[SCM] Samba Shared Repository - branch v4-15-test updated

Jule Anger janger at samba.org
Fri Nov 19 08:12:02 UTC 2021


The branch, v4-15-test has been updated
       via  bf9fdf5b455 cmdline: Make -P work in clustered mode
       via  f1c064e792a cmdline: Add a callback to set the machine account details
       via  575e620ad6c lib: Add required includes to source3/include/secrets.h
       via  3309ab5fa02 selftest: Add reproducer for bug 14908
       via  4d68d797f18 s3:modules:recycle - fix crash in recycle_unlink_internal
      from  9bcba58e4d4 CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -----------------------------------------------------------------
commit bf9fdf5b45531749d5e533fe91dd957d64f81d6b
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Nov 17 12:27:27 2021 +0100

    cmdline: Make -P work in clustered mode
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Wed Nov 17 18:29:09 UTC 2021 on sn-devel-184
    
    (cherry picked from commit cdc0268c1987f36ab400ea01df88d55c02dccfdb)
    
    Autobuild-User(v4-15-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-15-test): Fri Nov 19 08:11:05 UTC 2021 on sn-devel-184

commit f1c064e792ae1b9d3cc57380205246dc21e8bb3c
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Nov 17 12:25:58 2021 +0100

    cmdline: Add a callback to set the machine account details
    
    source3 clients need to work in clustered mode, but the default
    cli_credentials_set_machine_account() only looks at the local
    secrets.tdb file.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 63c80f25da8829a7bd3244afea29c13f699efac1)

commit 575e620ad6cf57634c3357f8677f8beaf7c12caa
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Nov 17 12:25:05 2021 +0100

    lib: Add required includes to source3/include/secrets.h
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit d6270525699fbc856b217cf18ece7f1d063b144d)

commit 3309ab5fa0245ca791e66c585c131abb82d24a8b
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Nov 17 16:34:07 2021 +0100

    selftest: Add reproducer for bug 14908
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 9faa3173193ddcb95905993d960cc10d4366524e)

commit 4d68d797f187358e6b328550999ddff5bf755df0
Author: Andrew Walker <awalker at ixsystems.com>
Date:   Thu Oct 28 16:01:42 2021 -0400

    s3:modules:recycle - fix crash in recycle_unlink_internal
    
    Original logic for separating path from base name assumed
    that we were using same string to determine offset when
    getting the parent dir name (smb_fname->base_name).
    
    Simplify by using parent_dirname() to split the path
    from base name.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14888
    
    Signed-off-by: Andrew Walker <awalker at ixsystems.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat Oct 30 04:34:53 UTC 2021 on sn-devel-184
    
    (cherry picked from commit be3a47e22ad6be204f4a7d6070f82f990c17e6fb)

-----------------------------------------------------------------------

Summary of changes:
 lib/cmdline/cmdline.c                            | 16 ++++++++++++--
 lib/cmdline/cmdline.h                            |  4 ++++
 lib/cmdline/cmdline_s3.c                         | 28 ++++++++++++++++++++++++
 lib/cmdline/wscript                              |  2 +-
 source3/include/secrets.h                        |  3 +++
 source3/modules/vfs_recycle.c                    | 17 +++++---------
 source3/script/tests/test_net_machine_account.sh | 22 +++++++++++++++++++
 source3/selftest/tests.py                        |  9 ++++++++
 8 files changed, 86 insertions(+), 15 deletions(-)
 create mode 100755 source3/script/tests/test_net_machine_account.sh


Changeset truncated at 500 lines:

diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c
index 63e81bc0a7f..0c0b3ead7da 100644
--- a/lib/cmdline/cmdline.c
+++ b/lib/cmdline/cmdline.c
@@ -30,6 +30,11 @@ static struct cli_credentials *cmdline_creds;
 static samba_cmdline_load_config cmdline_load_config_fn;
 static struct samba_cmdline_daemon_cfg cmdline_daemon_cfg;
 
+static NTSTATUS (*cli_credentials_set_machine_account_fn)(
+	struct cli_credentials *cred,
+	struct loadparm_context *lp_ctx) =
+	cli_credentials_set_machine_account;
+
 /* PRIVATE */
 bool samba_cmdline_set_talloc_ctx(TALLOC_CTX *mem_ctx)
 {
@@ -122,6 +127,13 @@ struct samba_cmdline_daemon_cfg *samba_cmdline_get_daemon_cfg(void)
 	return &cmdline_daemon_cfg;
 }
 
+void samba_cmdline_set_machine_account_fn(
+	NTSTATUS (*fn) (struct cli_credentials *cred,
+			struct loadparm_context *lp_ctx))
+{
+	cli_credentials_set_machine_account_fn = fn;
+}
+
 void samba_cmdline_burn(int argc, char *argv[])
 {
 	bool found = false;
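Review bot: samba_cmdline_set_machine_account_fn() stores `fn` unchecked, so a caller passing NULL would leave the -P path in popt_common_credentials_callback (third hunk of this file) calling through a null pointer. The only caller visible in this changeset passes a valid static function, so this is defensive, but falling back to the default keeps the failure mode a status code rather than a crash: `cli_credentials_set_machine_account_fn = (fn != NULL) ? fn : cli_credentials_set_machine_account;`. A short comment on the static pointer in the first hunk, saying it is the hook used for the machine-account lookup and who is expected to override it, would also help.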
@@ -792,8 +804,8 @@ static void popt_common_credentials_callback(poptContext popt_ctx,
 		if (machine_account_pending) {
 			NTSTATUS status;
 
-			status = cli_credentials_set_machine_account(creds,
-								     lp_ctx);
+			status = cli_credentials_set_machine_account_fn(
+				creds, lp_ctx);
 			if (!NT_STATUS_IS_OK(status)) {
 				fprintf(stderr,
 					"Failed to set machine account: %s\n",
diff --git a/lib/cmdline/cmdline.h b/lib/cmdline/cmdline.h
index 1f85da0099e..5cd58c3ddbb 100644
--- a/lib/cmdline/cmdline.h
+++ b/lib/cmdline/cmdline.h
@@ -131,6 +131,10 @@ struct poptOption *samba_cmdline_get_popt(enum smb_cmdline_popt_options opt);
  */
 struct samba_cmdline_daemon_cfg *samba_cmdline_get_daemon_cfg(void);
 
+void samba_cmdline_set_machine_account_fn(
+	NTSTATUS (*fn) (struct cli_credentials *cred,
+			struct loadparm_context *lp_ctx));
+
 /**
  * @brief Burn secrets on the command line.
  *
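Review bot: The new prototype for samba_cmdline_set_machine_account_fn() has no Doxygen block, while the declarations directly above and below it in this hunk both carry one. I would add a `/** @brief ... */` comment stating that `fn` replaces the default cli_credentials_set_machine_account() used when -P is given, with `@param[in] fn` describing the expected NTSTATUS result on failure. If the setter has to be called before the options are parsed, which looks likely from the callback in cmdline.c, the comment should say so.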
diff --git a/lib/cmdline/cmdline_s3.c b/lib/cmdline/cmdline_s3.c
index 639d403aed3..6e2c154c756 100644
--- a/lib/cmdline/cmdline_s3.c
+++ b/lib/cmdline/cmdline_s3.c
@@ -26,6 +26,7 @@
 #include "auth/credentials/credentials.h"
 #include "dynconfig/dynconfig.h"
 #include "cmdline_private.h"
+#include "source3/include/secrets.h"
 
 static bool _require_smbconf;
 static enum samba_cmdline_config_type _config_type;
@@ -84,6 +85,31 @@ static bool _samba_cmdline_load_config_s3(void)
 	return true;
 }
 
+static NTSTATUS _samba_cmd_set_machine_account_s3(
+	struct cli_credentials *cred,
+	struct loadparm_context *lp_ctx)
+{
+	struct db_context *db_ctx = secrets_db_ctx();
+	NTSTATUS status;
+
+	if (db_ctx == NULL) {
+		DBG_WARNING("failed to open secrets.tdb to obtain our "
+			    "trust credentials for %s\n",
+			    lpcfg_workgroup(lp_ctx));;
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	status = cli_credentials_set_machine_account_db_ctx(
+		cred, lp_ctx, db_ctx);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_WARNING("cli_credentials_set_machine_account_db_ctx "
+			    "failed: %s\n",
+			    nt_errstr(status));
+	}
+
+	return status;
+}
+
 bool samba_cmdline_init(TALLOC_CTX *mem_ctx,
 			enum samba_cmdline_config_type config_type,
 			bool require_smbconf)
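Review bot: The first DBG_WARNING in `_samba_cmd_set_machine_account_s3` ends with a stray double semicolon, `lpcfg_workgroup(lp_ctx));;`, which leaves an empty statement behind and should be a single `;`. The helper is also named `_samba_cmd_...` while its neighbour in the same file is `_samba_cmdline_load_config_s3`; `_samba_cmdline_set_machine_account_s3` would match the existing convention. A one-line comment above the function, for example `/* Use secrets_db_ctx() so the trust account is also found in clustered mode */`, would explain why this wrapper exists, since the log text still speaks of secrets.tdb.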
@@ -119,6 +145,8 @@ bool samba_cmdline_init(TALLOC_CTX *mem_ctx,
 	}
 
 	samba_cmdline_set_load_config_fn(_samba_cmdline_load_config_s3);
+	samba_cmdline_set_machine_account_fn(
+		_samba_cmd_set_machine_account_s3);
 
 	return true;
 }
diff --git a/lib/cmdline/wscript b/lib/cmdline/wscript
index 9c50b47a41c..6b816c859c1 100644
--- a/lib/cmdline/wscript
+++ b/lib/cmdline/wscript
@@ -19,7 +19,7 @@ def build(bld):
 
     bld.SAMBA_SUBSYSTEM('CMDLINE_S3',
                         source='cmdline_s3.c',
-                        deps='cmdline')
+                        deps='cmdline secrets3')
 
     bld.SAMBA_SUBSYSTEM('CMDLINE_S4',
                         source='cmdline_s4.c',
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 2478561cee7..1abfbb07e89 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -20,6 +20,9 @@
 #ifndef _SECRETS_H
 #define _SECRETS_H
 
+#include "replace.h"
+#include "librpc/gen_ndr/security.h"
+
 /* the first one is for the hashed password (NT4 style) the latter
    for plaintext (ADS)
 */
diff --git a/source3/modules/vfs_recycle.c b/source3/modules/vfs_recycle.c
index 7cbc938a57c..b794ebc2d8c 100644
--- a/source3/modules/vfs_recycle.c
+++ b/source3/modules/vfs_recycle.c
@@ -572,17 +572,10 @@ static int recycle_unlink_internal(vfs_handle_struct *handle,
 	 */
 
 	/* extract filename and path */
-	base = strrchr(full_fname->base_name, '/');
-	if (base == NULL) {
-		base = full_fname->base_name;
-		path_name = SMB_STRDUP("/");
-		ALLOC_CHECK(path_name, done);
-	}
-	else {
-		path_name = SMB_STRDUP(full_fname->base_name);
-		ALLOC_CHECK(path_name, done);
-		path_name[base - smb_fname->base_name] = '\0';
-		base++;
+	if (!parent_dirname(talloc_tos(), full_fname->base_name, &path_name, &base)) {
+		rc = -1;
+		errno = ENOMEM;
+		goto done;
 	}
 
 	/* original filename with path */
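Review bot: The no-slash case changes here without a comment: the removed code set path_name to "/" when base_name contained no '/', whereas parent_dirname(), as far as I know, yields "." for such a name. The code in recycle_unlink_internal that later builds paths from path_name lies outside this hunk, so whether the difference matters cannot be judged from here; a comment such as `/* path_name is "." when base_name has no directory part */` would record the intent. The call line also runs past 80 columns and could be wrapped after `full_fname->base_name,`.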
@@ -717,7 +710,7 @@ static int recycle_unlink_internal(vfs_handle_struct *handle,
 				 recycle_touch_mtime(handle));
 
 done:
-	SAFE_FREE(path_name);
+	TALLOC_FREE(path_name);
 	SAFE_FREE(temp_name);
 	SAFE_FREE(final_name);
 	TALLOC_FREE(full_fname);
diff --git a/source3/script/tests/test_net_machine_account.sh b/source3/script/tests/test_net_machine_account.sh
new file mode 100755
index 00000000000..69844443bf6
--- /dev/null
+++ b/source3/script/tests/test_net_machine_account.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+# Reproducer for https://bugzilla.samba.org/show_bug.cgi?id=14908
+
+if [ $# -lt 2 ]; then
+    echo "Usage: $0 NET CONFFILE SERVER_IP"
+    exit 1
+fi
+
+NET="$1"; shift
+CONFFILE="$1"; shift
+SERVER_IP="$1"; shift
+
+export UID_WRAPPER_ROOT=1
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+testit "net_ads_user" $VALGRIND $NET rpc user --configfile="$CONFFILE" -S "$SERVER_IP" -P || failed=`expr $failed + 1`
+
+testok $0 $failed
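Review bot: The argument check accepts two arguments although the script consumes three: `[ $# -lt 2 ]` lets a call without SERVER_IP through, after which the third `shift` either aborts the script or leaves an empty `-S ""` on the net command line, depending on the shell. It should read `if [ $# -lt 3 ]; then`. The test label `net_ads_user` also does not match the command that is run, `net rpc user`; `net_rpc_user` would make a failure easier to trace. `$0` and `$incdir` are unquoted in the `dirname` and `.` lines, which breaks if the source tree path contains spaces.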
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 10dd5042e46..32f02396004 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1289,6 +1289,15 @@ plantestsuite(
      "",
      "-b $PREFIX/clusteredmember/unclists/tmp.txt -N 5 -o 10"])
 
+plantestsuite(
+    "samba3.net_machine_account",
+    "clusteredmember",
+    [os.path.join(samba3srcdir,
+                  "script/tests/test_net_machine_account.sh"),
+     "bin/net",
+     "$SERVERCONFFILE",
+     "$SERVER_IP"])
+
 plantestsuite(
     "samba3.net_lookup_ldap",
     "ad_dc:local",


-- 
Samba Shared Repository


