ad6af1bb831 s3: smbd: Ensure in the directory scanning loops inside rmdir_internals() we don't overwrite the 'ret' variable.
via 728c9b83564 s3: smbtorture3: Add test for setting delete on close on a directory, then creating a file within to see if delete succeeds.
via 89903ed1e32 s3: smbd: dirfsp is being used uninitialized inside rmdir_internals().
via 6aae2575b38 smbd: get rid of get_file_handle_for_metadata()
via c357c1b2024 lib/cmdline: setup default file logging for servers
via 47c00820819 lib/cmdline: remember config_type in samba_cmdline_init()
via 38736e88728 lib/cmdline: fix indentation
via 371c723e4d8 lib/debug: in debug_set_logfile() call reopen_logs_internal()
via cda7fb2a057 lib/debug: fix fd check before dup'ing to stderr
via 9462c39eab8 winbindd: remove is_default_dyn_LOGFILEBASE() logic
via 006aa720c54 samba-bgqd: fix startup and logging
via c9b5ca53eba source3: move lib/substitute.c functions out of proto.h
via 0d3842697b4 IPA DC: add missing checks
via f15232d28ec auth:creds: Guess the username first via getpwuid(my_id)
via db4e342291f s3:winbindd: fix "allow trusted domains = no" regression
via 962b7b0f92d s3-winexe: Fix winexe core dump (use-after-free)
via f926586544e vfs_fruit: remove a fsp check from ad_fset()
via 3a34628266f lib/dbwrap: reset deleted record to tdb_null
via 8bb5f0911a8 CI: add a test for bug 14882
via a16283466ba s3/libsmb: check for global parametric option "libsmb:client_guid"
via a549dc219cb s3: docs-xml: Clarify the "delete veto files" paramter.
via 5023dbc04bf s3: smbd: Fix logic in can_delete_directory_fsp() to cope with dangling symlinks.
via 4793c4d5307 s3: smbd: Fix logic in rmdir_internals() to cope with dangling symlinks.
via e00fe095e8c s3: smbd: Fix rmdir_internals() to do an early return if lp_delete_veto_files() is not set.
via 0dba0917fd9 s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling symlinks.
via 7a4173809a8 s3: VFS: streams_depot. Allow unlinkat to cope with dangling symlinks.
via 359517877d6 s3: smbd: Add two tests showing the ability to delete a directory containing a dangling symlink over SMB2 depends on "delete veto files" setting.
via 9f76641627f s3: smbd: Fix recursive directory delete of a directory containing veto file and msdfs links.
via dab3fa1d8c2 s3: smbd: Add two tests showing recursive directory delete of a directory containing veto file and msdfs links over SMB2.
via 71792ae9886 bootstrap: Debian 11 has liburing-dev
via 6ea70022f20 bootstrap: Add Debian 11
via 651d79f109b lib:cmdline: Fix -k option which doesn't expect anything
via d700a676cad testprogs: Use new cmdline option for kerberos
via c99eecaf2fb lib: handle NTTIME_THAW in nt_time_to_full_timespec()
via 204f1488e2c torture: add a test for NTTIME_FREEZE and NTTIME_THAW
via 6e42b2a1670 lib: add a test for null_nttime(NTTIME_THAW)
via bfb893f5efc lib: update null_nttime() of -1: -1 is NTTIME_FREEZE
via 0b7c1089d12 lib: use NTTIME_FREEZE in a null_nttime() test
via 60adfb19d9d lib: fix null_nttime() tests
via 0acbd644fcd lib: add NTTIME_THAW
via bdc33fa61f8 VERSION: Bump version up to Samba 4.15.3...
from 7d0c030d423 VERSION: Disable GIT_SNAPSHOT for the 4.15.2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
.gitlab-ci-main.yml | 8 +-
VERSION | 2 +-
WHATSNEW.txt | 122 ++++++-
auth/credentials/credentials.c | 13 +
auth/gensec/schannel.c | 1 +
bootstrap/.gitlab-ci.yml | 3 +
bootstrap/config.py | 7 +
bootstrap/generated-dists/Vagrantfile | 7 +
.../{centos7 => debian11}/Dockerfile | 2 +-
.../{debian10 => debian11}/bootstrap.sh | 1 +
.../{centos7 => debian11}/locale.sh | 0
.../{debian10 => debian11}/packages.yml | 1 +
bootstrap/sha1sum.txt | 2 +-
docs-xml/smbdotconf/filename/deletevetofiles.xml | 9 +-
examples/winexe/winexe.c | 30 +-
lib/cmdline/cmdline.c | 18 +-
lib/cmdline/cmdline.h | 4 +
lib/cmdline/cmdline_s3.c | 30 +-
lib/cmdline/cmdline_s4.c | 16 +
lib/cmdline/wscript | 2 +-
lib/dbwrap/dbwrap.c | 9 +-
lib/ldb/ldb_key_value/ldb_kv.c | 2 +
lib/ldb/ldb_key_value/ldb_kv.h | 10 +
lib/ldb/ldb_key_value/ldb_kv_index.c | 41 +++
lib/ldb/ldb_key_value/ldb_kv_search.c | 33 +-
lib/util/debug.c | 5 +-
lib/util/tests/time.c | 5 +-
lib/util/time.c | 8 +-
lib/util/time.h | 1 +
libcli/auth/netlogon_creds_cli.c | 48 ++-
libcli/smb/smb2cli_tcon.c | 183 ++++++++--
libcli/smb/smbXcli_base.h | 20 ++
nsswitch/nsstest.c | 2 +-
python/samba/tests/krb5/kdc_base_test.py | 42 +++
python/samba/tests/krb5/test_idmap_nss.py | 232 ++++++++++++
python/samba/tests/usage.py | 1 +
selftest/target/Samba.pm | 2 +-
selftest/target/Samba3.pm | 44 ++-
source3/auth/auth_generic.c | 1 +
source3/auth/auth_ntlmssp.c | 1 +
source3/auth/auth_util.c | 35 +-
source3/auth/user_krb5.c | 9 +
source3/include/proto.h | 33 --
source3/include/secrets.h | 3 +
source3/lib/adouble.c | 7 -
source3/lib/substitute.c | 1 +
source3/lib/substitute.h | 63 ++++
source3/libnet/libnet_join.c | 43 ++-
source3/libsmb/clientgen.c | 9 +-
source3/libsmb/dsgetdcname.c | 4 +
source3/libsmb/passchange.c | 16 +-
source3/modules/vfs_expand_msdfs.c | 1 +
source3/modules/vfs_full_audit.c | 1 +
source3/modules/vfs_recycle.c | 18 +-
source3/modules/vfs_streams_depot.c | 10 +
source3/modules/vfs_unityed_media.c | 1 +
source3/modules/vfs_virusfilter_utils.c | 1 +
source3/modules/vfs_xattr_tdb.c | 10 +
source3/nmbd/nmbd.c | 1 +
source3/nmbd/nmbd_synclists.c | 1 +
source3/param/loadparm.c | 1 +
source3/passdb/passdb.c | 1 +
source3/passdb/pdb_ldap.c | 1 +
source3/printing/print_generic.c | 1 +
source3/printing/printing.c | 1 +
source3/printing/samba-bgqd.c | 35 +-
source3/rpc_client/cli_netlogon.c | 51 ++-
source3/rpc_client/cli_pipe.c | 54 ++-
source3/rpc_client/cli_pipe.h | 9 +
source3/rpc_client/cli_pipe_schannel.c | 7 +-
source3/rpc_server/lsa/srv_lsa_nt.c | 2 +
source3/rpc_server/netlogon/srv_netlog_nt.c | 1 +
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 1 +
source3/rpcclient/rpcclient.c | 53 ++-
.../tests/test_delete_veto_files_only_rmdir.sh | 183 ++++++++++
source3/script/tests/test_net_machine_account.sh | 22 ++
.../script/tests/test_smbXsrv_client_dead_rec.sh | 76 ++++
source3/script/tests/test_veto_rmdir.sh | 217 +++++++++++
source3/selftest/tests.py | 37 ++
source3/smbd/close.c | 106 ++++--
source3/smbd/dir.c | 55 ++-
source3/smbd/dosmode.c | 119 +------
source3/smbd/ipc.c | 1 +
source3/smbd/lanman.c | 1 +
source3/smbd/message.c | 1 +
source3/smbd/msdfs.c | 1 +
source3/smbd/process.c | 1 +
source3/smbd/reply.c | 1 +
source3/smbd/server.c | 1 +
source3/smbd/service.c | 1 +
source3/smbd/sesssetup.c | 1 +
source3/smbd/share_access.c | 1 +
source3/smbd/smb2_ioctl.c | 19 +
source3/smbd/smb2_server.c | 31 +-
source3/smbd/smb2_sesssetup.c | 1 +
source3/smbd/trans2.c | 1 +
source3/smbd/uid.c | 1 +
source3/torture/proto.h | 1 +
source3/torture/test_smb2.c | 136 +++++++
source3/torture/torture.c | 5 +
source3/utils/net_rpc.c | 8 +
source3/utils/net_sam.c | 1 +
source3/winbindd/idmap_nss.c | 26 +-
source3/winbindd/wb_getpwsid.c | 1 +
source3/winbindd/winbindd.c | 10 +-
source3/winbindd/winbindd_cm.c | 45 ++-
source3/winbindd/winbindd_util.c | 5 +-
source4/dsdb/samdb/ldb_modules/anr.c | 73 +++-
source4/dsdb/samdb/ldb_modules/operational.c | 2 +-
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 +-
source4/dsdb/tests/python/large_ldap.py | 63 ++++
source4/ldap_server/ldap_backend.c | 136 +++++--
source4/ldap_server/ldap_server.c | 4 +-
source4/selftest/tests.py | 45 ++-
source4/torture/smb2/ioctl.c | 396 +++++++++++++++++++++
source4/torture/smb2/timestamps.c | 208 +++++++++++
testprogs/blackbox/test_kpasswd_heimdal.sh | 6 +-
testprogs/blackbox/test_kpasswd_mit.sh | 2 +-
testprogs/blackbox/test_rpcclient_schannel.sh | 94 +++++
119 files changed, 3173 insertions(+), 438 deletions(-)
copy bootstrap/generated-dists/{centos7 => debian11}/Dockerfile (92%)
copy bootstrap/generated-dists/{debian10 => debian11}/bootstrap.sh (98%)
copy bootstrap/generated-dists/{centos7 => debian11}/locale.sh (100%)
copy bootstrap/generated-dists/{debian10 => debian11}/packages.yml (97%)
create mode 100755 python/samba/tests/krb5/test_idmap_nss.py
create mode 100644 source3/lib/substitute.h
create mode 100755 source3/script/tests/test_delete_veto_files_only_rmdir.sh
create mode 100755 source3/script/tests/test_net_machine_account.sh
create mode 100755 source3/script/tests/test_smbXsrv_client_dead_rec.sh
create mode 100755 source3/script/tests/test_veto_rmdir.sh
create mode 100755 testprogs/blackbox/test_rpcclient_schannel.sh
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 0cbcc17c94c..125b3901832 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
# Set this to the contents of bootstrap/sha1sum.txt
# which is generated by bootstrap/template.py --render
#
- SAMBA_CI_CONTAINER_TAG: 733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0
+ SAMBA_CI_CONTAINER_TAG: dd2b9a1848eed2d200e1a525695e40f06c23d888
#
# We use the ubuntu1804 image as default as
# it matches what we have on sn-devel-184.
@@ -58,6 +58,7 @@ variables:
SAMBA_CI_CONTAINER_IMAGE_ubuntu2004: ubuntu2004
SAMBA_CI_CONTAINER_IMAGE_debian9: debian9
SAMBA_CI_CONTAINER_IMAGE_debian10: debian10
+ SAMBA_CI_CONTAINER_IMAGE_debian11: debian11
SAMBA_CI_CONTAINER_IMAGE_opensuse151: opensuse151
SAMBA_CI_CONTAINER_IMAGE_opensuse152: opensuse152
SAMBA_CI_CONTAINER_IMAGE_fedora33: fedora33
@@ -569,6 +570,11 @@ debian10-samba-o3:
variables:
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian10}
+debian11-samba-o3:
+ extends: .samba-o3-template
+ variables:
+ SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian11}
+
opensuse151-samba-o3:
extends: .samba-o3-template
variables:
diff --git a/VERSION b/VERSION
index 06669ad9d90..a1b01a89332 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=15
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6632cf1c294..05eb72be9e0 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,122 @@
+ ==============================
+ Release Notes for Samba 4.15.3
+ December 08, 2021
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+Important Notes
+===============
+
+There have been a few regressions in the security release 4.15.2:
+
+o CVE-2020-25717: A user on the domain can become root on domain members.
+ https://www.samba.org/samba/security/CVE-2020-25717.html
+ PLEASE [RE-]READ!
+ The instructions have been updated and some workarounds
+ initially adviced for 4.15.2 are no longer required and
+ should be reverted in most cases.
+
+o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
+ un-deletable. While this release should fix this bug, it is
+ adviced to have a look at the bug report for more detailed
+ information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.
+
+Changes since 4.15.2
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 14878: Recursive directory delete with veto files is broken in 4.15.0.
+ * BUG 14879: A directory containing dangling symlinks cannot be deleted by
+ SMB2 alone when they are the only entry in the directory.
+ * BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
+ uninitialized in rmdir_internals().
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
+ * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+ * BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become
+ un-deletable.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk.
+ * BUG 14882: smbXsrv_client_global record validation leads to crash if
+ existing record points at non-existing process.
+ * BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
+ * BUG 14897: Samba process doesn't log to logfile.
+ * BUG 14907: set_ea_dos_attribute() fallback calling
+ get_file_handle_for_metadata() triggers locking.tdb assert.
+ * BUG 14922: Kerberos authentication on standalone server in MIT realm
+ broken.
+ * BUG 14923: Segmentation fault when joining the domain.
+
+o Alexander Bokovoy <ab at samba.org>
+ * BUG 14903: Support for ROLE_IPA_DC is incomplete.
+
+o Günther Deschner <gd at samba.org>
+ * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore
+ * BUG 14893: winexe crashes since 4.15.0 after popt parsing.
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 14908: net ads status -P broken in a clustered environment.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
+ smbd_smb2_ioctl_send.
+ * BUG 14882: smbXsrv_client_global record validation leads to crash if
+ existing record points at non-existing process.
+ * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
+ * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
+ * BUG 14883: smbclient login without password using '-N' fails with
+ NT_STATUS_INVALID_PARAMETER on Samba AD DC.
+ * BUG 14912: A schannel client incorrectly detects a downgrade connecting to
+ an AES only server.
+ * BUG 14921: Possible null pointer dereference in winbind.
+
+o Andreas Schneider <asn at cryptomilk.org>
+ * BUG 14846: Fix -k legacy option for client tools like smbclient, rpcclient,
+ net, etc.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 14872: Add Debian 11 CI bootstrap support.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
+ * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+
+o Andrew Walker <awalker at ixsystems.com>
+ * BUG 14888: Crash in recycle_unlink_internal().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.15.2
November 9, 2021
@@ -102,8 +221,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 02a3cf3b354..c5a6ba6940c 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -30,6 +30,7 @@
#include "tevent.h"
#include "param/param.h"
#include "system/filesys.h"
+#include "system/passwd.h"
/**
* Create a new credentials structure
@@ -1159,6 +1160,7 @@ _PUBLIC_ bool cli_credentials_guess(struct cli_credentials *cred,
{
const char *error_string;
const char *env = NULL;
+ struct passwd *pwd = NULL;
bool ok;
if (lp_ctx != NULL) {
@@ -1168,6 +1170,17 @@ _PUBLIC_ bool cli_credentials_guess(struct cli_credentials *cred,
}
}
+ pwd = getpwuid(getuid());
+ if (pwd != NULL) {
+ size_t len = strlen(pwd->pw_name);
+
+ if (len > 0 && len <= 1024) {
+ (void)cli_credentials_parse_string(cred,
+ pwd->pw_name,
+ CRED_GUESS_ENV);
+ }
+ }
+
env = getenv("LOGNAME");
if (env != NULL) {
size_t len = strlen(env);
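Review bot: The added getpwuid() block records a name taken from the passwd database at the `CRED_GUESS_ENV` level and discards the result of cli_credentials_parse_string() with `(void)`, and nothing in the hunk says which source is meant to win. If the `LOGNAME` lookup that follows is applied at the same level, it may still replace the passwd-derived name, so the environment would remain the effective source whenever it is set. I would add a comment above the block such as `/* Seed the username from the passwd entry of the real uid; the environment lookups below may still override it. */` so the intended precedence is explicit. cli_credentials_guess() starts and ends outside the hunk.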
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 0cdae141ead..6ebbe8f3179 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
case ROLE_ACTIVE_DIRECTORY_DC:
+ case ROLE_IPA_DC:
return NT_STATUS_OK;
default:
return NT_STATUS_NOT_IMPLEMENTED;
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index 5e5856b1e90..33534f5f1dd 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -103,6 +103,9 @@ ubuntu2004:
debian10:
extends: .build_image_template
+debian11:
+ extends: .build_image_template
+
fedora33:
extends: .build_image_template
diff --git a/bootstrap/config.py b/bootstrap/config.py
index ba4304bb9f8..fd75a771252 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -399,6 +399,13 @@ DEB_DISTS = {
'liburing-dev': '', # not available
}
},
+ 'debian11': {
+ 'docker_image': 'debian:11',
+ 'vagrant_box': 'debian/bullseye64',
+ 'replace': {
+ 'language-pack-en': '', # included in locales
+ }
+ },
'ubuntu1604': {
'docker_image': 'ubuntu:16.04',
'vagrant_box': 'ubuntu/xenial64',
diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile
index 42da0161e40..780320ec7c8 100644
--- a/bootstrap/generated-dists/Vagrantfile
+++ b/bootstrap/generated-dists/Vagrantfile
@@ -31,6 +31,13 @@ Vagrant.configure("2") do |config|
v.vm.provision :shell, path: "debian10/locale.sh"
end
+ config.vm.define "debian11" do |v|
+ v.vm.box = "debian/bullseye64"
+ v.vm.hostname = "debian11"
+ v.vm.provision :shell, path: "debian11/bootstrap.sh"
+ v.vm.provision :shell, path: "debian11/locale.sh"
+ end
+
config.vm.define "fedora33" do |v|
v.vm.box = "fedora/33-cloud-base"
v.vm.hostname = "fedora33"
diff --git a/bootstrap/generated-dists/centos7/Dockerfile b/bootstrap/generated-dists/debian11/Dockerfile
similarity index 92%
copy from bootstrap/generated-dists/centos7/Dockerfile
copy to bootstrap/generated-dists/debian11/Dockerfile
index 2f171ad1c62..6a16324f201 100644
--- a/bootstrap/generated-dists/centos7/Dockerfile
+++ b/bootstrap/generated-dists/debian11/Dockerfile
@@ -3,7 +3,7 @@
# See also bootstrap/config.py
#
-FROM centos:7
+FROM debian:11
# pass in with --build-arg while build
ARG SHA1SUM
diff --git a/bootstrap/generated-dists/debian10/bootstrap.sh b/bootstrap/generated-dists/debian11/bootstrap.sh
similarity index 98%
copy from bootstrap/generated-dists/debian10/bootstrap.sh
copy to bootstrap/generated-dists/debian11/bootstrap.sh
index 84f5f6855b7..07d6209c072 100755
--- a/bootstrap/generated-dists/debian10/bootstrap.sh
+++ b/bootstrap/generated-dists/debian11/bootstrap.sh
@@ -70,6 +70,7 @@ apt-get -y install \
libtasn1-dev \
libtracker-sparql-2.0-dev \
libunwind-dev \
+ liburing-dev \
lmdb-utils \
locales \
lsb-release \
diff --git a/bootstrap/generated-dists/centos7/locale.sh b/bootstrap/generated-dists/debian11/locale.sh
similarity index 100%
copy from bootstrap/generated-dists/centos7/locale.sh
copy to bootstrap/generated-dists/debian11/locale.sh
diff --git a/bootstrap/generated-dists/debian10/packages.yml b/bootstrap/generated-dists/debian11/packages.yml
similarity index 97%
copy from bootstrap/generated-dists/debian10/packages.yml
copy to bootstrap/generated-dists/debian11/packages.yml
index 32f37eeb013..6d3c2385339 100644
--- a/bootstrap/generated-dists/debian10/packages.yml
+++ b/bootstrap/generated-dists/debian11/packages.yml
@@ -59,6 +59,7 @@ packages:
- libtasn1-dev
- libtracker-sparql-2.0-dev
- libunwind-dev
+ - liburing-dev
- lmdb-utils
- locales
- lsb-release
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index e433f698b68..11369ced5f7 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0
+dd2b9a1848eed2d200e1a525695e40f06c23d888
diff --git a/docs-xml/smbdotconf/filename/deletevetofiles.xml b/docs-xml/smbdotconf/filename/deletevetofiles.xml
index 581dc05396d..570d4ac60a0 100644
--- a/docs-xml/smbdotconf/filename/deletevetofiles.xml
+++ b/docs-xml/smbdotconf/filename/deletevetofiles.xml
@@ -4,9 +4,12 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option is used when Samba is attempting to
- delete a directory that contains one or more vetoed directories
- (see the <smbconfoption name="veto files"/>
- option). If this option is set to <constant>no</constant> (the default) then if a vetoed
+ delete a directory that contains one or more vetoed files
+ or directories or non-visible files or directories (such
+ as dangling symlinks that point nowhere).
+ (see the <smbconfoption name="veto files"/>, <smbconfoption name="hide special files"/>,
+ <smbconfoption name="hide unreadable"/>, <smbconfoption name="hide unwriteable files"/>
+ options). If this option is set to <constant>no</constant> (the default) then if a vetoed
directory contains any non-vetoed files or directories then the
directory delete will fail. This is usually what you want.</para>
diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c
index 3e0813a4091..8a17107617c 100644
--- a/examples/winexe/winexe.c
+++ b/examples/winexe/winexe.c
@@ -220,8 +220,6 @@ static void parse_args(int argc, const char *argv[],
*port_str = '\0';
}
- poptFreeContext(pc);
-
if (options->runas == NULL && options->runas_file != NULL) {
struct cli_credentials *runas_cred;
const char *user;
@@ -253,9 +251,19 @@ static void parse_args(int argc, const char *argv[],
options->credentials = samba_cmdline_get_creds();
- options->hostname = argv_new[0] + 2;
+ options->hostname = talloc_strdup(mem_ctx, argv_new[0] + 2);
+ if (options->hostname == NULL) {
+ DBG_ERR("Out of memory\n");
+ exit(1);
+ }
options->port = port;
- options->cmd = argv_new[1];
+ options->cmd = talloc_strdup(mem_ctx, argv_new[1]);
+ if (options->cmd == NULL) {
+ DBG_ERR("Out of memory\n");
+ exit(1);
+ }
+
+ poptFreeContext(pc);
options->flags = flag_interactive;
if (flag_reinstall) {
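Review bot: The ordering in this hunk is what matters, yet nothing in the code records it: `options->hostname` and `options->cmd` are copied with talloc_strdup() and only then is `poptFreeContext(pc)` called, which suggests `argv_new` is storage owned by `pc`. A comment directly above the relocated call, e.g. `/* argv_new belongs to pc: copy everything needed from it before freeing the context */`, would keep a later cleanup from moving the free back up. Separately, `argv_new[0] + 2` skips two characters with no length check visible in this hunk. The validation of the host argument presumably sits earlier in parse_args(), whose body starts and ends outside the hunk.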
@@ -393,11 +401,16 @@ static NTSTATUS winexe_svc_install(
bool need_conf = false;
NTSTATUS status;
WERROR werr;
+ const char *remote_name = smbXcli_conn_remote_name(cli->conn);
+ const struct sockaddr_storage *remote_sockaddr =
+ smbXcli_conn_remote_sockaddr(cli->conn);
status = cli_rpc_pipe_open_noauth_transport(
cli,
NCACN_NP,
&ndr_table_svcctl,
+ remote_name,
+ remote_sockaddr,
&rpccli);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n",
@@ -408,7 +421,7 @@ static NTSTATUS winexe_svc_install(
status = dcerpc_svcctl_OpenSCManagerW(
rpccli->binding_handle,
frame,
- smbXcli_conn_remote_name(cli->conn),
+ remote_name,
NULL,
SEC_FLAG_MAXIMUM_ALLOWED,
&scmanager_handle,
@@ -709,11 +722,16 @@ static NTSTATUS winexe_svc_uninstall(
struct SERVICE_STATUS service_status;
NTSTATUS status;
WERROR werr;
+ const char *remote_name = smbXcli_conn_remote_name(cli->conn);
+ const struct sockaddr_storage *remote_sockaddr =
+ smbXcli_conn_remote_sockaddr(cli->conn);
status = cli_rpc_pipe_open_noauth_transport(
cli,
NCACN_NP,
&ndr_table_svcctl,
+ remote_name,
+ remote_sockaddr,
&rpccli);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n",
@@ -724,7 +742,7 @@ static NTSTATUS winexe_svc_uninstall(
status = dcerpc_svcctl_OpenSCManagerW(
rpccli->binding_handle,
frame,
- smbXcli_conn_remote_name(cli->conn),
+ remote_name,
NULL,
SEC_FLAG_MAXIMUM_ALLOWED,
&scmanager_handle,
diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c
index 40292a6a332..0c0b3ead7da 100644
--- a/lib/cmdline/cmdline.c
+++ b/lib/cmdline/cmdline.c
@@ -30,6 +30,11 @@ static struct cli_credentials *cmdline_creds;
static samba_cmdline_load_config cmdline_load_config_fn;
static struct samba_cmdline_daemon_cfg cmdline_daemon_cfg;
+static NTSTATUS (*cli_credentials_set_machine_account_fn)(
+ struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx) =
+ cli_credentials_set_machine_account;
+
/* PRIVATE */
bool samba_cmdline_set_talloc_ctx(TALLOC_CTX *mem_ctx)
{
@@ -122,6 +127,13 @@ struct samba_cmdline_daemon_cfg *samba_cmdline_get_daemon_cfg(void)
return &cmdline_daemon_cfg;
}
+void samba_cmdline_set_machine_account_fn(
+ NTSTATUS (*fn) (struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx))
+{
+ cli_credentials_set_machine_account_fn = fn;
+}
+
void samba_cmdline_burn(int argc, char *argv[])
{
bool found = false;
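Review bot: samba_cmdline_set_machine_account_fn() stores `fn` without checking it, and the later hunk in popt_common_credentials_callback() calls `cli_credentials_set_machine_account_fn(creds, lp_ctx)` unconditionally, so a caller that passes NULL turns machine-account handling into a call through a NULL function pointer. Either document that `fn` must not be NULL or fall back to the default in the setter: `if (fn == NULL) { fn = cli_credentials_set_machine_account; }`. The pointer is file-scope state read from the popt callback, so a one-line comment that it presumably has to be set before option parsing runs would also help.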
@@ -792,8 +804,8 @@ static void popt_common_credentials_callback(poptContext popt_ctx,
if (machine_account_pending) {
NTSTATUS status;
- status = cli_credentials_set_machine_account(creds,
- lp_ctx);
+ status = cli_credentials_set_machine_account_fn(
+ creds, lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr,
"Failed to set machine account: %s\n",
@@ -1251,7 +1263,7 @@ static struct poptOption popt_legacy_s3[] = {
{
.longName = "kerberos",
.shortName = 'k',
- .argInfo = POPT_ARG_STRING,
+ .argInfo = POPT_ARG_NONE,
.val = 'k',
.descrip = "DEPRECATED: Migrate to --use-kerberos",
},
diff --git a/lib/cmdline/cmdline.h b/lib/cmdline/cmdline.h
index 1f85da0099e..5cd58c3ddbb 100644
--- a/lib/cmdline/cmdline.h
--
Samba Shared Repository