[SCM] Samba Shared Repository - branch v4-14-stable updated
Jule Anger
janger at samba.org
Mon Apr 4 12:49:14 UTC 2022
The branch, v4-14-stable has been updated
via 744c4b0cc69 VERSION: Disable GIT_SNAPSHOT for the 4.14.13 release.
via d7358482055 WHATSNEW: Add release notes for Samba 4.14.13.
via 7ebf719e19e builtools: Make abi_gen.sh less prone to errors
via 56018a50e76 s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos
via 50df8eb5921 WHATSNEW: Mention our matrix room as well
via abd61ad8995 WHATSNEW: IRC is irc.libera.chat according to https://www.samba.org/samba/irc.html
via 1a1b789b2fe s4:kdc: redirect pre-authentication failured to an RWDC
via 68f55294eb0 HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE
via 3ae7ead5fd5 s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()
via 2a9a5185553 s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names
via 65498505cbf auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available
via f4179deb273 s4:auth: rename user_info->mapped_state to user_info->cracknames_called
via 8fa656cdeed winbindd: don't set mapped_state in winbindd_dual_auth_passdb()
via 9b631f4efeb nsswitch: let test_wbinfo.sh also test wbinfo -a $USERNAME@$DOMAIN
via 57401a170aa s3:auth: make_user_info_map() should not set mapped_state
via 311a4cc141a s4:auth: fix confusing DEBUG message in authsam_want_check()
via 8bdf62eb2d3 s4:auth: check for user_info->mapped.account_name if it needs to be filled
via 9981c6731d0 s4:rpc_server/samr: don't set mapped_state in auth_usersupplied_info for audit logging
via e0222e2fd8b s4:kdc: don't set mapped_state in auth_usersupplied_info for audit logging
via 7ef4c442c63 s4:dsdb: don't set mapped_state in auth_usersupplied_info for audit logging
via 1d8369c9232 s4:smb_server: don't set mapped_state explicitly in auth_usersupplied_info
via 9d4b98aa568 auth/ntlmssp: don't set mapped_state explicitly in auth_usersupplied_info
via 1ead3a4d0dd s4:auth: encrypt_user_info() should set password_state instead of mapped_state
via dd91493ed62 s4:auth: a simple bind uses the DCs name as workstation
via e7a0e1db90d s3:rpc_client: let rpccli_netlogon_network_logon() fallback to workstation = lp_netbios_name()
via c331fc104e7 rodc: Add tests for simple BIND alongside NTLMSSP binds
via 1a0d92a9bef s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as inducation for an interactive logon
via f0891c0a891 s3:auth: let make_user_info_netlogon_interactive() set USER_INFO_INTERACTIVE_LOGON
via 2472d44f9c9 dsdb/tests: add test_login_basics_simple()
via 50954766056 dsdb/tests: prepare BasePasswordTestCase for simple bind tests
via 275f57f3796 dsdb/tests: introduce assertLoginSuccess
via 845d3674286 dsdb/tests: make use of assertLoginFailure helper
via 6e43d4ca919 dsdb/tests: let all BasePasswordTestCase tests provide self.host_url[_ldaps]
via 657c7c9a34b dsdb/tests: passwords.py don't need to import BasePasswordTestCase
via 5ca48372032 python:tests: let insta_creds() also copy the bind_dn from the template
via 0e793fe124b s3: smbd: Fix our leases code to return the correct error in the non-dynamic share case.
via 4d80d0e33fc s4: torture: Add new SMB2 lease test test_lease_duplicate_open().
via 5b67cf9fbbf s4: torture: Add new SMB2 lease test test_lease_duplicate_create().
via 24d05601ad7 s3:trusts_utils: use a password length of 120 for machine accounts
via 98714cc2350 upgradehelpers.py: add a comment to update_krbtgt_account_password()
via fcd3dc4e445 provision: add a comment that the value of krbtgtpass is ignored in the backend
via 097dbe8fe86 upgradehelpers.py: let update_machine_account_password() use 120 character passwords
via 8c58c14cd66 provision: use 120 characters for the dns account password
via 00aa1f8bbae provision: Decrease the length of random machine passwords
via 78d24902c79 s4/auth/simple_bind: correctly report TLS state
via f656f6c9179 pytest:auth_log: expect TLS connections when using ldaps
via c2a3c17da9f s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
via 992a41e5e74 waf: re-add missing readlink test
via 26911b1489d readlink test: inverse return code
via 3d90f070894 s3:modules: Fix virusfilter_vfs_openat
via babfb227954 s3:selftest: Add test for virus scanner
via ae703cd4bcb selftest: Fix trailing whitespace in Samba3.pm
via e7c419d8397 docs-xml:manpages: Document 'dummy' virusfilter and 'virusfilter:infected files'
via 043f4b274b3 s3:modules: Implement dummy virus scanner that uses filename matching
via 34ade9eab0a s3:winbind: Use the canonical principal name to renew the credentials
via 98915350151 s3:winbind: Store canonical principal and realm in ccache entry
via f5672ef042b s3:libads: Return canonical principal and realm from kerberos_return_pac()
via af7f4e294dc lib:krb5_wrap: Fix wrong debug message and use newer debug macro
via fc3fed64ae0 lib:krb5_wrap: Improve debug message and use newer debug macro
via b464cbc0358 s3:libads: Fix memory leak in kerberos_return_pac() error path
via 77fac5ed243 libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt() ptext_len bug
via bbd4cd045ad libcli/smb: fix error checking in smb2_signing_decrypt_pdu() invalid ptext_len
via f75a0588512 selftest/quick: add smb2.session
via e59bf6bb2c3 s3/libads: ensure a sockaddr variable is correctly zero initialized
via 1cfb3b85f49 s3/libads: simplify storing existing ads->ldap.ss
via 885fafdee3b s3: libsmb: Call cli_dfs_target_check() from cli_smb2_rename_send().
via 5b653b0b076 s3: libsmb: Call cli_dfs_target_check() from cli_cifs_rename_send().
via f9a36e1aebf s3: libsmb: Call cli_dfs_target_check() from cli_smb1_rename_send().
via 9de91537f3d s3: libsmb: Call cli_dfs_target_check() from cli_ntrename_internal_send().
via fdd645fa702 s3: libsmb: Call cli_dfs_target_check() from cli_smb2_hardlink_send().
via 5790a73a0b6 s3: libsmb: Add cli_dfs_target_check() function.
via 231507270b4 s3: tests: Add a new test test_msdfs_rename() that does simple renames on MSDFS root shares.
via 6ef8465cf01 s3: tests: Add a new test test_msdfs_hardlink() that does simple hardlinks on MSDFS root shares.
via 9a4c688c2e7 lib: libsmbclient: Ensure cli_rename() always sets cli->raw_status.
via d775a15a346 s4: test: Add samba4.libsmbclient.rename test. Currently fails for SMB3.
via 66285f55862 VERSION: Bump version up to Samba 4.14.13...
via 038282f5236 Merge tag 'samba-4.14.12' into v4-14-test
via 96f88613a5e blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test
via 0544a3a3c9c librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0
via 1d7e27ffa68 s4:torture/ndr: demonstrate the ndr_push_string(STR_NOTERM|REMAINING) of "" is wrong
via 56ccaafb032 blackbox.ndrdump: adjust example files to the usage of dump_data_diff output.
via 2f0a433811a ndrdump: make use of dump_data_file_diff() in order to show differences
via 7b96fe7e12b lib/util: add dump_data_diff*() helpers
via 7b844ab490c blackbox.ndrdump: adjust example files to changed dump_data() output.
via ec8b2ae38a9 lib/util: split out a dump_data_block16() helper
via 9e3c363030d dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
via cefad52c90b s4:dsdb/vlv_pagination: fix segfault in vlv_results()
via 271d3f7b4a8 s4:dsdb/paged_results: fix segfault in paged_results()
via 01e15dfaede s4:rpc_server/netlogon: let CSDVersion="" wipe operatingSystemServicePack
via 09832c6f95e s4:torture/rpc: test how CSDVersion="" wipes operatingSystemServicePack
via 6417cadc277 ldb: version 2.3.3
via 1d181de02de auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors
via 13ba2002bc1 libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore invalid netapp requests
via 74aca02a8f1 libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL
via ab38fec433f s4:torture/rpc: add test for invalid av_pair content in LogonSamLogonEx
via c51625b4830 auth/credentials: cli_credentials_set_ntlm_response() pass session_keys
via be1b37e7c6e s3:libsmb: fix signing regression SMBC_server_internal()
via 7aa5875ff92 s4:selftest: run libsmbclient.noanon_list against maptoguest
via 8feb866c215 s4:torture/libsmbclient: add libsmbclient.noanon_list test
via 72e5b758e04 selftest/Samba3: enable SMB1 for maptoguest
via 4a6813f7bc9 s3: smbd: Add missing pop_sec_ctx() in error code path of close_directory()
via 870991a12c5 ctdb-protocol: Allow rfc5952 "[2001:db8::1]:80" ipv6 notation
via 70d81ab1481 s3: includes: Make the comments describing itime consistent. Always use "invented" time.
via 15599f33909 s3: lib: In create_clock_itime(), use timespec_current() -> clock_gettime(CLOCK_REALTIME..).
via 7841b45a7f1 s3: smbd: Create and use a common function for generating a fileid - create_clock_itime().
via a0934daa711 lib: util: Add a function nt_time_to_unix_timespec_raw().
via 9f0353b2f4c tests: Add 2 tests for unique fileid's with top bit set (generated from itime) for files and directories.
from 4c6b1950c47 VERSION: Disable GIT_SNAPSHOT for the 4.14.12 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 98 ++++++-
auth/auth_log.c | 20 +-
auth/common_auth.h | 4 +-
auth/credentials/credentials.h | 6 +-
auth/credentials/credentials_internal.h | 2 +
auth/credentials/credentials_ntlm.c | 65 ++++-
auth/ntlmssp/ntlmssp_server.c | 9 +-
buildtools/scripts/abi_gen.sh | 9 +-
ctdb/protocol/protocol_util.c | 13 +
docs-xml/manpages/vfs_virusfilter.8.xml | 12 +
lib/krb5_wrap/krb5_samba.c | 7 +-
lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.3.sigs} | 0
...pyldb-util-2.1.0.sigs => pyldb-util-2.3.3.sigs} | 0
lib/ldb/wscript | 2 +-
lib/util/time.c | 30 +++
lib/util/time.h | 2 +
lib/util/util.c | 203 +++++++++-----
lib/util/util.h | 28 ++
libcli/auth/smbencrypt.c | 89 +++++-
libcli/smb/smb2_signing.c | 24 +-
librpc/ndr/ndr_string.c | 5 +-
librpc/rpc/dcesrv_auth.c | 6 +
librpc/rpc/dcesrv_core.c | 18 ++
librpc/rpc/dcesrv_core.h | 2 +
librpc/tools/ndrdump.c | 10 +
nsswitch/tests/test_wbinfo.sh | 2 +
python/samba/join.py | 2 +-
python/samba/provision/__init__.py | 7 +-
python/samba/tests/__init__.py | 4 +
python/samba/tests/auth_log.py | 8 +-
python/samba/tests/blackbox/ndrdump.py | 19 +-
python/samba/upgradehelpers.py | 11 +-
selftest/knownfail | 1 -
selftest/knownfail.d/smb1-tests | 12 +-
selftest/quick | 1 +
selftest/target/Samba3.pm | 19 +-
source3/auth/auth_util.c | 3 +-
source3/include/includes.h | 4 +-
source3/include/proto.h | 1 +
source3/lib/system.c | 52 ++++
source3/libads/authdata.c | 33 ++-
source3/libads/kerberos_proto.h | 2 +
source3/libads/ldap.c | 14 +-
source3/libsmb/cli_smb2_fnum.c | 14 +
source3/libsmb/clidfs.c | 57 ++++
source3/libsmb/clifile.c | 53 ++++
source3/libsmb/libsmb_server.c | 4 +-
source3/libsmb/proto.h | 6 +
source3/libsmb/trusts_util.c | 14 +-
source3/modules/vfs_virusfilter.c | 18 +-
source3/modules/vfs_virusfilter_common.h | 4 +
source3/modules/vfs_virusfilter_dummy.c | 58 ++++
source3/modules/wscript_build | 1 +
source3/rpc_client/cli_netlogon.c | 4 +
source3/rpc_server/rpc_config.c | 2 +
source3/script/tests/test_smbclient_s3.sh | 99 +++++++
source3/script/tests/test_virus_scanner.sh | 124 +++++++++
source3/selftest/ktest-krb5_ccache-2.txt | 4 +-
source3/selftest/ktest-krb5_ccache-3.txt | 4 +-
source3/selftest/tests.py | 11 +
source3/smbd/close.c | 2 +
source3/smbd/open.c | 44 ++-
source3/utils/net_ads.c | 2 +
source3/winbindd/winbindd.h | 2 +
source3/winbindd/winbindd_cred_cache.c | 18 +-
source3/winbindd/winbindd_pam.c | 15 +-
source3/winbindd/winbindd_proto.h | 4 +-
source3/wscript | 6 +
source4/auth/ntlm/auth.c | 7 +-
source4/auth/ntlm/auth_sam.c | 13 +-
source4/auth/ntlm/auth_simple.c | 14 +-
source4/auth/ntlm/auth_util.c | 4 +-
source4/auth/sam.c | 19 +-
source4/dsdb/samdb/ldb_modules/paged_results.c | 19 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 1 -
source4/dsdb/samdb/ldb_modules/vlv_pagination.c | 21 +-
source4/dsdb/tests/python/login_basics.py | 32 ++-
source4/dsdb/tests/python/password_lockout.py | 7 +-
source4/dsdb/tests/python/password_lockout_base.py | 36 ++-
source4/dsdb/tests/python/passwords.py | 1 -
source4/dsdb/tests/python/rodc_rwdc.py | 66 +++--
source4/heimdal/kdc/kerberos5.c | 10 +-
source4/kdc/db-glue.c | 51 +++-
source4/kdc/hdb-samba4.c | 80 ++----
source4/libnet/libnet_vampire.c | 2 +-
.../tests/dns-decode_dns_name_packet-hex.txt | 2 +-
.../librpc/tests/fuzzed_drsuapi_DsAddEntry_1.txt | 297 ++++++++++++++++++++-
.../librpc/tests/fuzzed_drsuapi_DsGetNCChanges.txt | 2 +-
.../tests/fuzzed_drsuapi_DsReplicaAttribute.txt | 31 ++-
.../tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt | 33 +++
.../tests/fuzzed_ntlmssp-CHALLENGE_MESSAGE.txt | 52 +++-
source4/librpc/tests/krb5pac_upn_dns_info_ex.txt | 61 +++++
.../krb5pac_upn_dns_info_ex_not_supported.txt | 69 +++++
source4/rpc_server/netlogon/dcerpc_netlogon.c | 11 +-
source4/rpc_server/samr/samr_password.c | 1 -
source4/rpc_server/service_rpc.c | 10 +
source4/scripting/bin/renamedc | 2 +-
source4/selftest/tests.py | 17 ++
source4/smb_server/smb/sesssetup.c | 2 -
source4/torture/libsmbclient/libsmbclient.c | 162 +++++++++++
source4/torture/ndr/string.c | 30 ++-
source4/torture/rpc/netlogon.c | 10 +-
source4/torture/rpc/schannel.c | 209 +++++++++++++++
source4/torture/smb2/create.c | 205 ++++++++++++++
source4/torture/smb2/lease.c | 124 +++++++++
source4/torture/smb2/smb2.c | 1 +
tests/readlink.c | 11 +-
wscript_configure_system_gnutls | 3 +
109 files changed, 2797 insertions(+), 362 deletions(-)
copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.3.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.3.3.sigs} (100%)
create mode 100644 source3/modules/vfs_virusfilter_dummy.c
create mode 100755 source3/script/tests/test_virus_scanner.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index cbe15c92367..aa9e9870799 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=14
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2f8e8c31500..491a388ca9c 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,95 @@
+ ===============================
+ Release Notes for Samba 4.14.13
+ April 04, 2022
+ ===============================
+
+
+This is the last bugfix release of the Samba 4.14 release series. There will be
+security releases only beyond this point.
+
+
+Changes since 4.14.12
+---------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 14169: Renaming file on DFS root fails with
+ NT_STATUS_OBJECT_PATH_NOT_FOUND.
+ * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2
+ objects with same lease key.
+ * BUG 14938: NT error code is not set when overwriting a file during rename
+ in libsmbclient.
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * BUG 14996: Fix ldap simple bind with TLS auditing.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
+ server.
+
+o Samuel Cabrero <scabrero at suse.de>
+ * BUG 14979: Problem when winbind renews Kerberos.
+
+o Pavel Filipenský <pfilipen at redhat.com>
+ * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.
+
+o Elia Geretto <elia.f.geretto at gmail.com>
+ * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
+ in SMBC_server_internal.
+
+o Björn Jacke <bj at sernet.de>
+ * BUG 13631: DFS fix for AIX broken.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
+ users).
+ * BUG 14641: Crash of winbind on RODC.
+ * BUG 14865: Uncached logon on RODC always fails once.
+ * BUG 14951: KVNO off by 100000.
+ * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
+ gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
+ * BUG 14984: Changing the machine password against an RODC likely destroys
+ the domain join.
+ * BUG 14993: authsam_make_user_info_dc() steals memory from its struct
+ ldb_message *msg argument.
+ * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
+ * BUG 15001: LDAP simple binds should honour "old password allowed period".
+ * BUG 15003: wbinfo -a doesn't work reliable with upn names.
+
+o Garming Sam <garming at catalyst.net.nz>
+ * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
+ users).
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 14621: "password hash userPassword schemes = CryptSHA256" does not seem
+ to work with samba-tool.
+ * BUG 14984: Changing the machine password against an RODC likely destroys
+ the domain join.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
===============================
Release Notes for Samba 4.14.12
January 31, 2022
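Review bot: two wording slips in the new 4.14.13 entries. Under BUG 14737, "does not response STATUS_INVALID_PARAMETER" should read "does not respond with STATUS_INVALID_PARAMETER", and under BUG 15003, "doesn't work reliable with upn names" should read "reliably with UPN names".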
@@ -43,8 +135,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
===============================
Release Notes for Samba 4.14.11
December 15, 2021
@@ -416,7 +507,8 @@ Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
diff --git a/auth/auth_log.c b/auth/auth_log.c
index 60bc6334591..dc1cea12390 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -152,6 +152,12 @@ static void log_authentication_event_json(
char negotiate_flags[11];
char logon_id[19];
int rc = 0;
+ const char *clientDomain = ui->orig_client.domain_name ?
+ ui->orig_client.domain_name :
+ ui->client.domain_name;
+ const char *clientAccount = ui->orig_client.account_name ?
+ ui->orig_client.account_name :
+ ui->client.account_name;
authentication = json_new_object();
if (json_is_invalid(&authentication)) {
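Review bot: the clientDomain and clientAccount fallbacks at the top of log_authentication_event_json() are evaluated independently, so when only one of orig_client.domain_name and orig_client.account_name is set, the audit record pairs a domain from one struct with an account from the other. For an authentication log it is safer to decide once (for example on orig_client.account_name) and take both fields from orig_client or both from client. The same six lines are repeated in log_authentication_event_human_readable(); a small static helper would keep the two log formats from drifting apart.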
@@ -203,12 +209,12 @@ static void log_authentication_event_json(
goto failure;
}
rc = json_add_string(
- &authentication, "clientDomain", ui->client.domain_name);
+ &authentication, "clientDomain", clientDomain);
if (rc != 0) {
goto failure;
}
rc = json_add_string(
- &authentication, "clientAccount", ui->client.account_name);
+ &authentication, "clientAccount", clientAccount);
if (rc != 0) {
goto failure;
}
@@ -594,6 +600,12 @@ static void log_authentication_event_human_readable(
char *trust_account_name = NULL;
char *logon_line = NULL;
const char *password_type = NULL;
+ const char *clientDomain = ui->orig_client.domain_name ?
+ ui->orig_client.domain_name :
+ ui->client.domain_name;
+ const char *clientAccount = ui->orig_client.account_name ?
+ ui->orig_client.account_name :
+ ui->client.account_name;
frame = talloc_stackframe();
@@ -640,8 +652,8 @@ static void log_authentication_event_human_readable(
" %s\n",
ui->service_description,
ui->auth_description,
- log_escape(frame, ui->client.domain_name),
- log_escape(frame, ui->client.account_name),
+ log_escape(frame, clientDomain),
+ log_escape(frame, clientAccount),
ts,
password_type,
nt_errstr(status),
diff --git a/auth/common_auth.h b/auth/common_auth.h
index 0452c673ebc..d922b66ab4d 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -49,14 +49,14 @@ struct auth_usersupplied_info
uint32_t logon_parameters;
- bool mapped_state;
+ bool cracknames_called;
bool was_mapped;
uint64_t logon_id;
/* the values the client gives us */
struct {
const char *account_name;
const char *domain_name;
- } client, mapped;
+ } client, mapped, orig_client;
enum auth_password_state password_state;
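Review bot: orig_client is added under the existing comment "the values the client gives us", which now sits above three structs (client, mapped, orig_client) with different meanings. Please document what each one holds and which layer fills it in, and add a one-line comment on cracknames_called, since it sits directly above the similarly named was_mapped.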
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 1fff37e8154..e1648677fda 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -218,8 +218,10 @@ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred,
const struct samr_Password *nt_hash);
bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
- const DATA_BLOB *lm_response,
- const DATA_BLOB *nt_response,
+ const DATA_BLOB *lm_response,
+ const DATA_BLOB *lm_session_key,
+ const DATA_BLOB *nt_response,
+ const DATA_BLOB *nt_session_key,
enum credentials_obtained obtained);
int cli_credentials_set_keytab_name(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
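Review bot: cli_credentials_set_ntlm_response() now takes four consecutive const DATA_BLOB * arguments (lm_response, lm_session_key, nt_response, nt_session_key), so a caller that passes them in the wrong order compiles without a diagnostic. A short comment on the prototype stating the order and which arguments may be NULL would help anyone updating call sites.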
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
index 3b86b742448..ef37c9a6eec 100644
--- a/auth/credentials/credentials_internal.h
+++ b/auth/credentials/credentials_internal.h
@@ -68,7 +68,9 @@ struct cli_credentials {
/* Allows NTLM pass-though authentication */
DATA_BLOB lm_response;
+ DATA_BLOB lm_session_key;
DATA_BLOB nt_response;
+ DATA_BLOB nt_session_key;
struct ccache_container *ccache;
struct gssapi_creds_container *client_gss_creds;
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index 1bec60e5dce..5995835e9a1 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -69,6 +69,14 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
return NT_STATUS_NO_MEMORY;
}
}
+ if (cred->nt_session_key.length != 0) {
+ session_key = data_blob_dup_talloc(frame,
+ cred->nt_session_key);
+ if (session_key.data == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
if (cred->lm_response.length != 0) {
lm_response = data_blob_dup_talloc(frame,
cred->lm_response);
@@ -77,6 +85,14 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
return NT_STATUS_NO_MEMORY;
}
}
+ if (cred->lm_session_key.length != 0) {
+ lm_session_key = data_blob_dup_talloc(frame,
+ cred->lm_session_key);
+ if (lm_session_key.data == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
if (cred->lm_response.data == NULL) {
*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
@@ -483,19 +499,54 @@ _PUBLIC_ bool cli_credentials_set_old_nt_hash(struct cli_credentials *cred,
}
_PUBLIC_ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
- const DATA_BLOB *lm_response,
- const DATA_BLOB *nt_response,
+ const DATA_BLOB *lm_response,
+ const DATA_BLOB *lm_session_key,
+ const DATA_BLOB *nt_response,
+ const DATA_BLOB *nt_session_key,
enum credentials_obtained obtained)
{
if (obtained >= cred->password_obtained) {
cli_credentials_set_password(cred, NULL, obtained);
- if (nt_response) {
- cred->nt_response = data_blob_talloc(cred, nt_response->data, nt_response->length);
- talloc_steal(cred, cred->nt_response.data);
+
+ data_blob_clear_free(&cred->lm_response);
+ data_blob_clear_free(&cred->lm_session_key);
+ data_blob_clear_free(&cred->nt_response);
+ data_blob_clear_free(&cred->nt_session_key);
+
+ if (lm_response != NULL && lm_response->length != 0) {
+ cred->lm_response = data_blob_talloc(cred,
+ lm_response->data,
+ lm_response->length);
+ if (cred->lm_response.data == NULL) {
+ return false;
+ }
}
- if (nt_response) {
- cred->lm_response = data_blob_talloc(cred, lm_response->data, lm_response->length);
+ if (lm_session_key != NULL && lm_session_key->length != 0) {
+ cred->lm_session_key = data_blob_talloc(cred,
+ lm_session_key->data,
+ lm_session_key->length);
+ if (cred->lm_session_key.data == NULL) {
+ return false;
+ }
}
+
+ if (nt_response != NULL && nt_response->length != 0) {
+ cred->nt_response = data_blob_talloc(cred,
+ nt_response->data,
+ nt_response->length);
+ if (cred->nt_response.data == NULL) {
+ return false;
+ }
+ }
+ if (nt_session_key != NULL && nt_session_key->length != 0) {
+ cred->nt_session_key = data_blob_talloc(cred,
+ nt_session_key->data,
+ nt_session_key->length);
+ if (cred->nt_session_key.data == NULL) {
+ return false;
+ }
+ }
+
return true;
}
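Review bot: the new "return false" paths in cli_credentials_set_ntlm_response() leave cred half updated. By the time an allocation fails, the password has already been reset by cli_credentials_set_password(cred, NULL, obtained), all four blobs have been cleared, and any blob copied before the failing one stays set. Consider copying into local DATA_BLOBs first and only clearing and assigning the cred fields once every copy has succeeded, or clearing all four again before returning false.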
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 939aa0ef4aa..e077c2f7379 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -532,6 +532,14 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
(ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
nt_status = ndr_map_error2ntstatus(err);
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_BUFFER_TOO_SMALL)) {
+ /*
+ * Note that invalid blobs should result in
+ * INVALID_PARAMETER, as demonstrated by
+ * smb2.session.ntlmssp_bug14932
+ */
+ nt_status = NT_STATUS_INVALID_PARAMETER;
+ }
DEBUG(1,("%s: failed to parse NTLMv2_RESPONSE of length %zu for "
"user=[%s] domain=[%s] workstation=[%s] - %s %s\n",
__func__, ntlmssp_state->nt_resp.length,
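Review bot: the added comment in ntlmssp_server_preauth() says invalid blobs should result in INVALID_PARAMETER, but the check remaps only NT_STATUS_BUFFER_TOO_SMALL; any other status returned by ndr_map_error2ntstatus(err) is still passed through unchanged. Either remap every NDR parse failure here or extend the comment to say why only the too-small case needs it.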
@@ -763,7 +771,6 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
user_info->flags = 0;
- user_info->mapped_state = false;
user_info->client.account_name = ntlmssp_state->user;
user_info->client.domain_name = ntlmssp_state->domain;
user_info->workstation_name = ntlmssp_state->client.netbios_name;
diff --git a/buildtools/scripts/abi_gen.sh b/buildtools/scripts/abi_gen.sh
index 6dd6d321f77..ddb0a7cc36f 100755
--- a/buildtools/scripts/abi_gen.sh
+++ b/buildtools/scripts/abi_gen.sh
@@ -10,9 +10,14 @@ cat <<EOF
set height 0
set width 0
EOF
-nm "$SHAREDLIB" | cut -d' ' -f2- | egrep '^[BDGTRVWS]' | grep -v @ | egrep -v ' (__bss_start|_edata|_init|_fini|_end)' | cut -c3- | sort | while read s; do
+
+# On older linker versions _init|_fini symbols are not hidden.
+objdump --dynamic-syms "${SHAREDLIB}" | \
+ awk '$0 !~ /.hidden/ {if ($2 == "g" && $3 ~ /D(F|O)/ && $4 ~ /(.bss|.rodata|.text)/) print $NF}' | \
+ sort | \
+ while read -r s; do
echo "echo $s: "
- echo p $s
+ echo p "${s}"
done
) > $GDBSCRIPT
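Review bot: in the new awk filter the dots in /.hidden/ and /(.bss|.rodata|.text)/ are unescaped, so each matches any character rather than a literal dot, and the filter can accept or drop symbols it was not meant to. Suggest /\.hidden/ and /\.(bss|rodata|text)/. The new lines quote "${SHAREDLIB}" and "${s}", while the redirect target in "> $GDBSCRIPT" and the $s in the preceding echo are still unquoted; quoting them too would match the intent of the change.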
diff --git a/ctdb/protocol/protocol_util.c b/ctdb/protocol/protocol_util.c
index 2d0a6f33038..3eea95a274e 100644
--- a/ctdb/protocol/protocol_util.c
+++ b/ctdb/protocol/protocol_util.c
@@ -240,6 +240,19 @@ static int ip_from_string(const char *str, ctdb_sock_addr *addr)
uint8_t ipv4_mapped_prefix[12] = {
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff
};
+ size_t len = strlen(str);
+ char s[64];
+
+ len = strlcpy(s, str, sizeof(s));
+ if (len >= sizeof(s)) {
+ return EINVAL;
+ }
+
+ if ((len >= 2) && (s[0] == '[') && (s[len-1] == ']')) {
+ s[len-1] = '\0';
+ str = s+1;
+ p = strrchr(str, ':');
+ }
ret = ipv6_from_string(str, &addr->ip6);
if (ret != 0) {
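Review bot: the initialiser in "size_t len = strlen(str);" is dead, because len is overwritten by the strlcpy() return value two lines later; declare len without it. The copy into s[64] also runs before the bracket check, so every string reaching this point that is 64 bytes or longer now returns EINVAL even when it has no brackets. If that limit is intended, say so in a comment; otherwise copy only when str starts with '['.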
diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml
index 329a35af68a..88f91d73a42 100644
--- a/docs-xml/manpages/vfs_virusfilter.8.xml
+++ b/docs-xml/manpages/vfs_virusfilter.8.xml
@@ -48,6 +48,10 @@
scanner</para></listitem>
<listitem><para><emphasis>clamav</emphasis>, the ClamAV
scanner</para></listitem>
+ <listitem><para><emphasis>dummy</emphasis>, dummy scanner used in
+ tests. Checks against the <emphasis>infected files</emphasis>
+ parameter and flags any name that matches as infected.
+ </para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
@@ -264,6 +268,14 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>virusfilter:infected files = empty</term>
+ <listitem>
+ <para>Files that virusfilter <emphasis>dummy</emphasis> flags as infected.</para>
+ <para>If this option is not set, the default is empty.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>virusfilter:block access on error = false</term>
<listitem>
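Review bot: the new "virusfilter:infected files" entry does not say what syntax the value takes or how names are compared; the dummy scanner item in the earlier hunk says only "any name that matches". Please state the list separator, whether wildcards are accepted, and whether the match is on the base name or the full path. It would also help to repeat here that the dummy scanner is meant for tests, so the option is not mistaken for a production blocklist.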
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index fff5b4e2a22..76c2dcd2126 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
goto done;
}
- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
/* FIXME: we should not fall back to defaults */
ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
if (ret) {
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
+ "for client '%s' and service '%s' failed: %s\n",
+ ccache_string, client_string, service_string,
+ error_message(ret));
goto done;
}
diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.3.3.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.3.3.sigs
diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.3.3.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs
copy to lib/ldb/ABI/pyldb-util-2.3.3.sigs
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 38f2d578c2e..4a0d807a731 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -2,7 +2,7 @@
APPNAME = 'ldb'
# For Samba 4.14.x
-VERSION = '2.3.2'
+VERSION = '2.3.3'
import sys, os
diff --git a/lib/util/time.c b/lib/util/time.c
index 680bfe7c282..d5854f5e464 100644
--- a/lib/util/time.c
+++ b/lib/util/time.c
@@ -869,6 +869,36 @@ _PUBLIC_ int get_time_zone(time_t t)
return tm_diff(&tm_utc,tm);
}
+/*
+ * Raw convert an NTTIME to a unix timespec.
+ */
+
+struct timespec nt_time_to_unix_timespec_raw(
+ NTTIME nt)
+{
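Review bot: the comment above nt_time_to_unix_timespec_raw() says only "Raw convert an NTTIME to a unix timespec". Please say what "raw" means here, that is, which special values or adjustments are skipped compared with the non-raw conversion, so callers can tell which helper to use.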
--
Samba Shared Repository