[SCM] Samba Shared Repository - branch v4-16-test created
Stefan Metzmacher
metze at samba.org
Mon Jan 24 14:55:11 UTC 2022
The branch, v4-16-test has been created
at 809f4fe2c7862f25547cbdcf01160537e43e3f95 (commit)
- Log -----------------------------------------------------------------
commit 809f4fe2c7862f25547cbdcf01160537e43e3f95
Author: Björn Jacke <bj at sernet.de>
Date: Sun Jan 23 12:35:22 2022 +0100
s4:librpc: raise log level for failed connection attempts
this keeps the log files silent when other DCs are currently not running. We
saw frequent NT_STATUS_HOST_UNREACHABLE messages at log level 0 for now.
https://bugzilla.samba.org/show_bug.cgi?id=11537
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sun Jan 23 12:51:44 UTC 2022 on sn-devel-184
commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Fri Jan 21 12:01:33 2022 +0100
s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Tue Jan 18 19:44:54 2022 +0100
s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit fcf225a356abb06d1205f66eb79f707c85803cb5
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Tue Jan 18 19:47:38 2022 +0100
s3:winbindd: Remove trailing spaces from winbindd_ads.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Tue Jan 4 12:00:20 2022 +0100
s4:selftest: plan test suite samba4.blackbox.test_weak_disable_ntlmssp_ldap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit eb0fa26dce77829995505f542af02e32df088cd6
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Mon Jan 3 15:33:46 2022 +0100
tests: Add test for disabling NTLMSSP for ldap client connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 17ea2ccdabbe935ef571e1227908d51b755707bc
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Mon Jan 3 11:13:06 2022 +0100
s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5f6251abf2f468b3744a96376b0e1c3bc317c738
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Fri Jan 7 10:31:19 2022 +0100
s3:libads: Improve debug messages for SASL bind
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Thu Dec 9 13:43:08 2021 +0100
s3:libads: Disable NTLMSSP for FIPS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Wed Dec 8 16:05:17 2021 +0100
s3:libads: Remove trailing spaces from sasl.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit afcdb090769f6f0f66428cd29f88b0283c6bd527
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Fri Dec 10 16:08:04 2021 +0100
s3:utils: set ads->auth.flags using krb5_state
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 6843bdae306292a781636b4d295ed8d04ae59e07
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 21 17:06:15 2022 +0100
wafsamba: Add our own implmentation to generate the clangdb
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 85dbc023c300a651e7802b9ebb1f08b4c2f56e8b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 21 17:05:57 2022 +0100
wafsamba: Remove clangdb code which doesn't work
This generates an incomplete database where defines and includes are missing.
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 82a21581c63fc4e453fd4f5cd44e77a95c84f50c
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 17 10:49:13 2022 +0100
build: Without getrandom() require gnutls 3.7.2
gnutls before 3.7.2 and without getrandom() will open /dev/urandom at library
initialization time before main() is run. We use closefrom(3) in samba-bgqd and
samba-dcerpd, which closes /dev/urandom, which then breaks gnutls. On system
with getrandom(), no file descriptor is opened and gnutls 3.7.2+ will open and
close /dev/urandom whenever it needs to access it.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Jan 21 21:42:08 UTC 2022 on sn-devel-184
commit d0aa04e8c16192babfbafc7e9869e7ff98a731c9
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 20 12:05:35 2022 +0100
bootstrap: use compat-gnutls37-devel for centos7
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f60780c8b633ece61c952122aee4f313edb26010
Author: Volker Lendecke <vl at samba.org>
Date: Thu Jan 20 12:23:43 2022 +0100
libcli/dns: Fix TCP fallback
A customer has come across a DNS server that really just cuts a SRV
reply if it's too long. This makes the packet invalid according to
ndr_pull and according to wireshark. DNS_FLAG_TRUNCATION is however
set. As this seems to be legal according to the DNS RFCs, we need to
hand-parse the first two uint16's and look whether DNS_FLAG_TRUNCATION
is set.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Jan 20 18:01:41 UTC 2022 on sn-devel-184
commit d1891a0c4f6f639f60d2063ca4c54d3b283e3636
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jan 20 11:17:29 2022 +0100
autobuild: Fix path for libwbclient ldd checks
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Jan 20 14:19:02 UTC 2022 on sn-devel-184
commit 7d16a56b9d1cde8a5174381ef4924a2ea7be59bc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 19 15:57:08 2022 +0100
s4:dsdb/vlv_pagination: fix segfault in vlv_results()
It can happen that the vlv_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Jan 20 10:04:39 UTC 2022 on sn-devel-184
commit 19fa22b1fbcf33dbc4defe4dd2e487a642786c49
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 19 15:57:08 2022 +0100
s4:dsdb/paged_results: fix segfault in paged_results()
It can happen that the paged_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.
We also should not call ldb_module_done() if paged_results()
fails, as it was already called.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 7055827b8ffd3823c1240ba3f0b619dd6068cd51
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 19 13:15:45 2022 +0100
HEIMDAL: move code from source4/heimdal* to third_party/heimdal*
This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton at samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
commit 1954e50f266256c9e153c9613f49f9d9f5dbf67b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jan 6 16:42:33 2022 +1300
s4:torture: Adapt KDC canon test to Heimdal upstream changes
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a24280dc72d05828befdf4bd1288bbea1e97e08c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 9 13:19:27 2021 +1300
s4:torture: Remove PAC-REQUEST check for RESPONSE_TOO_BIG
Needed by the Heimdal upgrade...
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9eead4853e26c1f589c4ef69469c199ff6670060
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 10 13:17:53 2021 +1300
s4:torture: Fix Orpheus' Lyre tests
The enc-pa-rep request protection allows these tests to now pass as
expected.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b59687a762fec30f9954282f3b587f24903d710d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 6 11:10:01 2021 +1300
s4:torture: Adapt LSA tests to newer Heimdal version
The Heimdal upgrade results in some changes that affect these tests. The
cname is now non-NULL in certain circumstances, the IO counts are
different due to a change between the ordering of capaths and referrals,
some requests no longer fail, and referral tickets are not cached
anymore, and so cannot be checked.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 7679d596c5f1c57e8c6316b64097dc36530ac70e
Author: Isaac Boukris <iboukris at gmail.com>
Date: Fri Nov 9 00:20:06 2018 +0200
s4:torture: return ETYPE_INFO2 on PREAUTH_FAILED
This is an alternative to 978bc8681e74ffa17f96fd5d4355094c4a26691c
which got overriten by the upgrade merge.
One difference however, is that we don't return ENC_TIMESTAMP like
in PREAUTH_REQUIRED but only ETYPE_INFO2 same as Windows.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 0b9c8b9e12965b0ca2b38f673726c3e08733aeeb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 30 17:07:10 2021 +1300
selftest: Expect FAST support for both MIT and Heimdal
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 2232d8408e50e813380bde27b728fdf69ac7dd67
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 2 15:40:43 2016 +0100
selftest: set [libdefaults] fcache_strict_checking = false
We're using uid_wrapper so the checks will fail.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 71685966c22303c42f4f0b7fb269013d81d0f714
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Dec 8 14:56:39 2021 +1300
selftest: knownfail updates after Heimdal Upgrade
The Heimdal upgrade brings the new feature of FAST, allowing more tests to pass.
However it causes a regression in FL2003 for the returned salt format in
the AS-REP, but FL 2003 has not been the default since Samba 4.2 as AES
keys are much stronger and should be preferred.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit e5b9cc8f6c1c34a40787c1c395067e715140d6fe
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jun 18 19:41:10 2021 +1200
selftest: Update SimpleKerberosTests now that Samba supports FAST
Heimdal matches Windows in this respect
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 64e539bb7fd8f6634a0ba767f6890356b6d51299
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 30 09:47:32 2021 +1300
tests/krb5: Add option to check reply padata
So far we have only been checking padata in error replies and with FAST.
We should also check it in the general success case.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 0be58f55fa0f0249b5f93568f71829400ea6ceb1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 24 16:59:42 2021 +1300
s4:kdc: Return PA-SUPPORTED-ENCTYPES
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit cb382f7cddebabde3dac2b4bdb50d5b864463abf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 24 16:59:12 2021 +1300
s4:kdc: Set supported enctypes in KDC entry
This allows us to return the supported enctypes to the client as
PA-SUPPORTED-ENCTYPES padata.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 6c2a97d3b29ba14ff43840f3c7b146960f0f1665
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Dec 22 17:08:43 2021 +1300
s4:kdc: Add PAC_ATTRIBUTES integration for Heimdal
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit ba154d62f70d1749aea44ddb4dc62439766f1a0b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Dec 15 12:30:28 2021 +1300
s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import
This allows us to continue to avoid CVE-2020-25719 in particular
and pass our tests for expected FAST behaviour as the patches
we requested by upstream to be conditional, not hard-coded.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3dbf967703c9669e4c504ac92ed1b3834bc61c84
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 17 21:27:06 2021 +1200
s4:kdc/heimdal: Always include the salt in the PA-ETYPE-INFO[2]
This matches Windows and is detected by our samba.tests.krb5.as_canonicalization_tests
test as this always expects the salt, which Windows always provides.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 28701dc2d128f7fdfe8a4fa73584d1289918038a
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Sep 22 10:10:02 2017 +1200
s4:kdc: cope with upstream rename of configuration parameters.
This copes with the upstream commit:
commit c757eb7fb04a9b0ca883ddb72c1bc75bf5d814f3
Author: Nicolas Williams <nico at cryptonector.com>
Date: Fri Nov 25 17:21:04 2011 -0600
Rename and fix as/tgs-use-strongest-key config parameters
Different ticket session key enctype selection options should
distinguish between target principal type (krbtgt vs. not), not
between KDC request types.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
[abartlet at samba.org Researched and updated the commit message]
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c7bd176f4cb5d058337b64819858eca2764bd88e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 17 18:50:55 2018 -0700
s4:kdc: Move calls using the samba4 name to be right after each other
These all need to be in sync
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 0d107482b5ade604b1edffb55b111b29e6028884
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 17 18:06:35 2018 -0700
s4:kdc: Adapt KDC to new Heimdal to load samba4 HDB plugin for keytab
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 8d7e9366f90a549cd191c271fddfd03b4d00e4bb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 19 19:24:11 2018 -0700
s4:kdc/hdb: Store and retrieve a FX-COOKIE value
Note Windows uses the string "MICROSOFT" as cookie,
so it's wrong to have a per DC cookie, but we need to
adjust the Heimdal logic to support that.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 8329e8d46917d67f0cb51c3a004e323a87fa1499
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jun 23 11:35:01 2021 +1200
s4:kdc: Set entry.flags.force_canonicalize to override the new Heimdal behaviour
This is needed to give hdb_samba4 the full control over the returned
principal, rather than the new code in the Heimdal KDC.
Including changes selected from code by Stefan Metzmacher <metze at samba.org>
in his Heimdal upgrade branch.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit eb5c3bb951391879f844199fe4de6076b4c98217
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 3 14:58:47 2016 +0100
s4:kerberos: adapt the heimdal send_to_kdc hooks to the send_to_kdc/realm plugin interface
With the recent heimdal upgrade we better try to use the send_to_realm()
hooks as it allows us to handle the KDC lookup as well as only getting
each logical request just once in the testing code, which makes it
let dependend on the heimdal internal kdc lookup logic.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 6395cbe32baa80d81fc656b828c8d63caf73e454
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Dec 8 15:30:12 2021 +1300
s4:kerberos: adjust smb_krb5_debug_wrapper() to embedded heimdal
In future we need a real configure check for Heimdal 8.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 52ccce259ddbebcedd5780ee683386d283aabda0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 19 17:25:00 2022 +0100
tests/auth_log: adjust expected authDescription for test_smb_bad_user
With NO_SUCH_USER we don't know if any pre-authentication was requested,
so with the new Heimdal code we now used use "AS-REQ" instead of
assuming ENC-TS Pre-authentication.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 5a05066bafc432ddfd2bdbba14934308ba57071b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jan 8 14:08:18 2016 +1300
s4:kdc: Update to match updated Heimdal's new HDB version
Including updates to hook into the improved hdb_auth_status
by Stefan Metzmacher <metze at samba.org> from his Heimdal
upgrade branch.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3d8edb7b768578816b68c41aef0aae4222cb0b11
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 2 11:34:24 2021 +1300
s4:kdc: Adapt to use new combined windc interface in lorikeet-heimdal
This interface is as requested by Luke Howard towards possibly merging
this feature.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3057e140972400aa6bbe9d996cfb2cabfe0dc880
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jun 23 12:08:34 2021 +1200
s4:kdc: Adapt wamba_wdc_check_client_access() to modern Heimdal
Modern Heimdal falls back to kdc_check_flags() internally
when KRB5_PLUGIN_NO_HANDLE is returned, avoiding the need
to call back into the internal KDC APIs.
Selected from patch by by Stefan Metzmacher <metze at samba.org>
from his Heimdal upgrade branch.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 78937243dc5f8a9aebe687f017f3de8ca7666a23
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 24 16:58:22 2021 +1300
s4:kdc: Adapt samba_wdc_check_client_access() to upstream Heimdal
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9e43da24019761f75996e27f978da60509b4a52c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed May 20 14:12:59 2015 +0200
s4:kdc: Update samba_wdc_check_client_access() to match updated Heimdal
This based on a patch in Debian by Samuel Cabrero <scabrero at zentyal.com> in Debian.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit aaaae360192397533db75442f22701c8c85849c2
Author: Günther Deschner <gd at samba.org>
Date: Thu May 15 09:13:06 2014 +0200
s4:kdc: Do not encode the NTSTATUS error into a PA-DATA, just linearlise it
This allows another routine to do the wrapping.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 195e099f5508fc5d29280de64753a4474db11e90
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 24 16:57:42 2021 +1300
s4:kdc: Fix build failure by including <heimbase.h>
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 6e8ac61b36ec74581fde8720107bce8971989015
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Nov 29 15:36:37 2021 +1300
tests: Update latin1 list and ignored file list for new Heimdal import
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b2c96d927a661d5e830b271043a6a2be94d4c04d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Dec 7 16:34:54 2021 +1300
s4:heimdal_build: changes required to build after import
For libtommath we do this by using the list from makefile.commo
in in libtommath rather than trying to match the list by hand.
This will be easier to maintain over the long term.
Thanks to work over many years by:
- Gary Lockyer <gary at catalyst.net.nz>
- Stefan Metzmacher <metze at samba.org>
- Andrew Bartlett <abartlet at samba.org>
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 40b65c840e03bd5eb7f3b02fe80144650c63c005
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 24 01:52:32 2021 +0100
s4:heimdal: import lorikeet-heimdal-202201172009 (commit 5a0b45cd723628b3690ea848548b05771c40f14e)
See
https://git.samba.org/?p=lorikeet-heimdal.git;a=shortlog;h=refs/heads/lorikeet-heimdal-202201172009
or
https://gitlab.com/samba-team/devel/lorikeet-heimdal/-/tree/lorikeet-heimdal-202201172009
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit d2a3016a9c59f93f89cf4bb86d40938d56400453
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 19 13:26:41 2022 +0100
s4:heimdal_build: include heimdal headers relative to heimdal_build
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 5636bfa9a27707895c97a32b0836ab9801456499
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 24 16:57:00 2021 +1300
netlogon.idl: Add FAST support bits
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ce4d134da7725df1c98f849f38dfc35b6b6271de
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jan 18 10:58:32 2022 +0100
gitlab-ci: Use Fedora 34 for Coverity Scan
The Coverity Scan tools are not updated very often and miss support for the
latest gcc build. Lets use Fedora 34 for that and stay behind a bit.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Jan 19 10:49:18 UTC 2022 on sn-devel-184
commit ec6d28e7290783da92cb8d9ee492e831ac7ed959
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jan 16 21:50:25 2022 +0100
smbd: Remove a duplicate protoype
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jan 18 21:17:43 UTC 2022 on sn-devel-184
commit 12ca34115eabbb430cd0b01afeaaebfac76174d3
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jan 16 21:23:56 2022 +0100
lib: Remove unused asprintf_strupper_m()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 6bcdd3460a29a5b4e84290d963bfe1a3941adc69
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jan 16 21:21:00 2022 +0100
winbindd: Replace asprintf() with talloc_asprintf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3b6b12a19fc8bed2ee5a01fdf55be99c0297001e
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jan 16 21:16:02 2022 +0100
libads: Convert sitename_key() to talloc
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 84e53769382f1f5e381df131e675c86f7aeba607
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jan 16 20:51:51 2022 +0100
net: Align a few integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ac12207e15c5483ef4a423221a1d7c104a4b9672
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jan 16 20:14:56 2022 +0100
libsmb: Avoid a cast
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 4d5c1509bea058f434983da41fde014dae874187
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jan 2 19:33:07 2022 +0100
smbd: Align a few integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 232a1fa46af0b05ba12bf5edc944caeb4f919c38
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jan 8 16:36:51 2022 +0100
smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a7fe22fd7f46a0db30e34ffc1ef400ebb321d096
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jan 8 16:29:58 2022 +0100
torture3: Align two integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a924e2cb203affa5b0224d9fb7234e9585c803ad
Author: Volker Lendecke <vl at samba.org>
Date: Tue Jan 4 13:02:25 2022 +0100
rpc_host: We have tevent_req_oom() for ENOMEM
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 87325613962ced1d58249e37a0375f0a3e857098
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jan 3 13:33:22 2022 +0100
lib: Remove unused tstream_npa_socketpair()
This was used in the pre samba-dcerpcd source3 rpc server.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 07101587599d87eefe91fd52d855f3c6bc284495
Author: Volker Lendecke <vl at samba.org>
Date: Wed Jan 12 12:19:00 2022 +0100
lib: Save a few lines with str_list_add_printf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5ef5d1d4e5653687805cc1d5811327ab99d1357b
Author: Volker Lendecke <vl at samba.org>
Date: Wed Jan 12 12:15:08 2022 +0100
lib: Save a few lines with str_list_add_printf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2468f0412127e391ed486a1541c5f87319fa34bf
Author: Volker Lendecke <vl at samba.org>
Date: Wed Jan 12 12:12:50 2022 +0100
smbd: Save a few lines with str_list_add_printf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 6df560d353c18bb8a6f22cbed877642b29c2265b
Author: Volker Lendecke <vl at samba.org>
Date: Wed Jan 12 12:09:51 2022 +0100
printing: Save a few lines with str_list_add_printf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 114116b659dca81054801918f229380f041963cd
Author: Volker Lendecke <vl at samba.org>
Date: Tue Jan 11 10:54:05 2022 -0500
profile3: remove an unused include
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 19d9504b1b34ec7c52eaaf663d5ecf4f05066b6d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 23 22:44:10 2021 +0100
s4:kdc: improve DEBUG messages in samba_wdc_reget_pac2()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton at samba.org>
Autobuild-Date(master): Mon Jan 17 20:55:41 UTC 2022 on sn-devel-184
commit 84b76270ceb38cbb0263f415f4089bafa751b3a3
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 23 22:53:13 2021 +0100
s4:auth: debug make_user_info_dc_pac() failures in kerberos_pac_to_user_info_dc()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 879eba2740ac5e5f456b93a3b47e9a6b70355415
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 24 15:21:21 2021 +0100
s4:torture: check for pac_blob==NULL in test_generate_session_info_pac() functions
We should return an error instead of crashing for tickets without a PAC.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 12154b981c40d619e4ddb53aceee9f86368a75fb
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 23 19:29:06 2021 +0100
s4:heimdal_build: make version_script optional to HEIMDAL_LIBRARY()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 6fc5f22978bd77e4775856359d116492eccc9be6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 30 16:20:46 2021 +1300
kdc: Fix leak
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit e9caa1edef846cdea2a719976ee0fd5bd8531048
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 23 15:59:21 2021 +1300
tests/krb5: Update supported enctype checking
We now do not expect the claims or compound ID bits to be set unless
explicitly specified, nor the DES bits.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 775bfc72509bf98f3c637ca22cc5edf0e7fae794
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Dec 29 17:35:09 2021 +1300
tests/krb5: Add AS-REQ PAC tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f94bdb41fccdb085d8f8f5a1a5e4a56581839e8e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 30 09:45:13 2021 +1300
tests/krb5: Check encrypted-pa-data if present
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 48362a706f8a6c35a17ecbf625bbf29802143185
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 30 09:42:10 2021 +1300
tests/krb5: Add FAST enc-pa-rep tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c51805f90c09b40236765c9594693fcb66a55715
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 16 14:21:18 2021 +1300
tests/krb5: Adjust expected error codes
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a107bb8b0d424bb1f8ee6df34e8f8e81dd499333
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 16 10:18:42 2021 +1300
tests/krb5: Generate unique UPNs for AS-REQ enterprise tests
This helps to avoid problems with account creation due to UPN uniqueness
constraints.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 492d9f083dc23aff2c1fa12e21765861df1c1b38
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Dec 22 16:08:43 2021 +1300
s4:torture: Remove netbios realm and lowercase realm tests
Tests for these are already present in
samba.tests.krb5.as_canonicalization_tests. These tests cause problems
with an upgraded Heimdal version, and we want to stop supporting
non-canonical realm names, so this commit removes them.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3b26c714d42fc5e4ab7d4138db987171edda6463
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 16 21:06:55 2021 +1300
s4:torture: Make etype list variables static
If they are not made static, these variables end up being used by the
Kerberos libraries after they have gone out of scope.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 493fe1a4315a8da3403b18233cbcbdc4e43fb4ee
Author: David Disseldorp <ddiss at samba.org>
Date: Fri Jan 14 10:38:40 2022 +0100
build: reduce printf() calls in generated build_options.c
build_options.c is inefficient in multiple ways:
1) it's generated via one python fp.write() call per line
2) the generated code calls output() for each and every build option
This commit addresses (2), modifying write_build_options_header() and
write_build_options_footer(). write_build_options_section() could also
be collapsed into a single output() call, but this may lead to oversize
string literals, so has been left as is.
I observe no change in smbd --build-options output.
Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): David Disseldorp <ddiss at samba.org>
Autobuild-Date(master): Mon Jan 17 13:17:53 UTC 2022 on sn-devel-184
commit 7a8c6c362e0151bc1bbd9cca8e2bfb03ba8320de
Author: David Disseldorp <ddiss at samba.org>
Date: Fri Jan 14 10:38:40 2022 +0100
build: reduce fp.write calls for build_options.c generation
build_options.c is inefficient in multiple ways:
1) it's generated via one python fp.write() call per line
2) the generated code calls output() for each and every build option
This commit reduces fp.write() calls for (1). I observe no change in the
generated build_options.c .
Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6a463c40d755b75b02884f123c19cc2c2845d729
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jan 13 15:31:33 2022 +0100
s3:smbd: handle --build-options without parsing smb.conf
The smb.conf is parsed in post mode of a popt callback. The smbd
--build-options parameter should be handled when first encountered
to avoid requiring smb.conf presence.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14945
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>
commit da2e1047f1fc9f0ac98490c79c21c427b47274d5
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jan 14 13:39:34 2022 +1100
WHATSNEW: Document CTDB leader and cluster lock changes
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Mon Jan 17 11:16:14 UTC 2022 on sn-devel-184
commit f7de2132bb999780331e5b005946ba5b494063c1
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Jan 10 13:41:31 2022 +1100
ctdb-doc: Remove documentation for recovery process
This is many years out of date and recent changes make it worse. It
is unlikely that anyone has the time to fix this in the near future,
so remove it because it is misleading.
Database recovery steps are well documented in comments in the
recovery helper. Cluster monitoring documentation can be re-added
when things stop changing.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit a940ad9370687c97d1ccb0f934842b69c1d44c76
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Jan 17 09:16:17 2022 +1100
ctdb-doc: Update example configuration migration script
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 01313ea243e4d52ea558ca4c53b6f4a1f07341e7
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jan 14 23:09:38 2022 +1100
ctdb-tests: Improve test coverage for leader role yield and elections
Rename test, clean up node selection. Duplicate for for banning and
removing leader capability cases. Repeat all 3 tests without cluster
lock.
All of the standard election triggers are now tested, with and without
cluster lock. Due to test cluster configuration limitations, the
tests without cluster lock are skipped on a real cluster.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 5d317781498a69c94b47ce47b60438e6cb520f96
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jan 14 13:59:25 2022 +1100
ctdb-tests: Support commenting out local daemons configuration options
Can be used to disable default options, such as cluster lock.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 34d2ca0ae6471c8d742b22aa4c57012232a2a832
Author: Martin Schwenke <martin at meltin.net>
Date: Sat Jan 15 13:02:02 2022 +1100
ctdb-config: Add configuration option [cluster] leader timeout
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 1dfb266038f6fdf971bb0ffe0726f778b986371d
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Jan 10 14:15:25 2022 +1100
ctdb-config: [legacy] recmaster capability -> [cluster] leader capability
Rename this configuration item and move it into the [cluster]
configuration section.
Update documentation to match.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit f5a39058f0743f5607df91cb698a2b15618e1360
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Jan 10 19:18:14 2022 +1100
ctdb-config: [cluster] recovery lock -> [cluster] cluster lock
Retain "recovery lock" and mark as deprecated for backward
compatibility.
Some documentation is still inconsistent.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit d752a92e1153fa355b0cbaa1f482fdc0d88e42f5
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Jan 10 14:18:32 2022 +1100
ctdb-doc: Update documentation for leader and cluster lock
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 73555e8248aff683b6cb3a02262a66ab52f2c665
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Mar 18 15:14:39 2020 +1100
ctdb-recoverd: Use race for cluster lock as election when lock is enabled
If the cluster is partitioned then nodes in one partition can not take
the lock anyway, so election is pointless. It just introduces
unnecessary corner cases.
Instead just race for the lock.
When a node notices a lack of leader and notifies other nodes of an
election via an unknown leader broadcast, the cluster lock election is
hooked into this broadcast.
The test needs to be updated because losing the cluster lock can now
result in a leadership change.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 938d64c8ff3d1776c2d5959714c4c11eba7278c4
Author: Martin Schwenke <martin at meltin.net>
Date: Wed May 6 00:19:38 2020 +1000
ctdb-protocol: Mark {GET,SET}_RECMASTER controls obsolete
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 03ae158cffc3812f82365c65f8333768539f854d
Author: Martin Schwenke <martin at meltin.net>
Date: Wed May 6 00:10:22 2020 +1000
ctdb-protocol: Drop marshalling for {GET,SET}_RECMASTER controls
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit a76374070d38e2dc86067ce413bb26b8e554c0b2
Author: Martin Schwenke <martin at meltin.net>
Date: Wed May 6 00:01:05 2020 +1000
ctdb-daemon: Drop implementation of {GET,SET}_RECMASTER controls
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 193b624d26acffaa39a5fc393268f152b5809f99
Author: Martin Schwenke <martin at meltin.net>
Date: Tue May 5 23:58:38 2020 +1000
ctdb-protocol: Drop protocol client functions for recmaster controls
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit cda673ff6dc6e33e947022305859f004197a803a
Author: Martin Schwenke <martin at meltin.net>
Date: Tue May 5 23:56:10 2020 +1000
ctdb-client: Drop unused recmaster functions
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 16efbca0036ee444aecfa0a992ff733bb182b2c7
Author: Martin Schwenke <martin at meltin.net>
Date: Tue May 5 23:52:05 2020 +1000
ctdb-daemon: Drop unused old client recmaster functions
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit c68267b2a60559755835c4d56b5ba7c766155489
Author: Martin Schwenke <martin at meltin.net>
Date: Tue May 5 23:26:41 2020 +1000
ctdb-recoverd: Drop calls to ctdb_ctrl_setrecmaster()
Nothing fetches this value anymore.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 58d7fcdf7c9568a3a4b9d8e5db8b68f073409ab1
Author: Martin Schwenke <martin at meltin.net>
Date: Tue May 5 23:25:34 2020 +1000
ctdb-recoverd: Drop recovery master verification
This doesn't make sense if leader broadcasts are used.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit f02e097485722badf27523c706adb99f21342f56
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Jan 10 13:22:19 2022 +1100
ctdb-tools: recovery master -> leader
The following command names are changed:
recmaster -> leader
setrecmasterrole -> setleaderrole
Command output changed for the following commands:
status
getcapabilities
Documentation and tests are updated to reflect these changes.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit e60581d5b5ecbac2b4bae49fbf60e071372fc2d3
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Mar 19 17:14:10 2020 +1100
ctdb-tools: Use leader broadcast in get_leader()
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 92fb68e9b8a5481d9dd5c9033c98e204035509fe
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Mar 19 17:30:24 2020 +1100
ctdb-tools: Factor out get_leader()
This seems pointless but it localises a subsequent change and also
starts a terminology change in the tool code.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 17ba15ccd88367dca82b0c4c8e4ff3f859896d87
Author: Martin Schwenke <martin at meltin.net>
Date: Mon May 4 17:56:22 2020 +1000
ctdb-tools: Handle leader broadcasts in ctdb tool
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit ec90f36cc6185fc6ed13164fb13ec3630aff68ad
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Mar 19 10:46:25 2020 +1100
ctdb-tools: Print "UNKNOWN" when leader PNN is unknown
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 01a8d1a4a400a3bacbe334ef0f379c03d64633d5
Author: Martin Schwenke <martin at meltin.net>
Date: Mon May 4 19:01:09 2020 +1000
ctdb-client: Factor out function ctdb_client_wait_func_timeout()
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 403db5b52882c91f35ae189bcf8f01f8180c7b50
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jan 14 21:47:52 2022 +1100
ctdb-tests: Factor out getting leader and waiting for leader change
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 4786982cc80f4ec0c23673a144ac179fa60bde78
Author: Martin Schwenke <martin at meltin.net>
Date: Tue May 5 23:02:03 2020 +1000
ctdb-tests: Add leader broadcasts to fake_ctdbd
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 756dfdfed9fe7d6acf2cf894d9918c8ac489571e
Author: Amitay Isaacs <amitay at gmail.com>
Date: Tue May 5 16:53:39 2020 +1000
ctdb-tests: Implement srvid_handler for dispatching messages
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
commit 958746f947dcd499b0fe9afee21e436912739284
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Mar 17 17:10:20 2020 +1100
ctdb-recoverd: Simplify some stopped/banned checks to inactive checks
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 358c59f51ab39175ffe72afdfc4c2e0ed23b5929
Author: Martin Schwenke <martin at meltin.net>
Date: Mon May 4 17:45:51 2020 +1000
ctdb-recoverd: No longer take cluster lock during recovery
Confirm instead that it is already held.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 36ffaaa691c63896b7b92628b147b7a564421311
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Dec 10 11:43:10 2021 +1100
ctdb-recoverd: Add and use function cluster_lock_enabled()
Now all references to ctdb->recovery_lock are encapsulated in the
cluster lock code.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 5ee664ee17fa4d2fbdea2be3f4c0b1fd8f8971b1
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Dec 10 11:29:06 2021 +1100
ctdb-recoverd: Terminology change: recovery lock -> cluster lock
No functional changes, just name changes for clarity.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 0f2250f4f9f4efbf73e887538969c395c57e57be
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 20 14:13:58 2018 +1000
ctdb-recoverd: Take cluster lock when election completes
It is no longer just a recovery lock but is always held by the cluster
leader.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 011e880002b8d2bc783f96e8ea5713322fcc2a93
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 20 12:30:58 2018 +1000
ctdb-recoverd: Factor out function cluster_lock_take()
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 037abf862069694acd849760175be9943a6fcd3e
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Mar 17 17:58:02 2020 +1100
ctdb-tests: Avoid a race
See the comment in the code for details.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit ef7e3265f76fbfdacdd9f17f3ddfca79ce823b60
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Dec 7 17:00:36 2021 +1100
ctdb-tests: Setup cluster with expected arguments
ctdb_test_init() doesn't actually pass arguments to local_daemons.sh.
This needs to be done using ctdb_nodes_start_custom().
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit b029ca4d513163c4b0146c2a303130ae2a2581b4
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Dec 17 12:54:23 2021 +1100
ctdb-recoverd: Drop leader validation
The introduction of the leader broadcast timeout provides an
alternative to the current leader validation. Using the leader
broadcast may not be as fast but it is more correct.
When the leader node is stopped or banned, the only way of triggering
an election is currently to fetch the leader's node map to check
whether the it is still active. This is because the leader will no
longer push the node map to other nodes. However, having all nodes
fetch the node map from an inactive leader may be unreliable.
Most of the other cases are also handled more reliably by the leader
broadcast timeout.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 7e53fab0a364426a03932974727c386e750716be
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Jan 6 14:47:45 2022 +1100
ctdb-recoverd: Drop special case for elected-before-connected
This no longer occurs at startup due to the leader broadcast timeout.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit ef4b8c13c0762fc5072627ee0211b3bf506f2d73
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Dec 17 14:42:47 2021 +1100
ctdb-recoverd: Handle leader broadcast timeout
If no leader broadcasts have been received from the leader for more
than 5s then trigger an election.
Apart from being sane behaviour, this avoids elected-before-connected
bugs at startup, where a node elects itself leader before it is
connected to other nodes.
When a node processes a leader broadcast timeout it sends an unknown
leader broadcast to all nodes. That causes cancellation of the leader
broadcast timeout across the cluster. This is particular important at
startup, since nodes may be started in a staggered fashion. Without
this cluster-wide cancellation, a node might notice the lack of
leader, win an election and complete a recovery before other nodes
notice the lack of leader. When the leader broadcast timeout finally
occurs on the other nodes then they'll put the cluster back into an
unnecessary recovery.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 5c7f6da0f0e6c92ae4cd338b92f475bb4a8e2cc9
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Mar 16 16:16:44 2020 +1100
ctdb-recoverd: Send leader broadcasts
These are triggered on 1 second timer, but are only sent if the node
is the current leader and there is no election underway.
If this node can not be the leader then ensure it releases the
recovery lock.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 789a75abfa2af0af39616c69575882e5db2b6f07
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Mar 16 16:07:26 2020 +1100
ctdb-recoverd: Process leader broadcasts
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 3d3767a259b29674882c102fe629cff1eb1a702c
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Mar 16 16:05:29 2020 +1100
ctdb-protocol: Add CTDB_SRVID_LEADER
CTDB_SRVID_LEADER will be regularly broadcast to all connected nodes
by the leader.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit c2cfd9c21aae6045b4ebf3ba330cbf2b9631490e
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Mar 18 20:27:10 2020 +1100
ctdb-recoverd: Add an explicit flag for election in progress
An alternate election method will be added that doesn't use the
election timeout, so this provides a common way for recognising when
an election is in progress.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit ac5a3ca063fd7435557a65866fda5fa1e0012394
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jan 7 11:27:06 2022 +1100
ctdb-recoverd: Only start election if node can be leader
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 7baadfe27eda40560753fb4a61e053ea357fd2d2
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Dec 14 10:57:03 2021 +1100
ctdb-recoverd: Add and use function this_node_can_be_leader()
This makes the code self-documenting.
In ctdb_election_data() there is a slight behaviour change. An
inactive node will now try to lose an election. This case should not happen
because:
* An inactive node can't win an election round and then send a reply.
* Any inactive node should never start an election. There are
currently places where this happens and they will be fixed later.
There is an instance where this could be used in
validate_recovery_master() but this involves a more serious logic
change. Overhaul this function later.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 94b546c268ee5fb4505c6febe4bce05f1d75e7cd
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Dec 8 11:07:25 2021 +1100
ctdb-recoverd: Logging/comments: recovery master -> leader
There are some remaining instances in this file but they will be
removed in subsequent commits.
Modernise debug macros as appropriate.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit dd79e9bd14dd61fc60dfaac5c9065d465336714c
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Jul 14 15:22:33 2020 +1000
ctdb-recoverd: Rename recmaster field to leader
Recovery master is being renamed to leader. This follows clustering
best practice (e.g. RAFT).
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 2ee6763c7d9a8e347c0a98f918ad39f62222df31
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Dec 8 20:25:46 2021 +1100
ctdb-recoverd: Use rec->pnn everywhere
This is currently referenced in a number of inconsistent
ways, including:
* pnn
* rec->ctdb->pnn
* ctdb->pnn
* ctdb_get_pnn(ctdb)
* ctdb_get_pnn(rec->ctdb)
The first of these always requires some thought about the context - is
this the node PNN or some other PNN (e.g. argument to function)?
rec->pnn is now always used when referring to the recovery daemon's
PNN.
Doing this also reduces reliance on struct ctdb_context internals.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 4af3b10a378ea614f926c23570ec91334e2c6408
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Dec 8 21:28:05 2021 +1100
ctdb-recoverd: Change argument to srvid_disable_and_reply()
Reduce dependency on struct ctdb_context internals, enable a
subsequent change.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit b7c138ca99a4a839b9c30e59dff40fd2b95e13ec
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Dec 10 10:31:56 2021 +1100
ctdb-recoverd: Simplify arguments to ctdb_ban_node()
ban_time argument is always ctdb->tunable.recovery_ban_period, so
build this in and make the calling code more readable.
ctdb_ban_node() already logs how long a node is banned for, so don't
repeatedly log this.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit a5e0ddac626bc90c859949c977657cdf1fa110ac
Author: Martin Schwenke <martin at meltin.net>
Date: Mon Dec 13 09:51:36 2021 +1100
ctdb-recoverd: Simplify arguments to verify_local_ip_allocation()
All other arguments are available via rec, so simplify.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 67b51916408831f13ca05a6c395f01824288fe8d
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Jan 16 16:20:05 2018 +1100
ctdb-recoverd: Simplify arguments to do_recovery()
pnn and nodemap are both available via the rec context, so simplify.
vnnmap is unused.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 57882beb16a89d5e4081d0645549891a04ab5fb0
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Dec 8 19:27:01 2021 +1100
ctdb-recoverd: Simplify arguments to some election functions
The pnn and nodemap arguments to force_election() and
send_election_request() are always effectively rec->pnn and
rec->nodemap, so simplify.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 9dbe7cc85e41ce4f9163d8298ba9fb20052db894
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Dec 9 10:33:17 2021 +1100
ctdb-recoverd: Add PNN to recovery daemon context
This is currently referenced in a number of inconsistent
ways, including:
* pnn
* rec->ctdb->pnn
* ctdb->pnn
* ctdb_get_pnn(ctdb)
* ctdb_get_pnn(rec->ctdb)
The first of these always requires some thought about the context - is
this the node PNN or some other PNN (e.g. argument to function)?
The intention is to always use rec->pnn when referring to the recovery
daemon's PNN.
Doing this also reduces reliance on struct ctdb_context internals.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit ff0140e470016a7a2b5365c06f4d912e7a7c8af8
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Dec 9 11:47:54 2021 +1100
ctdb-recoverd: Use this_node_is_leader() in an extra context
This is arguably clearer.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit c8721d01c6547f33f51b8e26b3e1f4370ec1ecc6
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Dec 8 19:37:39 2021 +1100
ctdb-recoverd: Factor out and use function this_node_is_leader()
Make the code self-documenting.
This preempts an upcoming change to terminology but doing it now saves
a lot of churn.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 57a32cebdd834e24e69f524f8ffaa980472cde33
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 30 21:16:44 2021 +1000
ctdb-recoverd: Pass SIGHUP to running helper
The recovery and takeover helpers can run for a while and generate
non-trivial logs, so have them reopen their logs to support log
rotation.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Mon Jan 17 04:36:30 UTC 2022 on sn-devel-184
commit 8e949a60828bae47a3636f051dcc86387b5fce23
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 30 21:15:56 2021 +1000
ctdb-recoverd: Record helper PID in recovery daemon context
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 97a45f6f25f34fff97a9be7ba2b346a4e8b93218
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 30 21:14:14 2021 +1000
ctdb-recoverd: Add log reopening on SIGHUP to helpers
Recovery and takeover helpers can run for a while and generate
non-trivial logs. They should support log reopening.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 51f0380e83c93702a08e29c230bb8d87d472b616
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 30 21:10:33 2021 +1000
ctdb-daemon: Enable log reopening for event daemon
Add and call hook to pass on SIGHUP to eventd.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 4f14d7c0b9bf1f122a1e9f92c1b8bdc57c4c9e68
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 30 21:11:44 2021 +1000
ctdb-event: Reopen logs on SIGHUP
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit c554a325fe81aab90f4816600849f6c4f901b2f9
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 30 21:08:25 2021 +1000
ctdb-daemon: Enable log reopening for recovery daemon
Pass on a SIGHUP to the recovery daemon, which will then reopen its
logs.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 4acfefed61f2c9e069963ac76b2001469a694461
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 30 21:03:15 2021 +1000
ctdb-recoverd: Add basic log reopening
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 4ed37de82b1be4732f6e5936e149aae718855513
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 30 21:06:16 2021 +1000
ctdb-daemon: Add basic top-level log reopening
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 72773853901832e4728e42588570d69c93976ce1
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 30 20:55:27 2021 +1000
ctdb-common: Add support for reopening logs
Now that CTDB uses Samba's file logging it is possible to reopen the
logs, so that log rotation can be supported.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit d0a19778cdbd04f8b6fca43199d7b12e1d4933b7
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Nov 18 21:17:39 2021 +1100
ctdb-common: Separate sock_daemon's SIGHUP and SIGUSR1 handling
SIGHUP is for reopening logs, SIGUSR1 is for reconfigure.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 10d15c9e5dfe4e8595d0b322c96f474fc7078f46
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 23 18:37:57 2021 +1000
ctdb-common: Use Samba's DEBUG_FILE logging
This has support for log rotation (or re-opening).
The log format is updated to use an RFC5424 timestamp and to include a
hostname. The addition of the hostname allows trivial merging of log
files from multiple cluster nodes.
The hostname is faked from the CTDB_BASE environment variable during
testing, as per the comment in the code. It is currently faked in a
similar manner in local_daemons.sh when printing logs, so drop this.
Unit tests need updating because stderr logging no longer produces a
"PROGNAME[PID]: " header.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 666a048707436a8ba3b9a9cb297a4fd504fa1e54
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Sep 24 22:17:53 2021 +1000
ctdb-common: Switch initial debug type to DEBUG_DEFAULT_STDERR
This can be overridden by DEBUG_FILE, whereas DEBUG_STDERR can not.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 5f9dbf3decd17129f360cbe14383cc79e20fb70b
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jan 12 10:42:48 2022 -0800
s3: smbd: Add missing pop_sec_ctx() in error code path of close_directory()
If delete_all_streams() fails.
Found by Andrew Walker <awalker at ixsystems.com>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14944
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Jan 14 03:34:47 UTC 2022 on sn-devel-184
commit 7163846a49165cc3d70b2b20909af2ed19778e7a
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Dec 30 12:29:58 2021 +1100
ctdb-protocol: Print IPv6 sockets with RFC5952 "[2001:db8::1]:80" notation
RFC5952 says the existing style is not recommended and the [] style
should be employed.
There are more optimised ways of adding the square brackets but they
tend to be uglier.
Parsing IPv6 sockets without [] is now tested indirectly by parsing
examples in both styles and comparing the results.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Signed-off-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Jan 13 17:02:21 UTC 2022 on sn-devel-184
commit 255fe69c90fb0d437d26ce0a6966841b3663aa05
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Jan 5 12:09:45 2022 +1100
ctdb-tests: Add extra IPv6 socket parsing tests
Add tests to confirm that square brackets are handled and that
IPv4-mapped IPv6 addresses are parsed as expected.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 224e99804efef960ef4ce2ff2f4f6dced1e74146
Author: Volker Lendecke <vl at samba.org>
Date: Thu Dec 23 11:52:38 2021 +0100
ctdb-protocol: Allow rfc5952 "[2001:db8::1]:80" ipv6 notation
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14934
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>
commit 820b0a63ccaceb4d66b18e3bcd585400a0b99ed2
Author: Volker Lendecke <vl at samba.org>
Date: Wed Dec 29 14:46:14 2021 +0100
ctdb-protocol: Save 50 bytes .text segment
Having this as a small static .text is simpler than having to create
this on the stack.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>
commit baaedd69b3e02cdef06353bd5a21a5c5e6079604
Author: Volker Lendecke <vl at samba.org>
Date: Wed Dec 29 15:10:28 2021 +0100
ctdb-protocol: rindex->strrchr
According to "man rindex" on debian bullseye rindex() was deprecated
in Posix.1-2001 and removed from Posix.1-2008.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>
commit 8c0391d38e53a356aabc6e2c9fdf747a1f1f16d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 20 17:48:44 2021 +0100
dsdb/schema: let dsdb_syntax_DN_BINARY_drsuapi_to_ldb return WERR_DS_INVALID_ATTRIBUTE_SYNTAX
When Object(OR-Name) uses dsdb_syntax_DN_BINARY_drsuapi_to_ldb() it
should genrate WERR_DS_INVALID_ATTRIBUTE_SYNTAX if the binary part
is not empty.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Jan 12 03:09:52 UTC 2022 on sn-devel-184
commit 8026efd647957bdb63e2ba98ea736ccaf3a71f4c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 20 17:46:47 2021 +0100
dsdb/schema: add no memory checks for {ldb,dsdb}_dn_get_extended_linearized()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 15f332a1c0340b808730427e482e374c96e2cd20
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 5 23:12:50 2021 +0200
dsdb/common: dsdb_dn_construct_internal() more strict checking
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8115fb03b6ade8d99c8acd459fc94dab5413a211
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 20 17:50:07 2021 +0100
dsdb/schema: fix Object(OR-Name) syntax definition
This is a strange one, it uses DN_BINARY in the drsuapi
representation, while the binary part must be 0 bytes.
and the LDAP/ldb representation is a plain DN (without 'B:').
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e16d29f719f8268b244cf7c6b20ade5d829669aa
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 5 23:12:20 2021 +0200
dsdb/schema/tests: let samba4.local.dsdb.syntax call the validate_dn() hook
This demonstrates that our OR-Name syntax is wrong,
which wasn't noticed yet as it's not used in the AD-Schema.
I noticed it by installing the Exchange-Schema on a Samba DC.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 1243f52f7ae58de1005c431e20563f2f1902dfce
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 21 14:00:34 2021 +0100
s4:rpc_server/netlogon: let CSDVersion="" wipe operatingSystemServicePack
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14936
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jan 11 22:03:03 UTC 2022 on sn-devel-184
commit 4a0a0d2fc9555dc8ff7692607b1d51189785bd47
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 21 13:58:07 2021 +0100
s4:torture/rpc: test how CSDVersion="" wipes operatingSystemServicePack
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14936
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c7488bf9e39ee4560061bf90a42c60c9590f7ff2
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jan 7 11:27:16 2022 -0800
lib: util: Make nt_time_to_full_timespec() call nt_time_to_unix_timespec_raw() for the conversion.
Cleanup to eliminate duplicate code.
The high check is now done against ret.tv_sec,
not 'd', as after calling nt_time_to_unix_timespec_raw()
this is identical to the previous intermediate 'd'
variable.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jan 11 01:36:51 UTC 2022 on sn-devel-184
commit 545442ec0cab9ed06b1fa2be125ca36296597048
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jan 7 11:22:03 2022 -0800
lib: util: Make nt_time_to_unix_timespec() call nt_time_to_unix_timespec_raw() for the conversion.
Cleanup to eliminate duplicate code.
The low/high checks are now done against ret.tv_sec,
not 'd', as after calling nt_time_to_unix_timespec_raw()
this is identical to the previous intermediate 'd'
variable.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit cebf26d0624489db3cbf5e31e97c4a92771758f0
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Mon Jan 10 13:26:25 2022 +0100
s3:modules: Fix possible dereference of NULL for fio
We do not check consistently for fio being NULL in this file.
Found by covescan.
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jan 11 00:22:09 UTC 2022 on sn-devel-184
commit 2e649846348ad6ce451b32ab534ac0030ccc7c0f
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Mon Jan 10 13:24:22 2022 +0100
s3:libnet: Fix dereference of NULL win7
Found by covscan.
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 82f53c82ed6ec4818bb1e2220e25e76fee7cb23e
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Fri Jan 7 14:11:53 2022 +0100
s3:libnet: Fix dead code in libnet_join.c
Found by covscan.
Pair-programmed-with: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5ac8762256830f1c7e48dcc9684802f00fc3b5c2
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Fri Jan 7 11:57:08 2022 +0100
ctdb:utils: Improve error handling of hex_decode()
This has been found by covscan and make analyzers happy.
Pair-programmed-with: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 41c86c9dda3fd7a733f54fa1af31adec96bb4a33
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Fri Jan 7 11:50:16 2022 +0100
s3:rpc_server: Fix possible NULL dereference
Found by covscan.
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 46460025175e83fbb47a510e412d83b1b2573db9
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Fri Jan 7 21:18:59 2022 +0100
s3:smbd: Fix dereferencing null pointer "fsp"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14942
Remove fsp which is always NULL and replace it with smb_fname->fsp.
Found by covscan.
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 728600a40f939de3172bbe429e17ea65ff21699a
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Fri Jan 7 21:18:59 2022 +0100
s3:smbd: Fix trailing whitespaces in dosmode.c
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 4d7ed39fd8fa18f90756f215c8b0fc5d293e955e
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Fri Jan 7 13:16:26 2022 +0100
s3:modules: Fix the horrible vfs_crossrename module
It really has to be removed! ;-)
Found by covscan. The code always leaves here as the dst variable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14940
Pair-programmed-with: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 41ebb7f68c5b21492f503afc4cb341a97654a43d
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Fri Jan 7 13:55:38 2022 +0100
s3:modules: VFS CAP symlinkat always fails
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14941
Found by covscan.
Since capnew is initialized by NULL, checking it too early makes the
rest of the function a dead code.
Pair-programmed-with: Andreas Schneider <asn at samba.org>
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 745af26a1a6531b2e906aa7c1c0355cbab658441
Author: Jones Syue <jonessyue at qnap.com>
Date: Mon Jan 10 09:29:44 2022 -0800
s3: includes: Make the comments describing itime consistent. Always use "invented" time.
It gets confusing if we call it "imaginary" or "instantiation"
in different places.
Signed-off-by: Jones Syue <jonessyue at qnap.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Jan 10 18:42:02 UTC 2022 on sn-devel-184
commit 920611f0bc98229ac4a5ee127af7f99216075341
Author: Jeremy Allison <jra at samba.org>
Date: Mon Jan 10 09:01:09 2022 -0800
s3: lib: In create_clock_itime(), use timespec_current() -> clock_gettime(CLOCK_REALTIME..).
CLOCK_MONOTONIC (which we previously used) is reset
when the system is rebooted.
CLOCK_REALTIME is a "wall clock" time. It's still affected by NTP
changes (for Linux we should probably use CLOCK_TAI instead
but that is Linux-specific). For most systems CLOCK_REALTIME
will be good enough.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b5e56a30dfd33e89cfb602b1e7480e210434d600
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jan 9 13:38:37 2022 +0100
rpcclient: Fix ncacn_ip_tcp:<ip-address>
inet_pton expects "struct in_addr" or "struct in6_addr" as destination
pointer. It does not fill in a struct
sockaddr_storage. interpret_string_addr() takes care of this.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Jan 10 11:47:34 UTC 2022 on sn-devel-184
commit 03734be1d62b8860a6ccaae3801d89b7129729df
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jan 9 13:39:12 2022 +0100
test: Test rpcclient ncacn_ip_tcp:<ip-address>
Right now connecting to an IP address is broken.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 23fbf0bad0332a0ae0d4dc3c8f6df6e7ec46b88b
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jan 5 11:40:46 2022 -0800
s3: smbd: Create and use a common function for generating a fileid - create_clock_itime().
This first gets the clock_gettime_mono() value, converts to an NTTIME (as
this is what is stored in the dos attribute EA), then mixes in 8 bits of
randomness shifted up by 55 bits to cope with poor resolution clocks to
avoid duplicate inodes.
Using 8 bits of randomness on top of an NTTIME gives us around 114
years headroom. We can now guarentee returning a itime-based
fileid in a normal share (storing dos attributes in an EA).
Remove knownfail.d/fileid-unique
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Jan 8 06:35:22 UTC 2022 on sn-devel-184
commit 29d69c22a0d945193ce3dac27e1083dbc5c53f03
Author: Jeremy Allison <jra at samba.org>
Date: Thu Jan 6 13:58:20 2022 -0800
lib: util: Add a function nt_time_to_unix_timespec_raw().
Not yet used. Does no checks on the converted values.
A later cleanup will allow us to move nt_time_to_unix_timespec()
and nt_time_to_full_timespec() to use common code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 30fea0d31117c1a899cd333a9b8a62ba765dbb02
Author: Jeremy Allison <jra at samba.org>
Date: Thu Jan 6 15:11:20 2022 -0800
tests: Add 2 tests for unique fileid's with top bit set (generated from itime) for files and directories.
smb2.fileid_unique.fileid_unique
smb2.fileid_unique.fileid_unique-dir
Create 100 files or directories as fast as we can
against a "normal" share, then read info on them
and ensure (a) top bit is set (generated from itime)
and (b) uniqueness across all generated objects
(checks poor timestamp resolution doesn't create
duplicate fileids).
This shows that even on ext4, this is enough to
cause duplicate fileids to be returned.
Add knownfail.d/fileid-unique
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit ea9dc21a2308b9d8ad51d3205327e9e91ade9d84
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 16 17:04:02 2021 -0800
s3: smbd: Remove now redundent lock_flav parameter from smbd_do_unlocking().
We already stored this in struct smbd_lock_element.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Thu Jan 6 16:03:28 UTC 2022 on sn-devel-184
commit 07c74582c0f9fd74d00a667879787cdde1de3fb3
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 16 16:56:02 2021 -0800
s3: smbd: Remove lock_flav argument from smbd_smb1_brl_finish_by_lock().
We lookup the lock array from the state stored in the passed-in req
and all the locks in an array are always the same flavour, so this
isn't needed.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 8ec30dade11c85b6f6b55a3ab564167f79ba3b0f
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 16 16:48:58 2021 -0800
s3: smbd: Remove lock_flav argument from internal function smbd_smb1_do_locks_check()
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit b03e0da5288667933d69b8a162534cdec8bc9b25
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 16 16:41:09 2021 -0800
s3: smbd: Remove lock_flav argument from smbd_smb1_do_locks_send().
And also inside struct smbd_smb1_do_locks_state.
All calls to this always (a) have one or more locks of the same type.
(the setup for smbd_smb1_do_locks_send() ensures there is always
at least one lock) and (b) always set locks[0].lock_flav correctly before calling.
lock_flav is thus a redundent argument. Removing it means
we can never drift out of sync with the lock_flav element
in the passed in locks array.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit c1d5993489472ac857f83729c901004f26866d6f
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 16 16:15:54 2021 -0800
s3: smbd: In smbd_smb1_do_locks_send() move access of lock_flav until after we know we have locks in the array.
When we remove the lock_flav parameter this will need to look into the array itself.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 4a567652422f8fcf507fa8e5ec7300d7014268a0
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 16 15:06:59 2021 -0800
s3: smbd: Remove lock_flav parameter from smbd_do_locks_try().
This is now contained in the struct smbd_lock_element for
each lock.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 85e131b54ba91f349316d9d637b4344d1a642bc5
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 16 15:00:03 2021 -0800
s3: smbd: Move implicit call to lp_posix_cifsu_locktype() out of init_strict_lock_struct().
Make it explicit. When we add POSIX handles to SMB2 we will only
look at the handle type. lp_posix_cifsu_locktype() already does this,
but hidden inside init_strict_lock_struct() makes it hard to see.
No logic change.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 9a0212800cbc51e51e069334f1d5f3aa0e239086
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 16 14:26:44 2021 -0800
s3: smbd: Add "enum brl_flavour" to struct smbd_lock_element.
Initialized correctly but not yet used.
Will allow 'brl_flavour' to be removed from lock calls.
This will allow SMB2 POSIX handles to call with POSIX_LOCK
flavour instead of always using WINDOWS_LOCK (as now).
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 099c62a654da2623653218c771dd8fabdc7cc091
Author: Jeremy Allison <jra at samba.org>
Date: Mon Jan 3 16:52:25 2022 -0800
s3: smbclient: In do_host_query(), if we need SMB1, ensure we select NT1 as the client max protocol" before continuing.
Remove knownfail: selftest/knownfail.d/list_servers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14939
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Thu Jan 6 11:50:32 UTC 2022 on sn-devel-184
commit 0d9d1546a7bad6e0fac58e146a75e4eb1ce78c11
Author: Jeremy Allison <jra at samba.org>
Date: Mon Jan 3 16:48:17 2022 -0800
s3: selftest: Add two tests that show we try and send an SMB1 request over an SMB2 connection to list servers if "-mSMB3" is selected.
Add knownfail: knownfail.d/list_servers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14939
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 42cf3f4f0079549b99d6cdecdc741654ff7844d6
Author: Volker Lendecke <vl at samba.org>
Date: Thu Dec 23 13:24:27 2021 +0100
lib: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Jan 5 01:02:38 UTC 2022 on sn-devel-184
commit 621ceafe7f1ff1148b8ca3249a25f57c62a17c97
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 21 12:54:56 2021 +0100
vfs: Modernize a DEBUG statement
Fix the function name printed
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit aa377c7fd788585ac359c2a61066b7ffe90d8883
Author: Volker Lendecke <vl at samba.org>
Date: Sun Dec 19 11:02:46 2021 +0100
smbd: Modernize a DEBUG statement
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0970822699804dad44dba02513f47d875cf54d8d
Author: Volker Lendecke <vl at samba.org>
Date: Thu Oct 7 14:52:47 2021 +0200
rpc_server3: Inline single-use rpcint_binding_handle_ex()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit bad374ae66d795f971153c5561067b26c45e1c7b
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 12:20:17 2021 +0200
rpc_server3: Inline pipes_struct into dcerpc_ncacn_conn
This makes it clear that our internal representation of a rpc client
connection in the source3/ server is struct dcerpc_ncacn_conn and that
struct pipes_struct is only around for API compatibility with the
existing server stubs.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 55cdb61269f828be13186060b35c9be742a22fa0
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 11:16:21 2021 +0200
rpc_server3: Remove dcerpc_ncacn_conn->session_info
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
The talloc hierarchy is correctly maintained, dcesrv_endpoint_connect() takes a
talloc_reference() of session_info.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 79024fa681f3d64d21db80abc23ef6b8c238750a
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 11:16:21 2021 +0200
rpc_server3: Remove dcerpc_ncacn_conn->local_server_addr
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 10478d39a1c028a79991a91984243f8d9d063045
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 11:16:21 2021 +0200
rpc_server3: Remove dcerpc_ncacn_conn->remote_client_addr
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 7c5b247e31484862edd394072e25c7154b890d8b
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 11:16:21 2021 +0200
rpc_server3: Remove dcerpc_ncacn_conn->tstream
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0d315ddbfe919898d75284c9aefce5ed56cf6ca8
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 11:16:21 2021 +0200
rpc_server3: Remove dcerpc_ncacn_conn->dce_ctx
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 909e309414fcc6926f8b574ac8247f837befb32a
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 11:16:21 2021 +0200
rpc_server3: Remove dcerpc_ncacn_conn->msg_ctx
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 7d92880fbf42e77a4193c7ff5ab2a22a0a65a79c
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 11:14:30 2021 +0200
rpc_server3: dcerpc_ncacn_conn->ev_ctx was only set but never used
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0eed31db6c327eaedc984ff5aab32afeea8a144a
Author: Volker Lendecke <vl at samba.org>
Date: Fri Oct 1 16:28:57 2021 +0200
winbind: Don't transfer a pointer that's NULL anyway
ncacn_conn was created by make_internal_ncacn_conn with talloc_zero(),
and that does not set session_info for the purely one-shot connection
state in winbindd_dual_ndrcmd().
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0cae08f298856af10959a031794155946a4e778c
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 11:39:21 2021 +0200
rpc_server3: No linked list for pipes_struct anymore
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0a7ecf1880a8d3191a142ed5d18d57fbe858f86c
Author: Volker Lendecke <vl at samba.org>
Date: Mon Oct 4 13:50:02 2021 +0200
rpc_server3: Remove pipes_struct->auth
Replace with a call to dcesrv_call_auth_info(p->dce_call)
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8379d8cd532be9540cd61332923b76197ddb1e2c
Author: Volker Lendecke <vl at samba.org>
Date: Mon Oct 4 13:40:02 2021 +0200
rpc_server3: Remove pipes_struct->session_info
This is a big patch, but all it does is replace all "p->session_info"
with "session_info" after introducing a local variable from
dcesrv_call_session_info(p->dce_call).
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 716727c020fefa8f5efe2e68814eb979e1bb5e22
Author: Volker Lendecke <vl at samba.org>
Date: Mon Oct 4 12:49:56 2021 +0200
rpc_server3: Remove pipes_struct->pipe_bound
Only used in pipe_access_check(), superseded by dcesrv_call_auth_info()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit cdc18db7e2b43a52da1b7f038be7ae4483f81d04
Author: Volker Lendecke <vl at samba.org>
Date: Mon Oct 4 12:37:30 2021 +0200
rpc_server3: Inline make_base_pipes_struct()
This did not even use all its arguments anymore.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 640f4403c65f3d07551127c1fe6ce8f9ed2b6785
Author: Volker Lendecke <vl at samba.org>
Date: Mon Oct 4 12:26:18 2021 +0200
rpc_server3: Remove pipes_struct->remote_address
Also available via dcesrv_connection_get_remote_address(p->dce_call->conn)
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5a0155fb51dff6ce9f874f29ca847aebf349108d
Author: Volker Lendecke <vl at samba.org>
Date: Mon Oct 4 12:19:57 2021 +0200
rpc_server3: Remove pipes_struct->local_address
Also available via dcesrv_connection_get_local_address(p->dce_call->conn)
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2777fde6a1a7d6b6683712b08f21d156080e97e3
Author: Volker Lendecke <vl at samba.org>
Date: Mon Oct 4 12:03:55 2021 +0200
rpc_server3: Inline make_base_pipes_struct() into rpc_worker.c
This is the only user, and in winbind_dual_ndr.c's
make_internal_ncacn_conn we have another creator of pipes_struct. So
it seems not necessary to keep this public.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0f9f1fa0c26c065984d32426c1e55f88e7bcaced
Author: Volker Lendecke <vl at samba.org>
Date: Tue Sep 28 13:26:18 2021 +0200
rpc_server3: Inline make_internal_ncacn_conn() into rpc_worker.c
This was the only user, and as we have another custom version in
winbind with make_internal_ncacn_conn(), I think this is not really
required to keep around as a separate function.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 22176770ad2257319dd0a8b9c265b42de1d06122
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 21 17:12:55 2021 +0100
smbd: Avoid a DEBUGADD statement
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 25aa7243fb238f910ba52fc084d94f3430811ead
Author: Volker Lendecke <vl at samba.org>
Date: Tue Oct 12 12:06:20 2021 +0200
Remove some unused code
I think that if we want to work on asn1 routines we should use
libtasn1. We already depend on this via gnutls these days.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c7e36be5da5f09d03689c23e2a91d79a011e9204
Author: Volker Lendecke <vl at samba.org>
Date: Mon Dec 27 11:25:34 2021 +0100
lib: Avoid a cast
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d60f583245a9847e791a42c25286f2200662fc8d
Author: Volker Lendecke <vl at samba.org>
Date: Wed Nov 24 12:28:34 2021 +0100
smbd: Avoid some casts
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 9a2f5a52e8c534ae9d70ceaa5ea697237480fab0
Author: Volker Lendecke <vl at samba.org>
Date: Fri Nov 26 16:36:25 2021 +0100
smbd: Remove an unneeded anonymous struct declaration
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 6c64e698f036d2028c3273939c2ebbeb3c74485c
Author: Volker Lendecke <vl at samba.org>
Date: Fri Nov 26 16:35:44 2021 +0100
smbd: Move fast_string_hash() to mangle_hash.c, the only user
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5ce8b395ec4bebb441fb568769cf6b91a94c1dd4
Author: Volker Lendecke <vl at samba.org>
Date: Thu Nov 25 16:52:41 2021 +0100
smbd: Fix a few typos
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d0b61ecd74c2d564ca38a6e84c3c8dae81a1ddb7
Author: Volker Lendecke <vl at samba.org>
Date: Thu Nov 25 15:37:00 2021 +0100
smbd: Save a few lines by using cp_smb_filename_nostream()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit dd9886100514941aa16af8566faf41501b601a44
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 17 23:32:28 2021 +0100
auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jan 4 20:57:41 UTC 2022 on sn-devel-184
commit e0b705d26f0b151ba52d1f9f5504f622fadf7d7c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 17 23:23:33 2021 +0100
s4:torture/smb2: add smb2.session.ntlmssp_bug14932 test
This demonstrates that an invalid av_pair in NTLMv2_CLIENT_CHALLENGE
should result in NT_STATUS_INVALID_PARAMETER at the NTLMSSP layer.
This is different from the netr_LogonSamLogon*() case, where it is
ignored instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 23bedd69b2db0dd6de98ed147eddcba799694de7
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 15 17:25:06 2021 +0100
libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore invalid netapp requests
We should avoid spamming the logs with wellknown messages like:
ndr_pull_error(Buffer Size Error): Pull bytes 39016
They just confuse admins (and developers).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f123c1a171e59113feb688523b499dab0b824528
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 15 17:25:06 2021 +0100
libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL
Windows doesn't complain about invalid av_pair blobs,
we need to do the same.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e7e521fe9b947e553e2bf093e93f1d66ae9c95b9
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 17 22:28:51 2021 +0100
s4:torture/rpc: add test for invalid av_pair content in LogonSamLogonEx
A netapp diag tool uses a NTLMv2_CLIENT_CHALLENGE with invalid bytes
as av_pair blob. Which is supposed to be ignored by DCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0ef1254f4428ab83ab6c8ca5e3415a1a9e069c92
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Dec 18 10:40:36 2021 +0100
auth/credentials: cli_credentials_set_ntlm_response() pass session_keys
Otherwise cli_credentials_get_ntlm_response() will return session keys
with a 0 length, which leads to errors in the NTLMSSP code.
This wasn't noticed as cli_credentials_set_ntlm_response() has no
callers yet, but that will change in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a03aa131554ef17801248a21722f2c8fb398ee44
Author: David Mulder <dmulder at suse.com>
Date: Mon Jan 3 08:40:56 2022 -0700
Remove stray reference to "ldap ssl ads"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14462
"ldap ssl ads" has been deprecated and removed.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Isaac Boukris <iboukris at gmail.com>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jan 4 19:58:24 UTC 2022 on sn-devel-184
commit 07cb2246cb36c70588ab19b2dd83d0a29851ae59
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 1 01:31:01 2022 +0100
Happy New Year 2022!
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sat Jan 1 01:24:21 UTC 2022 on sn-devel-184
commit 96b1070229545a7c7e223dddadb9e8503d7d8b6a
Author: Volker Lendecke <vl at samba.org>
Date: Mon Dec 27 11:17:22 2021 +0100
smbd: Assert we don't leak fd's in struct fd_handle
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Dec 30 11:54:17 UTC 2021 on sn-devel-184
commit 529e6718c0944ce2e31ba5c72799bedd8569541c
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 28 12:25:59 2021 +0100
smbd: Replace SMB_VFS_CLOSE() calls with fd_close()
fd_close() mostly wraps SMB_VFS_CLOSE() but also takes care of refcounting
fsp->fh properly and also makes sure that fsp->fh->fd is set to -1 after close.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e6c8b38ecf1f040630a91a859d5f5bf528ceffbd
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 28 18:42:00 2021 +0100
vfs_commit: Reset fsp->fd->fd to -1 after SMB_VFS_CLOSE
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 28e09580b05951d2c1f5a6c57a1287b51e034e35
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 28 18:34:20 2021 +0100
pysmbd: Fix file descriptor leaks
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 5988607d7fa3f5f62cf7e0f9517b471c1db19aee
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 28 12:25:40 2021 +0100
smbd: Fix a fd leak when closing a print file
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 9d2bf015378c5bc630c92618e034c5eba95cc6b4
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 21 11:19:40 2021 +0100
s3:libsmb: fix signing regression SMBC_server_internal()
commit d0062d312cbbf80afd78143ca5c0be68f2d72b03 introduced
SMBC_ENCRYPTLEVEL_DEFAULT as default, but the logic to enforce
signing wasn't adjusted, so we required smb signing by default.
That broke guest authentication for libsmbclient using applications.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Dec 27 16:38:11 UTC 2021 on sn-devel-184
commit 0a808f6b53f50f426bd706f5327f610bb9e5967d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 21 12:05:13 2021 +0100
s4:selftest: run libsmbclient.noanon_list against maptoguest
This demonstrates the problem with guest access being rejected
by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 59e436297b0a4baa01e4e8a4bbb9c0bc9d7e1f29
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 21 12:04:30 2021 +0100
s4:torture/libsmbclient: add libsmbclient.noanon_list test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 648b476dcdb6f378b627266cb787fd8f38fba56a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 21 14:39:25 2021 +0100
selftest/Samba3: enable SMB1 for maptoguest
guest authentication is an old school concept,
so we should make sure it also works with SMB1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 9a68025ad391b148166c25b7dec06a7ce12fe4a6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 23 18:32:44 2021 +0100
s4:rpc_server/netlogon: adjust the valid_flags based on dsdb_dc_functional_level()
This allows us to let DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED through
based on the manual changed msDS-Behavior-Version of our NTDSA object.
We still need to have tests depending on the msDS-Behavior-Version
value if the DSGETDC_VALID_FLAGS is really correct at all.
But for now this allows us to test krb5 FAST from Windows clients.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton at samba.org>
Autobuild-Date(master): Fri Dec 24 03:03:50 UTC 2021 on sn-devel-184
commit d9abd7fff58970725fa1375bf0ed210602e45d27
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Dec 22 14:41:50 2021 +1300
s4:rpc_server/netlogon: adjust the flags logic to MS-NRPC 3.5.4.3.1 DsrGetDcNameEx2
Note that this doesn't change the logic as we still reject
DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED via the initial DSGETDC_VALID_FLAGS
check. The may change that in future, but may need some tests for it.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 55948433135929488fa8370f826afdc02db1bf2a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Dec 22 14:51:08 2021 +1300
dsdb/netlogon: Indicate DC functional level support in samlogon response
The DS_SERVER_DS_8 flag is necessary for Windows to detect FAST support.
Note for know we only ever have DS_DOMAIN_FUNCTION_2008_R2 (4) in the
msDS-Behavior-Version attribute of our own NTDSA object. So
for now this is only for manual testing. In future we most likely
want to extend 'samba-tool domain level' to raise the dc level
manually or let 'samba' autoupgrade the value.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 0e515b3309d0c3bbb63447fb712df2279f071551
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 23 11:40:58 2021 +0100
dsdb/netlogon: make use of dsdb_dc_functional_level() in fill_netlogon_samlogon_response()
[MS-ADTS] 6.3.3.2 "Domain Controller Response to an LDAP Ping" indicates
that the resulting flags depend on the server software (behavior)
and not the domain wide functional level.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit e0b47257d9f004e943da78dcb84f9a4a15552cef
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Dec 22 14:53:44 2021 +1300
dsgetdcname: Display new flags in debug output
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 454e46c467fbba9814c03c7200c58efb269c326d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 23 10:57:50 2021 +1300
netlogon.idl: Add flags for indicating directory service versions
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 2926cfb299c14a6d80c32059377833d41fd7a32a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 23 11:34:25 2021 +0100
s4:rpc_server/dnsserver: make use of dsdb_dc_functional_level()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit b5f71e25d49cff27a7f9c48b60a1a0eb70adfeec
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 23 11:34:02 2021 +0100
dsdb/common: add dsdb_dc_functional_level() helper
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 2da538a4585bc8ead5fc4e4c4422b8fe638cb621
Author: Andreas Schneider <asn at samba.org>
Date: Thu Dec 16 07:24:58 2021 +0100
python:tests: Don't require an emtpy 'authorization-data' to be present
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Dec 20 17:01:11 UTC 2021 on sn-devel-184
commit bd804e0eef85ed4e05f9a3b7afbd29b1ba4a5d97
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 20 17:02:12 2021 +0100
Revert "python:tests: Don't require an emtpy 'authorization-data' to be present"
This reverts commit 36325f1ee907d38c978229da67de3844f969cd33.
This was not the latest version from:
https://gitlab.com/samba-team/samba/-/merge_requests/2304
The correct version follows...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 00c2425c2c10c324868f0c5e7283da7714c009eb
Author: Anoop C S <anoopcs at samba.org>
Date: Fri Dec 17 15:41:25 2021 +0530
s3/rpc_server: Remove duplicate dependency listing for RPC_SERVICE
Signed-off-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Anoop C S <anoopcs at samba.org>
Autobuild-Date(master): Mon Dec 20 10:14:53 UTC 2021 on sn-devel-184
commit 36325f1ee907d38c978229da67de3844f969cd33
Author: Andreas Schneider <asn at samba.org>
Date: Thu Dec 16 07:24:58 2021 +0100
python:tests: Don't require an emtpy 'authorization-data' to be present
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton at samba.org>
Autobuild-Date(master): Mon Dec 20 08:26:45 UTC 2021 on sn-devel-184
commit 5fa7f73b14790f4c581fb2bd4d67cd5561e79b6a
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 15 10:41:39 2021 -0800
s3: smbd: In setup_close_full_information(), remove unneeded vfs_stat().
After openat_pathref_fsp() is successful we know we have a VALID_STAT().
It either returns NT_STATUS_OK or we look at the stat
struct for S_ISLNK so we know we have VALID_STAT().
If it's not successful we error out, so we don't need
another vfs_stat() here.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Dec 16 07:33:09 UTC 2021 on sn-devel-184
commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472
Author: Günther Deschner <gd at samba.org>
Date: Wed Nov 17 09:56:09 2021 +0100
pam_winbind: add new pwd_change_prompt option (defaults to off).
This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Dec 16 03:05:30 UTC 2021 on sn-devel-184
commit eae4c54e2b15c0022010b75c3117edce39d6c204
Author: Andreas Schneider <asn at samba.org>
Date: Tue Dec 14 16:27:17 2021 +0100
s3:winbind: Fix using normalized name in sam_name_to_sid()
name is never read again, we want lsa_name to be set.
Found by covscan.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Dec 15 20:22:47 UTC 2021 on sn-devel-184
commit 4e9a58f376f60b16e88f0e34f35168fc3e260326
Author: Andreas Schneider <asn at samba.org>
Date: Tue Dec 14 16:13:51 2021 +0100
lib:util: Initialize pid
Found by covscan
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 31b9208d8390d2cb6fc784ff3486cab27a187b98
Author: Andreas Schneider <asn at samba.org>
Date: Tue Dec 14 16:12:43 2021 +0100
lib:krb_wrap: Add missing error check in smb_krb5_salt_principal_str()
Found by covscan.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 092e11295a9cfaed1cc0b70a4d1e25a6a106826c
Author: Andreas Schneider <asn at samba.org>
Date: Tue Dec 14 15:46:05 2021 +0100
s3:winbindd: Remove dead code from sam_rids_to_names()
domain_name is never NULL in this case. Found by covscan.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 116123e9214cfc9a2c2c0f5ffe223f65ae03da05
Author: Andreas Schneider <asn at samba.org>
Date: Tue Dec 14 15:42:06 2021 +0100
s4:dns_server: Remove less-than-zero comparison of an unsigned value
This will never be true. Found by covscan
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 90fd7674f81ca03485908ea483d6c9a5631a0179
Author: Andreas Schneider <asn at samba.org>
Date: Tue Dec 14 15:38:45 2021 +0100
ctdb:client: Initialize structs and pointers in ctdb_ctrl_(en|dis)able_node()
Found by covscan.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3397e04d7149f22604e6213e833190da7ce1a5ac
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 10 15:10:39 2021 +0100
s3:libnet: Initialize struct ODJ_POLICY_DNS_DOMAIN_INFO
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e25af2bc4f18e2c497c64e654b3059a1949c909e
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 10 15:06:03 2021 +0100
lib:util: Check return value of tdb_parse_record()
This makes covscan happy.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e8e1a74da3f5ba4850a6f4ad8b54ea2ac5703710
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 10 15:03:20 2021 +0100
s3:lib: Do not close fd = -1 on fail in netapi example
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 9bd0fbf5e8d2e4cf65d5d26311a8b510eef3eba5
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 10 14:56:08 2021 +0100
s3:lib: Fix memory leak in netapi examples
Found by covscan.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c8c3c547646c2f91c63b5a195476d5bed88ae2a1
Author: Jeremy Allison <jra at samba.org>
Date: Tue Dec 14 09:50:12 2021 -0800
s3: smbd: In call_trans2qfilepathinfo(), remove unneeded vfs_stat().
We know at this point that we have VALID_STAT(smb_fname->st).
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Dec 15 19:26:50 UTC 2021 on sn-devel-184
commit 6000d3408e303936eaccdc06d4e7f3087834ce13
Author: Jeremy Allison <jra at samba.org>
Date: Tue Dec 14 09:46:51 2021 -0800
s3: smbd: In call_trans2qfilepathinfo(), we must have an existing object in the QPATHINFO case.
qpathinfo must operate on an existing file, so we
can exit early if filename_convert() returned the "new file"
NT_STATUS_OK, !VALID_STAT case.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 834aa7bb0118ad3fab7cc2bb80d9be48f2e5b7e4
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 16:54:07 2021 -0800
s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, we don't need to re-stat.
If we need a valid filesystem object, and we have a !VALID_STAT()
return from filename_convert(), the previous commit has already
errored out. We don't need a re-stat call here.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit d508dff634509eb9c3a69ef628f618eeeda34d9b
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 16:48:14 2021 -0800
s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, ensure we have a VALID_STAT return from filename_convert().
Remember, filename_convert() can return NT_STATUS_OK
with !VALID_STAT() if the last component doesn't exist,
as this may be an object create.
For call_trans2setfilepathinfo(), there are only 4 info levels
for the TRANSACT2_SETPATHINFO (pathname) case that don't require
an existing filesystem object (i.e. a VALID_STAT()) in the return
from filename_convert() as they can create an object in the
filesystem.
If we don't get a VALID_STAT() and the info level isn't one of
those 4, error out.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit eabcaa2e5545abce9363b729a8128046e10a6191
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 14:19:35 2021 -0800
s3: smbd: call_trans2setfilepathinfo(), TRANSACT2_SETFILEINFO case, use helper function vfs_stat().
This isn't a change in behavior, even though the
old comment says: "Always do lstat for UNIX calls".
A previous commit enforces POSIX pathname negotiation
before allowing UNIX info levels to be processed here,
so we can guarantee that SMB_FILENAME_POSIX_PATH is set
on smb_fname if we're allowing a UNIX info level.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit de88369c358abee3f6991a99c2b6e6f1e589ce52
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 14:13:59 2021 -0800
s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QPATHINFO, use helper function vfs_stat().
This isn't a change in behavior, even though the
old comment says: "Always do lstat for UNIX calls".
A previous commit enforces POSIX pathname negotiation
before allowing UNIX info levels to be processed here,
so we can guarantee that SMB_FILENAME_POSIX_PATH is set
on smb_fname if we're allowing a UNIX info level.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 80e3f4e5ca66cff1d078a8020c7de918824bb75a
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 14:09:33 2021 -0800
s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QPATHINFO on a named stream case, use helper function vfs_stat().
This isn't a change in behavior, even though the
old comment says: "Always do lstat for UNIX calls".
A previous commit enforces POSIX pathname negotiation
before allowing UNIX info levels to be processed here,
so we can guarantee that SMB_FILENAME_POSIX_PATH is set
on smb_fname if we're allowing a UNIX info level.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 8c0f34f05706f7e172c96f54e679d34962f67a2e
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 14:05:32 2021 -0800
s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QFILEINFO case, use helper function vfs_stat().
This isn't a change in behavior, even though the
old comment says: "Always do lstat for UNIX calls".
A previous commit enforces POSIX pathname negotiation
before allowing UNIX info levels to be processed here,
so we can guarantee that SMB_FILENAME_POSIX_PATH is set
on smb_fname if we're allowing a UNIX info level.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit eb0e68d0e7a22f0cc2a53757d7daf87489406282
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 16:08:14 2021 -0800
s3: smbd: In parent_dirname_compatible_open(), use helper function vfs_stat().
This is a change in behavior, but the old behavior was incorrect.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 04a4cd2ada7557f0db5bd32e7459b146567d2240
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 14:02:51 2021 -0800
s3: smbd: In vfs_stat_smb_basename() use vfs_stat() helper function.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit b0a41119f4ccebd8930cc79d6fe381ab4b363058
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 13:45:13 2021 -0800
s3: smbd: In smbd_smb2_getinfo_send(), use vfs_stat() utility function.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
commit da2d61ba80d5b7cc87e52e373cdb2f2270b86c12
Author: Noel Power <noel.power at suse.com>
Date: Wed Dec 15 15:55:02 2021 +0000
s3: smbd: In stat_cache_lookup(), remove unused posix_paths param.
Signed-off-by: Noel Power <npower at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d8f09c1bf097087f287d39b660f135793b652d2d
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 13:44:25 2021 -0800
s3: smbd: In stat_cache_lookup(), use vfs_stat() utility function.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
commit c94d919fd9c93f6d8987e2a0d6fa4ba066497d99
Author: Noel Power <noel.power at suse.com>
Date: Wed Dec 15 15:36:22 2021 +0000
s3: smbd: In setup_close_full_information() the posix_open parameter is not needed anymore.
Signed-off-by: Noel Power <npower at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 89574ed33ba5b22c05e8f1911f663e4f7026a78f
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 13:43:06 2021 -0800
s3: smbd: In setup_close_full_information() use vfs_stat() helper function.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 8767f60a0a2db0bd9c0de2a36b9cef64efef6ada
Author: Jeremy Allison <jra at samba.org>
Date: Mon Dec 13 13:42:35 2021 -0800
s3: smbd: In check_parent_exists() use utility function vfs_stat().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 0f4eca775aa52cfe40a25ead90c560d76b286ad9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 14 19:16:15 2021 +1300
tests/krb5: Add tests for AS-REQ to self with FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Dec 15 04:33:11 UTC 2021 on sn-devel-184
commit 100be7eb8e70ba270a8e92957a5e47466160a901
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 14 19:16:00 2021 +1300
tests/krb5: Correctly determine whether tickets are service tickets
Previously we expected tickets to contain a ticket checksum if the sname
was not the krbtgt. However, the ticket checksum should not be present
if we are performing an AS-REQ to our own account. Now we determine a
ticket is a service ticket only if the request is also a TGS-REQ.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1eb91291b54b194d8312dac6dd605c793eabfd53
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 14 19:16:26 2021 +1300
tests/krb5: Generate unique UPNs for enterprise tests
This helps to avoid problems with account creation on Windows due to UPN
uniqueness constraints.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3b23ae59ac4953d20ca4422b567a15227a17c545
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 9 13:18:54 2021 +1300
s4:torture: Fix typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 030afa6c01bfc0bfd20a204a5cc7c9d33032a1e7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 9 13:18:45 2021 +1300
s4:torture: Remove comments that are no longer relevant
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bba30095ca14dd947cb32a4403e351b0523304dd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 10 14:59:22 2021 +1300
kdc: Pad UPN_DNS_INFO PAC buffer
Padding this buffer to a multiple of 8 bytes allows the PAC buffer
padding to match Windows.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 31f3e815799a205f48bebae666deb327e1058674
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 14 19:19:42 2021 +1300
Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows"
This alignment should be done on the Samba side instead.
This reverts commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7dfcbc4e381080b3e3e1777134aecef5522d1f01
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 9 11:56:55 2021 +1300
tests/krb5: Add tests for PAC buffer alignment
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit abbeb5c2175ad9574d75e852c101887d6e642cb4
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 13 08:31:49 2021 +0100
s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3a3f7feac59feba08438831cb02564e9b80cdc59
Author: Andreas Schneider <asn at samba.org>
Date: Thu Oct 7 15:12:35 2021 +0200
s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac()
This will be allocated by the KDC in MIT KRB5 1.20 and newer.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 731d9c42d0775d9b1a7475ad2efbe23c2439f6db
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 13 15:48:08 2021 +0100
s4:mitkdc: Pass NULL to ks_get_pac() as the client_key
This is unused with MIT KRB5 < 1.20 as this is probably not the right key.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e95fb04c5dec9f0487010fb59b6ebf99effe873f
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 13 08:33:05 2021 +0100
s4:mitkdc: Add support for pac_attrs and requester_sid
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b46a942f95bb28bceb84a14d1125d7f69fdc3fe7
Author: Andreas Schneider <asn at samba.org>
Date: Wed Dec 8 09:17:32 2021 +0100
s4:mitkdc: Reset errno to 0 for com_err messages
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c69bfa0939df3a8f15c917d7f9b8336fb0fef655
Author: Andreas Schneider <asn at samba.org>
Date: Wed Dec 8 09:16:57 2021 +0100
s4:mitkdc: Use talloc_get_type_abort() in ks_get_context()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f00eb8485f429e100d09ae2d529a7b8a1f6a6d34
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Tue Oct 19 12:15:50 2021 +0200
s4:mitkdc: Initilalize is_error with errno instead of EPERM(1)
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5b526f4533bda42b51326c3b60fd771bc1cd88e7
Author: Volker Lendecke <vl at samba.org>
Date: Mon Dec 13 17:49:51 2021 +0100
tdb: Raw performance torture to beat tdb_increment_seqnum
Running this on sn-devel-184 takes ~14 seconds with the atomic
ops. Without them I did not wait for it to finish. After reducing
NPROCS from 500 to 50 it still ran for more than a minute.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Dec 15 01:03:56 UTC 2021 on sn-devel-184
commit b9f06ab3472352d064082a44f7d5077c8c13931c
Author: Volker Lendecke <vl at samba.org>
Date: Mon Dec 13 17:42:12 2021 +0100
tdb: Use atomic operations for tdb_[increment|get]_seqnum
With locking.tdb now based on g_lock.c code, we change locking.tdb a
lot more often. I have a customer case where LDX tortures smbd very
hard with 800+ concurrent connections, which now completely falls over
where 4.12 still worked fine. Some debugging showed a thundering herd
on fcntl locking.tdb index 48 (TDB_SEQNUM_OFS). We still use fcntl for
the seqnum, back when we converted the chainlocks to mutexes we did
not consider it to be a problem. Now it is, but all we need to do with
the SEQNUM is to increment it, so an __atomic_add_fetch() of one is
sufficient.
I've taken a look at the C11 standard atomics, but I could not figure
out how to use them properly, to me they seem more general to be
initialized first etc. All we need is a X86 "lock incl 48(%rax)" to be
emitted, and the gcc __atomic_add_fetch seems to do this.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 62dab3921b335d47a0c9c419714d0e2ea2320f74
Author: Volker Lendecke <vl at samba.org>
Date: Mon Dec 13 17:40:52 2021 +0100
configure: Check for __atomic_add_fetch() and __atomic_load()
To be used in the tdb_seqnum code soon
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 1dc803048f8f0069079142245ec5ac4c11933bff
Author: Bernd Kuhls <bernd.kuhls at t-online.de>
Date: Sun Dec 12 10:27:42 2021 +0100
lib/util: Add signal.h include
Fixes build error with samba-4.15.3 and uClibc:
../../source3/printing/samba-bgqd.c: In function ‘main’:
../../source3/printing/samba-bgqd.c:340:21: error: ‘SIGPIPE’ undeclared (first use in this function); did you mean ‘EPIPE’?
../../source3/printing/samba-bgqd.c:384:14: error: ‘SIGTERM’ undeclared (first use in this function)
Signed-off-by: Bernd Kuhls <bernd.kuhls at t-online.de>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Dec 13 16:22:28 UTC 2021 on sn-devel-184
commit b5e7e7b65ae3251e128bbb41e7bbd0bfaeef4c7b
Author: Jeremy Allison <jra at samba.org>
Date: Thu Nov 18 12:16:44 2021 -0800
s3: smbtorture3: Fix POSIX-BLOCKING-LOCK to actually negotiate SMB1+POSIX before using POSIX calls.
This must be done before doing POSIX calls on a connection.
Remove the final entry in knownfail.d/posix_infolevel_fails
samba3.smbtorture_s3.plain.POSIX-BLOCKING-LOCK.smbtorture\(nt4_dc_smb1\)
And remove the file knownfail.d/posix_infolevel_fails itself.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Sat Dec 11 12:03:36 UTC 2021 on sn-devel-184
commit 89f284af616e63b4ebc8bf00aed289cc7faf372e
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 19 00:05:35 2021 -0800
s3: tests: Fix the samba3.blackbox.acl_xattr test to actually negotiate SMB1+POSIX before using POSIX calls.
Remove the following entries in knownfail.d/posix_infolevel_fails.
samba3.blackbox.acl_xattr.NT1.nt_affects_posix.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chown.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chgrp.*
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e7f2cfb5442f50c25c9a127dc1676360cab78b50
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 19 12:12:36 2021 -0800
s3: tests: Fix the samba3.blackbox.inherit_owner test to actually negotiate SMB1+POSIX before using POSIX calls.
Remove the following entry in knownfail.d/posix_infolevel_fails.
samba3.blackbox.inherit_owner.*.NT1.*verify.*unix\ owner.*
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6453e5aac45a41b21c5cad989bad34caa47d7e53
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 19 12:15:06 2021 -0800
s4: torture: Fix unix.info2 test to actually negotiate SMB1+POSIX before using POSIX calls.
Cope with the minor difference in wildcard search return when
we're actually using SMB1+POSIX on the server (SMB1+POSIX treats
all directory search paths as wildcards).
Remove the following entries in knownfail.d/posix_infolevel_fails.
samba3.unix.info2.info2\(nt4_dc_smb1\)
samba3.unix.info2.info2\(ad_dc_smb1\)
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 397cc7599b91cec10aa79570e29e9ced72a1690f
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 19 14:51:39 2021 -0800
s4: torture: Fix raw.search:test_one_file() by using the SMB1+POSIX connection for POSIX info levels.
Remove the following entry in knownfail.d/posix_infolevel_fails.
^samba3.raw.search.one\ file\ search.*
from knownfail.d/posix_infolevel_fails
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit aaa6d09f6fa376926237f90168c2dbc22fcf2e39
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 19 14:48:20 2021 -0800
s4: torture: raw.search: Add setup_smb1_posix(). Call it on the second connection in test_one_file().
Not yet used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d681a4b058522211e2db3095653dddf53a1f3caf
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 19 14:44:05 2021 -0800
s4: torture: In raw.search:test_one_file() add a second connection.
Change from torture_suite_add_1smb_test() to torture_suite_add_2smb_test().
Not yet used. We will need this to do SMB1+POSIX search calls on
a connection on which we have negotiated SMB1+POSIX.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 4bd1f7609fa36d19ee4c7837105cfd365a8e87fa
Author: Jeremy Allison <jra at samba.org>
Date: Sat Nov 20 20:17:11 2021 -0800
s3: smbclient: Give a message if we try and use any POSIX command without negotiating POSIX first.
Ensure we only use a POSIX command if POSIX is set up.
Issue the message: Command "posix" must be issued before the "XXXX" command can be used.
After the parameter parsing has been done.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 59fa3806c942ef7cd290e5bddb19f38949c4ca3b
Author: Jeremy Allison <jra at samba.org>
Date: Thu Nov 18 11:48:42 2021 -0800
s3: smbd: Tighten up info level checks for SMB1+POSIX to make sure POSIX was negotiated first.
Add knownfail file
knownfail.d/posix_infolevel_fails
for tests that don't currently negotiate
SMB1+POSIX before using SMB1+POSIX calls.
These are:
samba3.smbtorture_s3.plain.POSIX-BLOCKING-LOCK.smbtorture\(nt4_dc_smb1\)
samba3.blackbox.acl_xattr.NT1.nt_affects_posix.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chown.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chgrp.*
samba3.blackbox.inherit_owner.*.NT1.*verify.*unix\ owner.*
samba3.unix.info2.info2\(nt4_dc_smb1\)
samba3.unix.info2.info2\(ad_dc_smb1\)
samba3.raw.search.one\ file\ search.*
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 00fd039c9040ae9649151555314d5d70dae565f5
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 19 14:18:47 2021 -0800
s4: torture: In raw.search:test_one_file() remove the leading '\\' in the test filenames.
We'll soon be using this under SMB1+POSIX and neither Windows or POSIX
need a leading '\\' (and SMB1+POSIX sees the '\\' as part of the name).
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 57c56d89be068f3ff5f46368566fcb9622294460
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 19 12:54:47 2021 -0800
s4: torture: Fix raw.search:test_one_file() to use torture_result() instead of printf.
I think this test pre-dates torture_result.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 25c87b70c07647896c9e7c4c1132835dbe318b61
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 13:06:27 2021 -0800
s3: smbd: Remove 'struct uc_state' name_has_wildcard element.
It is never set or looked at.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Sat Dec 11 08:07:14 UTC 2021 on sn-devel-184
commit 0ecb5e3e3fb45c119c9cb933cc8479b6d33de1ad
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 13:05:55 2021 -0800
s3: smbd: In unix_convert_step_stat() remove use of state->name_was_wildcard.
It can never be true.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e6f0269817ef121f55b212bcec8ed9fad40a6ffd
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 13:03:47 2021 -0800
s3: smbd: In unix_convert_step() remove all use of 'state->name_was_wildcard'
We know it is never true.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ce6b3ba4099cf1fd35ccd5b85c59f1e76918fb3b
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 12:59:50 2021 -0800
s3: smbd: In unix_convert() remove the now unneeded block indentation.
We removed the 'if (state->name_has_wildcard) {' clause, so
the block no longer needs indenting.
Best seen with git show -b.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b21ba035bf364400c74385c1364ea93387903c7f
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 12:55:41 2021 -0800
s3: smbd: In unix_convert(), remove all references to state->name_has_wildcard.
It is never set.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1d52a4a46779244950f7ca911364b92166117b4b
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 12:53:36 2021 -0800
s3: smbd: Inside unix_convert(), never set state->name_is_wildcard.
We error out immediately if it's set anyway.
Preparing to remove 'state->name_is_wildcard' structure element.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6493d39b6796a7997c078902e7dcf71493bf8d9c
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 12:40:43 2021 -0800
s3: smbd: UCF_ALWAYS_ALLOW_WCARD_LCOMP 0x00000002 is no longer used.
Hurrah !
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6f15f8b68a56fca559604a83d30b659b301d2a43
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 12:37:15 2021 -0800
s3: smbd: We no longer need determine_path_error().
Now we don't have to consider wildcards just
return NT_STATUS_OBJECT_PATH_NOT_FOUND for
the cases we used to call it.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e1cc3e3a6737d8c238abd111264dd6c3490ddc9a
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 11:33:42 2021 -0800
s3: smbd: Inside 'struct uc_state', remove allow_wcard_last_component.
This is never allowed.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit da1417fb37b88b975c22dba8276723e05f2ea282
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 11:30:42 2021 -0800
s3: smbd: filename_convert() no longer deals with wildcards.
These are already errored out with NT_STATUS_OBJECT_NAME_INVALID
in the unix_convert() code.
Remove the check.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 24002be5883692fa6a586f66bf46f30cee72d4ba
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 11:48:23 2021 -0800
s3: smbd: parse_dfs_path() can ignore wildcards.
If one is passed to filename_convert(), it will error out there
with NT_STATUS_OBJECT_NAME_INVALID.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 52ca4bf6d5adcb4a40fb0b660779760c1f876cbd
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 11:42:23 2021 -0800
s3: smbd: Remove 'bool search_wcard_flag' from parse_dfs_path().
Never set.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 181257474833745c78de00a54daef3ac88d43719
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 11:31:40 2021 -0800
s3: smbd: dfs_path_lookup() no longer deals with wildcards.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit fa45c91cb45afc1a2e11e8569b4564d49000ae34
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 11:28:40 2021 -0800
s3: smbd: Fix call_trans2findfirst() to use filename_convert_smb1_search_path().
filename_convert() no longer has to handle wildcards.
UCF_ALWAYS_ALLOW_WCARD_LCOMP is now unused.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1658fad32cbc30f9bd9e5fa3620762f47821bf7b
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 11:22:03 2021 -0800
s3: smbd: Convert reply_search() to use filename_convert_smb1_search_path().
Cleans up this code path nicely !
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3ca822186435d917913f4163532ad5a0f306215f
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 10:35:09 2021 -0800
s3: smbd: Add filename_convert_smb1_search_path() - deals with SMB1 search pathnames.
SMB1search and trans2 findfirst are unique in that
they are the only passed in pathnames that can contain
a terminal wildcard component.
Deal with these two special cases with this new function
that strips off the terminal wildcard and returns as
the mask, and pass the non-wildcard parent directory
component through the standard filename_convert().
Uses new helper function strip_gmt_from_raw_dfs().
When SMB1search and trans2 findfirst have been
converted to use this function, we can strip all
wildcard handling out of filename_convert() as
we now know it will only ever be given valid
pathnames.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit addbf4cc3ba3a7a72c35118cf71bbed0e6d2c7f7
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 16:14:08 2021 -0800
s3: smbd: Allow dfs_redirect() to return a TWRP token it got from a parsed pathname.
This one is subtle. If an SMB1 request has both a DFS path and a @GMT token,
the unix_convert() inside the DFS path processing will remove the @GMT
token, not allowing the subsequent unix_convert() inside filename_convert()
to see it. By returning it from dfs_redirect() we can ensure it's correctly
added to the smb_filename returned from filename_convert().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit a568e92e51a7229a3a370daa95f066413ab2b293
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 16:00:26 2021 -0800
s3: smbd: In dfs_path_lookup(). If we have a DFS path including a @GMT-token, don't throw away the twrp value when parsing the path.
Not yet used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 14e0dd43d56f5daad12af87a373db78d2b2a709a
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 10:19:38 2021 -0800
s3: smbd: filename_convert() is now a one-to-one wrapper around filename_convert_internal().
Remove filename_convert() and rename filename_convert_internal() -> filename_convert().
Move the old DEBUG(..) statements to DBG_XXX() so they don't print the wrong name.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 5425f2aa43d289b3fc57d55441992500e6cf6661
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 10:14:03 2021 -0800
s3: smbd: Remove now unused check_reduced_name_with_privilege().
We now only have one function that does this check (check_reduced_name()),
used everywhere.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 02f840308d5e265eab7dcc90029f7defb3f79809
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 10:13:13 2021 -0800
s3: smbd: Remove unused check_name_with_privilege().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b18c2abae99563e411b0dd798e1c4a59e87c2ccc
Author: Jeremy Allison <jra at samba.org>
Date: Fri Dec 3 10:10:45 2021 -0800
s3: smbd: In filename_convert_internal(), remove call to check_name_with_privilege().
We now always pass NULL as struct smb_request *smbreq,
so this code path can never be taken.
Comment out check_name_with_privilege() as it's now
no longer used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 59b7101ac9ebc001f3ad9f03b5607e1db577e9e4
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 17:55:26 2021 -0800
s3: smbd: Remove filename_convert_with_privilege(). No longer used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 18a1cc632b4b799e0219554c8873024cb45f1b6a
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 17:51:42 2021 -0800
s3: smbd: In call_trans2findfirst() we don't need filename_convert_with_privilege() anymore.
It was extra-paranoid code now not needed as the new VFS
version of filename_convert() does the same job.
There are now no remaining callers of filename_convert_with_privilege().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit a3acb8698bb0f4fa00a0084ca66cd58b6561aa1a
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 9 16:51:45 2021 -0800
s3: smbd: Remove split_fname_dir_mask().
No longer used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit a325cb095527054a8b57a7ffe6c93052c6d2bd09
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 9 16:49:46 2021 -0800
s3: smbd: In rename_internals(), remove the name spliting and re-combining code.
filename_convert() handles mangled names just fine, so we don't
need to split the last component and check for mangle.
Now we don't take wildcard names this is not needed. This was the
last caller of split_fname_dir_mask(), so ifdef it out.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 449aa4153a65177eb15f8dcb77f4a6615d5690b3
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 9 16:47:13 2021 -0800
s3: smbd: check_name() is now static to filename.c
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 07df94ade1efaa4f261df672ebe6d460063338d6
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 9 16:45:13 2021 -0800
s3: smbd: In rename_internals_fsp(), remove unneeded call to check_name().
All callers have gone through filename_convert(), which has
already called check_name() on the destination.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d58b9094f7bffec7b59f30229c8ee925fdd7581a
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 9 16:35:17 2021 -0800
s3: smbd: Handling SMB_FILE_RENAME_INFORMATION, the destination name is a single component.
No errors should be allowed from filename_convert().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6db08012e999b59cc92ae0ba9ac864d4bf59694d
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 9 16:16:52 2021 -0800
s3: smbd: Remove the old unlink_internals() implementation.
No longer used. filename_convert() already handles mangled
names just fine, so we don't need this logic.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b2a0664d4c1a91e98e5b1c3b15480c157525280f
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 9 16:14:40 2021 -0800
s3: smbd: Comment out the old unlink_internals(). Rename do_unlink() -> unlink_internals().
One parameter needs changing position. The logic inside unlink_internals()
is no longer needed if it doesn't accept wildcards. filename_convert()
already handles mangled names just fine, so we don't need this logic.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e60360c4868190633debc6bc31b98af2b74ad7cd
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 9 16:11:20 2021 -0800
s3: smbd: Move to modern debug calls inside do_unlink().
We will be changing its name next.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 0333348239d422fe6a99aaaf4ac5cd9e32169e05
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 9 16:08:07 2021 -0800
s3: smbd: Move setting of dirtype if FILE_ATTRIBUTE_NORMAL to do_unlink().
Now we don't use wildcards when calling in unlink_internals()
the logic inside it serves no purpose and can be replaced with
a direct call to do_unlink() (which we will rename to unlink_internals()).
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f7e1a81cc05fdffb2c377bdc480e974a70f76bef
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 10 17:24:43 2021 +0100
s3:torture: Initialize pointer with NULL
source3/torture/torture.c:4309:17: error: ‘pname’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
4309 | printf("qfilename gave different name? [%s] [%s]\n",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4310 | fname, pname);
| ~~~~~~~~~~~~~
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Dec 11 00:25:46 UTC 2021 on sn-devel-184
commit ea2ec7ea5e891f662278dc0fae9f87b426196f2e
Author: Jeremy Allison <jra at samba.org>
Date: Thu Sep 30 16:05:49 2021 -0700
WHATSNEW. Added section about samba-dcerpcd.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Dec 10 14:52:54 UTC 2021 on sn-devel-184
commit 7b62fa967d02f771d4afa9eaeef2f6b2d9f6ccd0
Author: Volker Lendecke <vl at samba.org>
Date: Mon Sep 27 13:13:11 2021 +0200
dcesrv_core: Remove unused dcesrv_reinit_context()
This was only used in the prefork source3 rpc servers
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 730f7dfd615ed9997cdf2e7e418605b28826e310
Author: Volker Lendecke <vl at samba.org>
Date: Tue Jun 8 09:10:05 2021 +0200
s3:rpc_server: Delete unused code and doc references
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9e3ee8c40c012ef6febe1737d952a744b0b14861
Author: Volker Lendecke <vl at samba.org>
Date: Sun Nov 28 20:29:26 2021 +0100
printing: Remove "start_daemons" from printing_subsystem_init()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a7c65958a15149918415b7456d6f20ee8c9669d2
Author: Volker Lendecke <vl at samba.org>
Date: Fri Jun 18 19:11:19 2021 +0200
s3:rpc_server: Activate samba-dcerpcd
This is the big switch to use samba-dcerpcd for the RPC services in
source3/. It is a pretty big and unordered patch, but I don't see a
good way to split this up into more manageable pieces without
sacrificing bisectability even more. Probably I could cut out a few
small ones, but a major architechtural switch like this will always be
messy.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d522a8cce12043903ecf4f66835eb69367cdde17
Author: Volker Lendecke <vl at samba.org>
Date: Wed Apr 7 07:13:25 2021 +0000
s3:rpc_server: Add samba-dcerpcd helper programs
These are rpcd_* binaries.
rpcd_classic collects everything that's not specific
Changes the epmapper to read the epmdb.tdb, which will make the
epmapper tests non-bisectable until the switch is done.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3fb2fd49445eae8a075638d0ed18e2ca41696450
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jun 19 17:06:59 2021 +0200
s3:winbind: Close internal RPC pipes after 5 idle seconds
Even internal pipes have a small cost, external ones will block a
process from exiting soon.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a350a000f10ed3360fa0b1300893902db8e07231
Author: Volker Lendecke <vl at samba.org>
Date: Fri Jun 18 19:56:48 2021 +0200
s3:rpc_server: Make npa_state_init() public
Will be used later in client tools.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a0075a1fd0e2cc650997562d0980982b1f9d564f
Author: Volker Lendecke <vl at samba.org>
Date: Thu Jun 17 08:31:32 2021 +0200
unittest: Remove test_sambafs_srv_pipe
is_known_pipename() will be removed soon
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c2b8cf05c372c12658d6a65da7f37afce0f8655b
Author: Volker Lendecke <vl at samba.org>
Date: Wed Jun 16 08:31:56 2021 +0200
s3:printing: Move pcap_cache_loaded() to load.c
A future patch will remove the PRINTING dependency from smbd, but in
delete_and_reload_printers() we still reference it.
Maybe at some later stage we can remove reload_printers() overall, we
don't really need to load the full printer list into every smbd. All
we need is to load them on-demand for explicit listing functions, but
there we can throw them away again. And when someone connects to the
printer, we can also load them on demand.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3aee4c171c2fdb555c91f74d861d7977e4b91f06
Author: Volker Lendecke <vl at samba.org>
Date: Sun Feb 28 22:03:01 2021 +0100
smbcontrol: Add rpc-dump-status
Get status information out of samba-dcerpcd and its RPC helpers.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 188586dddde933ef9dfd8e732593982a1a65e540
Author: Volker Lendecke <vl at samba.org>
Date: Wed Apr 7 07:19:27 2021 +0000
s3:rpc_client: Add rpc_pipe_open_local_np()
Helper routine to connect to bind to a locally started rpcd_* process's
rpc interface.
Based upon local_np_connect() to start samba-dcerpcd on demand if it's
not there, designed to replace our internal RPC interfaces where the
RPC server runs in the same process. This will be called from winbindd_cm.c
and source3/rpc_server/rpc_ncacn_np.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d3e1ece1a451f9f91a2c2a4fc3169ac08c4758ba
Author: Volker Lendecke <vl at samba.org>
Date: Wed Apr 7 07:00:23 2021 +0000
s3:rpc_server: Implement the rpcd_* helper-end of the samba-dcerpc protocol
This is the generic code that becomes the
template that all rpcd_* instances that
serve DCERPC can use to provide services to samba-dcerpcd.
The external entry point is:
rpc_worker_main() which takes an argc/argv list
and two functions:
get_interfaces() - List all interfaces that this server provides
get_servers() - Provide the RPC server implementations
Each rpcd_* service needs only to provide
the implementations of get_interfaces() and get_servers()
and call rpc_worker_main() from their main() function
to provide services that can be connected to from samba-dcerpcd.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4d75f08fd22f1126a4fd616d8374de15305970b9
Author: Volker Lendecke <vl at samba.org>
Date: Wed Apr 7 07:07:50 2021 +0000
s3:rpc_client: Add local_np_connect()
This will be used for internal pipe connects. It starts samba_dcerpc
on demand if it's not there yet, so long as smb.conf [global]
has "rpc start on demand helpers = true" (the default setting).
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3ca7c640da0bd47bfa9899f0921404a42013d28d
Author: Volker Lendecke <vl at samba.org>
Date: Wed Jun 9 08:37:06 2021 +0200
s3:rpc_server: Add samba-dcerpcd
Central dispatcher for incoming RPC requests, supported by helpers
that implement RPC services.
Upon startup, it asks all helpers which interfaces and endpoints to
listen on so it doesn't interfere with the samba binary when we're
configured as an Active Directory Domain Controller, then samba-dcerpcd
opens the relevant sockets. Once clients connect, start required helpers
and tell them to shut down once idle for a while.
Can be started as a full standalone daemon without smbd involved or as
a helper daemon started on demand by smbd or winbind or other local
processes trying to connect to a named pipe based RPC service.
NB. To start as a standalone daemon the smb.conf [global] option
"rpc start on demand helpers = false" must be set.
By default "rpc start on demand helpers = true"
in order to allow upgrades without needing an smb.conf change.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 8ffeb18b9a1aac87d5bcec09744c7c90f64fbdbd
Author: Jeremy Allison <jra at samba.org>
Date: Mon Oct 4 14:39:03 2021 -0700
docs-xml: Add "rpc start on demand helpers", true by default.
If "true" allow smbd and winbindd to spawn samba-dcerpcd
as a named pipe helper. Allows upgrade without any change
to smb.conf. If samba-dcerpcd is run as a daemon this
must be set to "false".
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a697814eba925c0a1d7bea8210181adf370436be
Author: Volker Lendecke <vl at samba.org>
Date: Wed Jun 9 08:27:36 2021 +0200
idl: Define messages sent between samba-dcerpcd and rpcd's
MSG_RPC_DUMP_STATUS will be like pool-usage carrying a file descriptor to
report status to, the other two are described in rpc_host.idl.
NOALIGN on rpc_worker_status: This makes it easier to count bytes to
push into a static buffer.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit da90c02b16849038a8fce4f3ab824a41c43bfea9
Author: Volker Lendecke <vl at samba.org>
Date: Thu Jan 21 15:28:31 2021 +0100
dcesrv_core: Add dcesrv_loop_next_packet()
This is used by the helpers of samba-dcerpcd: When accepting a DCERPC
client, normally the server engine would read the initial bind
packet. In case of samba-dcerpcd the bind packet will already be read
from the socket, so we need to inject it into the rpc server engine
externally.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 95659031e4519e9c9222c51737fe177eb5a56a7c
Author: Volker Lendecke <vl at samba.org>
Date: Thu Mar 4 18:53:37 2021 +0100
backupkey.idl: Don't listen on \\pipe\ntsvcs
[MS-BKRP] says it SHOULD listen here. In the ad dc, this conflicts
with smbd's srv_ntsvcs_nt.c listening also on nt ntsvcs unix domain
socket. Because "samba" starts smbd after itself, smbd takes over the
socket anyway, backupkey can't have been reached over this transport.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3284ee9985d8cc0dd2086b03acee4937fefcd5e0
Author: Volker Lendecke <vl at samba.org>
Date: Tue Feb 2 15:10:38 2021 +0100
dcesrv_core: Add dcesrv_context_set_callbacks()
We'll need to set custom callbacks on source3's global_dcesrv_ctx,
which right now is deeply embedded. Once we have everything more
nicely layered, this can go again.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ebc3918f7d0704b8f08b6e7e3d50c7b0c50b9fc6
Author: Volker Lendecke <vl at samba.org>
Date: Thu Jul 8 09:48:07 2021 +0200
s3:rpc_client: Bump debug level for ncalrpc connect error
This does not have to go to syslog by default always, it might be just
a daemon not listening.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f83f7bd6bdd8c8e62446d67ec59c21db31c11ba8
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jun 13 07:48:01 2021 +0200
s3:rpc_server: Remove direct registry access from svcctl_init_winreg
Once we do registry access via a pipe into a different process, a
registry client won't be able to directly do registry transactions
anymore. In this case, I argue that doing this in a transactioned way
is overkill anyway. svcctl_init_winreg() just sets up some registry
keys, and if that leaves behind some stale entries if it fails
somewhere in the middle, it does not really matter because the only
one looking at these registry keys is the svcctl service, and that
only starts up if the init function was successfully run.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a60c7b4ff29bc59c0d5a42f14dbe0ae4dbe26192
Author: Volker Lendecke <vl at samba.org>
Date: Mon Jun 14 07:54:55 2021 +0200
s3:services: Disable rcinit-based service control code
This is a become_root user callout that I have never seen in use in
more than 20 years of Samba. Why disable now? In the next commit I
need to make a change to initializing the registry values for
services, the svcctl service won't be able to do registry transactions
anymore. I'm not sure that going without transactions is 100% safe in
all failure cases, so I decided to propose disabling the problematic
code that might lead to security issues.
One fix might be to add a lot more validation code to
_svcctl_OpenServiceW() to see whether the registry values underlying
the service are sane.
Yes, this is technical debt, but I would question that starting unix
daemons via DCERPC used at all out there.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit afd014245a95f97f2bf166dad74ca9e6a58fc83b
Author: Volker Lendecke <vl at samba.org>
Date: Wed Sep 1 12:04:43 2021 +0200
test: Prime the kpasswd server
I was getting this failure:
[102(815)/143 at 10m59s] samba4.blackbox.net_ads_dns(ad_member:local)(ad_member:local)
UNEXPECTED(failure): samba4.blackbox.net_ads_dns(ad_member:local).Adding an unprivileged user(ad_member:local)
REASON: Exception: Exception: Could not add user unprivuser. Error setting password Incorrect net address
My preliminary analysis shows that the KRB5KRB_AP_ERR_BADADDR error
message is triggered by the libkrb5 client code. I have not yet shown
this to happen with pure libkrb5, but my theory is the following:
k5_privsafe_check_addrs() fails under the following circumstances: The
kpasswd server is contacted on IPv4 and is slow to reply. After
waiting a bit, libkrb5 also tries to contact kpasswd on
IPv6. kpasswd_sendto_msg_callback() for the IPv6 request changes the
authentication context's local_addr to IPv6. Then the IPv4 request is
replied to, and then k5_privsafe_check_addrs() bails on the address
family in ac->local_addr (IPv6) vs the one received and via the IPv4
connection.
libkrb5's src/lib/krb5/os/changepw.c has this comment:
/*
* TBD: Does this tamper w/ the auth context in such a way
* to break us? Yes - provide 1 per conn-state / host...
*/
I think we're hit by this.
This patch hacks around the situation by priming the kpasswd server
without error checking. If the initial v4 request is quick enough
because the kpasswd server is already started up properly, everything
works flawlessly.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d5fa62639489a97407ac53fcedbded2246328407
Author: Volker Lendecke <vl at samba.org>
Date: Sun Nov 28 16:19:56 2021 +0100
rpc_server: Check info5->transport
Eventually, this new mechanism might replace the ncalrpc_as_system mechanism: I
think with this we're much more flexible and even more secure: We rely on the
direct permissions on "np/" and don't have to pretend that the local client
came from a file on /root. We are more flexible because with this mechanism we
can easily fake arbitrary tokens and play with session keys.
However, this would require that the source4 librpc code needs to learn about
this mechanism, which I was not able to complete.
The source3 rpc_server side of this will go away soon, so for now only
allow NCACN_NP there. The check in source4 will stay with us for a
while, so allow NCACN_NP and NCALRPC to be set remotely here. With
NCACN_NP (the case for a client to connect on a named pipe), protect
against accidentially connecting as system.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 00e41d198d2972dddf075f79747f257f81c8e3b8
Author: Volker Lendecke <vl at samba.org>
Date: Sun Nov 28 08:48:58 2021 +0100
librpc: Get transport out of tstream_npa_accept_existing_recv()
To be used by the RPC servers in the next commit
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit fa445f153180fee33291f0650437c1a72ccc9104
Author: Volker Lendecke <vl at samba.org>
Date: Sat Nov 27 16:42:00 2021 +0100
auth: Fix a typo in auth/gensec/ncalrpc.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 1bab76223cd1b87a96909a66143d02b8b6b5d5f6
Author: Volker Lendecke <vl at samba.org>
Date: Sat Nov 27 16:38:38 2021 +0100
librpc: Add named_pipe_auth_req_info5->transport
This will serve as a check to make sure that in particular a SAMR
client is really root. This is for example used in get_user_info_18()
handing out a machine password.
The unix domain sockets for NCACN_NP can only be contacted by root,
the "np\" subdirectory for those sockets is root/root 0700.
Connecting to such a socket is done in two situations: First, local
real root processes connecting and smbd on behalf of SMB clients
connecting to \\pipe\name, smbd does become_root() there. Via the
named_pipe_auth_req_info4 smbd hands over the SMB session information
that the RPC server blindly trusts. The session information (i.e. the
NT token) is heavily influenced by external sources like the KDC. It
is highly unlikely that we get a system token via SMB, but who knows,
this is information not fully controlled by smbd.
This is where this additional field in named_pipe_auth_req_info5 makes
a difference: This field is set to NCACN_NP by smbd's code, not
directly controlled by the clients. Other clients directly connecting
to a socket in "np\" is root anyway (only smbd can do become_root())
and can set this field to NCALRPC.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 530fb4fdfb32d38cc55ed57cc6157bf63df069a7
Author: Volker Lendecke <vl at samba.org>
Date: Wed Jun 9 06:09:37 2021 +0200
named_pipe_auth.idl: Add "need_idle_server"
Once RPC services are done by individual processes, we need to avoid
recursion between processes:
Any RPC server process will be able to serve multiple client requests
simultaneously, but each request is served in a single-threaded
blocking manner.
For example the netlogon RPC service needs to ask samr for
something. The netlogon->samr connection will initially be handled by
a central dispatcher assigning clients to processes. This dispatcher
needs to know that this connection can't end up in the same process
that originated the request.
With this flag an RPC client can request a samr server process that
exclusively serves its own requests and that will not serve anybody
else while serving netlogon.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d1934e2331f4e452dce8fa2ed2e32ea595dc5e97
Author: Volker Lendecke <vl at samba.org>
Date: Fri Nov 12 19:24:33 2021 +0100
named_pipe_auth: Bump info4 to info5
We'll add a field soon
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit bd98e040d4a4a24cc2be5bb9cfde5ebbe575ce52
Author: Jeremy Allison <jra at samba.org>
Date: Tue Dec 7 10:25:38 2021 -0800
Update WHATSNEW.txt with removal of wildcard copy, rename and unlink.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Dec 9 18:57:15 UTC 2021 on sn-devel-184
commit 4ac91bd065cee699cdb4daeff719d02464d75326
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:40:55 2021 -0800
s3: smbd: Remove 'const char *src_original_lcomp' from reply_mv().
No longer used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 5190a8bd8211f93b11409ae2ba5fbe365b1a8390
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:39:42 2021 -0800
s3: smbd: Remove 'const char *src_original_lcomp' parameter from rename_internals().
No longer used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7ac844ce92afe15354520dfcf0e090e6af5b951b
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:35:54 2021 -0800
s3: smbd: Inside rename_internals() remove '{ ... }' block around singleton rename code.
Best viewed with 'git show -b'
As we're touching the DEBUG() code, change it to modern DBG_NOTICE().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit fe92aaa962a61ac912b1cad4c7c6136785c11a9c
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:31:36 2021 -0800
s3: smbd: Remove the commented out resolve_wildcards().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ff722c0fdfb2ce7691ff67349edd96b3c6c19d2a
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:29:43 2021 -0800
s3: smbd: Remove all wildcard code from rename_internals().
We no longer use resolve_wildcards() so comment it out
for later removal. Keep the '{ ... }' block around the
singleton rename for now, to keep the diff small.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3cb5ef1c7985c6a9a92cc854f9b23e5cc8af7eb7
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:26:28 2021 -0800
s3: smbd: Remove dest_has_wild and all associated code from rename_internals()
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 885a982b9fde950e80862c481ee711a9e16403b2
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:25:03 2021 -0800
s3: smbd: Prepare to remove wildcard matching from rename_internals().
src_has_wild and dest_has_wild can never be true.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit de90620bec55e26535917a8bacd71b1f115e1733
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:17:51 2021 -0800
s3: smbd: In reply_ntrename() remove 'bool dest_has_wcard' and all uses.
It's always false now.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f44fc91505a4e021ebf2bdaffac9944cd2cf8a01
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:14:57 2021 -0800
s3: smbd: In reply_ntrename(), never set dest_has_wcard.
It can never be true.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e66148c8741175bfb2f117ce2ff3a3aa4bf23946
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:12:46 2021 -0800
s3: smbd: In reply_ntrename() remove the UCF_ALWAYS_ALLOW_WCARD_LCOMP flag for destination lookups.
We know the destination will never be a wildcard.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ff4bbb1279a383ae0965601d89a6fb41d3cdd9c4
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:08:13 2021 -0800
s3: smbd: In SMBntrename (0xa5) prevent wildcards in destination name.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f67f25bcf02d82f04742eef213235e0136d875ef
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 16:07:07 2021 -0800
s3: smbd: In smb_file_rename_information() (SMB_FILE_RENAME_INFORMATION info level) prevent destination wildcards.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 4cfe055ca7e5428cf2e616039ceb065708db3af2
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 13:56:31 2021 -0800
s3: smbd: Remove UCF_ALWAYS_ALLOW_WCARD_LCOMP flag from pathname processing in reply_mv().
We are no longer supporting wildcard rename via SMBmv (0x7)
as WindowsXP SMB1 and above do not use it.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 098d63a219c3db0406fecca853ea1798cf50cb1b
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 13:03:03 2021 -0800
s3: smbd: Remove 'bool has_wild' parameter from unlink_internals().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 42985702df0485208fc46117ea73622f1a9e4a26
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 12:53:29 2021 -0800
s3: smbd: Change unlink_internals() to ignore has_wild parameter.
It's always passed as false now so we can remove the (horrible)
enumeration code for unlink.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f46445cb6ae81d17a423da9ef0b2703ae755d191
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 12:31:44 2021 -0800
s3: smbd: In reply_unlink() remove the possibility of receiving a wildcard name.
This was the only user of "has_wild=true" passed to
unlink_internals().
Next commit will remove this functionality from unlink_internals().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7f61ff777b1dafb757794e256fb9d3a52dfb7e24
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 12:24:07 2021 -0800
s3: smbd: Remove support for SMBcopy SMB_COM_COPY (0x29)
It's not used in our client code or tested.
From MS-CIFS.
This command was introduced in the LAN Manager 1.0 dialect
It was rendered obsolete in the NT LAN Manager dialect.
This command was used to perform server-side file copies, but
is no longer used. Clients SHOULD
NOT send requests using this command code.
Servers receiving requests with this command code
SHOULD return STATUS_NOT_IMPLEMENTED (ERRDOS/ERRbadfunc).
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d2aae105c610e263f53eb502822d6de65bb7a733
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 12:18:35 2021 -0800
s3: torture: Remove the wildcard unlink test code.
This is pre WindowXP SMB1 functionality, and we
need to remove this from the server in order to
move towards SMB2-only, so the test must go.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit fb4e998346db1bbaa7c6be7edbba17b9b07f5765
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 13:22:39 2021 -0800
s4: torture: Remove the wildcard rename test code.
This is pre WindowXP SMB1 functionality, and we
need to remove this from the server in order to
move towards SMB2-only, so the test must go.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3c9a33ca3463ab010e24430a1743f4669c70a75f
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 12:05:20 2021 -0800
s4: torture: Remove the wildcard unlink test code.
This is pre WindowXP SMB1 functionality, and we
need to remove this from the server in order to
move towards SMB2-only, so the test must go.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ef1d9d31bc3bf620c549a1c609e2ce99ceacff43
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 14:10:41 2021 -0800
s3: torture: In run_smb1_wild_mangle_unlink_test() use a valid pathname for rename target.
The server will not be supporting wildcard rename soon.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 78ee275c7347440748995e94e0c064ac30e8b3c7
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 14:21:47 2021 -0800
s3: torture: In torture_mangle(), use torture_deltree() for setup and cleanup.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6cb9f127e1fcec2cef42eafa92d085e5fdfe0230
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 14:20:07 2021 -0800
s3: torture: In test_mask(), use torture_deltree() for setup.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 9398655cfddb2f4a3f2c8243b6c0f48f36bad14f
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 14:18:56 2021 -0800
s3: torture: In run_streamerror(), use torture_deltree() for setup.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 5a802ae2d314e3a8558894f516f61ecf85a256aa
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 14:16:38 2021 -0800
s3: torture: In torture_chkpath_test(), use torture_deltree() for setup and cleanup.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1eeabbf8401b576b96723dd714d6993b096f6ed3
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 14:14:53 2021 -0800
s3: torture: In torture_casetable(), use torture_deltree() for setup and cleanup.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 498b3d923cd74b1190f4ab7dcaa9f9b04ddba6fd
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 14:13:41 2021 -0800
s3: torture: In torture_utable(), use torture_deltree() for setup.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7ffc03d5e7d517957fcf4fe26d7ba423ef02a306
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 13:51:12 2021 -0800
s3: torture: In run_smb1_wild_mangle_rename_test() use torture_deltree() for setup and cleanup.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3a73178fe48efd0f98da49547941dd0ac052f715
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 12:51:54 2021 -0800
s3: torture: In run_smb1_wild_mangle_unlink_test() use torture_deltree() for setup and cleanup.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit a0bfb37b4beb74bdb3f95e491efcd1806069a154
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 13:47:07 2021 -0800
s3: torture: Add torture_deltree() for setup and teardown.
Not yet used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 770d8375fca47fa2312d25ae4deb52b6b2346aff
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 14:23:10 2021 -0800
s4: libcli: smbcli_unlink() is no longer used with wildcard patterns.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3a42b35136437b8bbb2f1473ecb2dfdee13bbbb9
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 18:08:32 2021 -0800
s4: torture: Use smbcli_unlink_wcard() to setup and cleanup in masktest.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 367dc3cb59793babc393e842c610b45b42016454
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 18:03:57 2021 -0800
s4: torture: Use smbcli_unlink_wcard() in base.casetable test.
Avoid smbcli_unlink() calls with a wildcard path.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c697ad1e389ab8c282b44961c6fa224e45759d30
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 17:58:58 2021 -0800
s4: torture: Use smbcli_unlink_wcard() to cleanup in base.mangle test.
Avoid using smbcli_unlink() calls with wildcard names.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 781028949318d808836738c8f8067c718aa24a6f
Author: Jeremy Allison <jra at samba.org>
Date: Wed Dec 1 17:52:37 2021 -0800
s4: torture: Use smbcli_unlink_wcard() to remove wildcards in base.chkpath test.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 35d8b1466551ebe78346265899f130b1c60ae098
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 12:08:49 2021 -0800
s4: torture: In raw.notify test use smbcli_unlink_wcard() in place of smbcli_unlink().
We know we have a wildcard mask here.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 5b7ff5a9d0028d1ea8d22f88c410e73557f214e2
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 12:10:14 2021 -0800
s4: libcli: In smbcli_deltree() use smbcli_unlink_wcard() in place of smbcli_unlink().
We know we have a wildcard mask here.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3d0857c9ec2c99636a44da927b6ccbb8eff9a9de
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 2 12:05:51 2021 -0800
s4: libcli: Add smbcli_unlink_wcard().
We will use this in place of smbcli_unlink() when we
know we are using a wildcard pattern. If can be used
to generally replace smbcli_unlink() as it calls down
to smbcli_unlink() is no wildcard is detected.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e2b7a2f78117e20739aa4f895ce68825e160d451
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Dec 8 15:30:02 2021 +1300
s4-auth: Remove unused headers
These changes were submitted in a patch by
Stefan Metzmacher <metze at samba.org> in his lorikeet-heimdal
import branch of patches to upgrade to a modern Heimdal.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Dec 9 14:14:12 UTC 2021 on sn-devel-184
commit 1bacf26d30adc89348786bff7b9e2fe6d6f43856
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 3 15:29:32 2020 +0200
auth/credentials: Fix cli_credentials_shallow_ccache error case
Avoid dangling values if something fails...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit ce293eb861b2fc6c7a88cf67664c91735bf49d44
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 3 15:27:45 2020 +0200
auth/credentials: Handle ENOENT when obtaining ccache lifetime
The new Heimdal may return ENOENT instead of KRB5_CC_END.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 102ad9ee6a037e2aa6296d0dfbf17f3e4175a581
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 26 15:10:12 2017 +1300
librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal
This is needed to ensure Heimdal does not attempt to use nss to canonicalize the name.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Dec 9 07:42:38 UTC 2021 on sn-devel-184
commit cd5a5f590ff21587a45405977ab6bef9ff3c2db6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Dec 7 16:04:08 2021 +1300
build: Add missing dependency on addns
This becomes noticed when we upgrade Heimdal as we do not find
the correct gssapi headers any more.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b948aeac5398693e0c8c70cbff531965ed7ecd23
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Dec 8 16:42:32 2021 +1300
hdb: Initialise HDB structure
Additional fields may be added to this structure without us explicitly
initialising them. This could cause Heimdal to crash upon reading
garbage data, so we should zero-initialise the structure.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Dec 9 02:47:27 UTC 2021 on sn-devel-184
commit 221569a14c8ecd529eae5c8c021cffe65324afec
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 6 14:54:31 2021 +1300
tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors
A skew error means the client just tried using PADATA-ENC-TIMESTAMP or
PADATA-ENCRYPTED-CHALLENGE, so it might not be necessary to announce
them in that case.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Dec 7 08:32:42 UTC 2021 on sn-devel-184
commit 9844a331864ff44645d15e946707fe5278f97ae6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 6 13:06:52 2021 +1300
tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d5cb6a1449db10f2ab287798704c035f793f584c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 17 20:17:27 2021 +1300
tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f03f304deb30522ed5bdc0875cf3b5233ef6ddc5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 17 20:16:32 2021 +1300
tests/krb5: Adjust unknown critical FAST option test
Heimdal does not check FAST options when no preauth data is supplied, so
the original test could not pass against Heimdal.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7d14aedd3dc904d4341d06c8b38d6e94e780ea71
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 17 20:15:12 2021 +1300
tests/krb5: Add test for FAST with invalid ticket checksum
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit aa38476d89d4a41bef63f3814dd921c4dd4e103f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 17 20:14:50 2021 +1300
tests/krb5: Remove magic flag constants
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 45d81d56abeb5dbc63471ef45bf6473d3ebf5189
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 7 10:59:27 2021 +1300
tests/krb5: Allow additional unexpected padata types
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6bf3610c5dc729cf1dd0b6b63d85e512c25e99c3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 7 15:45:06 2021 +1300
tests/krb5: Make edata checking less strict
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dfe6ef6f3ec61a99e4f067d26dc1abae5adf5cce
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 18 13:44:32 2021 +1300
tests/krb5: Add tests for FAST with use-session-key flag and armor ticket
This flag should be ignored and the FAST armor key used instead.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9c050a4a03a8bb1dd8b25a1e800942ce1da68710
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 16 19:56:24 2021 +1300
tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1eb1049d2bdd44af95da820b3dcb5ccd94e4c231
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 16 19:55:44 2021 +1300
tests/krb5: Don't request renewable tickets
This is not necessary for testing FAST, and was causing some of the
tests to fail.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f8e55b3670c221e5d880c79d0def7be82819e435
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 16 19:55:17 2021 +1300
tests/krb5: Adjust expected error codes for FAST tests
This allows more of the tests to pass.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8bd7b316bd61ef35f6e0baa0b65f0ef00910112c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 7 13:15:38 2021 +1300
kdc: Canonicalize realm for enterprise principals
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Dec 7 04:54:35 UTC 2021 on sn-devel-184
commit dc2222eee8f62ace1b7a67401d502d2b3c4a1e17
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Dec 7 11:30:10 2021 +1300
heimdal_build: Do not build samba4kinit unless building embedded Heimdal
We should not attempt to build local copies of Heimdal utilities against
a system krb5 library.
Inspired by a WIP commit by Stefan Metzmacher <metze at samba.org> in his
lorikeet-heimdal import branch of patches to upgrade to a modern Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit a0d75b1cce4b97e1d6b78ba2b7adf96988d55608
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 6 12:26:44 2021 +1200
lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators
This provides the defines that may be needed to use the
compiler-provided atomics, rather than a fallback.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 2701293f48a9e4014f9ba1e925d458fe25865bfb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 3 11:58:53 2021 +1300
s4:torture: Remove pre-send and post-receive callbacks
The client-side testing done by these callbacks is no longer needed, and
the server-side testing is covered by Python-based tests. Removing these
leaves us with a more manageable test of the Kerberos API.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7eb1e1cc9498c761c9fcd2bd839e1e2c28a365df
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 3 11:58:40 2021 +1300
s4:torture: Remove test combination with enterprise principal without canonicalize flag
This test combination is not needed. Removing it allows us to avoid
modifying requests prior to sending them, which can cause problems with
an upgraded Heimdal version.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Dec 6 22:57:54 UTC 2021 on sn-devel-184
commit 23ec41fd13f3ccae6b494682901f084d34538bec
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 3 11:57:49 2021 +1300
s4:torture: Remove AS_REQ_SELF test stage
This behaviour is already covered by existing Python tests. This test
stage also modifies the request prior to sending it, which can cause
problems with an upgraded Heimdal version.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f8b17214d06ad9f1321a1d57f6e9bfe7b8899bf6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 30 09:42:00 2021 +1300
tests/krb5: Add tests for enterprise principals with canonicalization
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 860065a3c99475e43f68330f7349cb317bc5b009
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 16:22:58 2021 +1300
tests/krb5: Add tests for AS-REQ with an SPN
Using a SPN should only be permitted if it is also a UPN, and is not an
enterprise principal.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 31900a0a58283868798dcb90ed43519b39559c2c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 3 13:13:29 2021 +1300
tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ff6d325e38d83b689da47c1b059f3ed865ffa7c2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 16:16:52 2021 +1300
tests/krb5: Check ticket cname for Heimdal
This is currently not checked in several places due to STRICT_CHECKING
being set to 0.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3fc9dc2395ebc292087ae050bd721747e851056d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 2 16:51:26 2021 +1300
tests/krb5: Check logon name in PAC for canonicalization tests
This allows us to ensure that the correct name makes it through to the
PAC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 10983779bc5d50cdb69b64656cbc56f0250e3f23
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 2 16:50:55 2021 +1300
tests/krb5: Only create testing accounts once per test run
This decreases the time that the tests take to run.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8036aa12766840e019f28e914a30769f71444ba9
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:01:40 2021 +0100
waf:mitkrb5: Always define lib so we get the header include path
If you have libkrb5 in a non-standard include path, we would not check the
latest version but search default paths (e.g. /usr/include) first.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 238e4c86ca70174e88f11ab876965f9aba866e0d
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 3 08:49:24 2021 +0100
waf:mitkrb5: Fix MIT KRB5 detection if not in default system location
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 61404faf7671f87359cf7c701ac6e159e7f2c7f9
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 3 09:13:52 2021 +0100
waf:mitkrb5: Detect com_err with pkgconfig first
It is needed as a dependency later!
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 61ce2899791dc9a078b1af4ee62ab29436fe95dc
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:00:33 2021 +0100
wafsamba: Pass lib to CHECK_DECLS()
This is needed if you have headers in non-standard include paths.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 18788e174edbc0c852eccf7eadb76c1a421778f5
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:17:35 2021 +0100
s3:waf: Fix dependendies for libads
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 93619962020968bbfe7967f88b8814cff3ce5510
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:13:58 2021 +0100
s4:waf: Fix dependencies for TORTURE_UTIL
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8393adaa5ad8e4b9ba9b2a155514e09f16298ca8
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:08:54 2021 +0100
s3:param: Only include smb_ldap.h for LDAP_* defines
There is no need for ads.h which would pull in krb5.h and much more ...
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3bfdbc1e93bdad91e7498ba2601e1527bc1982f0
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:08:37 2021 +0100
s3:param: Remove trailing spaces in loadparm.c
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 528e5efc17ddc3393c04b7add9c51303d5ff9336
Author: David Mulder <dmulder at suse.com>
Date: Tue Nov 23 08:59:01 2021 -0700
samba-tool: Test DNS record creation on member join
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5e31e8f15bf0dea1de4f09d270f6bed1a71fb875
Author: David Mulder <dmulder at suse.com>
Date: Fri Nov 5 14:43:18 2021 -0600
samba-tool: Create DNS entries on member join
The net ads join command already handles this,
and the call was missing from the python bindings
for samba-tool domain join member.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 05c09e8cfa09d22b31b7da6b461413dfb807984a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 2 13:25:07 2021 +1300
heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed.
This will otherwise break the system-heimdal build.
This is correct regardless.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Dec 6 21:48:30 UTC 2021 on sn-devel-184
commit 98cb41cb35dfacbd5c6acfb13a0ac555b474da08
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 2 11:47:35 2021 +1300
build: Remove kdc_include except where needed
This include was being set on too many subsystems, including some MIT-related.
This was a problem because it would then trigger the mixing of MIT and Heimdal
krb5.h files. It is now only set on the plugins and services that use the
embedded Heimdal KDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 209a33670fab5dd7373444ae1ce76dbb5dfa0058
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 2 11:33:02 2021 +1300
build: Only use embedded Heimdal include paths in an embedded Heimdal build
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit d6380560f871a0097366b26382d2ac22b60bc48e
Author: Ralph Boehme <slow at samba.org>
Date: Mon Dec 6 15:16:36 2021 +0100
docs: fix documentation for default of "fruit:zero_file_id"
This got changed by 6e65c283120e3e627f0d8570601263f904529996 without updating
the manpage.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14926
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Dec 6 18:24:24 UTC 2021 on sn-devel-184
commit dab828f63c0a6bf0bb96920fd36383f6cbe43179
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Nov 17 20:17:53 2021 +0000
pytest/source_char: check for mixed direction text
As pointed out in https://lwn.net/Articles/875964, forbidding bidi
marker characters is not always going to be enough to avoid
right-to-left vs left-to-right confusion. Consider this:
$ python -c's = "b = x # 2 * n * m"; print(s); print(s.replace("x", "א").replace("n", "ח"))'
b = x # 2 * n * m
b = א # 2 * ח * m
Those two lines are semantically the same, with the Hebrew letters
"א" and "ח" replacing "x" and "n". But they look like they mean
different things.
It is not enough to say we only allow these scripts (or indeed
non-ascii) in strings and comments, as demonstrated in this example:
$ python -c's = "b = \"x#\" # n"; print(s); print(s.replace("x", "א").replace("n", "ח"))'
b = "x#" # n
b = "א#" # ח
where the second line is visually disordered but looks valid. Any series
of neutral characters between teo RTL characters will be reversed (and
possibly mirrored).
In practice this affects one file, which is a text file for testing
unicode normalisation.
I think, for the reasons shown above, we are unlikely to see legitimate
RTL code outside perhaps of documentation files — but if we do, we can
add those files to the allow-list.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Dec 3 18:53:43 UTC 2021 on sn-devel-184
commit 0f7e58b0e29778711d3385adbba957c175c3bdef
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Dec 1 10:20:48 2021 +1300
samba-tool domain backup: backup but do not follow symlinks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 697abc15ea50e9069eb483fdd734588281bae123
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Nov 25 09:26:54 2021 +1300
samba-tool domain backup: cope better with dangling symlinks
Our previous behaviour was to try to os.stat() the non-existent
target.
The new code greatly improves efficiency for this little task.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5e3df5f9ee64a80898f73585b19113354f463c44
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 26 11:59:45 2021 +0100
smbd: s3-dsgetdcname: handle num_ips == 0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184
commit 1e61de8306604a0d3858342df8a1d2412d8d418b
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 26 10:57:17 2021 +0100
CVE-2020-25717: s3-auth: fix MIT Realm regression
This looks like a regression introduced by the recent security fixes. This
commit should hopefully fixes it.
As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identical, but it might work in the standalone server case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit f621317e3b25a8925ab6e448068264488a0a47c7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Nov 12 12:44:44 2021 +1300
dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d1ea9c5aaba42447f25a15935a9bf5bbd20f7d93
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 18 13:46:26 2021 +0100
libcli:auth: Allow to connect to netlogon server offering only AES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184
commit 6bf3a39b11832ad2feb655e29da84f8b5aac298e
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 18 11:52:18 2021 +0100
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 62aa769667464451cda672fc073e52a8e52ae4c1
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 18 11:47:26 2021 +0100
s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c7ead1292852da371ff53fcdbd7ebd4bc1c08fbd
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 18 11:43:08 2021 +0100
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit be1520d2058a9430cf370f6fefd07bbddf3fbfe0
Author: Andreas Schneider <asn at samba.org>
Date: Wed Nov 24 13:21:28 2021 +0100
s3:libsmb: Remove trailing white spaces from passchange.c
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit bb3e0ce8fc932f5146044c548730f454a0119800
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 18 11:31:00 2021 +0100
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 34c57ebee04bb770174fab31edd9bfe2f88a84eb
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 18 11:38:42 2021 +0100
s3:libnet: Remove tailing whitespaces in libnet_join.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 33eb7a1bc9c21463dc699d6daaa6a1e19f668268
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 18 11:32:42 2021 +0100
s3:rpcclient: Remove trailing white spaces in rpcclient.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 016429acaf76bde53bd4ab81b48be23c2bcc28e3
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 18 11:18:59 2021 +0100
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b3bf5bbaf81de369c8f9415d903816a2d7424ffc
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 18 11:14:16 2021 +0100
s3:rpc_client: Remove trailing white spaces from cli_pipe.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 492fd5b00fe9d62f53b96e3a7588a7f2848a571d
Author: Andreas Schneider <asn at samba.org>
Date: Wed Nov 17 11:46:04 2021 +0100
testprogs: Add rpcclient schannel tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f4d0bb164f028da46eab766135bb38175c117deb
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 15 19:29:40 2021 +0200
smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO
We should not fail this just because the user doesn't have
permissions on the share root.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Dec 1 11:51:50 UTC 2021 on sn-devel-184
commit 629d161b8f579bc24acfaf3fe02612a5237345b4
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 29 19:56:20 2021 +0100
s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO should work on noperm share
Demonstrate that smbd fails FSCTL_QUERY_NETWORK_INTERFACE_INFO
only because the user doesn't have permissions on the share root.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1744dd8c5bc342a74e397951506468636275fe45
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 15 20:27:12 2021 +0200
smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids
smbd_smb2_request_process_ioctl() already detailed checks for file_ids,
which not reached before.
.allow_invalid_fileid = true was only used for SMB2_OP_IOCTL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit fb33f145ff598b03a08098b7f12f3c53491f6c04
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 29 19:56:20 2021 +0100
s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO gives INVALID_PARAMETER with invalid file ids
An invalid file id for FSCTL_QUERY_NETWORK_INTERFACE_INFO gives
INVALID_PARAMETER instead of FILE_CLOSED.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit aab540503434817cc6b2de1d9c507f9d0b3ad980
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 15 20:26:58 2021 +0200
smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()
We should not send more data than the client requested.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b3212b359edb78d4c60fed377fa18478c8e75d9a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 29 19:44:12 2021 +0100
s4:torture/smb2: test FSCTL_QUERY_NETWORK_INTERFACE_INFO with BUFFER_TOO_SMALL
It seems that we currently don't have BUFFER_TOO_SMALL handling
for FSCTL/IOCTL calls.
FSCTL_QUERY_NETWORK_INTERFACE_INFO is just an easy example
to demonstrate it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c850ce96fd32ea91d8a31223bb09dd5b8b98d99e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Aug 16 17:28:05 2021 +0200
smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO
We should not fail this just because the user doesn't have permissions
on the share root.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit bd3ba3c96e6ba811afd5898ff5470188557a6e33
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 15 17:25:53 2021 +0200
smb2_server: decouple IOCTL check from signing/encryption states
There's no reason to handle FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT
differently if signing/encryption is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1cd948d8520fd41a4e2f0cc6ee787c1e20211e33
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 15 17:22:39 2021 +0200
smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 735fc34682c541056fd912d07c69f299f961983c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 15 18:31:06 2021 +0200
s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE
Demonstrate that smbd fails FSCTL_VALIDATE_NEGOTIATE_INFO
only because the user doesn't have permissions on the share root.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 04a79139a42cfd1b607317dec041618cbf629584
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Sep 16 10:51:43 2021 +0200
libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*
This will be used in tests in order to separate the tcon from
validate_negotiate_info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 0991946ab2e64cb9aa3ed9f177e5a545c82c7b3d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 20 16:24:28 2018 +1300
heimdal_build: Remove memset_s from roken, already in libreplace
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Nov 30 19:18:59 UTC 2021 on sn-devel-184
commit d6a1a849a2aec1172ead1b85482b4cea37cd10bd
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Sep 29 10:22:20 2017 +1300
heimdal_build: Use HAVE___ATTRIBUTE__ for unused, noreturn and unused_result
[abartlet at samba.org Squashed with TODO commit from Gary that provided
HEIMDAL_UNUSED_ATTRIBUTE etc]
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6f7b555dad96f9d36cb48d46b232a74f18ce2eb7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Nov 24 11:49:37 2021 +1300
heimdal_build: Do not list hx509 files twice
This makes maintaining the file lists easier.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 93de0f017fddbd84e1356c7bdc5c43ab7456422e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jul 7 15:23:17 2021 +1200
Allow overflow in lib/hx509.c and lib/gssapi/mech/gss_inquire_cred.c
This is in preperation for the Heimdal upgrade (which otherwise
can be compiled with stricter flags).
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit de18c9bf4108dd4f838a4711eda0ed2a59f6ff09
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 6 12:26:17 2021 +1200
heimdal_build: Allow errors integer overflow errors in gen.c (only)
This is in preperation for the Heimdal upgrade.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 75e1000d280a1310d64c9bfffe55f7b67b402463
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 30 17:03:06 2021 +0100
heimdal_build: consistently pass extra_cflags=cflags to HEIMDAL_CFLAGS()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ccfefe289093457587009e1862e1ed8591495aac
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 27 13:06:00 2021 +0200
s4:samba: split out a samba_service_init() helper function
The loading function should be in the same SAMBA_LIBRARY()
as the modules.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Nov 30 16:44:57 UTC 2021 on sn-devel-184
commit 5d295e41af4e9316aee1b4cf1c3087663b7c06a4
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 27 13:10:41 2021 +0200
vfs_not_implemented: mark all functions with _PUBLIC_
These functions are used directly by other modules.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6745968a15497c88646c1213ec6a8b198e624abb
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Aug 23 12:56:15 2021 +0000
script/autobuild.py: make sure nss, pam and krb5 plugins don't provide unexpected symbols
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4862a8ff2f02cf7c735d666520846f6a0d63c6b0
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Aug 23 12:56:15 2021 +0000
script/autobuild.py: make sure nss and pam plugins don't link any samba libraries
Note that we exclude libtalloc.so.2 in pam_winbind.so as that simulates
a system libtalloc.so.2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 66e90b7391bd404580f3919c4f2b8625c9c89c0e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 1 12:08:16 2021 +0200
nsswitch: reduce dependecies to private libraries and link static/builtin if possible
Over the last month I got more and more reports,
that it's not possible to use a custom Samba version
on systems with sssd being installed, which depends on some
specific samba libraries installed in the system.
One major problem is that the custom libnss_winbind.so.2
depends on the libreplace-samba4.so of the custom build
and also injects an RPATH into the running process.
When sssd uses any nss library call it will get this,
when it then tries to load some of its plugins via dlopen(),
e.g.
ldd /usr/lib64/sssd/libsss_ad.so| grep samba
libsamba-util.so.0 => /lib64/libsamba-util.so.0
libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so
libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so
libsamba-errors.so.1 => /lib64/libsamba-errors.so.1
libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so
libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so
libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so
libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so
libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so
libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so
When that loads dlopen() will fail as a soname libreplace-samba4.so is
already loaded, but the symbol version within the other one don't match, as the
contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3.
This is just an example and similar things can happen in all situations
where we provide libraries, which are potentially injected into every
process of the running system. These should only depend on libc.so and
related basic system libraries in order to avoid the problem.
We have the following libraries, which are in the that category:
- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
- async_dns_krb5_locator.so
The rules of library loading are really complex and symbol versioning
is not enough to solve it, only the combination of unique soname and
unique symbol version suffix seem to solve the problem, but injecting
an RPATH is still a problem.
In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM()
definitions with 'hide_symbols=True' in order to do some static linking
of selected components, e.g.
bld.SAMBA_SUBSYSTEM('replace-hidden',
source=REPLACE_SOURCE,
group='base_libraries',
hide_symbols=True,
deps='dl attr' + extra_libs)
It's relatively simple to get to the point where the following are
completely static:
- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
But 'async_dns_krb5_locator.so' links in almost everything!
It seems we install the krb5 plugins into our own $MODULESDIR/krb5/,
so it may not be so critical, as long it's the admin who created
the desired symlinks into the location the kerberos libraries search
for plugins. Note the at least the locator plugins are always loaded
without any configuration, every .so in a special path are loaded with dlopen().
This is done by every application using kerberos, so we load a lot of samba libraries
into them.
Packagers should not put async_dns_krb5_locator.so (nor a symlink) into
the path that's reachable by libkrb5.so.
As a longterm solution we may want to change async_dns_krb5_locator.so
to use a helper process with posix_spawn() instead of doing everything
within the process.
Note I added hiden_symbols=True to the nss modules for Linux and
FreeBSD only, because these are the only platforms I'm able to test
on. We most likely should do the same on other platforms, but some
with access to the platform should provide a tested patch.
In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with
'-hidden', I added the 'provide_builtin_linking=True' option,
as the logic is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.
SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal depedency by other subsystems and libraries.
While being there it was easy enough to make libwbclient.so
also standalone without dependecies to other samba libraries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 05ca7b9809d7329aea93fc8f1b8b2e54703f1dbd
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 18:03:14 2021 +0200
lib/replace: use dlsym(RTLD_DEFAULT,) for {nss,nss_host,uid,socket}_wrapper_enabled()
We should not provide the symbols ourself instead we should just check
if they are already available when we want to check the result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 62d05a81087029d93ba0cf81c11e5b244d788aef
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 12 14:30:09 2021 +0200
nsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_
Some private functions from wbclient_internal.h already
leaked into the ABI. With hide_symbols=True we make sure
this doesn't happen again.
Having wbcRequestResponse[Priv]() as part of the ABI helps us
in order to hide winbindd_[priv_]request_response() soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit fa98a44cb4d94c6a290deb931b260e411364314d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 1 12:08:16 2021 +0200
nsswitch: explicitly mark nss_module_register() _PUBLIC_ on FreeBSD
This is the only symbol which is used via dlopen()/dlsym() and
needs to be exported, in future we'll do hide all other symbols.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 419ca68de0c9ed02612e64717963d133833061e7
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 1 12:08:16 2021 +0200
nsswitch: explicitly mark NSS_STATUS _nss_winbind_* symbols as _PUBLIC_ on Linux
The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll do hide all other symbols.
On other platforms, which are implemented as wrappers above the
Linux implementation, we mark the symbols as _PRIVATE_
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3f9948bd6dc16e7cf488277fab6837f545e94432
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 1 12:08:16 2021 +0200
nsswitch: explicitly mark PAM_EXTERN pam_sm_* symbols as _PUBLIC_
The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll do hide all other symbols.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a663c9648f14294d7e02f30ee1a9a53b1a404279
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 1 12:08:16 2021 +0200
nsswitch: explicitly mark magic krb5 plugin symbols as _PUBLIC_
The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll do hide all other symbols.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 9615395b1fdaa4509a9739bada93c3bb72903b2c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 22 17:59:48 2021 +0100
nsswitch/wbinfo: use wbcRequestResponse() instead of winbindd_request_response()
We should try to route everything through libwbclient.so, because we'll
soon don't have a single library providing winbindd_request_response().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 41108b9ed9f32ca9ad1b3d4a48a91a6f22c65db6
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 22 18:11:27 2021 +0100
nsswitch: move winbindd_free_response() as inline function to winbind_struct_protocol.h
nsswitch/wb_common.c will be made completely internal soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f3c5980f76f30c65378623e4f5b25e73d4ace25b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 22 17:59:48 2021 +0100
s4:torture/winbind: use wbcRequestResponse() instead of winbindd_request_response()
We should try to route everything through libwbclient.so, because we'll
soon don't have a single library providing winbindd_request_response().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ac8977d1e760824d9f170455899e53aa555f807e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 22 17:59:48 2021 +0100
s3:ntlm_auth: use wbcRequestResponse[Priv]() instead of winbindd_request_response()
We should try to route everything through libwbclient.so, because we'll
soon don't have a single library providing winbindd_request_response().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 35446c27f8ef3532d2440d4e86774e13065e86c4
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 26 01:39:40 2021 +0100
s3:utils: remove notify_msg.c from smbstatus sources
This is not needed for smbstatus and the symbols are also available
via 'smbd_base', which already contains notify_msg.c.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 600ebefa5af806f376abda722fb492895f0603ac
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 4 18:03:13 2021 +0200
libwbclient: fix strict-overflow warning in wbcSidToString()
../../nsswitch/libwbclient/wbc_sid.c:83:5: error: assuming signed overflow does not occur when simplifying conditional [-Werror=strict-overflow]
if (len+1 > sizeof(buf)) {
^
Even this would fail:
../../nsswitch/libwbclient/wbc_sid.c:83:5: error: assuming signed overflow does not occur when simplifying conditional [-Werror=strict-overflow]
if (len >= sizeof(buf)) {
^
Note that this only seems to happen with gcc 7 and when -O3 and
-fvisibility=hidden are used together. E.g. in the opensuse151-samba-o3
builds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c461b906ca5940bcf69901f973b5698e3ef75063
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 18 17:55:25 2021 +0200
heimdal_build: let HEIMDAL_LIBRARY() use SAMBA_LIBRARY()
This simplifies a lot and makes sure we always use the
same rules for private libraries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6c64f3cee832c9f48b3cc058d3de31561524997a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 18 15:47:33 2021 +0200
heimdal_build: avoid using hardcoded vnum values passed to HEIMDAL_LIBRARY()
For private libraries we don't want versioned sonames,
it's also pointless to use the upstream heimdal vnum values
for our private libraries as the soname is different anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e35f23195f921f48b78dfe9cc1d0f85194697ece
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 18 15:47:33 2021 +0200
heimdal_build: remove unused cflags argument of HEIMDAL_LIBRARY()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f168f548784e643335cf0351a5f506dbc087f65f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 18 17:34:09 2021 +0200
wafsamba: allow SAMBA_LIBRARY() to get and use original 'version-script.map' for private libraries
We'll soon use this for the internal Heimdal build and take the raw
version-script.map files in order to create our own .vscript file
with our private version suffix.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 38d37d4a53285f08ce805f28b0659456c197f023
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 20 23:05:57 2021 +0200
wafsamba: introduce SAMBA[3]_PLUGIN()
This will be used to define plugins we provide to be used
via dbopen/dlsym to external consumers.
SAMBA_PLUGIN() is used instead of SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal depedency by other subsystems and libraries.
With require_builtin_deps=True we make sure that only
symbols explicitly marked with _PUBLIC_ are exported
and we only link to system libraries and include all
internal depedencies as builtin subsystems.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 70da83a8ca7fdb2d1bcd8601a1a0111d39469000
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 19 17:31:24 2021 +0200
wafsamba: introduce require_builtin_deps/provide_builtin_linking/builtin_cflags to SAMBA_{SUBSYSTEM,LIBRARY}
The 'provide_builtin_linking=True' option that allows wscript files
to specify that a SAMBA_{SUBSYSTEM,LIBRARY} will also create a
builtin version of them in addition.
The logic behind this is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.
This avoids the need for manual definitions of SAMBA_SUBSYSTEMS() with
like this:
bld.SAMBA_SUBSYSTEM('replace-hidden',
source=REPLACE_SOURCE,
group='base_libraries',
hide_symbols=True,
deps='dl attr' + extra_libs)
The builtin version will also make sure that it will include all
dependecies (of internal code) also in the builtin variant.
Note that this is also possible if the dependency also
provided 'provide_builtin_linking=True' in order to limit
the scope.
We now imply '-D_PUBLIC_=_PRIVATE_' and 'hide_symbols=True' for
builtin libraries and subsystems in order to avoid exporting
the symbols of them.
With 'require_builtin_deps=True' a library can specify that it
is only able to use libraries/subsystems marked with
provide_builtin_linking=True. As a result it won't
link against any other SAMBA_LIBRARY() dependency,
but link in everything internal. Only system libraries
still get linked dynamically.
Use 'git show -w' to see a reduced diff.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 38ef29bc219afcd608a1c87f8aae99cebe79b665
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 20 16:25:02 2021 +0200
wafsamba: let reduce_objects() not remove duplicates of BUILTINS even if there are more than one
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 295e5270f60296feb4e9bbb57ae3b3f58f2d3258
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 20 12:27:17 2021 +0000
wafsamba: add SAMBA_SUBSYSTEM(force_empty=False)
We will need to define empty subsystems without any dependency.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3aff74e29ed3bb99fd7b9a510001e7046b86c8fa
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 18 17:20:12 2021 +0200
wafsamba: assert for *.sigs source files in abi_build_vscript()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 33e6949dda83996550d126d7de09a13691ff35cc
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 1 15:29:46 2021 +0200
wafsamba: the symbol version string of private libraries should be based on the toplevel project
If we build a private library all symbols should be made private based
on a unique suffix.
When we use a unique soname and a unique symbol version suffix it's very unlikely
to hit conflicts due to inherited libraries.
For the abi checking we still use the original vnum as abi_vnum.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit da7c41e26016845f0dfd78601987c075ef8711a6
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 13 15:16:59 2021 +0200
wafsamba: use private extentions also for bundled public libraries
Playing tricks with redefining libraries, which may also be installed in
the system with the same version, isn't really a good thing.
It may work in some cases, but there are so many things which may go
wrong. So if we build a library as private/bundled library we should
change the soname of the library.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 43b90da1867135ddb5f740c9d664af4c2d96a18f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 13 15:14:01 2021 +0200
wafsamba: remove unused private_library argument of PRIVATE_NAME()
The only caller asserts that private_library is True.
Use: git show -U5
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d6749f590f338cff42634c7406dda96dc1d8e2fd
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 18 17:54:31 2021 +0200
wafsamba: SAMBA_GENERATOR() should not alter the callers dep_vars
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 932c408c1b4f53098c8857941bcaf67c978195ec
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 1 12:08:11 2021 +0200
wafsamba: fix '--private-libraries' option when using 'ALL,!something'
We already had the desired logic in LIB_MUST_BE_BUNDLED(), so we can
just reuse it in LIB_MUST_BE_PRIVATE().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 893c24605a5874b4b093ea1967ebbcb1e4837ffa
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 27 12:39:01 2021 +0200
wafsamba: mark SAMBA_MODULE() with private_library=True
Symbols from modules should have a symbol versioning tag of the
current version.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 03cd1449f697dc7a9950fd4d333273ea72bcb174
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 20 09:21:13 2021 +0000
script/autobuild.py: fix "nondevel" builds of 'samba-libs'
Commit 3e6af7109eb9d49328b426095580e4bfb2338ceb removed environment
variables like PKG_CONFIG_PATH from the configure run, so we no longer
tested a build against the shared libraries we build before.
We also assert that we no longer build private libraries
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 38c5bad4a853b19fe9a51fb059e150b153c4632a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 20:41:54 2021 +1300
kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184
commit 9bd26804852d957f81cb311e5142f9190f9afa65
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 23 19:38:35 2021 +1300
heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but
when generating a service ticket for S4U2Self, we want to avoid adding
the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ee4aa21c487fa80082a548b2e4f115a791e30340
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 09:29:42 2021 +1300
selftest: Properly check extra PAC buffers with Heimdal
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1f4f3018c5001b289b91959a72d00575c8fc0ac1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 23 17:30:50 2021 +1300
heimdal:kdc: Always generate a PAC for S4U2Self
If we decided not to put a PAC into the ticket, mspac would be NULL
here, and the resulting ticket would not contain a PAC. This could
happen if there was a request to omit the PAC or the service did not
require authorization data. Ensure that we always generate a PAC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 192d6edfe912105ec344dc554f872a24c03540a3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 12:46:40 2021 +1300
tests/krb5: Add a test for S4U2Self with no authorization data required
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4b60e9516497c2e7f1545fe50887d0336b9893f2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 10:53:49 2021 +1300
kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
presented with an RODC-issued TGT. By removing this PAC buffer from
RODC-issued tickets, we ensure that an RODC-issued ticket will still
result in a PAC if it is first renewed or validated by the main DC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 90025b6a4d250a15c0f988a9a9150ecfb63069ef
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 20:42:22 2021 +1300
kdc: Don't include extra PAC buffers in service tickets
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e61983c7f2c4daade83b237efb990d0c0645b3a3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 13:24:57 2021 +1300
Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
This reverts commit fa4c9bcefdeed0a7106aab84df20b02435febc1f.
We should not be generating these additional PAC buffers for service
tickets, only for TGTs.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 73a48063469205099f02efdf3b8f0f1040dc7a3d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 10:32:44 2021 +1300
tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 690a00a40c0a3f77da6e4dca42b630f2793a98b8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 23 20:15:41 2021 +1300
kdc: Always add the PAC if the header TGT is from an RODC
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b6a25f5f016aef39c3b1d7be8b3ecfe021c03c83
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 23 20:00:07 2021 +1300
kdc: Match Windows error code for mismatching sname
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bac5f75059450898937be891e863826e1350b62c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 10:05:17 2021 +1300
tests/krb5: Add test for S4U2Self with wrong sname
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d5d22bf84a71492342287e54b555c9f024e7e71c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 20:41:45 2021 +1300
kdc: Adjust SID mismatch error code to match Windows
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f7a2fef8f49a86f63c3dc2f6a2d7d979fb53238a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 20:41:34 2021 +1300
heimdal:kdc: Adjust no-PAC error code to match Windows
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9cfb88ba04818b5e9cec3c96422e8e4a3080d490
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 18 16:22:34 2021 +1300
s4:torture: Fix typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 11fb9476ad3c09415d12b3cdf7934c293cbefcb2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 18 13:14:51 2021 +1300
heimdal:kdc: Fix error message for user-to-user
We were checking the wrong variable to see whether a PAC was found or not.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 749349efab9b401d33a4fc286473a924364a41c9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 15:32:32 2021 +1300
tests/krb5: Add comments for tests that fail against Windows
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ca80c47406e0f2b6fac2c55229306e21ccef9745
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 13:10:52 2021 +1300
tests/krb5: Add tests for validation with requester SID PAC buffer
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ebc9137cee94dee9dcf0e47d5bc0dc83de7aaaa1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 12:37:08 2021 +1300
tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that
these checks are currently not enforced, which avoids a lot of test
failures.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ec823c2a83c639f1d7c422153a53d366750e5f2a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 12:09:18 2021 +1300
tests/krb5: Add TGS-REQ tests with FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 778029c1dc443b87f4ed4b9d2c613d0e6fc45b0d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 12:10:45 2021 +1300
tests/krb5: Add tests for TGS requests with a non-TGT
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7574ba9f580fca552b80532a49d00e657fbdf4fd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 30 09:26:40 2021 +1300
tests/krb5: Add tests for invalid TGTs
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 28d501875a98fa2817262eb8ec68bf91528428c2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 12:04:36 2021 +1300
tests/krb5: Remove unnecessary expect_pac arguments
The value of expect_pac is not considered if we are expecting an error.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d95705172bcf6fe24817800a4c0009e9cc8be595
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:52:31 2021 +1300
tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e930274aa43810d6485c3c8a7c82958ecb409630
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:40:35 2021 +1300
tests/krb5: Split out methods to create renewable or invalid tickets
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a560c2e9ad8abb824d1805c86c656943745f81eb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:37:35 2021 +1300
tests/krb5: Allow PasswordKey_create() to use s2kparams
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 167bd2070483004cd0b9a96ffb40ea73c6ddf579
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 16:02:00 2021 +1300
tests/krb5: Run test_rpc against member server
We were instead always running against the DC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f0b222e3ecf72c8562bc97bedd9f3a92980b60d5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:34:11 2021 +1300
tests/krb5: Deduplicate AS-REQ tests
salt_tests was running the tests defined in the base class as well as
its own tests.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 57b1b76154d699b9d70ad04fa5e94c4b30f0e4bf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:53:18 2021 +1300
tests/krb5: Remove unused variable
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ad4d6fb01fd8083e68f07c427af8932574810cdc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:30:38 2021 +1300
selftest: Check received LDB error code when STRICT_CHECKING=0
We were instead only checking the expected error.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cbf312f02bc86f9325fb89f6f5441bc61fd3974f
Author: Andreas Schneider <asn at samba.org>
Date: Tue Nov 23 15:48:57 2021 +0100
s3:winbind: Fix possible NULL pointer dereference
BUG: https://bugzilla.redhat.com/show_bug.cgi?id=2019888
Signed-off-by: Andreas Schneider <asn at samba.org>
Rewiewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Nov 29 19:40:50 UTC 2021 on sn-devel-184
commit 90febd2a33b88af49af595fe0e995d6ba0f33a1b
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sat Sep 19 14:16:20 2020 +0200
s4:mit-kdb: Force canonicalization for looking up principals
See also
https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184
commit 8b83758b7c51e4effc57c6130abb38bd53d74bb9
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Tue Oct 19 09:59:54 2021 +0200
s4:kdc: Remove trailing spaces in db-glue.c
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit d128a85f999afb002b510ad6ec8c94f7df006195
Author: Andreas Schneider <asn at samba.org>
Date: Tue Nov 23 07:43:05 2021 +0100
s4:mit-kdb: Reduce includes to only what's needed
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 28be1acd8eb921c15cbd1260711cbbdd48595e6c
Author: Andreas Schneider <asn at samba.org>
Date: Mon Oct 11 10:55:52 2021 +0200
mit-kdc: Use more strict KDC default settings
As we require MIT KRB5 >= 1.19 for the KDC, use more secure defaults.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Nov 18 16:09:47 2021 +1300
CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
This puts all the detail on one line so it can be searched
by IP address and connecting SID.
This relies on the anr handling as otherwise this log
becomes the expanded query, not the original one.
RN: Provide clear logs of the LDAP search and who made it, including
a warning (at log level 3) for queries that are 1/4 of the hard timeout.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Thu Nov 25 02:30:42 UTC 2021 on sn-devel-184
commit 5f0590362c5c0c5ee20503a67467f9be2d50e73b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Nov 18 15:57:34 2021 +1300
CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
RN: Do not modify the caller-supplied memory in the anr=* handling to
allow clear logging of the actual caller request after it has been processed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 2b3af3b560c9617a233c131376c870fce146c002
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Nov 18 15:27:08 2021 +1300
CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 1d5b155619bc532c46932965b215bd73a920e56f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 27 16:47:46 2021 +1300
CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
The LDB filter processing is where the time is spent in the LDB stack
but the timeout event will not get run while this is ongoing, so we
must confirm we have not yet timed out manually.
RN: Ensure that the LDB request has not timed out during filter processing
as the LDAP server MaxQueryDuration is otherwise not honoured.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit e1ab0c43629686d1d2c0b0b2bcdc90057a792049
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 28 17:20:43 2021 +1300
CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 86fe9d48883f87c928bf31ccbd275db420386803
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Aug 26 13:53:23 2021 +1200
CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit dcfcafdbf756e12d9077ad7920eea25478c29f81
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Aug 26 21:18:26 2021 +1200
CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts
We allow a timeout of 2x over to avoid this being a flapping test.
Samba is not very accurate on the timeout, which is not otherwise an
issue but makes this test fail sometimes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b5e0f33e8296d6312efadd8a78d752b788d66f54
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Nov 19 16:16:30 2021 +1300
pytest/docs: better spelling of set_smbconf_arbitrary
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Mon Nov 22 11:18:09 UTC 2021 on sn-devel-184
commit b674c57a1829365f50bfdf846ca609d4ac205e52
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Nov 19 16:15:50 2021 +1300
pytest/docs: set_smbconf_arbitrary_opposite() needs param_type
also, we fixed the name ("arbitrary", not "arbitary").
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
commit 5bbf105937cd94a09abe550297aa0d366aa839e1
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Nov 19 16:13:39 2021 +1300
pytest/dns_aging: remove duplicate tests
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
commit 524ca3c6d23323a67fad36e39f5e05f893c44a80
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Nov 19 16:12:43 2021 +1300
pytest/dns_aging: use correct variable names
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b5e2651f1ca99a8a654f60767a40f9228413437b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Nov 19 16:21:08 2021 +1300
py/dnsserver: add a missing exception variable
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
commit 3c18bb6c77d33b000489c6b4bd1dd87b81f2162f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Nov 19 16:11:14 2021 +1300
py/dnsserver: add missing imports
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.com>
commit 1926335839a83795a8594fe0b3a2a298bdf366ac
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Nov 19 15:33:09 2021 +1300
third_party/update: forget pep8
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Fri Nov 19 13:25:16 UTC 2021 on sn-devel-184
commit 2c3596e72144fb1b356de860ccfef1ea1f39fd9d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Nov 19 15:28:48 2021 +1300
pytest/source_chars: forget thirdparty/pep8 test file
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
commit e94e649bbb474920c681c644e9a53e5f09147982
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Nov 19 15:18:23 2021 +1300
third_party: remove pep8
This was a *partial* copy of the python linting tool that has been
known as 'pycodestyle' since 2017. I say partial copy, because it does
not seem to contain the pep8 binary itself, just some documentation
and tests. It has not been changed since it was added in 2015.
It is GOOD that people run python linters, but this doesn't help them
in the slightest.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
commit cdc0268c1987f36ab400ea01df88d55c02dccfdb
Author: Volker Lendecke <vl at samba.org>
Date: Wed Nov 17 12:27:27 2021 +0100
cmdline: Make -P work in clustered mode
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Nov 17 18:29:09 UTC 2021 on sn-devel-184
commit 63c80f25da8829a7bd3244afea29c13f699efac1
Author: Volker Lendecke <vl at samba.org>
Date: Wed Nov 17 12:25:58 2021 +0100
cmdline: Add a callback to set the machine account details
source3 clients need to work in clustered mode, the default
cli_credentials_set_machine_account() only looks at the local
secrets.tdb file
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d6270525699fbc856b217cf18ece7f1d063b144d
Author: Volker Lendecke <vl at samba.org>
Date: Wed Nov 17 12:25:05 2021 +0100
lib: Add required includes to source3/include/secrets.h
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 9faa3173193ddcb95905993d960cc10d4366524e
Author: Volker Lendecke <vl at samba.org>
Date: Wed Nov 17 16:34:07 2021 +0100
selftest: Add reproducer for bug 14908
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14908
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 2868b8036498e7fa0c7ae3615f5d97b42b360da2
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Nov 17 09:47:18 2021 +1300
lib/replace/timegm: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Nov 17 05:27:39 UTC 2021 on sn-devel-184
commit 039f876c4e9f635b207f3b16c99662297a93dd5e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Nov 17 09:48:37 2021 +1300
s4/auth/gensec/gensec_krb5_heimdal: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6ced906e2be66fb324aa012a06c8d3b10bbf78b2
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Nov 17 09:49:05 2021 +1300
test/blackbox/test_samba-tool_ntacl: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 4c85693f55341344117f0b6d2bb7498099828dab
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Nov 17 09:47:52 2021 +1300
s3/modules/vfs_acl_common.h: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c3194d0d65d838b79cb5345a9d9433704b2f95ba
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Nov 17 10:23:02 2021 +1300
test/bad_chars: ensure our tests could fail
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit fccb105e079df7bfe22b6887262128ab9e81064d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Nov 16 20:23:04 2021 +0000
pytests: check that we don't have bad format characters
Unicode has format control characters that affect the appearance —
including the apparent order — of other characters. Some of these,
like the bidi controls (for mixing left-to-right scripts with
right-to-left scripts) can be used make text that means one thing look
very much like it means another thing.
The potential for duplicity using these characters has recently been
publicised under the name “Trojan Source”, and CVE-2021-42694. A
specific example, as it affects the Rust language is CVE-2021-42574.
We don't have many format control characters in our code — in fact,
just the non-breaking space (\u200b) and the redundant BOM thing
(\ufeff), and this test aims to ensure we keep it that way.
The test uses a series of allow-lists and deny-lists to check most
text files for unknown format control characters. The filtering is
fairly conservative but not exhaustive. For example, XML and text
files are checked, but UTF-16 files are not.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1c8ea2448eaacb84c1c134e9597a5f873779b0a4
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 9 14:57:18 2021 -0800
s3: smbd: In SMB1 call_trans2findnext() add and use a helper variable to ensure we don't call mangle_is_mangled() with a posix name.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Nov 16 21:06:38 UTC 2021 on sn-devel-184
commit 761c9190454ce1704a041275723e23025bf62cf3
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 9 14:55:05 2021 -0800
s3: smbd: In unlink_internals() ensure we never call mangle_is_mangled for a posix path.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e2c45a092639c56d4a6b615fecef6d85f13b87eb
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 9 14:28:34 2021 -0800
s3: smbd: SMB1 reply_copy(). Posix pathnames always means case_sensitive = true.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e3c40250fb1afafe833a02ff65474a76ea6e41eb
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 9 14:23:22 2021 -0800
s3: smbd: SMB1 reply_copy(). Posix pathnames should never call into mangle_is_mangled().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d0d8f32d8f764bb2c9c00a3eda36367a7cd5a08f
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 9 14:21:41 2021 -0800
s3: smbd: In SMB1 reply_copy(), make req->posix_pathnames a helper variable.
I need to use it elsewhere in here.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 826ae5c80694093f65809b314c72fd5e1cb45b47
Author: Jeremy Allison <jra at samba.org>
Date: Mon Nov 8 16:37:26 2021 -0800
s3: smbd: Add and use helper variables for case_sensitive, case_preserve, short_case_preserve to rename_internals().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 395acac7b465c5b8e9461d42f50e860003a98bad
Author: Jeremy Allison <jra at samba.org>
Date: Mon Nov 8 16:31:40 2021 -0800
s3: smbd: Ensure we never call mangle_is_mangled() for a posix path.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 23be0565dc738e98d1619435dffb716726b62214
Author: Jeremy Allison <jra at samba.org>
Date: Mon Nov 8 16:30:27 2021 -0800
s3: smbd: Add and use helper variable posix_pathname in rename_internals().
We're going to re-use it inside this function.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 026b4318967eb923b8b5666e7b8e977b43b2dbcc
Author: Jeremy Allison <jra at samba.org>
Date: Mon Nov 8 16:27:19 2021 -0800
s3: smbd: Add and use helper variables case_sensitive, case_preserve in rename_internals_fsp().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 836d6f8a22696e1de4009dbde46bf355261f8e7a
Author: Jeremy Allison <jra at samba.org>
Date: Mon Nov 8 16:22:50 2021 -0800
s3: smbd: Add and use case_sensitive helper variable to unlink_internals().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 89d986ec13085f416e24276375cc1d2353077010
Author: Jeremy Allison <jra at samba.org>
Date: Mon Nov 8 15:59:51 2021 -0800
s3: smbd: Use a helper variable in smbd_smb2_query_directory_send().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit db6902a3c5889112b5349b28b10df813fc747525
Author: Jeremy Allison <jra at samba.org>
Date: Mon Nov 8 14:10:59 2021 -0800
s3: smbd: In open_file() use the helper variable to select correct case_sensitive setting to is_in_path().
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 51b582546b5d613a108f8b5a3ef4b7a1cd99df86
Author: Jeremy Allison <jra at samba.org>
Date: Mon Nov 8 14:09:53 2021 -0800
s3: smbd: In open_file(), use a helper variable instead of always checking sp->posix_flags & FSP_POSIX_FLAGS_OPEN.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit df8abb5aa760363391edd2def3f2edb667d66ba2
Author: Jeremy Allison <jra at samba.org>
Date: Mon Nov 8 11:25:26 2021 -0800
s3: smbd: Use dptr_case_sensitive() in directory listing code.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e163f22e81d082e2ca161ee032eb14083154b70f
Author: Jeremy Allison <jra at samba.org>
Date: Mon Nov 8 11:21:03 2021 -0800
s3: smbd: Add dptr_case_sensitive(). Not yet used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ab1e97f87b10596a83794579ac0bfb4be39eded2
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 5 16:43:14 2021 -0700
s3: smbd: In OpenDir_fsp(), set dir_hnd->case_sensitive to true if FSP_POSIX_FLAGS_OPEN is set.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ede3a45dfcaa91bbf8c64683ec51eeba9054cfbb
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 16:52:10 2021 -0700
s3: smbd: Use dir_hnd->case_sensitive instead of conn->case_sensitive.
No logic change.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit af35c684a39ed59a750a03b71ef78522fc14ce13
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 16:48:03 2021 -0700
s3: smbd: Add case_sensitive to struct smb_Dir.
Not yet used.
This allows it to be independent of conn settings on
a per-handle-basis for SMB2 posix.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1b130decc2bb17b058d57bbcd46babb5b2b939a6
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 5 16:55:06 2021 -0700
s3: smbd: Use state->case_sensitive instead of state->conn->case_sensitive.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1240f741e6672a0bef036c8d1b1f89507ec0b599
Author: Jeremy Allison <jra at samba.org>
Date: Fri Nov 5 16:53:26 2021 -0700
s3: smbd: Add 'bool case_sensitive' to struct smbd_dirptr_lanman2_state.
Initialize from conn->case_sensitive. Not yet used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1cc5a394209f018f4c41d07bc0c790fb2bd5b29e
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 16:26:24 2021 -0700
s3: smbd: In unix_convert() component_was_mangled is always false for posix.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3911ca59f48f5d7445195b09ba61f97374370f85
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 16:20:34 2021 -0700
s3: smbd: In unix_convert_step_search_fail() ensure posix names don't call into name mangling functions.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d650d9ad8aef9d39ed8eb960ec6d5fe409c3f6b3
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 15:03:16 2021 -0700
s3: smbd: Add comment to unix_convert() explaining why posix never calls into mangle_is_mangled() here.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 77f54fc14f2dcf9da6a68dd8880f0d31ac33c860
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 13:32:27 2021 -0700
s3: smbd: Turn on case sensitivity for a posix filename lookup.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f4354571d615c5b6ea64ed20cb880049c1b49053
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 12:08:25 2021 -0700
s3: smbd: Use state->short_case_preserve instead of state->conn->short_case_preserve.
No logic changes.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 598c07b106edf47febc2319f923931542fa1c519
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 12:07:05 2021 -0700
s3: smbd: Use state->case_preserve instead of state->conn->case_preserve.
No logic change.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 2910657694ed6843702b1f901674e0568e64846e
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 12:02:33 2021 -0700
s3: smbd: Use state->case_sensitive instead of state->conn->case_sensitive.
No logic change.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 35ee8a7b6c7e68a6a48e2ecafae78d9f6f901040
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 11:59:56 2021 -0700
s3: smbd: Add case_sensitive, case_preserve, short_case_preserve to state struct.
Not yet used.
This allows them to be independent of conn settings on
a handle-basis for posix.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b460c534272271b3f6c673ef544b7a5549ad11bb
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 11:54:38 2021 -0700
s3: smbd: Ensure normalize_filename_case() doesn't modify posix names.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 86e42fb484147ed687086cf3fcf8cd8eb07b7164
Author: Jeremy Allison <jra at samba.org>
Date: Fri Sep 17 17:02:06 2021 -0700
s3: smbd: Add ucf_flags parameter to normalize_filename_case().
Not yet used.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3f0935b369e79d67f7a42b9531b2c123f2410ccc
Author: Jeremy Allison <jra at samba.org>
Date: Fri Oct 15 14:04:07 2021 -0700
s3: smbd: get_real_filename() is actually static to filename.c
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit a8c0c2c9e3adc94843a236fd9374980e2c0e6bfe
Author: Ralph Boehme <slow at samba.org>
Date: Mon Nov 15 18:04:30 2021 +0100
smbd: get rid of get_file_handle_for_metadata()
This also avoids triggering an assert in get_share_mode_lock(). We already have
a handle, use that one, no need to call get_file_handle_for_metadata().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14907
RN: set_ea_dos_attribute() fallback calling get_file_handle_for_metadata() triggers locking.tdb assert
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Nov 16 18:51:15 UTC 2021 on sn-devel-184
commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Nov 12 16:10:31 2021 +1300
CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.
Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.
This obsoletes 'username map [script]' based workaround adviced
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.
In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
[metze at samba.org moved the new logic into the fallback codepath only
in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184
commit 494bf7de6ff3e9abeb3753df0635737b80ce5bb7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Nov 12 14:22:47 2021 +1300
CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
[metze at samba.org removed unused tests for a feature that
was removed before merging]
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 8a9f2aa2c1cdfa72ad50d7c4f879220fe37654cd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Nov 12 14:20:45 2021 +1300
CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
In reality environments without 'nss_winbind' make use of 'idmap_nss'.
For testing, DOMAIN/bob is mapped to the local 'bob',
while DOMAIN/jane gets the uid based on the local 'jane'
vis idmap_nss.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
[metze at samba.org avoid to create a new ad_member_idmap_nss environment
and merge it with ad_member_no_nss_wb instead]
Reviewed-by: Ralph Boehme <slow at samba.org>
commit fdbee5e074ebd76d659613b8b7114d70f938c38a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Nov 12 20:53:30 2021 +1300
CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 5ea347d3673e35891613c90ca837d1ce4833c1b0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Nov 12 14:14:55 2021 +1300
CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit bfd093648b4af51d104096c0cb3535e8706671e5
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 12 15:27:58 2021 +0100
CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
We already check the sid belongs to the domain, but checking the name
too feels better and make it easier to understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c69b66f649c1d47a7367f7efe25b8df32369a3a5
Author: Alexander Bokovoy <ab at samba.org>
Date: Fri Nov 12 19:06:01 2021 +0200
IPA DC: add missing checks
When introducing FreeIPA support, two places were forgotten:
- schannel gensec module needs to be aware of IPA DC
- _lsa_QueryInfoPolicy should treat IPA DC as PDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
commit 240addaed7b87759dff13c1c6c18681815c28c92
Author: Volker Lendecke <vl at samba.org>
Date: Tue Nov 2 10:35:35 2021 +0100
smbd: Convert ret==false into !ret
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Nov 11 19:59:03 UTC 2021 on sn-devel-184
commit b063aa1cf13ece9673edbf225281993cfa39085d
Author: Volker Lendecke <vl at samba.org>
Date: Fri Nov 5 11:48:25 2021 +0100
lib: Use a direct struct initialization
Don't init with 0 just to overwrite again. Probably the compiler will
figure that out anyway, but to me this looks cleaner.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8f248bee5be182cfbffce99f373cd3675724adba
Author: Volker Lendecke <vl at samba.org>
Date: Sun Nov 7 19:33:31 2021 +0100
smbd: Make sure we don't overwrite tmp_buf
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b829d6671f93deeea07ce8b42a023bf9944cb55b
Author: Volker Lendecke <vl at samba.org>
Date: Fri Nov 5 18:52:56 2021 +0100
smbd: Avoid casts
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 62d21fac5ff243d92089a635ce07298dc3c3b7c9
Author: Volker Lendecke <vl at samba.org>
Date: Fri Nov 5 18:52:40 2021 +0100
smbd: Fix typos
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 738dc11cb336d658ff325fb85ac7402428e24d62
Author: Volker Lendecke <vl at samba.org>
Date: Fri Nov 5 12:58:58 2021 +0100
vfs: Use cp_smb_filename_nostream() in vfswrap_parent_pathname()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d64e180ba93630867d0027cca92c51f8f0ca7d31
Author: Volker Lendecke <vl at samba.org>
Date: Fri Nov 5 12:03:02 2021 +0100
smbd: Move "struct fd_handle" into fd_handle.c
A separate header file is not required here, everything goes through
the API published by fd_handle.c. This makes it harder to include the
fd_handle definition and violate the guarantees.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 05c41a02dd6dee3e29b44b69ac3dd6f60d87b475
Author: Volker Lendecke <vl at samba.org>
Date: Fri Nov 5 11:51:33 2021 +0100
lib: Slightly tune cp_smb_filename_nostream()
Don't talloc_strdup() the stream_name, just to free it again.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 68078e560aae6bafbe9ffc48133271b6552ef1e1
Author: Volker Lendecke <vl at samba.org>
Date: Sat Oct 30 11:45:20 2021 +0200
libcli4: Remove outdated README file
This has not materialized since 2005. We can easily add it once we
create libsmbclient4.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5e9a781dcb82f6c1b8049c0cabdf674f2cb76261
Author: Volker Lendecke <vl at samba.org>
Date: Tue Nov 2 11:16:57 2021 +0100
vfs: Fix a few typos
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit cde87d62d35e7691d29bd7a5aa45022c96db4fd3
Author: Volker Lendecke <vl at samba.org>
Date: Tue Nov 2 11:06:18 2021 +0100
smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d542cbb9a769b6205b990cf9d077a431e0256d5f
Author: Volker Lendecke <vl at samba.org>
Date: Wed Nov 10 16:19:40 2021 +0100
smb.conf.5: Fix a typo for "username map script"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a21bc14e13b48fb4d6f0c89159162cb4f4511769
Author: Volker Lendecke <vl at samba.org>
Date: Fri Oct 29 14:18:02 2021 +0200
libsmb: Move cli_qfilename() to its only user in torture.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 69546f56fe8e259246ce0136471569c621b9f5a5
Author: Volker Lendecke <vl at samba.org>
Date: Fri Oct 22 13:32:36 2021 +0200
dbwrap: Remove unused dbwrap_watched_wakeup()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 72e9b8ceede2ac9fc9180a798fec7a2cb62e2be1
Author: Volker Lendecke <vl at samba.org>
Date: Fri Oct 22 17:30:46 2021 +0200
lib: Fix a debug typo in g_lock.c
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b7fc678107d99cbd64cd7018840ce2bf8d0eb811
Author: Volker Lendecke <vl at samba.org>
Date: Thu Oct 14 15:08:55 2021 +0200
libcli: Remove NT_STATUS_INACCESSIBLE_SYSTEM_SHORTCUT error code
This is the same as STATUS_STOPPED_ON_SYMLINK, and this is what also
wireshark displays. Avoid some confusion.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8b89be8c37936272d38d5e7245818f141cbe6828
Author: Volker Lendecke <vl at samba.org>
Date: Tue Oct 12 12:36:16 2021 +0200
VFS: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d0759cb648f3d17f7501ea2cf3333d79e4ebcd98
Author: Volker Lendecke <vl at samba.org>
Date: Sun Oct 24 20:38:19 2021 +0200
libsmb: move reparse_symlink to libcli/smb/
This will be useful for smbXcli_create to parse the symlink error
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2bb63e04035a65f445ec13206b752b34db4c5f99
Author: Volker Lendecke <vl at samba.org>
Date: Sun Oct 24 15:28:35 2021 +0200
libsmb: Avoid a talloc_stackframe.c dependency
This is simple enough for explicit TALLOC_FREE()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5823634b46ef7c1ef959916dd427656e11f76e61
Author: Volker Lendecke <vl at samba.org>
Date: Sun Oct 24 15:24:42 2021 +0200
libsmb: Introduce "struct symlink_reparse_struct"
Simplify symlink_reparse_buffer_parse() slightly, failure cleanup
becomes simpler with that, and this struct will be useful elsewhere
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 58c8289b2ff8bf3a413e82f1d4dc05ab10a6e2d6
Author: Volker Lendecke <vl at samba.org>
Date: Sun Oct 24 12:45:23 2021 +0200
libsmb: Give reparse_symlink.c its own header
While there, avoid an "includes.h"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit fadce102d477c2cd9ba5cf071b03b1bc5525d2ec
Author: Volker Lendecke <vl at samba.org>
Date: Sun Oct 24 12:44:56 2021 +0200
libcli: "smb_util.h" needs "ntstatus.h"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c05bc2d22189f8136aaacd5fc9d76a26c1b5eeeb
Author: Volker Lendecke <vl at samba.org>
Date: Sun Oct 24 12:38:21 2021 +0200
libsmb: Remove "trans_oob()" macro
It was just a 1:1 substitution for smb_buffer_oob()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8820101cd0b33aff95febcbe760bb59434b5b289
Author: Volker Lendecke <vl at samba.org>
Date: Tue Oct 26 10:14:28 2021 +0200
smbclient: Use cli_checkpath in "cd" command
No need for special qpathinfo_basic code
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c0fda0bd6262a571159b9df02fdc313ef8b32113
Author: Volker Lendecke <vl at samba.org>
Date: Tue Oct 26 08:51:16 2021 +0200
libsmb: Use cli_ntcreate in cli_chkpath
cli_ntcreate handles smb2, thus remove cli_smb2_chkpath.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 99d1f1fa10da5c0ab3bb5ebc36152fe091bd3700
Author: Volker Lendecke <vl at samba.org>
Date: Tue Oct 26 13:56:54 2021 +0200
smbd: Remove unused "struct connections_key"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ca8afc660474bad2327300bc19d3b01e617f171b
Author: Volker Lendecke <vl at samba.org>
Date: Tue Oct 26 13:48:28 2021 +0200
smbd: Give smbXsrv_open.c its own header file
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c89799beda6757c03045e3b103344adc15006a33
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 11 14:46:15 2021 +0100
docs-xml: Fix smbget manpage
There is no &stdarg.encrypt anymore.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Nov 11 16:27:12 UTC 2021 on sn-devel-184
commit 57c1e115ecef41ef18599e5233079ccd83d13bfc
Author: Volker Lendecke <vl at samba.org>
Date: Tue Jul 7 11:32:46 2020 +0200
smbd: reopen logs on SIGHUP for notifyd and cleanupd
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Nov 11 15:34:28 UTC 2021 on sn-devel-184
commit 06ed4ccba6cfe08aef061866f98b1d1da26682b8
Author: Ralph Boehme <slow at samba.org>
Date: Mon Nov 8 12:09:43 2021 +0100
lib/cmdline: setup default file logging for servers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897
RN: samba process doesn't log to logfile
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Nov 11 14:42:13 UTC 2021 on sn-devel-184
commit 97592f16bfb8590efbd2ed31fc9883d747ec650f
Author: Ralph Boehme <slow at samba.org>
Date: Mon Nov 8 12:09:16 2021 +0100
lib/cmdline: remember config_type in samba_cmdline_init()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 120a598e53173aacc0994318223bdac33dac4fbd
Author: Ralph Boehme <slow at samba.org>
Date: Mon Nov 8 12:08:47 2021 +0100
lib/cmdline: fix indentation
s/whitespace/tab/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit fa9d9974d068897d35539e5316f606a15e8b38de
Author: Ralph Boehme <slow at samba.org>
Date: Mon Nov 8 19:41:50 2021 +0100
lib/debug: in debug_set_logfile() call reopen_logs_internal()
This simplifies the logging API for callers that typically would want to set
logging by just setup_logging() once without bothering that typically
configuration is loaded (via some lpcfg_load*() or lp_load*() varient) which
will only then pick up the configured logfile from smb.conf without actually
applying the new logifle to the logging subsytem.
Therefor our daemons will additionally call reopen_logs() explicitly in their
startup code after config is loaded, eg
setup_logging(getprogname(), DEBUG_FILE);
...
lpcfg_load(lp_ctx, config_file);
...
reopen_logs();
By calling reopen_logs_internal() implicitly from debug_set_logfile() there's no
need to call reopen_logs() explicitly anymore to apply the logfile.
As reopen_logs() will also apply other logging configuration options, we have to
keep the explicit calls in the daemon code. But at least this allows consistent
logging setup wrt to the logfile in the new cmdline library.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 948a82bd2651e73e4e669a89dc77ba93abbb9b2f
Author: Ralph Boehme <slow at samba.org>
Date: Wed Nov 10 14:13:11 2021 +0100
lib/debug: fix fd check before dup'ing to stderr
Before I added per-class logfile and we had only one fd for the logfile the code
looked like this:
/* Take over stderr to catch output into logs */
if (state.fd > 0) {
if (dup2(state.fd, 2) == -1) {
/* Close stderr too, if dup2 can't point it -
at the logfile. There really isn't much
that can be done on such a fundamental
failure... */
close_low_fd(2);
}
}
In the current code the equivalent to state.fd is dbgc_config[DBGC_ALL].fd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 117d45df47a1f3206bc38aaeaa11f2b327e43530
Author: Ralph Boehme <slow at samba.org>
Date: Wed Nov 10 18:27:08 2021 +0100
winbindd: remove is_default_dyn_LOGFILEBASE() logic
Handling of -l commandline parameter is already implemented by lib/cmdline/.
is_default_dyn_LOGFILEBASE() == true is the default case and this causes us to
temporarily overwrite the configured logfile with LOGFILEBASE/log.winbindd until
winbindd_reload_services_file() restores it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 54f54fc2627acbf5fac5e1fa86ab9f743741f3c4
Author: Ralph Boehme <slow at samba.org>
Date: Thu Nov 11 05:23:09 2021 +0100
samba-bgqd: fix startup and logging
Let samba-bgqd use the new POPT_COMMON_DAEMON infrastructure.
The calls to setup_logging() can safely be removed as this is already taken care
of by samba_cmdline_init().
To avoid a logfile basename of ".log" when using "%m", we add a call to
set_remote_machine_name().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 25043ebb2e6f74592e802f78d327f844e615a442
Author: Ralph Boehme <slow at samba.org>
Date: Wed Nov 10 20:18:07 2021 +0100
source3: move lib/substitute.c functions out of proto.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c28be4067463e582e378df402f812e510883d606
Author: Andreas Schneider <asn at samba.org>
Date: Wed Nov 10 12:06:51 2021 +0100
auth:creds: Guess the username first via getpwuid(my_id)
If we have a container, we often don't have USER or LOGNAME set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14883
Tested-by: Anoop C S <anoopcs at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Nov 10 19:11:53 UTC 2021 on sn-devel-184
commit 711d01ff205fe536688598bbdb7d1766c17ece2a
Author: Andreas Schneider <asn at samba.org>
Date: Wed Nov 10 12:01:20 2021 +0100
auth:creds: Remove trailing spaces
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a7f6c60cb037b4bc9eee276236539b8282213935
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 9 20:50:20 2021 +0100
s3:winbindd: fix "allow trusted domains = no" regression
add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).
We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
commit 3121be69cac7748d1cb01273c0d09fab2fe726a0
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 14:24:40 2021 +0200
CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
This avoids a crash that's triggered by windows clients using
handles from samr_Connect*() on across multiple connections within
an association group.
In other cases is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and also
improves the auditing for the dcesrv_samdb_connect_as_system() case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Jule Anger <janger at samba.org>
Autobuild-Date(master): Tue Nov 9 20:37:30 UTC 2021 on sn-devel-184
commit 5724868c22eb2ecd6d58fd167f315699ede53043
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 15:09:04 2021 +0200
CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly and
also improves auditing for the dcesrv_samdb_connect_as_system() case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a159e6f036db497bd976e2d165db5c187a09cf6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 14:24:25 2021 +0200
CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
This avoids a crash that's triggered by windows clients using
handles from OpenPolicy[2]() on across multiple connections within
an association group.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 965fe0e906263bffd6fb994263e51a8435f155d5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 14:22:47 2021 +0200
CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
This is not strictly required, but it makes it easier to audit that
source4/rpc_server no longer calls samdb_connect() directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit af6151ef122a4f452d486e541626c2a1feacb369
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 13:31:29 2021 +0200
CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
This avoids a crash that's triggered by windows clients using
DsCrackNames across multiple connections within an association group
on the same DsBind context(policy) handle.
It also improves the auditing for the dcesrv_samdb_connect_as_system() case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 897c0e8fc6fe9a9323f3ff657dc4245a7249c6fd
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 14:22:32 2021 +0200
CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
We already had dcesrv_samdb_connect_as_system(), but it uses the per
connection memory of auth_session_info and remote_address.
But in order to use the samdb connection on a per association group
context/policy handle, we need to make copies, which last for the
whole lifetime of the 'samdb' context.
We need the same logic also for all cases we make use of
the almost same logic where we want to create a samdb context
on behalf of the authenticated user (without allowing system access),
so we introduce dcesrv_samdb_connect_as_user().
In the end we need to replace all direct callers to samdb_connect()
from source4/rpc_server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b173ac586a688c2c3c6e75b02952e939fd0d4698
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 13:30:41 2021 +0200
CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
We want to use this also in code without existing
stackframe.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b9deab4ca43a2d08bed6950c05a57a7b2c7557bd
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 11:26:16 2021 +0200
CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
This adds a reproducer for an invalid memory access, when
using the context handle from DsBind across multiple connections
within an association group.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 45315f2284d9971d0b9e63b61bfdeab5e9589b54
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 10:34:06 2021 +0200
CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
This will be used in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 73b6ed864e084814e0a39c1d16c6217ba0ca26dd
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 09:58:37 2021 +0200
CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
We want to use the credentials of the joined dc account
in future tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 923c80eea96e725bdfc9e91f854f459bbaa8954f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 5 11:24:26 2021 +0200
CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
This will make it easier to reuse.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14468
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c17f4256e53229bd100f7bdcbc77620a64446326
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 27 10:40:28 2016 +0200
CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] nor plaintext data on the wire if the user
asked for kerberos only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 93dad333a22a3b46217072333491b87621db01f5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 24 09:12:59 2016 +0100
CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] data on the wire if the user asked for kerberos
only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 871d672f51fa8de6b2a4feee2039b76654e6aad2
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Nov 16 14:15:06 2020 +0100
CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
All other fragments blindly inherit it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit 9ebc679e76803e41861b9901d69fee41d3ce9a0f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 17 18:14:46 2020 +0100
CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit 44584f97b088796818aaaa721cf317541116d506
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 17 17:43:06 2020 +0100
CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit e21c405163a119af496b6801c31f38dd33e4da93
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 17 09:50:58 2020 +0100
CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit 478656531610ea35c860a769f2309592f7561bcb
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 11 16:59:06 2020 +0100
CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit 2f0bc04afe27af91901c66b2f4220129cabaf8a7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 13 11:27:19 2020 +0100
CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
That makes the callers much simpler and allow better debugging.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit c00e5fc2c646ef56a457d3850fb4a6e4d8d45294
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Nov 13 11:25:41 2020 +0100
CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
It's better to see the location that triggered the fault.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
commit 5f4634310196c6b2c8b097ad41f949a0cccf0ec6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 2 21:00:00 2021 +1300
CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
If one of the objectClass checks passed, samldb_add() could return
through one of the samldb_fill_*() functions and skip the
servicePrincipalName uniqueness checking.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit ae47a7307766014e637e4a539c96316cf0f09108
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 2 21:21:17 2021 +1300
CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 262f59a71f5488dcb8b9a3c5fafdcf21b30affca
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 2 14:11:27 2021 +0100
CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 433092d61705bdfb3124be94f6d881214b9432ba
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 2 14:02:14 2021 +1300
CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
This is tested in other places already, but this ensures a global
check that a TGS-REP has a PAC, regardless.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 972f0435bd8b1f0db1f98954692bc58b10631d27
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 2 14:52:22 2021 +1300
Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
This reverts an earlier commit that was incorrect.
It is not Samba practice to include a revert, but at this point in
the patch preperation the ripple though the knownfail files is
more trouble than can be justified.
It is not correct to refuse to parse all tickets with no authorization
data, only for the KDC to require that a PAC is found, which is done
in "heimdal:kdc: Require PAC to be present"
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit fa65ceb3dc3469019ec801d0a2a2272ae32308ed
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 15:53:33 2021 +1300
CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14886
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f5baabd987bbe71bbf37277e11f51f03372c28f1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 15:07:07 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b8c6fa20f41a65fcaa9bb09a6316df97da07ee79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 15:43:28 2021 +1300
CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 756934f14cc87dc1adfd9315672ae5d49cb24d95
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 14:35:52 2021 +1300
CVE-2020-25719 heimdal:kdc: Require PAC to be present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4888e198110a811a1815e2fdffc7562fe979f477
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 4 15:18:34 2021 +1300
CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 49a13f0fc942d1cfb767d5b6bf49d62241d52046
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 15:52:06 2021 +1300
CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f08e6ac86226dcd939fd0e40b6f7dc80c5c00e79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 15:51:58 2021 +1300
CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fd50fecbe99ae4fc63843c796d0a516731a1fe6a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 13:50:03 2021 +1300
CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f170f1eb4989d7f337eed0f45a558fe5231ea367
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:34:44 2021 +1300
CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
This allows us to use it when validating user-to-user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a5db5c7fa2bdf5c651f77749b4e79c515d164e4f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 13:53:25 2021 +1300
CVE-2020-25719 heimdal:kdc: Check return code
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1d3548aeffa2ec136f7cdece112a127241d8be13
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:42:41 2021 +1300
CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a3aee582a5c94b3d4de5edd0e9e5a0367addacbd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Oct 20 11:36:58 2021 +1300
CVE-2020-25722 Ensure the structural objectclass cannot be changed
If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforcable.
Likewise other LDAP inheritance rules, which allow only certain
child objects can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 43983170fc8671f7c0f0a0a6e1f8a82d9dbc2b60
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 27 12:10:02 2021 +1300
CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 05898cfb139ae0674c8251acc9d64c4c3d4c8376
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 8 08:29:51 2021 +1300
CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
Looking up the DB twice is subject to a race and is a poor
use of resources, so instead just pass in the record we
already got when trying to confirm that the server in
S4U2Self is the same as the requesting client.
The client record has already been bound to the the
original client by the SID check in the PAC.
Likewise by looking up server only once we ensure
that the keys looked up originally are in the record
we confirm the SID for here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 80257fa37c49138fb1af0a910a3ea41954096c11
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 4 12:43:13 2021 +1300
CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b176ddba2a2e3ec9e74e0b6b40b12d1a1139bdf5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 16:14:37 2021 +1300
CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit a9ac1f919127cf91a08dd3c20bbeda27af980aef
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 15:59:28 2021 +1300
CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
These common routines will assist the KDC to do the same access
checking as the RPC servers need to do regarding which accounts
a RODC can act with regard to.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 158765d1f33daf19396cb063473c3a132b15a7fc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 15:57:41 2021 +1300
CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
These are added for the uncommon cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit a831ef74c5b2982c108cc16dae9b116e9658dcb8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 14:31:00 2021 +1300
CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit c70710a0483e500f03e59df4dd759e6033975c15
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 12:29:49 2021 +1300
CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
In particular the objectGUID is no longer used, and in the NETLOGON case
the special case for msDS-KrbTgtLink does not apply.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 16f96dbb5d4b2262c5ba85fb32a479f0cb66ed23
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 12:25:30 2021 +1300
CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
This shares the lookup of the tokenGroups attribute.
There will be a new caller that does not want to do this step,
so this is a wrapper of samdb_confirm_rodc_allowed_to_repl_to_sid_list()
rather than part of it
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 601403504325f2f0e241da0a4eb3e390e73f3c08
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 12:01:12 2021 +1300
CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 8ee6753a6ea782050b5b722ce1ac63a275a94f7c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 11:55:11 2021 +1300
CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
While these checks were not in the NETLOGON case, there is no sense where
an RODC should be resetting a bad password count on either a
UF_INTERDOMAIN_TRUST_ACCOUNT nor a RODC krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit edd3d61feabf2530c9dc2caff98bfbb5f0a2bd1a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 11:38:16 2021 +1300
CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit cdb5690be40f6f6c5e5809783c4a364785f85a6e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 11:09:48 2021 +1300
CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
This will allow the creation of a common helper routine that
takes the token SID list (from tokenGroups or struct auth_user_info_dc)
and returns the allowed/denied result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 4796b0a5c1d3948642d17eef9f72d364f0e29de3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 1 10:47:29 2021 +1300
CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
This is instead of an array of struct dom_sid *.
The reason is that auth_user_info_dc has an array of struct dom_sid
(the user token) and for checking if an RODC should be allowed
to print a particular ticket, we want to reuse that a rather
then reconstruct it via tokenGroups.
This also avoids a lot of memory allocation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 19719003af110c6ed664970cddb353d60805ba91
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 30 14:55:06 2021 +1300
CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit bacb51d0d3acd529de4e3315ed2f04eeac4829d5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 15:07:58 2021 +1300
CVE-2020-25719 heimdal:kdc: Require authdata to be present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2f9245f2a549bd89829d7807ec525c54ff61f8e5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:41:31 2021 +1300
CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0db5c69d2961fbc538b7bd47373f9d00215fd5a2
Author: Andreas Schneider <asn at samba.org>
Date: Mon Aug 9 17:20:31 2021 +0200
CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 01df6559ee6ba86110878da094a3badb50fb75d5
Author: Andreas Schneider <asn at samba.org>
Date: Mon Aug 9 17:19:45 2021 +0200
CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 87a769fc0a9cdc75f2f79f5cc8072efa95ff4437
Author: Andreas Schneider <asn at samba.org>
Date: Fri Aug 6 12:03:49 2021 +0200
CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 41a36191f671d4e7e172da6b50ca07c3530ff561
Author: Andreas Schneider <asn at samba.org>
Date: Mon Aug 9 17:25:53 2021 +0200
CVE-2020-25719 mit_samba: Create the talloc context earlier
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bdf07fc4211a123b2fe914050d2cb221e0c4a55b
Author: Andreas Schneider <asn at samba.org>
Date: Mon Aug 9 17:22:52 2021 +0200
CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
This does the same check as the hdb plugin now. The client check is already
done earlier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 435719185c3c80539eb3041becf1ec18bcd99bac
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 12 14:00:19 2021 +0200
CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2903a50523a80e6de37ff0e052734e9170d147c9
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 12 13:58:57 2021 +0200
CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 61fa866449e1f804b6118ccefdc9cbbc648ed625
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 12 13:12:00 2021 +0200
CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d14a6a8846493438dca2f974a3a5d5e00a414d72
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 12 11:20:29 2021 +0200
CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4ef445a1f37e77df8016d240fcf22927165b8c03
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jul 14 14:51:34 2021 +0200
CVE-2020-25719 mit-samba: Add ks_free_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
[abartlet at samba.org As submitted in patch to Samba bugzilla
to address this issue as https://attachments.samba.org/attachment.cgi?id=16724
on overall bug https://bugzilla.samba.org/show_bug.cgi?id=14725]
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit d0fb22ee85ee4baeba5eec5f7332e752e27765e0
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 12 12:32:12 2021 +0200
CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit deccd0dc5e41a86722e41883bb8788f70797aa5f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 19:18:20 2021 +1300
CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fa4c9bcefdeed0a7106aab84df20b02435febc1f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 11:00:38 2021 +1300
CVE-2020-25719 s4/torture: Expect additional PAC buffers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a461b7d4f8c07b2fc64243c99a2c334ab9e73721
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:09:32 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 26480ba2aa9834a24f1ea11ae3f8e2d7ed0ccfd8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:06:58 2021 +1300
CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7ff05eb8d44ed7bd7d71227ba42f0fddf09cd0ed
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:04:25 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2e1e57fca84ba7c8f68a1a2d64f49f9f2c4b80c0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:19:44 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b8c85fe81c4e95dab1b9a679d0d3e3d27e4f8ed9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:02:08 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 72f82d949a3ee0889f358a586484248f8386b744
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 11:18:36 2021 +1300
CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
If multiple calls to get_tgt() or get_service_ticket() specify different
expected parameters, we want to perform the request again so that the
checking can be performed, rather than reusing a previously obtained
ticket and potentially skipping checks.
It should be fine to cache tickets with the same expected parameters, as
tickets that fail to be obtained will not be stored in the cache, so the
checking will happen for every call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8752b83bb98792579b7705d0ce1bd0fb9321043e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:47:24 2021 +1300
CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 42405aa46be210af0ffdd6ecc9e43e41fc8c4c83
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:51:13 2021 +1300
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 58455c4876113173e682e9b321b8a175779b8a43
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:50:09 2021 +1300
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 40a3f71818b7c9923d31050f05ac24fe7b7f70c4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 27 10:25:08 2021 +1300
CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2158ba1eb0800ba9429a9891d7af47d82985b73d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:12:12 2021 +1300
CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e647186c144748b6e1672cea2ae37c7f93760984
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:08:34 2021 +1300
CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 924f323188774fabbb8fc1a08d24c1be51b37708
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:20:51 2021 +1300
CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit faf47b0b6b6037e2059cb4871c3e99020a3f605a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:15:53 2021 +1300
CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a236e2cc255b98603449e96d7ce94a3e48277c6c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:14:45 2021 +1300
CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9602594585d0a8d5c4fb7bfb419760765b262138
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 21:05:08 2021 +1300
CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 21298ddfc5d8e4d755cfb7c6ae2068386447f538
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:51:46 2021 +1300
CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 383bedd6fddb81cbd6d39c41a5c463f432344f5e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:51:34 2021 +1300
CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dd251f26df6a26b1f6024758ec85ee2df54e6d50
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:47:53 2021 +1300
CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 336dfc32075ed8776378c35506db94c43cce2a88
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:44:45 2021 +1300
CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f4ed37ad6aa0359f4799188d2b1d30571c6b42a6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:33:49 2021 +1300
CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6ec80380dc9372a896f74e95738b01c046411429
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:33:38 2021 +1300
CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2249143fe3dae59648466326c398912d7d61835f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 26 20:56:10 2021 +1300
CVE-2020-25718 tests/krb5: Fix indentation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 72840a972bcd36b7ab5bbe3713f4b05913215651
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 12:20:49 2021 +1300
CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5fe2633b2a8e2d1c38bc61cc0629888c67a7c371
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 21 13:49:28 2021 +1300
CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
Nobody uses it now. It never really did what it said it did. Almost
every use was wrong. It was a trap.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b9962c1e5e481191063e75550757c74e63c38039
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:20:54 2021 +1300
CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
This tightens the logic a bit, in that a message with trailing DELETE
elements is no longer accepted when the bypass flag is set. In any case
this is an unlikely scenario as this is an internal flag set by a private
control in pdb_samba_dsdb_replace_by_sam().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 59201d5424a7de44226562af854d5c8cb923f2a3
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:19:42 2021 +1300
CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ed9ec0b0813e0789d45b21dc3b8d4f02d3fb9834
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 21 12:52:07 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 280c07f58abb257a3dc4ec991dde9fdf26bd40e4
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:18:21 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ecb2c3a80ccdc3d8a1f0d10a8150a27ed9d77209
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:18:10 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d120204012ce3df76c14366c89d5bf1daff33d5d
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:17:50 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4fb4136a84ba98654622ebaff9a1969e17ede5aa
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:17:31 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1e0176cf65342e36973e1624768bdc214799ebe6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:16:34 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 74623b644d61ce02d0f09fe70b2743a790e0375c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:15:43 2021 +1300
CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
dsdb_get_single_valued_attr() was finding the last non-delete element for
userAccountControl and changing its value to the computed value.
Unfortunately, the last non-delete element might not be the last element,
and a subsequent delete might remove it.
Instead we just add a replace on the end.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bdfcea484ef3ba868be185b01206ed29fedb1861
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:15:00 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
There is another call to dsdb_get_expected_new_values() in this function
that we change in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 87382e198f7883dee81ccac769ae54a6700f4f24
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:14:05 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e4762f4c018805e0c3de2d2993a17d90b6683fce
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:13:35 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a73827583e4cc6d28a885508c70975c5f54747b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:12:49 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4d50fe2ff2a163856b5ec11ef9e4b53732056973
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 14:52:49 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
Using dsdb_get_expected_new_values().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c24a41342f03fbfe92b6d45104b7b6b12c916a1e
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:10:44 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
using dsdb_get_expected_new_values().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8abf90a3ef5a9939f4e076a2fa8caa984aa2c412
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Oct 20 17:09:21 2021 +1300
CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
This function collects a superset of all the new values for the specified
attribute that could result from an ldb add or modify message.
In most cases -- where there is a single add or modify -- the exact set
of added values is returned, and this is done reasonably efficiently
using the existing element. Where it gets complicated is when there are
multiple elements for the same attribute in a message. Anything added
before a replace or delete will be included in these results but may not
end up in the database if the message runs its course. Examples:
sequence result
1. ADD the element is returned (exact)
2. REPLACE the element is returned (exact)
3. ADD, ADD both elements are concatenated together (exact)
4. ADD, REPLACE both elements are concatenated together (superset)
5. REPLACE, ADD both elements are concatenated together (exact)
6. ADD, DEL, ADD adds are concatenated together (superset)
7. REPLACE, REPLACE both concatenated (superset)
8. DEL, ADD last element is returned (exact)
Why this? In the past we have treated dsdb_get_single_valued_attr() as if
it returned the complete set of possible database changes, when in fact it
only returned the last non-delete. That is, it could have missed values
in examples 3-7 above.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 13377f0b59e28c7e7b7b6fe922f0b1f1e95042f6
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 16:03:18 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9235617c637a5ba878dd7d30764326ea58f91e46
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 13:14:32 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
Not only should it not be possible to add a servicePrincipalName that
is already present in the domain, it should not be possible to add one
that is implied by an entry in sPNMappings, unless the user is adding
an alias to another SPN and has rights to alter that one.
For example, with the default sPNMappings, cifs/ is an alias pointing to
host/, meaning if there is no cifs/example.com SPN, the host/example.com
one will be used instead. A user can add the cifs/example.com SPN only
if they can also change the host/example.com one (because adding the
cifs/ effectively changes the host/). The reverse is refused in all cases,
unless they happen to be on the same object. That is, if there is a
cifs/example.com SPN, there is no way to add host/example.com elsewhere.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 510378f94a62313777da09efebf4bf737b23cd55
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 15:27:25 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
This only for the real account name, not the account name implicit in
a UPN. It doesn't matter if a UPN implies an illegal sAMAccountName,
since that is not going to conflict with a real one.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 45a4a198b81740fe4d81e6459ca90e004ef99efc
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 13:17:34 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
We already know duplicate sAMAccountNames and UserPrincipalNames are bad,
but we also have to check against the values these imply in each other.
For example, imagine users with SAM account names "Alice" and "Bob" in
the realm "example.com". If they do not have explicit UPNs, by the logic
of MS-ADTS 5.1.1.1.1 they use the implict UPNs "alice at example.com" and
"bob at example.com", respectively. If Bob's UPN gets set to
"alice at example.com", it will clash with Alice's implicit one.
Therefore we refuse to allow a UPN that implies an existing SAM account
name and vice versa.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b6f4d931d088c70c62490fb051ec9ab9f081cd77
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 13:16:30 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit efbf0b77d0050faee15b680e5e908357993d869b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Oct 22 14:12:25 2021 +1300
CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
This takes a string of logic out of samldb_unique_attr_check() that we
are going to need in other places, and that would be very tedious to
repeat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ce2930d2d2ddcb40b6d44852aa3409ad6d64bedf
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Aug 12 21:53:16 2021 +1200
CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
These need to stay a little bit in sync. The reverse comment is there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 11540375af181bf41b24ae38daac51e05253d631
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Aug 6 12:03:18 2021 +1200
CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit df34c11cbc704270eaccb86fabb16132b37a884f
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Mon Sep 13 14:15:09 2021 +1200
CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
Because the sam account name + the dns host name is used as the
default user principal name, we need to check for collisions between
these. Fixes are coming in upcoming patches.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 55752c12cf14b64d981c9a6010ead0fd8d847857
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 28 13:07:01 2021 +1300
CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
We need to have the SPNs there before someone else nabs them, which
makes the re-provisioned old releases different from the reference
versions that we keep for this comparison.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0a555cf097a5a8d38c7b61edaee838dd0973a989
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 28 09:45:36 2021 +1300
CVE-2020-25722 s4/provision: add host/ SPNs at the start
There are two reasons for this. Firstly, leaving SPNs unclaimed is
dangerous, as someone else could grab them first. Secondly, in some
circumstances (self join) we try to add a DNS/ SPN a little bit later
in provision. Under the rules we are introducing for CVE-2020-25722,
this will make our later attempts to add HOST/ fail.
This causes a few errors in samba4.blackbox.dbcheck.* tests, which
assert that revivified old domains match stored reference versions.
Now they don't, because they have servicePrincipalNames.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8cde23709050533c0da898ca0a1072bca0845890
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 1 18:35:02 2021 +1200
CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
It is soon going to be impossible to add duplicate SPNs (short of
going behind DSDB's back on the local filesystem). Our test of adding
SPNs on non-admin users doubled as the test for adding a duplicate (using
--force). As --force is gone, we add these tests on Guest after the SPN
on Administrator is gone.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 72a2c21f3f51d1b56b41c9401419b69b2c916ddf
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Aug 27 11:36:42 2021 +1200
CVE-2020-25722 samba-tool spn add: remove --force option
This did not actually *force* the creation of a duplicate SPN, it just
ignored the client-side check for the existing copy. Soon we are going
to enforce SPN uniqueness on the server side, and this --force will not
work. This will make the --force test fail, and if that tests fail, so
will others that depend the duplicate values. So we remove those tests.
It is wrong-headed to try to make duplicate SPNs in any case, which is
probably why there is no sign of anyone ever having used this option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7243bd7d388db2dfaa2072f92162d5cee770c6ea
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Jul 28 05:38:50 2021 +0000
CVE-2020-25722 samba-tool spn: accept -H for database url
Following the convention and making testing easier
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5a79fca9682fe1962317d100b581de0b7b123153
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Tue Aug 10 23:02:36 2021 +0000
CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c7e3617cc368bc8c36b4b353e827712b08370e16
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Aug 11 16:56:07 2021 +1200
CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b919246c5523a511ad812c35c1a6b0eb4cc56259
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Sun Oct 24 15:18:05 2021 +1300
CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
This makes it easier to convert tests that don't have good messages.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit de24916a82069d4892c052018596e50fdf7e0ca4
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Mon Oct 4 12:56:42 2021 +1300
CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
You can give ldb_err() it a number, an LdbError, or a sequence of
numbers, and it will return the corresponding strings. Examples:
ldb_err(68) # "LDB_ERR_ENTRY_ALREADY_EXISTS"
LDB_ERR_LUT[68] # "LDB_ERR_ENTRY_ALREADY_EXISTS"
expected = (ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
ldb.ERR_INVALID_CREDENTIALS)
try:
foo()
except ldb.LdbError as e:
self.fail(f"got {ldb_err(e)}, expected one of {ldb_err(expected)}")
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2c4aee1145df27f47a1748964ece490d95908ad3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Nov 1 17:21:16 2021 +1300
CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
We should not fail open on error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 42eb5fee22a482bc727dfdc1ad3ba1b123e4239a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Nov 1 17:19:29 2021 +1300
CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
Thankfully we are aleady in a loop over all the message elements in
acl_modify() so this is an easy and safe change to make.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 8da6d0bf6f575166126dc3196155ca3fc9004819
Author: Nadezhda Ivanova <nivanova at symas.com>
Date: Mon Oct 18 14:27:59 2021 +0300
CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute
Validate Writes and Control Access Rights only grant access if the
object is of the type listed in the Right's appliesTo attribute. For
example, even though a Validated-SPN access may be granted to a user
object in the SD, it should only pass if the object is of class
computer This patch enforces the appliesTo attribute classes for
access checks from within the ldb stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6121f31c0e1553194d74de41ea7bcc55364a2612
Author: Nadezhda Ivanova <nivanova at symas.com>
Date: Mon Oct 25 14:54:56 2021 +0300
CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
Validate Writes and Control Access Rights should only grant access if the
object is of the type listed in the Right's appliesTo attribute.
Tests to verify this behavior
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
Signed-off-by: Nadezhda Ivanova <nivanova at symas.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 48e3cf96511607e99c665773b30654c918dfa992
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:49:31 2021 +1300
CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
Without these calls the tests could pass if an expected error did not
occur.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Included in backport as changing ACLs while
ACL tests are not checking for unexpected success would be bad]
commit 62d1cb4c19670b7d5ad24083931c1b644ead5eac
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 14:07:41 2021 +1300
CVE-2020-25722 Add test for SPN deletion followed by addition
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Removed transaction hooks, these do nothing over
remote LDAP]
commit 757f1d20e4bcdef20307607a4501fe920270fd6e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 18:03:04 2021 +0200
CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
This is only ever be called in standalone mode with an MIT realm,
so we don't have a PAC/info3 structure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e8bb009009cd68550db814904399163794e3a84a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 17:59:59 2021 +0200
CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
This code is only every called in standalone mode on a MIT realm,
it means we never have a PAC and we also don't have winbindd arround.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2609e4297e04c93ca5bd1466617c4536faf5be32
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 5 18:12:49 2021 +0200
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
We should be strict in standalone mode, that we only support MIT realms
without a PAC in order to keep the code sane.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3ed0e5b924f77e0f92867cf93892e974e21542e5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 5 17:14:01 2021 +0200
CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
The 'ktest' environment was/is designed to test kerberos in an active
directory member setup. It was created at a time we wanted to test
smbd/winbindd with kerberos without having the source4 ad dc available.
This still applies to testing the build with system krb5 libraries
but without relying on a running ad dc.
As a domain member setup requires a running winbindd, we should test it
that way, in order to reflect a valid setup.
As a side effect it provides a way to demonstrate that we can accept
smb connections authenticated via kerberos, but no connection to
a domain controller! In order get this working offline, we need an
idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
should be the default choice.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 566c2b296dd6826491958bf739673ca7b8d75be5
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 4 19:42:20 2021 +0200
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
This consolidates the code paths used for NTLMSSP and Kerberos!
I checked what we were already doing for NTLMSSP, which is this:
a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3()
d) auth_check_ntlm_password() calls
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
server_returned_info will be passed to auth3_generate_session_info(),
triggered by gensec_session_info(), which means we'll call into
create_local_token() in order to transform auth_serversupplied_info
into auth_session_info.
For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:
a) gensec_generate_session_info_pac() is the function that
evaluates the 'gensec:require_pac', which defaulted to 'no'
before.
b) auth3_generate_session_info_pac() called
wbcAuthenticateUserEx() in order to pass the PAC blob
to winbindd, but only to prime its cache, e.g. netsamlogon cache
and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
- It uses a first part of the tickets principal name (before the @)
as username and combines that with the 'logon_info->base.logon_domain'
if the logon_info (PAC) is present.
- As a fallback without a PAC it's tries to ask winbindd for a mapping
from realm to netbios domain name.
- Finally is falls back to using the realm as netbios domain name
With this information is builds 'userdomain+winbind_separator+useraccount'
and calls map_username() followed by smb_getpwnam() with create=true,
Note this is similar to the make_server_info_info3() => check_account()
=> smb_getpwnam() logic under 3.
- It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
instead of the ip address as rhost.
- It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() calls gets called and triggers this:
- If get_user_from_kerberos_info() mapped to guest, it calls
make_server_info_guest()
- If create_info3_from_pac_logon_info() created a info3 from logon_info,
it calls make_server_info_info3()
- Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
a fallback to make_server_info_pw()
From there it calls create_local_token()
I tried to change auth3_generate_session_info_pac() to behave similar
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:
a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
calls make_server_info_info3(). Note make_server_info_info3()
handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
internally.
c) Similar to auth_check_ntlm_password() we now call
smb_pam_accountcheck(unix_username, rhost), where rhost
is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()
As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
actually no PAC in this mode, which means we can
remove unused and confusing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c4ddf939e0ee2b9ae1af8b2ff8344fc9c7118adf
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 21 12:44:01 2021 +0200
CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bd8d06ff155fb831cd8d487eabfbc69743d12252
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 21 12:27:28 2021 +0200
CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 935feff8e54cef9b379f653a3198a5bbd3a64989
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 11 23:17:19 2021 +0200
CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
We'll require a PAC at the main gensec layer already.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e2d271cb6bcd292f786664f055cde41c32002804
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 5 18:11:57 2021 +0200
CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
on the service account, which can only be explicitly configured,
but that's an invalid configuration!
We still try to support standalone servers in an MIT realm,
as legacy setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[jsutton at samba.org Removed knownfail entries]
commit e2d5b4d709293b52112d078d6fcde95593d790c5
Author: Alexander Bokovoy <ab at samba.org>
Date: Wed Nov 11 18:50:45 2020 +0200
CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.
It means that role won't result in ROLE_STANDALONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 57abb7f8f8884f52f1d194c5c74e067aecd0d3dd
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 4 18:03:55 2021 +0200
CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
We always require a running winbindd on a domain member, so
we should better fail a request instead of silently alter
the behaviour, which results in a different unix token, just
because winbindd might be restarted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 52190982de134fb55abce76def0609651e45012e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 21 13:13:52 2021 +0200
CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
is_allowed_domain() is a central place we already use to
trigger NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, so
we can add additional logic there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8f79ee99a6a3390ccb409ac1b5f543488e7bd784
Author: Ralph Boehme <slow at samba.org>
Date: Fri Oct 8 12:33:16 2021 +0200
CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account") completely
ignoring the domain part, this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!
As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!
For users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().
The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]") mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.
Note: use 'git show -w'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dd0423bfbbce2d9f1f8a62c21cf612e5c755b616
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 18:08:20 2021 +0200
CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
So far we autocreated local user accounts based on just the
account_name (just ignoring any domain part).
This only happens via a possible 'add user script',
which is not typically defined on domain members
and on NT4 DCs local users already exist in the
local passdb anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 28fae9c2215698e465201b6ad27eb9eeb55c906a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 17:40:30 2021 +0200
CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
We should avoid autocreation of users as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4b78ad7346c7128142a65ce6d6625d3d28116882
Author: Samuel Cabrero <scabrero at samba.org>
Date: Tue Sep 28 10:45:11 2021 +0200
CVE-2020-25717: s3:auth: Check minimum domain uid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Removed knownfail on advice from metze]
commit 97d54027910b7d3fa04bd6c1b72448a85cdf5d7c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 19:57:18 2021 +0200
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
Mapping everything to ACCESS_DENIED makes it hard to debug problems,
which may happen because of our more restrictive behaviour in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 14b9f905da196e4e1904e4d4b0dec6192e76ab61
Author: Samuel Cabrero <scabrero at samba.org>
Date: Tue Oct 5 16:56:06 2021 +0200
CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Fixed knowfail per instruction from metze]
commit 6771b2f211f6f5ae08d94a75afb7c6109f65497d
Author: Samuel Cabrero <scabrero at samba.org>
Date: Tue Oct 5 12:31:29 2021 +0200
CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
This environment creates an AD member that doesn't have
'nss_winbind' configured, while winbindd is still started.
For testing we map a DOMAIN\root user to the local root
account and unix token of the local root user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b39b698cdac9ef97d018d6f02d59493ec5bff6e6
Author: Samuel Cabrero <scabrero at samba.org>
Date: Tue Sep 28 10:43:40 2021 +0200
CVE-2020-25717: loadparm: Add new parameter "min domain uid"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 79a6616cbe723a2bc05084b90298745143a76a7c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 27d20fc335c5df53bf6780d6296f1e4aef277311
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s3:auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4cda41677ccb6d68289bafdf4d486e85b6beb2a7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s3:rpcclient: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cc32b2464a74ecd8a53460eba3523296fa31e943
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s3:torture: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cc6d63100cdfad10cd1a17e111b7d3012d796098
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 76ec5f94091095bb1736a4582696ef6c4b37654c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s4:auth_simple: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9a2351581416223a4486c33378f430f510a03db4
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s4:smb_server: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6aedd965e167c46ab7e42e35268574e18a97fd51
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 26 17:42:41 2021 +0200
CVE-2020-25717: s4:torture: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0e23000f27823243ad797eb39581f83c3ad50b2b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 4 17:29:34 2021 +0200
CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 05587361498ae8131435aca2d8c860e98f605581
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 4 17:29:34 2021 +0200
CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b4ea50f8b272a3b1d1d9d9ceda3641c22a082604
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 10:27:41 2021 +1300
CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9b16272d2879812011c5642019fd33ae72a6b91
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 22 16:20:36 2021 +0200
CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
[jsutton at samba.org Added knownfail entries]
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9fe1b719e1b35ae4053cbb13f29f76f4b2f950ef
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 24 17:11:24 2021 +0200
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if
no PAC is available.
For now we want to look for ACCESS_DENIED as this allows
the test to pass (showing that gensec:require_pac = true
is a useful partial mitigation).
This will also help others doing backports that do not
take the full patch set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 903ab1a02776504ba3b4eb59470cfb8bdf4f2a90
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 21 16:46:56 2021 +1300
CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 24be204834889fca3f963ac4fee503a6ecbef439
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 28 16:20:07 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3af0c36a06354bae9737dad37a341d3c120a1aba
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 21 11:45:23 2021 +1300
CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7f7476b08cb3eb8ec3d9c1c5b6903a2d6e79b6a8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 19 20:02:45 2021 +1300
CVE-2020-25719 tests/krb5: Add principal aliasing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 48e5154de645daa168c6b79467abfd977f72277e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 19 14:39:36 2021 +1300
CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bd87905cf1bc014729ac72e8f1462ba10533efa9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 15:02:39 2021 +1300
CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3f7b971d3762b6f3a1e934a99f1b25365f7b6a54
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 13 16:07:09 2021 +1300
CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 89c88a83dafca26d09a374aa410066113467547a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 21 15:45:00 2021 +1300
CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4125650a27c3be0f43f873843821751010090010
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 22 11:37:37 2021 +1300
CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 873ac6d814c814fdf2088745dbd562cd91caddd3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 22 11:37:31 2021 +1300
CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
This allows us to use get_tgt() and get_service_ticket() to obtain
tickets, which simplifies the logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 23dc0cbd53e16f0450204aa3a0eb971d1215bc5a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 21 16:46:23 2021 +1300
CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4ac05264a762de8d3673b91d1ceb84b1f1703936
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 15:48:20 2021 +1300
MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dbedf5b6e26cd6ed7ba18a96797f9bd610161a49
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 19 15:02:10 2021 +1300
CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4a792ad92d6f7319f3272b38e32e281b55d76f70
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 16:53:22 2021 +1300
CVE-2020-25719 tests/krb5: Add is_tgt() helper method
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 43df8d0b2ea539f031ff0226dbd78470b9c4f569
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:40:09 2021 +1300
CVE-2020-25722 tests/krb5: Allow creating server accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 06168fd4e3d1b1ea7fdcb6a42f1c721ba7340475
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 15:00:38 2021 +1300
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ff6631ecdcb7f0f6455d83e905647dc5aacee51d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 14:59:01 2021 +1300
CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f7f49db72223478b64f1d2aa07a160737f95629a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 15:48:35 2021 +1300
CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 558f440f2060934d39bd1b6297e554f47fc44e8c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 27 11:20:19 2021 +1300
CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit ccd94963bd3c0600e1b6ae6b94e01fb5d2cbca9e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 23:41:23 2021 +1300
CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
This new restriction breaks a large number of assumptions in the tests, like
that you can remove some UF_ flags, because it turns out doing so will
make the 'computer' a 'user' again, and this will fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b001f91668a17e128e709d8e548d053091e5337b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 22:54:52 2021 +1300
CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
This favors a test that confirms we got an error over getting exactly
the right error, at least for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit adfae12584c8af82624bdbd2461d1fdc404e320a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 22:40:06 2021 +1300
CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 56eff305cff77d5e642eba5e6dc2457285f483b8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 15:42:46 2021 +1300
CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
Objects of objectclass computer are computers by default now and this changes
the sAMAccountType and primaryGroupID as well as userAccountControl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 66986eefc656988bc04922706f105dedcd0d45f7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 15:19:19 2021 +1300
CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 6c03fb656d493f026684934cd320fa6d2a7cbfbf
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 15:14:28 2021 +1300
CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 756f116b0ecb5a38664782d5113be944b70e9167
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 15:06:14 2021 +1300
CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
We now enforce that a trust account must be a user.
These can not be added over LDAP anyway, and our C
code in the RPC server gets this right in any case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 4150264ce0b50f01c52dd67f6cbbf5d3dab9d69e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 14:03:05 2021 +1300
CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
The parts that create and delete a single object can be
safely split out into an individual test.
At this point the parts that fail against Windows 2019 are:
error: __main__.SamTests.test_userAccountControl_computer_add_normal [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_computer_modify [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_add_0_uac [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_add_normal [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_modify [
_ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 0b06e9a5a58c240a38be498ed9a7c8a63cfaa38b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 13:02:42 2021 +1300
CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 55cc9324b48ac981ae3bd716aab3e28a7075e30a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 21 11:57:22 2021 +1300
CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
Objects with objectclass computer now have UF_WORKSTATION_TRUST_ACCOUNT
by default and so this test must adapt.
The changes to this test passes against Windows 2019 except for
the new behaviour around the UF_WORKSTATION_TRUST_ACCOUNT default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 53d0e5d31e0f50d632771d835a5f97ce266eb4ba
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 22 11:29:02 2021 +1200
CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit adf628000fb597ef530dfe4f8d673f40a82b76ef
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 22 11:28:05 2021 +1200
CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
This makes the code less indented and simpler to understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit c77f9cbaee0fd2483be20d2d695f88cd3af37c16
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 16:18:51 2021 +1300
CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
This makes many of our tests pass again. We do not pass against Windows 2019 on all
as this does not have this restriction at this time.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit dc08915834a8beed960328a62ecea88aa95f941d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 28 14:47:30 2021 +1300
CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit a00c525a4e01342ee8b9ec8441994ad27bffb254
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 16:07:46 2021 +1300
CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
There are a lot of knownfail entries added with this commit. These
all need to be addressed and removed in subsequent commits which
will restructure the tests to pass within this new reality.
The restriction is not applied to users with administrator rights,
as this breaks a lot of tests and provides no security benefit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 6a8f03c52746bc5e55caf40d4a57838a84808269
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 29 23:33:32 2021 +1300
CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9c3259e5030deee1838a5e9da43842ce5954c0d0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 15:42:08 2021 +1300
CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC
This helps ensure we cover off all the cases that matter
for objectclass/trailing-doller/userAccountControl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit e5b94eea6a9d78b53ec34eb32d8ab5c94d78d151
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 16 08:46:42 2021 +1200
CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
There are a lot of knownfail entries added with this commit. These
all need to be addressed and removed in subsequent commits which
will restructure the tests to pass within this new reality.
This default applies even to users with administrator rights,
as changing the default based on permissions would break
to many assumptions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 755e8a53ce041cc3e448fb0579b430db847bd0a0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 17 13:41:40 2021 +1200
CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
This will allow these to be listed in a knownfail shortly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 63eb24f0925f0a3d117fc5eb2dc728a5af121f6a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 20 14:54:03 2021 +1200
CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
This allows future patches to restrict changing the account type
without triggering an error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 0d804cfd07789c6bcd8c252756ead99e92bceb1b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 20 12:35:51 2021 +1200
CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
This allows for any failures here to be handled via the knownfail system.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 23983fb50b475b74eea8571e0d9c7923fd2ca76e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 13 10:21:03 2021 +1200
CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
The idea here is to split out the restrictions seen on Windows 2019
at the schema level, as seen when acting as an administrator.
These pass against Windows 2019 except for the account type swapping
which is not wanted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 2bdff65b333365740e5e9c8c2b2fc176323f5108
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 13 20:34:54 2021 +1200
CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f478aecc45efb56868bc7cec216f33e5db7ccf18
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 13 17:42:23 2021 +1200
CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
The remaining failures in the priv_attrs (not the strict one) test are
due to missing objectclass constraints on the administrator which should
be addressed, but are not a security issue.
A better test for confirming constraints between objectclass and
userAccountControl UF_NORMAL_ACCONT/UF_WORKSTATION_TRUST values would
be user_account_control.py.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 9ef9746bca73a939ad04b1df07caeb70921bc3de
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 12 11:10:09 2021 +1200
CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
This allows the add of an RODC, before setting the password, to avoid
this module, which helps isolate testing of security around the
msDS-SecondaryKrbTgtNumber attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 93e5902369c22d625fa2e48b3eafe043dc17e3ba
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 10 22:31:02 2021 +1200
CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
This, except for where we choose to disagree, does pass
against Windows 2019.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f4cad8b2bc34ecf535deab8979a6e5f6b22233ff
Author: David Disseldorp <ddiss at samba.org>
Date: Mon Nov 8 12:11:17 2021 +0100
smbd: check lp_load_printers before reload via NetShareEnum
api_RNetShareEnum() unconditionally attempts to reload printers via
delete_and_reload_printers(). Add a lp_load_printers() check to
obey smb.conf "load printers = off" settings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14895
Reported-by: Nate Stuyvesant <nstuyvesant at gmail.com>
Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Nov 8 13:27:40 UTC 2021 on sn-devel-184
commit 80115f9be1b21dfc92e3e23fd624decb1a5496f5
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 4 09:31:08 2021 +0100
gitlab-ci: Add Fedora 35 and drop Fedora 33
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri Nov 5 12:36:55 UTC 2021 on sn-devel-184
commit e556b4067e0c4036e20fc26523e3b4d6d5c6be42
Author: Andreas Schneider <asn at samba.org>
Date: Thu Oct 7 15:55:37 2021 +0200
waf: Fix resolv_wrapper with glibc 2.34
With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
anymore. The res_* symbols have been moved from libresolv to libc. We are not
able to intercept any traffic inside of libc.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit e9495d2ed28a26899dc3dd77bdfe56e284980218
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 4 22:22:44 2021 +0100
s3-winexe: Fix winexe core dump (use-after-free)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14893
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Fri Nov 5 11:43:57 UTC 2021 on sn-devel-184
commit 1fce72f796e44e9d7fc40f8f8052d08b5e0b2ec2
Author: David Mulder <dmulder at suse.com>
Date: Thu Nov 4 08:42:06 2021 -0600
samba-tool: Add domain member leave
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Rowland Penny <rpenny at samba.org>
Autobuild-User(master): David Mulder <dmulder at samba.org>
Autobuild-Date(master): Thu Nov 4 20:43:32 UTC 2021 on sn-devel-184
commit 8082e2eb7e33c0993135791c03823886f5aa8496
Author: Ralph Boehme <slow at samba.org>
Date: Fri Oct 29 22:03:42 2021 +0200
lib/dbwrap: reset deleted record to tdb_null
This allows the calling the following sequence of dbwrap functions:
dbwrap_delete_record(rec);
data = dbwrap_record_get_value(rec);
without triggering the assert rec->value_valid inside dbwrap_record_get_value().
Note that dbwrap_record_storev() continues to invalidate the record, so this
change somewhat blurs our semantics.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14882
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Nov 4 19:49:47 UTC 2021 on sn-devel-184
commit 1fa006f1f71cce03d92e76efda3ff055aae4eb91
Author: Ralph Boehme <slow at samba.org>
Date: Fri Oct 29 06:27:38 2021 +0200
CI: add a test for bug 14882
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14882
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c1470b120bb75ea73ba90dc83ab7efcbb733b1a7
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Oct 5 08:52:32 2020 +0200
s3/libsmb: check for global parametric option "libsmb:client_guid"
Useful in test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14882
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 141f3f5f9a5ef556cc7864b2afbf8ad48b7ebe77
Author: Jeremy Allison <jra at samba.org>
Date: Wed Nov 3 19:02:36 2021 -0700
s3: smbd: Ensure in the directory scanning loops inside rmdir_internals() we don't overwrite the 'ret' variable.
If we overwrite with ret=0, we return NT_STATUS_OK even when we goto err.
This function should be restructured to use NT_STATUS internally,
and make 'int ret' transitory, but that's a patch for another
time.
Remove knownfail.
BUG: BUG: https://bugzilla.samba.org/show_bug.cgi?id=14892
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Nov 4 09:10:27 UTC 2021 on sn-devel-184
commit adfad6390962022277cc6aacaa388af86e46b71c
Author: Jeremy Allison <jra at samba.org>
Date: Wed Nov 3 16:50:10 2021 -0700
s3: smbtorture3: Add test for setting delete on close on a directory, then creating a file within to see if delete succeeds.
Exposes an existing problem where "ret" is overwritten
in the directory scan.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14892
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b919798f5758e3284ff7f6f7402312c0a4b24d03
Author: Ralph Boehme <slow at samba.org>
Date: Wed Nov 3 14:40:01 2021 +0100
smbd: early out in is_visible_fsp()
This is used in a hot codepath (directory enumeration) so we should avoiding the
string comparisions by adding an early exit.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Nov 3 17:33:00 UTC 2021 on sn-devel-184
commit 3cb9f8f5ff29c14e117b57896c4540cc66510a1a
Author: Ralph Boehme <slow at samba.org>
Date: Tue Nov 2 05:34:59 2021 +0100
vfs_fruit: remove a fsp check from ad_fset()
This comes from times before we had pathref fsps. Back then if you wanted to
check if fsp->fh->fd contained a valid value != -1, you'd also first check that
the passed in fsp and fsp->fh are non NULL. With pathref fsps we don't need this
anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14890
RN: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit bbdcd66c048fee39629aeff450b50d049806e2f7
Author: Jeremy Allison <jra at samba.org>
Date: Tue Nov 2 10:44:44 2021 -0700
s3: smbd: dirfsp is being used uninitialized inside rmdir_internals().
Not caught be the tests in bugs 14878, 14879 as can_delete_directory_fsp()
doesn't have the same bug.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14892
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Nov 3 14:33:49 UTC 2021 on sn-devel-184
commit a8a0667263dc635d67da3ca3f48b46f71ca12289
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Thu Oct 21 15:01:48 2021 +0200
s3:librpc: Improve calling of krb5_kt_end_seq_get()
Remove indentation with early return, best reviewed with
git show -b
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Nov 3 08:36:00 UTC 2021 on sn-devel-184
commit 5199eb14123b26b02d3a4d10d514b37688f9b580
Author: David Mulder <dmulder at suse.com>
Date: Thu Oct 14 15:36:52 2021 -0600
gp: Apply Firewalld Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Nov 1 21:16:43 UTC 2021 on sn-devel-184
commit cd73e4101347f1e3c1bb865f9a9c361b3771fd34
Author: David Mulder <dmulder at suse.com>
Date: Tue Oct 12 12:54:09 2021 -0600
gp: Test Firewalld Group Policy Apply
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d3eb2a5de91c7c57fe07d983722c7c21e927ddde
Author: David Mulder <dmulder at suse.com>
Date: Wed Oct 6 12:46:26 2021 -0600
gp: Add Firewalld ADMX templates
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 494eb0c22a67f0a9672a53f8941ad6fecf291a77
Author: Martin Schwenke <martin at meltin.net>
Date: Sun Oct 31 11:59:30 2021 +1100
debug: Add new smb.conf option "debug syslog format"
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Nov 1 07:29:47 UTC 2021 on sn-devel-184
commit 5e1e9d74ab6f59a62ac8dae3239299a0ef334708
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Oct 28 19:05:19 2021 +1100
debug: Add debug_syslog_format setting
Without debug_hires_timestamp this produces a syslog style header
containing:
"MON DD HH:MM:SS HOSTNAME PROGNAME[PID] "
With debug_hires_timestamp this produces a syslog style header
containing:
"RFC5424-TIMESTAMP HOSTNAME PROGNAME[PID] "
All other settings are ignored.
This will be made visible via smb.conf in a subsequent commit.
This commit adds some simple hostname handling. It avoids using
get_myname() from util.c because using that potentially pulls in all
manner of dependencies. No real error handling is done. In the worst
case debug_set_hostname() sets the hostname to a truncated version of
the given string. Similarly, in an even weirder world,
ensure_hostname() sets the hostname to a truncation of "unknown".
Both of these are unlikely in all reasonable cases.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit be3a47e22ad6be204f4a7d6070f82f990c17e6fb
Author: Andrew Walker <awalker at ixsystems.com>
Date: Thu Oct 28 16:01:42 2021 -0400
s3:modules:recycle - fix crash in recycle_unlink_internal
Original logic for separating path from base name assumed
that we were using same string to determine offset when
getting the parent dir name (smb_fname->base_name).
Simplify by using parent_dirname() to split the path
from base name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14888
Signed-off-by: Andrew Walker <awalker at ixsystems.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Oct 30 04:34:53 UTC 2021 on sn-devel-184
commit 14f56750fcf51a1d6daa14da08b34eb789241a23
Author: eaglegai <eaglegai at 163.com>
Date: Thu Oct 28 21:51:13 2021 +0800
fix undefined-shift in put_res_rec fuzz error: ../../source3/libsmb/nmblib.c:451:4: runtime error: left shift of 65312 by 16 places cannot be represented in type 'int'
Author: eaglegai <eaglegai at 163.com>
Signed-off-by: eaglegai <eaglegai at 163.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Oct 29 20:29:26 UTC 2021 on sn-devel-184
commit 0b818c6b77e972626d0b071bebcf4ce55619fb84
Author: Jeremy Allison <jra at samba.org>
Date: Mon Oct 25 12:42:02 2021 -0700
s3: docs-xml: Clarify the "delete veto files" paramter.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Oct 29 14:57:14 UTC 2021 on sn-devel-184
commit e9ef970eee5eca8ab3720279c54098e91d2dfda9
Author: Jeremy Allison <jra at samba.org>
Date: Mon Oct 25 12:36:57 2021 -0700
s3: smbd: Fix logic in can_delete_directory_fsp() to cope with dangling symlinks.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 26fecad2e66e91a3913d88ee2e0889f266e91d89
Author: Jeremy Allison <jra at samba.org>
Date: Mon Oct 25 12:32:29 2021 -0700
s3: smbd: Fix logic in rmdir_internals() to cope with dangling symlinks.
Still need to add the same logic in can_delete_directory_fsp()
before we can delete the knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit a37d16e7c55f85e3f2c9c8614755ea6307092d5f
Author: Jeremy Allison <jra at samba.org>
Date: Mon Oct 25 12:21:37 2021 -0700
s3: smbd: Fix rmdir_internals() to do an early return if lp_delete_veto_files() is not set.
Fix the comments to match what the code actually does. The
exit at the end of the scan directory loop if we find a client
visible filename is a change in behavior, but the previous
behavior (not exist on visible filename, but delete it) was
a bug and in non-tested code. Now it's testd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f254be19d6501a4f573843af97963e350a9ee2ed
Author: Jeremy Allison <jra at samba.org>
Date: Mon Oct 25 12:02:43 2021 -0700
s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling symlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 295d7d026babe3cd5123d0f53adcb16868907f05
Author: Jeremy Allison <jra at samba.org>
Date: Mon Oct 25 12:01:58 2021 -0700
s3: VFS: streams_depot. Allow unlinkat to cope with dangling symlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 942123b95923f35a32df4196a072a3ed3468396a
Author: Jeremy Allison <jra at samba.org>
Date: Thu Oct 21 16:37:27 2021 -0700
s3: smbd: Add two tests showing the ability to delete a directory containing a dangling symlink over SMB2 depends on "delete veto files" setting.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 73de1194c3c429ab93d722a852aa4f54213b112a
Author: Jeremy Allison <jra at samba.org>
Date: Thu Oct 21 16:18:24 2021 -0700
s3: smbd: Fix recursive directory delete of a directory containing veto file and msdfs links.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ad0082d79a681b981154747dcde5713e1933b88f
Author: Jeremy Allison <jra at samba.org>
Date: Thu Oct 21 15:06:20 2021 -0700
s3: smbd: Add two tests showing recursive directory delete of a directory containing veto file and msdfs links over SMB2.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 866c16332771d2c111534a64374fe18646a19ce3
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Tue Oct 26 09:20:32 2021 +0200
editorconfig: Heimdal has mixed spaces and tabs with different width
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri Oct 29 10:16:15 UTC 2021 on sn-devel-184
commit 7f6f4777b4081dbfcd875bf6dcbbab03a1fa413d
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Thu Oct 28 10:50:30 2021 +0200
third_party: Update pam_wrapper to version 1.1.4
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Oct 28 19:03:04 UTC 2021 on sn-devel-184
commit 6ed71ad7e6aa98a34cfde95d7d62c46694d58469
Author: Ralph Boehme <slow at samba.org>
Date: Tue Oct 5 15:10:33 2021 +0200
lib: handle NTTIME_THAW in nt_time_to_full_timespec()
Preliminary handling of NTTIME_THAW to avoid NTTIME_THAW is passed as some
mangled value down to the VFS set timestamps function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
RN: Avoid storing NTTIME_THAW (-2) as value on disk
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0659069f8292996be475d407b53d161aa3f35554
Author: Ralph Boehme <slow at samba.org>
Date: Thu Oct 28 12:55:39 2021 +0200
torture: add a test for NTTIME_FREEZE and NTTIME_THAW
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 194faa76161a12ae1eae2b471d6f159d97ef75a8
Author: Ralph Boehme <slow at samba.org>
Date: Thu Oct 28 10:18:54 2021 +0200
lib: add a test for null_nttime(NTTIME_THAW)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5503bde93bddf3634b183e665773399c110251d4
Author: Ralph Boehme <slow at samba.org>
Date: Thu Oct 28 10:18:17 2021 +0200
lib: update null_nttime() of -1: -1 is NTTIME_FREEZE
NTTIME_FREEZE is not a nil sentinel value, instead it implies special, yet
unimplemented semantics. Callers must deal with those values specifically and
null_nttime() must not lie about their nature.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e2740e4868f2a49877a86a8666d26226b5657317
Author: Ralph Boehme <slow at samba.org>
Date: Thu Oct 28 10:17:01 2021 +0200
lib: use NTTIME_FREEZE in a null_nttime() test
No change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d84779302cc54a7b84c05ccc458e04b27fd142f4
Author: Ralph Boehme <slow at samba.org>
Date: Wed Oct 27 17:02:48 2021 +0200
lib: fix null_nttime() tests
The test was checking -1 twice:
torture_assert(tctx, null_nttime(-1), "-1");
torture_assert(tctx, null_nttime(-1), "-1");
The first line was likely supposed to test the value "0".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f73aff502cadabb7fe6b94a697f0a2256d1d4aca
Author: Ralph Boehme <slow at samba.org>
Date: Tue Oct 5 15:10:10 2021 +0200
lib: add NTTIME_THAW
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 16d43ccfddf0e67a0ae87e3f13b3114c858d64ac
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Wed Oct 27 13:45:15 2021 +0200
lib:cmdline: Fix -k option which doesn't expect anything
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14846
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Oct 28 13:23:34 UTC 2021 on sn-devel-184
commit 5c6640470aa845780fbf17961e67b0d9302c2fbc
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Wed Oct 27 15:30:20 2021 +0200
testprogs: Use new cmdline option for kerberos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14846
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 2be0a19d44879788c70bef51df86db0deab8bc9e
Author: David Mulder <dmulder at suse.com>
Date: Tue Oct 26 08:46:24 2021 -0600
Revert "samba-tool: Pick local host if calling samba-tool from DC"
This reverts commit 7c9195e28bc51ac375d609f8306db2456f348167.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): David Mulder <dmulder at samba.org>
Autobuild-Date(master): Tue Oct 26 16:00:28 UTC 2021 on sn-devel-184
commit 7c9195e28bc51ac375d609f8306db2456f348167
Author: David Mulder <dmulder at suse.com>
Date: Mon Oct 25 08:49:35 2021 -0600
samba-tool: Pick local host if calling samba-tool from DC
It is reasonable to assume, that if we are running a command from a DC,
that a user expects that the command will run against this DC.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Rowland Penny <rpenny at samba.org>
Autobuild-User(master): David Mulder <dmulder at samba.org>
Autobuild-Date(master): Tue Oct 26 14:23:42 UTC 2021 on sn-devel-184
commit 5a75212b60b8d90e63e6ff048fda4f00ad6ff94a
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Mon Oct 25 14:29:56 2021 +0200
Revert "gp: Add Firewalld ADMX templates"
This reverts commit 7253405c35247dff192e86598b18d524e1602818.
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: David Mulder <dmulder at suse.com>
Autobuild-User(master): David Mulder <dmulder at samba.org>
Autobuild-Date(master): Mon Oct 25 15:04:18 UTC 2021 on sn-devel-184
commit db34188246c571bde2f8cb71a643852220bbdabf
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Mon Oct 25 14:29:41 2021 +0200
Revert "gp: Test Firewalld Group Policy Apply"
This reverts commit 8f347449190c698ec4d2720bbf6ffced853ef797.
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: David Mulder <dmulder at suse.com>
commit cd5f5199131433640dd2f275d388f82930c3d81b
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Mon Oct 25 14:29:20 2021 +0200
Revert "gp: Apply Firewalld Policy"
This reverts commit 9ac2d5d991d16d1957c720fcda3ff6a9ac78dc13.
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: David Mulder <dmulder at suse.com>
commit c174e9ebe715aad6910d53c1f427a0512c09d651
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 21 16:46:56 2021 +1300
tests/krb5: Check account name and SID in PAC for S4U tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Oct 25 09:23:35 UTC 2021 on sn-devel-184
commit 9ac2d5d991d16d1957c720fcda3ff6a9ac78dc13
Author: David Mulder <dmulder at suse.com>
Date: Thu Oct 14 15:36:52 2021 -0600
gp: Apply Firewalld Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
commit 8f347449190c698ec4d2720bbf6ffced853ef797
Author: David Mulder <dmulder at suse.com>
Date: Tue Oct 12 12:54:09 2021 -0600
gp: Test Firewalld Group Policy Apply
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
commit 7253405c35247dff192e86598b18d524e1602818
Author: David Mulder <dmulder at suse.com>
Date: Wed Oct 6 12:46:26 2021 -0600
gp: Add Firewalld ADMX templates
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
commit 5094d986b7686f057195dcb10764295b88967019
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 10:50:36 2021 +1300
lib/krb5_wrap: Fix missing error check in new salt code
CID 1492905: Control flow issues (DEADCODE)
This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184
commit 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 19 16:01:36 2021 +1300
dsdb: Allow special chars like "@" in samAccountName when generating the salt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
commit 46039baa81377df10e5b134e4bb064ed246795e4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:46:36 2021 +1300
tests/krb5: Add tests for account salt calculation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 25bdf4c994e4fdb74abbacb1e22237f3f2cc37fe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:45:47 2021 +1300
tests/krb5: Fix account salt calculation to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 889476d1754f8ce2a41557ed3bf5242c1293584e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:45:08 2021 +1300
tests/krb5: Allow specifying the UPN for test accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f4785ccfefe7c89f84ad847ca3c12f604172b321
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:44:19 2021 +1300
tests/krb5: Allow creating machine accounts without a trailing dollar
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 7e39994ed341883ac4c8c257220c19dbf70c7bc5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:41:39 2021 +1300
tests/krb5: Allow specifying prefix or suffix for test account names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a5a6296e57cab2b53617d997c37b4e92d4124cc7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:39:05 2021 +1300
tests/krb5: Decrease length of test account prefix
This allows us more room to test with different account names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 5 16:42:00 2021 +0200
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
This is much more flexible and concentrates the logic in a single place.
We'll use winbindd => "offline" in other places soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d998f7f8df215866ab32e05be772e24fc0b2131c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 18:04:55 2021 +0200
selftest/Samba3: remove unused close(USERMAP); calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5d8e794551b5df835f07e2bd8348fef746144601
Author: Andreas Schneider <asn at samba.org>
Date: Mon Oct 4 13:02:35 2021 +0200
waf: Allow building with MIT KRB5 >= 1.20
gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
105 | typedef bool_t (*xdrproc_t)();
| ^~~~~~~
This can't be fixed, as the protoype is variadic. It can take up to three
arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 459200caba04fd83ed650b9cdfe5b158cf9a149f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 11:55:14 2021 +1300
selftest: Improve error handling and perl style when setting up users in Samba4.pm
This catches errors and avoids using global varibles (the old
style file handles are global).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 2c0658d408f17af2abc223b0cb18d8d33e0ecd1a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 20:44:54 2021 +1300
selftest: Remove duplicate setup of $base_dn and $ldbmodify
These are already set up to the same values above for the full
DC and correct values for the (strange) s4member environment.
By not setting $base_dn again we avoid an error once we start
checking for them.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d4a75eead058879b11c8a0901d7277052123d13b
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Aug 20 11:26:02 2021 +1200
pytest: s3_net_join: avoid name clash
The net_join test uses "NetJoinTest" (and doesn't properly clean up),
we must use a unique name for this test in s3_net_join.py.
[abartlet at samba.org The hilarious naming conventions come from a time when samba-tool
was known as "net" in the s4 branch]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 49306f74eb29a2192019fab9260f9d242f9d5fd9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:40:09 2021 +1300
selftest: krb5 account creation: clarify account type as an enum
This makes the code clearer with a symbolic constant rather
than a True/False boolean.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit aacb18f920349e13b562c7c97901a0be7b273137
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Aug 6 11:08:10 2021 +1200
pytest: dynamic tests optionally add __doc__
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 6292f0597f208d7953382341380921cf0fd0a8a8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 16:27:40 2021 +1200
selftest: Increase account lockout windows to make test more realiable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit a169e013e66bab15e594ce49b805edebfcd503cf
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 8 17:01:26 2021 +1200
pytest/rodc_rwdc: try to avoid race.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 7e961f3f7a815960ae25377d5b7515184d439690
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: Wed Aug 10 23:31:14 2016 +0000
HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
(similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184
commit 83a654a4efd39a6e792a6d49e0ecf586e9bc53ef
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 16:07:11 2021 +1300
tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
commit cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 16:05:19 2021 +1300
tests/krb5: Ensure PAC is not present if expect_pac is false
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 031a8287642e3c4b9d0b7c6b51f3b1d79b227542
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 16:00:45 2021 +1300
kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped not to given an error if the PAC was still
present.
Tested against Windows 2019
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 92e8ce18a79e88c9b961dc20e39436c4cf653013
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 15:21:50 2021 +1300
kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 8a607e7577a259ae8a786f436241b41b6cc6c884
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 16 16:08:29 2018 +0200
netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't ignore result
This is a low level function that should not ignore results.
If the caller doesn't care it's his choice.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Oct 19 20:20:00 UTC 2021 on sn-devel-184
commit dd07bb81bb9a570b321bb2e5adab42546736ff9f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 28 22:24:32 2021 +0200
libcli/smb: use MID=0 for SMB2 Cancel with ASYNC_ID and legacy signing algorithms
We can only assume that servers with support for AES-GMAC-128 signing
will except an SMB2 Cancel with ASYNC_ID and real MID.
This strategy is also used by Windows clients, because
some vendors don't cope otherwise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14855
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Oct 19 19:23:39 UTC 2021 on sn-devel-184
commit 04f188f4d573f0138b75f26d1c18d98329a3446e
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Oct 19 11:00:22 2021 +1100
bootstrap: Debian 11 has liburing-dev
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14872
Signed-off-by: Martin Schwenke <martin at meltin.net>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Oct 19 09:14:10 UTC 2021 on sn-devel-184
commit c901adaa0d4526deff550806e49976d686122674
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Oct 14 14:50:41 2021 +1100
bootstrap: Add Debian 11
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14872
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Oct 18 17:19:17 UTC 2021 on sn-devel-184
commit 9d3a691920205f8a9dc05d0e173e25e6a335f139
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:29:26 2021 +1300
tests/krb5: Add tests for requesting a service ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
commit 288355896a2b6f460c42559ec46ff980ab57782e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:27:25 2021 +1300
tests/krb5: Add method to get the PAC from a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0dc69c1327f72384628a869a00482f6528b8671b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:27:15 2021 +1300
tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e086c6193f6da6fcb5d0bcada2199e9bc7ad25f5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:26:40 2021 +1300
tests/krb5: Allow get_tgt() to request including or omitting a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d23d8e859357b0fac4d1f4a49f1dce6cf60d6216
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 12:12:30 2021 +1300
heimdal:kdc: Fix ticket signing without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a7ad665e65f0701eb75cac5bc10a366ccd9689f4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 15 13:09:20 2021 +1300
selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
The previous commit was correct on intention, but it was not noticed
as there is a race, that the incorrect rule was appended to.
These links are removed by remove_plausible_deleted_DN_links not
fix_all_old_dn_string_component_mismatch
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184
commit ce3d33f4c141afdfa3fbe9fe26835dc32ef95fe0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 15 08:22:17 2021 +1300
gitlab-ci: Do not download artifacts of unrelated builds
This needs: is overridden in many cases, but ensures none of the other
main jobs start until this build finishes. However this also
ensures we do not download artifacts from any build unless we
specifically depend on it, saving bandwidth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 1cdf8493b5a43a084b5004e5c2667b9dd9e31d91
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 14 20:24:49 2021 +1300
gitlab-ci: Do not retry for job_execution_timeout
If we timeout, we should just stop at 2 hours, not waste 6 hours (3 x 2 hours).
This is for when the job runs long for any reason, currently the
reasons for a timeout are not transient, we need to either change
the timeout or fix the system. Likewise if the tests get into a loop
or deadlock we want to see that as a failure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 1d3e118f6f2274a67cdb8141dc8dade0c571c8f5
Author: Jeremy Allison <jra at samba.org>
Date: Wed Oct 13 09:46:07 2021 -0700
s3: smbspool. Remove last use of 'extern char **environ;'.
This should come from lib/replace/replace.h to cope with
system (MacOSX etc.) differences.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Oct 14 19:51:59 UTC 2021 on sn-devel-184
commit f6adfefbbb41b9100736134d0f975f1ec0c33c42
Author: Nicolas Williams <nico at twosigma.com>
Date: Sun Oct 10 21:55:59 2021 -0500
krb5: Fix PAC signature leak affecting KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Cherry-picked from Heimdal commit
54581d2d52443a9a07ed5980df331f660b397dcf]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 02fa69c6c73c01d82807be4370e838f3e7c66f35
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 16:08:39 2021 +1300
s4:kdc: Check ticket signature
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3bdce12789af1e7a7aba56691f184625a432410d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:43:41 2021 +1300
heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
This lets us call it from Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Aug 11 13:27:11 2021 +1200
s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 91e684f5dcb48b76e6a322c15acb53cbce5c275a
Author: Luke Howard <lukeh at padl.com>
Date: Thu Sep 23 17:51:51 2021 +1000
kdc: correctly generate PAC TGS signature
When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.
Patch from Isaac Bourkis <iboukris at gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Backported from Heimdal commit
e7863e2af922809dad25a2e948e98c408944d551
- Samba's Heimdal version does not have the generate_pac() helper
function.
- Samba's Heimdal version does not use the 'r' context variable.
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 75d1a7cd14b134506061ed64ddb9b99856231d2c
Author: Luke Howard <lukeh at padl.com>
Date: Thu Sep 23 14:39:35 2021 +1000
kdc: use ticket client name when signing PAC
The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Backported from Heimdal commit
3b0856cab2b25624deb1f6e0e67637ba96a647ac
- Renamed variable to avoid shadowing existing variable
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit db30b71f79864a20b38a1f812a5df833f3a92de8
Author: Luke Howard <lukeh at padl.com>
Date: Sun Jan 6 17:54:58 2019 +1100
kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Backported from Heimdal commit
f1dd2b818aa0866960945edea02a6bc782ed697c
- Removed change to _kdc_find_etype() use_strongest_session_key
parameter since Samba's Heimdal version uses different logic
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d6a472e953545ec3858ca969c1a4191e4f27ba63
Author: Luke Howard <lukeh at padl.com>
Date: Fri Sep 17 13:57:57 2021 +1000
krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
the checksum is absent or unkeyed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Cherry-picked from Heimdal commit
c4b99b48c4b18f30d504b427bc1961d7a71f631e]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2773379603a5a625c5d1c6e62f29c442942ff570
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sun Sep 19 15:16:58 2021 +0300
krb5: rework PAC validation loop
Avoid allocating the PAC on error.
Closes: #836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Cherry-picked from Heimdal commit
6df8be5091363a1c9a9165465ab8292f817bec81]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2d09de5c41e729bccc2d7949d8a3568a95e80e76
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sun Sep 19 15:04:14 2021 +0300
krb5: allow NULL parameter to krb5_pac_free()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Cherry-picked from Heimdal commit
b295167208a96e68515902138f6ce93972892ec5]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d7b03394a9012960d71489e775d40d10fd6f5232
Author: Isaac Boukris <iboukris at gmail.com>
Date: Fri Aug 13 12:44:37 2021 +0300
kdc: sign ticket using Windows PAC
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed witht the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vide versa.
Closes: #767
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Backported from Heimdal commit
2ffaba9401d19c718764d4bd24180960290238e9
- Removed tests
- Adapted to Samba's version of Heimdal
- Addressed build failures with -O3
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ccabc7f16cca5b0dcb46233e934e708167f1071b
Author: Isaac Boukris <iboukris at gmail.com>
Date: Mon Dec 28 22:07:10 2020 +0200
kdc: remove KRB5SignedPath, to be replaced with PAC
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).
Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Backported from Heimdal commit
bb1d8f2a8c2545bccdf2c9179ce9259bf1050086
- Removed tests
- Removed auditing hook (only present in Heimdal master)
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d5002c34ce1ffef795dc83af3175ca0e04d17dfd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:42:29 2021 +1300
s4/torture: Expect ticket checksum PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c14c61748b5a2d2a4f4de00615c476fcf381309e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 6 16:40:21 2021 +1300
s4:kdc: Fix debugging messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7149eeaceb426470b1b8181749d2d081c2fb83a4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 16:06:58 2021 +1300
s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3dede18c5a1801023a60cc55b99022b033428350
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:40:39 2021 +1300
tests/krb5: Fix duplicate account creation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3948701f1d0f3ccd06f6dad56ca72833d66b1d84
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:41:35 2021 +1300
tests/krb5: Allow bypassing cache when creating accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1a08399cd8169a525cc9e7aed99da84ef20e5b9c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:07:40 2021 +1300
tests/krb5: Don't include empty AD-IF-RELEVANT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 56ccdba54e0c7cf3409d8430ea1012e5d3d9b092
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 15:03:04 2021 +1300
tests/krb5: Add constrained delegation tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d86eee2fd0fb72e52d878ceba0c476ca58abe6cf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 6 16:35:47 2021 +1300
tests/krb5: Verify tickets obtained with get_service_ticket()
We only require the ticket checksum with Heimdal, because MIT currently
doesn't add it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bf63221722903665e7b20991021fb5cdf4e4327e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 15:39:11 2021 +1300
tests/krb5: Require ticket checksums if decryption key is available
We perform this check conditionally, because MIT doesn't currently add
ticket checksums.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ae2c57fb0332f94ac44d0886c5edbed707ef52fe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 14 16:58:15 2021 +1300
tests/krb5: Add TKT_SIG_SUPPORT environment variable
This lets us indicate that service tickets should be issued with ticket
checksums in the PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 40e5db4aabcd32834ee524857b77d36921f6bdfe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 13 12:26:22 2021 +1300
selftest/dbcheck: Fix up RODC one-way links
Test accounts were replicated to the RODC and then deleted, causing
state links to remain in the database.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ebe729786806c69e95b26ffc410e887e203accb8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 16:32:01 2021 +1300
tests/krb5: Fix sha1 checksum type
Previously, sha1 signatures were being designated as rsa-md5-des3
signatures.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5233f002000f196875af488b4f4d1df26fca90de
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 19:47:22 2021 +1300
tests/krb5: Provide clearer assertion messages for test failures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dfd613661eec4b81e162f2d86a8fa9266c2fdc03
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 11:48:41 2021 +1300
tests/krb5: Disable debugging output for tests
This reduces the time spent running the tests in a testenv.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cf3ca6ac4567d7c7954ea4ecc8cc9dd5effcc094
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:49:34 2021 +1300
tests/krb5: Simplify padata checking
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e7c39cc44f2e16aecb01c0afc195911a474ef0b9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:48:03 2021 +1300
tests/krb5: Check logon name in PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bd22dcd9cc4dfda827f892224eb2da4a16564176
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:45:45 2021 +1300
tests/krb5: Check padata types when STRICT_CHECKING=0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 238f52bad811688624e9fd4b1595266e2149094a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 12 11:34:59 2021 +1300
tests/krb5: Add environment variable to specify KDC FAST support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 72265227e9c2037b63cdfb01a456a86ac8932f59
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 16:15:43 2021 +1300
tests/krb5: Fix padata checking at functional level 2003
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ee2b7e2c77f021984ec583fa0c4c756979197b0f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:39:26 2021 +1300
tests/krb5: Clarify checksum type assertion message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 687c8f94c68af9f1e44771dfd7219eeb41382bba
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:37:03 2021 +1300
tests/krb5: Use correct principal name type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ec4b264bdf9ab64a728212580b344fbf35c3c673
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 14 16:43:05 2021 +1300
tests/krb5: Add compatability tests for ticket checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ef24fe982d750a42be81808379b0254d8488c559
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 16:53:35 2021 +1300
tests/krb5: Add parameter to enforce presence of ticket checksums
This allows existing tests to pass before this functionality is
implemented.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 248249dc0acac89d1495c3572cbd2cbe8bdca362
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:52:01 2021 +1300
tests/krb5: Supply supported account enctypes in tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 34020766bb7094d1ab5d4fc4c0ee89ccb81f39f1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:48:50 2021 +1300
tests/krb5: Allow specifying options and expected flags when obtaining a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bb58b4b58c66a6ada79e886dd0c44401e1c5878c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:41:23 2021 +1300
tests/krb5: Save account SPN
This is useful for testing delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0e232fa1c9e5760ae6b9a99b5e7aa5513b84aa8b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:26:54 2021 +1300
tests/krb5: Check constrained delegation PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit aa2e583fdea4fd93e4e71c54630e32a1035d1e2a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:15:26 2021 +1300
tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8e1efd8bd3bf698dc0b6ed2081919f49b1412b53
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:53:47 2021 +1300
heimdal:kdc: Only check for default salt for des-cbc-crc enctype
Previously, this algorithm was preferring RC4 over AES for machine
accounts in the preauth case. This is because AES keys for machine
accounts in Active Directory use a non-default salt, while RC4 keys do
not use a salt. To avoid this behaviour, only prefer keys with default
salt for the des-cbc-crc enctype.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7cfc225b549108739bd86e222f2f35eb96af4ea3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:10:07 2021 +1300
tests/krb5: Add expect_claims parameter to kdc_exchange_dict
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ab92dc16d20b0996b8c46714652c15019c795095
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 15:48:58 2021 +1300
tests/krb5: Fix checking for presence of error data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7fba83c6c6309a525742c38e904d3e473db99ef1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 14:02:37 2021 +1300
tests/krb5: Remove unneeded parameters from ticket cache key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 788b3a29eea62f9f38ca8865c7cb7860bdc94bec
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 13:03:49 2021 +1300
tests/krb5: Fix assertElementFlags()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8f6d369d709614e2f5c0684882c62f0476bcafa2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 13:01:30 2021 +1300
tests/krb5: Make expected_sname checking more explicit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 012b6fcd1976c6570e9b92c133d8c21e543e5a4f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:16:58 2021 +1300
tests/krb5: Fix status code checking
The type used to encode the status code is actually KERB-ERROR-DATA,
rather than PA-DATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a4bc712ee02f32c2d04dfc2d99d58931344e5ceb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:06:03 2021 +1300
tests/krb5: Fix handling authdata with missing PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dcf45a151a198f7165cd332a26db78a5d8e8f8c5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:03:33 2021 +1300
tests/krb5: Allow excluding the PAC server checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a927cecafdd5ad6dc5189fa98cb42684c9c3b033
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:59:42 2021 +1300
tests/krb5: Fix checksum generation and verification
The KDC and server checksums may be generated using the same key, but
only the KDC checksum should have an RODCIdentifier. To fix this,
instead of overriding the existing methods, add additional ones for
RODC-specific signatures, so that both types of signatures can be
generated or verified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ae09219c3a1c6d47817f51baf3784e8986c7478d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:56:21 2021 +1300
tests/krb5: Fix method for creating invalid length zeroed checksum
Previously the base class method was being used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9d142dc3a452b0f06efc66f422402ee6e553ee7c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:54:49 2021 +1300
tests/krb5: Introduce helper method for creating invalid length checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cda50b5c505072989abf84c209e16ff4efe2e628
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:52:17 2021 +1300
tests/krb5: Add assertion to make failures clearer
These failures may occur if tests are not run against an RODC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bba8cb8dce19e47a7b813efd9a7527e38856435e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:50:36 2021 +1300
tests/krb5: Allow created accounts to use resource-based constrained delegation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 31817c383c2014224b1397fde610624663313246
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:47:39 2021 +1300
tests/krb5: Rename allowed_to_delegate_to parameter for clarity
This helps to distinguish resourced-based and non-resource-based
constrained delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1fd00135fa4dff4331d86b228ccc01f834476997
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 10:54:33 2021 +1300
tests/krb5: Fix PA-PAC-OPTIONS checking
Make the check work correctly if bits other than the claims bit are
specified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6f1282e8d34073d8499ce919908b39645b017cb8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 10:51:01 2021 +1300
tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
These padata were not being sent if other FAST padata was not specified.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ce433ff868d3cdf8e8a6e4995d89d6e036335fb6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:23:17 2021 +1300
tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8e4b21590836dab02c1864f6ac12b3879c4bd69c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:16:51 2021 +1300
tests/krb5: Remove unused parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d501ddca3b7b9c39c0b3eccf19176e3122cf5b9d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:16:24 2021 +1300
tests/krb5: Rename method parameter
For class methods, the name given to the first parameter is generally 'cls'
rather than 'self'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a9a3555b43075c46e2051e6c1ef80762a0a19120
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Oct 14 11:08:38 2021 +1100
debug: Optimise construction of msg_no_nl
If it isn't used then it isn't copied.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Oct 14 11:10:40 UTC 2021 on sn-devel-184
commit 62fd771aea4bfb9f3042c80207e9800b74a43f75
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Oct 14 11:00:20 2021 +1100
debug: Move msg_no_nl to state
This enables an optimisation.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit cb70eea0536a33583cd57e8dd416bfc2e37fe9d2
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Oct 13 20:40:34 2021 +1100
debug: Optimise early return when header string buffer is full
The existing check is for truncation, not whether the buffer is full.
However, if the buffer is full (i.e. hs_len == sizeof(header_str) - 1)
then there's no use trying subsequent snprintf() calls because there
will be one byte available that already contains the NUL-terminator.
A subsequent call will just do a no-op truncation.
Check for full buffer instead.
This might be confusing because it isn't the standard check that is
done after snprintf() calls. Is it worth it for a rare corner case?
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit c5061ebe2146b6e8257205a4ad9ba69d1caa4c7d
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Oct 13 12:06:13 2021 +1100
debug: Optimise to avoid walking the header string
strlcat() needs to walk to the end of its first argument. However,
but the length of state.header_str is already known, so optimise by
manually appending the extra characters if they will fit.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit ee17f5306c3db1b6d950a9ea7d1787cac96a6d9d
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 23 18:13:30 2021 +1000
debug: Optimise construction of header_str_no_nl
If it isn't used then it isn't copied.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 8cdd20c70a17e6ee8e7ca41e4c38763f41d158b4
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Oct 6 23:02:10 2021 +1100
debug: Rename variable for consistency
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 24dc8c5d2b809fefcb27abcb0aba7a1de5a55630
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Dec 2 16:37:47 2016 +1100
debug: Push message length argument down to backend log functions
Optimise because length is now available.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 3085a7d317dd4ce338a5265312c57ed389391786
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Dec 2 16:29:56 2016 +1100
debug: Add length argument to Debug1()
This the first step in avoiding potentially repeated length
calculations in the backends. The length is known at call time for
most usual callers, so pass it down.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 9f8be709c4951f2af8797f175555c6b861ea6fa4
Author: Martin Schwenke <martin at meltin.net>
Date: Sat Dec 3 12:27:47 2016 +1100
debug: Avoid debug header being separated from debug text
Currently the file backend can produce something like:
HEADER1 HEADER2 TEXT2
TEXT1
when different processes try to log at the same time.
Avoid this by writing the header and text at the same time using
writev(). This means that the header always has to be written by the
backend, so update all backends to do this.
The non-file backends should behave as before when they were invoked
separately to render the header. It might be possible to optimise
some of them (e.g. via sd_journal_sendv) but this requires more
investigation (e.g. sd_journal_sendv()'s handling of newlines) and is
beyond the scope of this change.
state.header_str_no_nl takes the place of msg_no_nl for the header,
since some of the backends need the no-newline version. It is handled
the same was as msg_no_nl: produce the no_nl version exactly once,
whether or not it is needed, since this is better than repeating it in
several backends.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 10f68148a9716fd06ac58d0b69783a4fac30c2bc
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Oct 6 22:49:06 2021 +1100
debug: Factor out function copy_no_nl()
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 0e59375ac5bc6e88f324b6d4d8b823ddc9d6f574
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Sep 23 10:25:04 2021 +1000
debug: Add a level of indirection to ring buffer logging
Add an internal function to do the work and call it. It will be
called again in a subsequent commit.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit fb29a8ebcd076df9da51275adb45d90482f2e19f
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Oct 13 11:42:14 2021 +1100
debug: Move header_str and hs_len to state
They'll need to be accessible by the backends.
Note that the snprintf() and strlcat() calls can result in
state.hs_len >= sizeof(state.header_str), so state.hs_len needs to be
sanitised before any potential use. Previously this wasn't necessary
because this value was on the stack, so it couldn't be used after
dbghdrclass() returned.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 71cef2fa1ddbe05d29e7ce571a35888ef4663b22
Author: Ralph Boehme <slow at samba.org>
Date: Wed Oct 13 19:16:10 2021 +0200
docs: document new Spotlight Elasticsearch options
elasticsearch:ignore unknown attribute = yes | no (default: no)
elasticsearch:ignore unknown type = yes | no (default: no)
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Thu Oct 14 10:20:27 UTC 2021 on sn-devel-184
commit 8e3372eceab1bc7ad8ac813b12d654c979e20769
Author: Ralph Boehme <slow at samba.org>
Date: Sat Oct 9 18:51:14 2021 +0200
mdssvc: add options to allow ignoring attribute and type mapping errors
This adds two options that are used by the Spotlight query parser to optionally
ignore unknown attributes or types in a query.
elasticsearch:ignore unknown attribute = yes | no (default: no)
elasticsearch:ignore unknown type = yes | no (default: no)
Example Spotlight query with unknown attributes and type:
kMDItemContentType=="public.calendar-event"||kMDItemSubject=="Kalender*"cdw||
kMDItemTitle=="Kalender*"cdw||kMDItemTopic=="Kalender*"cdw||
kMDItemTextContent=="Kalender*"cd||*=="Kalender*"cdw||
kMDItemTextContent=="Kalender*"cdw
The unknown attributes are "kMDItemTopic" and "kMDItemSubject". The unkown type
is "public.calendar-event".
Currently the parser will outright fail to parse the query and the search will
enter an error state.
To give users some control over the mapping the above options can be used to
tell the parser to simply ignore such unknown attributes and types.
(meta.title:Kalender* OR content:Kalender* OR Kalender* OR content:Kalender*)
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit c67432378910691456f1deec3d5a8a73a6080887
Author: Ralph Boehme <slow at samba.org>
Date: Sat Oct 9 18:50:02 2021 +0200
mdssvc: prepare for ignore attribute and type mapping errors
Lower the debug levels to debug from error. No change in behaviour.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 232146775bb00769a3c208441ad0fa28bfe7f42f
Author: Ralph Boehme <slow at samba.org>
Date: Sat Oct 9 16:44:25 2021 +0200
selftest: add a test ignored spotlight/elasticsearch mapping failures
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 8ab0238abd171f9a11b013fd185605e7d1722b27
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 14 08:51:21 2021 +1300
.gitlab-ci: Avoid duplicate CI on all merge requests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Oct 14 01:21:11 UTC 2021 on sn-devel-184
commit bcc22d00569551cfa25851c8c267ec9decc63d21
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 14 08:11:49 2021 +1300
.gitlab-ci.yml: Restore building most of our jobs
We are changing the primary build jobs to use "when"
not "only". These a similar and related GitLab syntax
tools to control when jobs are run.
With 'when' now in use it must be specified on all jobs
that inherit from each other via:
.extends .shared_template
"only" can be left however for the pages and coverity as
these use:
.extends .shared_runner_build_image
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit dd178d97250e041b29aad9b26d2994163bd99231
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 15:37:48 2021 +1300
.gitlab-ci: Increase build timeout
While the build will not take > 1hr, uploading the artifacts
needed to pass the build objects to the next stage can take
some time due to the distance between the runners and the
private CI server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Oct 13 12:00:03 UTC 2021 on sn-devel-184
commit 7857e1249b72be8c8841b99cb0820c9c563178f9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 12 07:55:54 2021 +1300
.gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI
GitLab CI resources are expensive and often rationed so
provide a way to test other things without testing an -O3
build also, as this will save 9 jobs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit fc2347be4ed9a9083a56468ca5e43070059038c5
Author: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Date: Wed Sep 8 14:42:57 2021 +0100
Fix detection of rpc/xdr.h on macOS
We need to include rpc/types.h first to include this header.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862
Signed-off-by: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Oct 13 02:33:05 UTC 2021 on sn-devel-184
commit 99ee7f3d89cce9b07b8ed3f55f7e8e67baed6ee1
Author: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Date: Wed Sep 8 14:42:25 2021 +0100
vfs_preopen.c: Fix -Wformat error on macOS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862
Signed-off-by: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 1d893f723207040c285ed061db3a690099f8c929
Author: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Date: Wed Sep 8 13:29:54 2021 +0100
source3/smbd/statcache.c: Fix -Wformat build error on macOS
The format string uses PRIx64, so we should be using uint64_t and not
uintmax_t.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862
Signed-off-by: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 6dadf251fc02c2b3237c48d316f5cb8791ab4f76
Author: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Date: Wed Sep 8 13:27:41 2021 +0100
sec_ctx.c: Fix -Wunused-function warning on macOS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862
Signed-off-by: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e4eb1f151011d2bd6a2d39b156663ddd9126d345
Author: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Date: Wed Sep 8 13:25:04 2021 +0100
source3/printing/queue_process.c: fix build on macOS
On macOS environ is defined to (*_NSGetEnviron()) in lib/replace/replace.h
and otherwise the `extern char **environ` can be found there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862
Signed-off-by: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d3675e66fe8eec15076c6b88e47b627ee80c6f9e
Author: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Date: Wed Sep 8 12:57:03 2021 +0100
audit_logging.c: fix compilation on macOS
On macOS tv_usec is an int so failus the build with -Werror,-Wformat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862
Signed-off-by: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2564e96e8319b4cb4c987dd2a03cf8a293db985a
Author: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Date: Wed Sep 8 12:52:57 2021 +0100
charset_macosxfs.c: fix compilation on macOS
The DEBUG macro was missing and the CFStringGetBytes() was triggering a
-Werror,-Wpointer-sign build failure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862
Signed-off-by: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 1719ef7893ae5dc87e452c24bafd55db598464bc
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Oct 12 12:27:51 2021 +1100
ctdb-tests: Drop unused function ctdb_get_all_public_addresses()
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Tue Oct 12 23:24:18 UTC 2021 on sn-devel-184
commit 4e3676cb3c4d24cd4c287703d2cd812a2a8c36ff
Author: Ralph Boehme <slow at samba.org>
Date: Fri Oct 8 05:58:37 2021 +0200
ctdb-tests: add a comment to the generated public_addresses file used by eventscript UNIT tests
test stub code has been updated to handle this, so now let's put it
to work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14826
RN: Correctly ignore comments in CTDB public addresses file
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>
commit 5426c104f5090751c1ea02f0c0667d8d071a4a83
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Oct 12 12:19:27 2021 +1100
ctdb-tests: Fix typo in ctdb stub comment matching
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14826
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 530e8d4b9e47601b88e20bcaefa2d502efcebe60
Author: Ralph Boehme <slow at samba.org>
Date: Wed Sep 8 16:53:12 2021 +0200
ctdb-scripts: filter out comments in public_addresses file
Note that order of sed expressions matters: the expression to delete
comment lines must come first as the second expression would transform
# comment
to
comment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14826
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>
commit 0a376b23dbaaec551d0ed48b7098129c09eec1bc
Author: Jeremy Allison <jra at samba.org>
Date: Mon Oct 11 12:26:57 2021 -0700
s3: VFS: zfsacl: Ensure we use a pathref fd, not an io fd, for getting/setting ZFS ACLs.
Don't use path-based calls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14685
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Oct 12 18:14:27 UTC 2021 on sn-devel-184
commit 14db80fe6139ced8b118e5e95b37f9a73c9d20aa
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 6 14:02:10 2021 +0200
docs-xml: Use /var/tmp for spooling in smb.conf.5
This is a world writeable directory which exists on Linux distributions by
default already.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Oct 12 17:24:01 UTC 2021 on sn-devel-184
commit 3262f69690cd3fa915fc593193a4d03194d978af
Author: Andreas Schneider <asn at samba.org>
Date: Wed Oct 6 14:01:42 2021 +0200
docs-xml: Remove trailing spaces in smb.conf.5.xml
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 12d04d9a9288a9358d5f5aebaec126cc610952b1
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Fri Oct 8 13:16:05 2021 +0200
docs-xml: Update winbindd(8) manpage
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14852
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Oct 12 09:30:02 UTC 2021 on sn-devel-184
commit b92589c31f0eb3eaf2b3b1867e10b759f6a2edda
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Thu Oct 7 12:08:22 2021 +0200
s3:winbindd: Fix winbindd child logfile name handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14852
Handling of logfile name for main and child winbindd must ensure:
1) Log directory is selected in this order:
* -l option of winbindd
* "log file" parameter in smb.conf
* compile time value '/usr/local/samba/var'
2) Log filename pattern
* parent process uses log.winbindd
* child uses log.wb-<name>
3) Log reopen works for both parent and child (i.e. log filename is not changed)
* kill -HUP <pid>
* smbcontrol <pid> reload-config
This commit removes 3 calls of is_default_dyn_LOGFILEBASE() to make sure that:
- 1st removal: child uses log.wb-<name> after the fork
- 2nd removal: child after HUP signal, does not switch to log.winbindd
- 3rd removal: child after smbcontrol reload-config, does not switch to
log.winbindd
Interesting commits: bfa1b2a8 1484b7f3 3b015a4c d1f7a371
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4fe965836243928ac33eb95a67d3e889fdc15861
Author: Jeremy Allison <jra at samba.org>
Date: Thu Oct 7 14:11:25 2021 -0700
s3: smbd: Ensure when we change security context we delete any $cwd cache.
This will ensure we *always* call into the VFS_SMB_CHDIR backends
on security context switch. The $cwd was an optimization that
was only looking at the raw filesystem path. We could delete it
completely but that is a patch for another day.
Remove knownfail on regression test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14682
RN: vfs_shadow_copy2: core dump in make_relative_path
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Oct 8 21:28:04 UTC 2021 on sn-devel-184
commit 954e637ddc6f0f5291d0a15cdbcbc6a4f7a6cb13
Author: Jeremy Allison <jra at samba.org>
Date: Thu Oct 7 14:08:48 2021 -0700
s3: selftest: Add regression test to show the $cwd cache is misbehaving when we connect as a different user on a share.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14682
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3268bcd8f5668c4c1c78d957f7017e7a867288f3
Author: Ralph Boehme <slow at samba.org>
Date: Fri Jul 9 11:28:22 2021 +0200
vfs: add and use a few SMB_VFS_ODX defines
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Oct 8 20:21:21 UTC 2021 on sn-devel-184
commit 2f523a03f5061feb68c614f39ae0061748c2d9b3
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jun 22 18:58:21 2021 +0200
lib: add sys_block_align[_truncate]()
This implements MS-FSA algorithms BlockAlign() and BlockAlignTruncate().
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8fa7848b4a002900e0c3384d2e0d41ea0fdf6ea9
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jun 22 20:13:02 2021 +0200
vfs: Add flags and xferlen args to SMB_VFS_OFFLOAD_READ_RECV
We missed these values which follow from MS-FSCC 2.3.80 “FSCTL_OFFLOAD_READ
Reply”:
Flags (4 bytes):
A 32-bit unsigned integer that indicates which flags were returned for this
operation. Possible values for the flags follow. All unused bits are reserved
for future use, SHOULD be set to 0, and MUST be ignored.
OFFLOAD_READ_FLAG_ALL_ZERO_BEYOND_CURRENT_RANGE (0x00000001)
=> The data beyond the current range is logically equivalent to zero.
TransferLength (8 bytes):
A 64-bit unsigned integer that contains the amount, in bytes, of data that the
Token logically represents. This value indicates a contiguous region of the
file from the beginning of the requested offset in the FileOffset field in the
FSCTL_OFFLOAD_READ_INPUT data element (section 2.3.79). This value can be
smaller than the CopyLength field specified in the FSCTL_OFFLOAD_READ_INPUT
data element, which indicates that less data was logically
represented (logically read) with the Token than was requested. The value of
this field MUST be greater than 0x0000000000000000 and MUST be aligned to a
logical sector boundary on the volume.
As we currently only implement COPY_CHUNK over the OFFLOAD VFS interface, the
VFS COPY_CHUNK backend in vfs_default just sets both values to 0 and they are
unused in the SMB frontend.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3afd4bd61033773312605102f7203ef54e2e0986
Author: Ralph Boehme <slow at samba.org>
Date: Fri Jun 18 16:32:53 2021 +0200
idl: declare token array of storage_offload_token as in-line
This ensures the order of the struct element is the same as in the IDL
definition. For an conformant array using the [sizeis(n)] syntax the sizeis
member is stored as first element in the marshall buffer.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 83ad7e01fc34d26cbe1a524d7f2ea3a60f2cbfb4
Author: Volker Lendecke <vl at samba.org>
Date: Thu Oct 7 11:22:59 2021 +0200
rpc_server3: Remove pipes_struct->private_data
netlogon3 was the only user
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 426a7b4805597b47df176288e3ed981b69d9c207
Author: Volker Lendecke <vl at samba.org>
Date: Thu Oct 7 11:22:20 2021 +0200
rpc_server3: Use dcesrv_iface_state in netlogon3
Align with the source4/rpc_server/netlogon
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 246a5ceab1cba9935af436154172b9e39dc685d7
Author: Volker Lendecke <vl at samba.org>
Date: Thu Oct 7 10:07:48 2021 +0200
netlogon: Move netlogon_server_pipe_state to netlogon.idl
Make this available as a shared structure for both source3 and source4
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 81a7b2e08ddd4efd330dfeeada5577192f8281bf
Author: Volker Lendecke <vl at samba.org>
Date: Mon Oct 4 10:25:14 2021 +0200
rpc_server3: Remove an outdated comment
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ed9e2850bfc2b4d89da45b36871afe5d6ec88bd0
Author: Volker Lendecke <vl at samba.org>
Date: Mon Oct 4 10:19:24 2021 +0200
rpc_server3: Remove "pipes_struct->opnum"
Also available via dce_call->pkt.u.request.opnum
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2e3cea27fc0e5c8bf6117b72255813be62d65707
Author: Volker Lendecke <vl at samba.org>
Date: Mon Oct 4 10:07:09 2021 +0200
rpc_server3: Remove "pipes_struct->call_id"
Unused.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e5b446fe116fa6b66e86658a26a38cd40382e996
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 10:33:50 2021 +0200
libcli: Simplify get_sec_mask_str()
Use talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3a8374b831a8b5faf40e87884b08bff91be3aa5f
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 10:47:48 2021 +0200
dsdb: Simplify schema_attribute_description() & friends
Use talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 61b06695b703908d57c36077f8707b99124127c9
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 10:13:52 2021 +0200
winbind: Simplify winbindd_sids_to_xids_recv()
Use talloc_asprintf_addbuf(), fix an realloc error path memleak
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit fc4ee9c494d5a0c9330db50337dfec55d1bb127f
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 10:10:21 2021 +0200
winbind: Simplify winbindd_getusersids_recv()
Use talloc_asprintf_addbuf(), fix an realloc error path memleak
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 4869497b709789d159e2b0f917218f57516d2e09
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 10:09:45 2021 +0200
winbind: Simplify winbindd_getsidaliases_recv()
Use talloc_asprintf_addbuf(), fix an realloc error path memleak
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0853a7a2bbfc8dc32c3ec1fa9498d01c02080217
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 10:01:07 2021 +0200
lib: Use talloc_asprintf_addbuf() in utok_string()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 18cbeab98bd4c943410936001b541c1a66d5babc
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 09:54:46 2021 +0200
librpc: Use talloc_asprintf_addbuf() in dcerpc_binding_string()
Saves quite a few lines
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 20536080a5699fb33305510a67b401680b042e00
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 09:53:57 2021 +0200
lib: Add talloc_asprintf_addbuf()
Simplifies building up a string step by step, see next commit
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 55ec7e6d00fb807d3eb96c84d47148b95f1a88da
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 10:09:27 2021 +0200
winbind: Align an integer type
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 10ac08fc1dbbd9ecb9438db906b2b50d8ebd73fa
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 11:10:57 2021 +0200
rpc_server3: Remove unused fields from struct dcerpc_ncacn_conn
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 34c08da059dc22021cdfe39223cc263d35e6d209
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 09:20:44 2021 +0200
libcli: Align integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 423e5726d2d066e6504de4aca5985c90999d1be3
Author: Volker Lendecke <vl at samba.org>
Date: Wed Oct 6 09:16:32 2021 +0200
libcli: Avoid an includes.h
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 668d3459ac6ba88d8f7114c80b6fc8f64597ac69
Author: Volker Lendecke <vl at samba.org>
Date: Thu Sep 30 09:27:10 2021 +0200
idmap_script: Save a few lines with str_list_add_printf()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c38e2d5ff56263bd828a458a79acdbe271f6f00b
Author: Volker Lendecke <vl at samba.org>
Date: Tue Oct 5 21:44:53 2021 +0200
lib: Fix a typo in a DEBUG fn prefix by using DBG_
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 761ede419fcdb9abc4cd5c5a188a4c73d31413c0
Author: Volker Lendecke <vl at samba.org>
Date: Tue Oct 5 21:40:45 2021 +0200
lib: Simplify set_privileges with a struct initialization
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b266d39dbb85bad46f0f305f33f45f50e5f9386d
Author: Volker Lendecke <vl at samba.org>
Date: Tue Oct 5 21:31:41 2021 +0200
lib: Avoid a cast in a DBG statement
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f24b2163be0c2dfb7ae8fa2f33d4f4bbeb422d03
Author: Volker Lendecke <vl at samba.org>
Date: Sat Sep 25 08:23:03 2021 +0200
libcli: Simplify security_session_user_level()
Use sid_compose(), use struct dom_sid on the stack.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 70b1260020d61b8722e9af4290ce1ef61a4969ca
Author: Volker Lendecke <vl at samba.org>
Date: Sat Sep 25 08:20:18 2021 +0200
libcli: Introduce a helper variable in security_session_user_level()
Makes it easier to read for me
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 82281ca34f9fb00c803243fc840a2d4996eef1b5
Author: Volker Lendecke <vl at samba.org>
Date: Sat Sep 25 07:58:47 2021 +0200
libcli: Remove unused security_token_has_sid_string()
This should have been removed in ef990008f22, I just was not aware
it's there...
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 187529c979c0bba1dad0034df55cf918dae74971
Author: Volker Lendecke <vl at samba.org>
Date: Tue Sep 28 11:28:01 2021 +0200
samba: Save a line with TALLOC_FREE
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5529aa8c4dacaf71e3d88817d2b96f6994881e22
Author: Volker Lendecke <vl at samba.org>
Date: Sat Sep 25 08:25:14 2021 +0200
smbd: Avoid ZERO_STRUCT() with a struct init
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 9b260ff83906af57f21f97e3bb219b8fc550be2a
Author: Volker Lendecke <vl at samba.org>
Date: Mon Oct 4 10:10:42 2021 +0200
lsa_server3: Align integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a767eb55d8bd3109907baff311e221dc340ca6ba
Author: Volker Lendecke <vl at samba.org>
Date: Fri Oct 8 11:38:30 2021 +0200
rpc_server3: Avoid a literal number available as a constant
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e2256c99a6591092937b9395e39c2a7f461db42e
Author: Volker Lendecke <vl at samba.org>
Date: Fri Oct 8 11:34:23 2021 +0200
smbd: Make SID_SAMBA_SMB3 a static SID
No need to parse it
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a19016e002f4588a75cf16ce7a9dfaa19501a0e4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 29 11:35:54 2021 +1300
Release ldb 2.50 for the future samba 4.16 series
This avoids master having an older or identical LDB version
to Samba 4.15.x while it gains additional changes that may
not all be backported.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Oct 5 19:57:51 UTC 2021 on sn-devel-184
commit 76899e236149ff3b86cd9032a3c6bdafe3a2f036
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 29 11:27:41 2021 +1300
Release ldb 2.4.1
* Corrected python behaviour for 'in' for LDAP attributes
contained as part of ldb.Message (bug 14845)
* Fix memory handling in ldb.msg_diff (bug 14836)
* Corrected python docstrings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b45190bdac7bd9dcefd5ed88be4bd9a97a712664
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 16 16:09:24 2021 +1200
selftest: Use self.assertRaisesLdbError() in user_account_control.py test
This changes most of the simple pattern with self.samdb.modify()
to use the wrapper. Some other calls still need to be converted, while
the complex decision tree tests should remain as-is for now.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Oct 4 21:55:43 UTC 2021 on sn-devel-184
commit 298515cac2f35082483c2b4e4b7dbfe4df1d2e0c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 13 21:48:13 2021 +1200
selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
This is easier to reason with regarding which cases should work
and which cases should fail, avoiding issues where more success
than expected would be OK because a self.fail() was missed in a
try: block.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit fc69206f8b8956662e7fc05600e39d2f149a22d9
Author: Andreas Schneider <asn at samba.org>
Date: Fri Oct 1 09:16:21 2021 +0200
lib:fuzzing: Fix quoting of --fuzz-target-ldflags
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
Autobuild-User(master): Uri Simchoni <uri at samba.org>
Autobuild-Date(master): Mon Oct 4 11:36:06 UTC 2021 on sn-devel-184
commit cc3081cebfb65181cd291702cb6a2e727dc999b2
Author: Andreas Schneider <asn at samba.org>
Date: Fri Oct 1 10:46:09 2021 +0200
s3:utils: Fix format error
regedit_hexedit.c:166:39: error: format ‘%X’ expects argument of type ‘unsigned
int’, but argument 3 has type ‘size_t’ {aka ‘long unsigned int’}
166 | wprintw(buf->win, "%08X ", off);
| ~~~^ ~~~
| | |
| | size_t {aka long unsigned int}
| unsigned int
| %08lX
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
commit 2d87e0f6efa1d8438b26f98d2ad69ffed0af8d0b
Author: Jeremy Allison <jra at samba.org>
Date: Wed Sep 29 20:49:48 2021 -0700
s4: process_prefork: Make prefork_restart() use an asynchronous timer event instead of calling sleep(X).
This should prevent any long pauses in the calling process, as we get a callback
for the restart after X seconds. To make the code flow more understandable,
always go through a timer event even if the wait time is zero. This
has the same effect as an immediate event as it will call the callback
function as soon as we go back into the event loop.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Oct 2 01:38:43 UTC 2021 on sn-devel-184
commit b6d60e8f4d06ca9733a4cc3094312a3dc456a656
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 5 15:57:09 2021 +1200
samldb: Address birthday paradox adding an RODC
It is possible that the randomly chosen RODC number will be one
that is already in use. The samldb_krbtgtnumber_available()
function was meant to prevent that, but due to a typo did not.
There is no other race here as the whole thing is inside a transaction,
and we have duplicate protection on samAccountName, so the failure
looked like this:
...
Adding CN=krbtgt_TESTRODCDRS5320202,CN=Users,DC=samba,DC=example,DC=com
UNEXPECTED(error): samba4.drs.repl_rodc.python(ad_dc_ntvfs).repl_rodc.DrsRodcTestCase.test_msDSRevealedUsers_admin(ad_dc_ntvfs)
REASON: Exception: Exception: Traceback (most recent call last):
File "/m/abartlet/aMASTER/b1635147/samba-def-build/source4/torture/drs/python/repl_rodc.py", line 111, in setUp
self._create_rodc(self.rodc_ctx)
File "/m/abartlet/aMASTER/b1635147/samba-def-build/source4/torture/drs/python/repl_rodc.py", line 693, in _create_rodc
ctx.join_add_objects()
File "bin/python/samba/join.py", line 641, in join_add_objects
ctx.add_krbtgt_account()
File "bin/python/samba/join.py", line 429, in add_krbtgt_account
ctx.samdb.add(rec, ["rodc_join:1:1"])
_ldb.LdbError: (68, "LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: samldb: samAccountName krbtgt_4405 already in use!> <>")
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14854
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Oct 1 20:50:37 UTC 2021 on sn-devel-184
commit 1305ec3ae64e67fa68d3251d35f8a244a4a5be56
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 23 11:14:35 2021 +1200
.gitlab-ci: Allow a 1 hour to build Samba
I have seen cases where the job is pushed to the private runners
(which do not have the ccache) where this takes over 45mins, and
a typical job can be 35 mins so this is too tight.
Triggering the timeout causes a rebuild from scratch, which is
done twice automatically, and is financially costly (we pay
per VM start) and a waste of CPU/energy/etc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14844
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Oct 1 19:43:16 UTC 2021 on sn-devel-184
commit b0b9663c80e416bdbeae5af0b3e3977761ebb9ad
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 23 11:06:13 2021 +1200
.gitlab-ci: Ignore errors from missing source files in code coverage
This could happen when code coverage is collected from multiple distributions.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3f4660900a71816df505c2e634eef86a86afcda3
Author: Uri Simchoni <uri at samba.org>
Date: Thu Sep 16 20:03:59 2021 +0300
selftest: test tsocket_address_inet_from_hostport_strings
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 28 10:34:12 UTC 2021 on sn-devel-184
commit 262148721ee6d794f7f2d1ad1b36e00a1401ec41
Author: Uri Simchoni <uri at samba.org>
Date: Thu Sep 16 20:03:02 2021 +0300
selftest: add more tests for test_address_inet_from_strings
Test the case of NULL address as input
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c26fcef50d09d3d70c646f3151dda265d4b0eb92
Author: Uri Simchoni <uri at samba.org>
Date: Thu Sep 16 10:11:46 2021 +0300
WHATSNEW: document dns forwarder change
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a098030977d7720436b7850fa731557eeb70bc2
Author: Matthew Grant <matt at mattgrant.net.nz>
Date: Sat Sep 18 10:05:24 2021 +1200
libcli/dns.c: dns forwarder port test changes
Test harness for the dns fowarder setting in smb.conf. Adds IPv6
forwarder as second target DNS forwarder, listening on port 54.
Signed-off-by: Matthew Grant <grantma at mattgrant.net.nz>
Reviewed-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 617a5a1d3579b27de0e2b0736909ca83b7b3ee15
Author: Matthew Grant <matt at mattgrant.net.nz>
Date: Sat Sep 18 10:02:11 2021 +1200
libcli/dns: smb.conf dns forwarder port support
Call new tsocket_address_inet_from_hostport_strings() instead of
tsocket_address_inet_from_strings() to implement setting a port to query
for a DNS forwarder.
Signed-off-by: Matthew Grant <grantma at mattgrant.net.nz>
Reviewed-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f39a06de3bea9ec03a3e82c8892d9e572abd1163
Author: Matthew Grant <matt at mattgrant.net.nz>
Date: Sun Sep 19 17:41:42 2021 +1200
lib/tsocket: new function to parse host port strs.
tsocket_address_inet_from_hostport_strings() on top of
tsocket_address_inet_from_strings(), implementing the ability to parse a
port number appended to an IPv6 or IPv4 address. IPv6 addresses can also
optionally have square brackets around them, but these are needed to
specify the port number as colon is used to delimit port from the IP
address in the string.
Note that this code just recognises and parses the strings with port
given, or just IPv6 with square brackets. The rest of the parsing is
passed on to tsocket_address_inet_from strings(), and errors from there
passed back up the stack.
Signed-off-by: Matthew Grant <grantma at mattgrant.net.nz>
Reviewed-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 775939823a5a956acc236c808d5aee78cbd9e132
Author: Matthew Grant <matt at mattgrant.net.nz>
Date: Sat Sep 18 09:57:26 2021 +1200
libcli/dns: dns forwarder port doc changes
Documentation changes specifying how list entries for dns forwarder
are to be specified with ability to add trailing target port number.
Signed-off-by: Matthew Grant <grantma at mattgrant.net.nz>
Reviewed-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 860d8902a9c502d4be83396598cf4a53c80fea69
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 14:39:59 2021 +1200
pyldb: Make ldb.Message containment testing consistent with indexing
Previously, containment testing using the 'in' operator was handled by
performing an equality comparison between the chosen object and each of
the message's keys in turn. This behaviour was prone to errors due to
not considering differences in case between otherwise equal elements, as
the indexing operations do.
Containment testing should now be more consistent with the indexing
operations and with the get() method of ldb.Message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 865fe238599a732360b77e06e592cb85d459acf8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 13:48:57 2021 +1200
pyldb: Add tests for ldb.Message containment testing
These tests verify that the 'in' operator on ldb.Message is consistent
with indexing and the get() method. This means that the 'dn' element
should always be present, lookups should be case-insensitive, and use of
an invalid type should result in a TypeError.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 13:39:56 2021 +1200
pyldb: Raise TypeError for an invalid ldb.Message index
Previously, a TypeError was raised and subsequently overridden by a
KeyError.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b018e51d2725a23b2fedd3058644b8021f6a6a06
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 13:22:05 2021 +1200
pyldb: Add test for an invalid ldb.Message index type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fb758c32e7633178f42dc2c031667b10c2ca6e90
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 19:18:39 2021 +1200
s4/torture/drs/python: Fix attribute existence check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9d25a21d6024c6c2f8e4634f45e3944d8acbf8b8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 11:16:09 2021 +1200
pyldb: Fix deleting an ldb.Control critical flag
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b1adaa517c1237a473bdcf818523f5107df3d6b0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 11:13:02 2021 +1200
pytest:segfault: Add test for deleting an ldb.Control critical flag
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d7af772de88885f46708329ff7bb5798da91d2c7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 11:12:16 2021 +1200
pyldb: Fix deleting an ldb.Message dn
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6a041f6a99c39632d5c32e9d53b06719c20bef2c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 10:56:25 2021 +1200
pytest:segfault: Add test for deleting an ldb.Message dn
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 81e27693c62336d28c11462c790d7bc68ff3aa0c
Author: Volker Lendecke <vl at samba.org>
Date: Mon Sep 20 16:49:53 2021 +0200
mdssvc: Use ndr_policy_handle_empty()
is_zero_policy_handle() was a duplicate.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Sep 25 00:46:23 UTC 2021 on sn-devel-184
commit 1e30fad7ee04baaebc2d87fb933cefe358799882
Author: Volker Lendecke <vl at samba.org>
Date: Mon Sep 20 16:42:08 2021 +0200
rpc_server: Simplify dcesrv_handle_lookup()
Reduce indentation with a "break;" from the loop, best reviewed with
git show -b
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit acaa89aac9d0ae6b655ea606aaa576d261e92fac
Author: Volker Lendecke <vl at samba.org>
Date: Mon Sep 20 16:36:15 2021 +0200
rpc_server: Move a type check in dcesrv_handle_lookup()
This check is independent of whether we found a handle or not, we can
do it before walking the handle list.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ef990008f22a0790442c0259defdfdcf0a28eb3d
Author: Volker Lendecke <vl at samba.org>
Date: Tue Sep 21 14:35:17 2021 +0200
libcli: Remove unused security_token_is_sid_string()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5b331443d0698256ee7fcc040a1ab8137efe925d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 15:10:35 2021 +1200
tests/krb5: Add classes for testing invalid checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 23 19:28:44 UTC 2021 on sn-devel-184
commit c0b81f0dd54d0d71b5d0f5a870b505e82d0e85b8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 15:06:18 2021 +1200
tests/krb5: Add method to determine if principal is krbtgt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ea7b550a500d9e458498d37688b67dafd3d9509d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:10:07 2021 +1200
tests/krb5: Verify checksums of tickets obtained from the KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1458cd9065de34c42bd5ec63feb2f66c25103982
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 13:54:47 2021 +1200
tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 394e8db261b10d130c5e5730989bf68f9bf4f85f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:05:58 2021 +1200
tests/krb5: Simplify account creation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f2f1f3a1e9269f0e7b93006bba2368a6ffbecc7c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 22 11:41:45 2021 +1200
tests/krb5: Provide ticket enc-part key to tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9284d8517edd9ffd96f0c24166a16366f97de8f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:08:16 2021 +1200
tests/krb5: Fix checking for presence of authorization data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9d01043042f1caac98a23cf4d9aa9a02a31a9239
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:58:09 2021 +1200
tests/krb5: Add method to get DC credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 38b4b334caf1b32f1479db3ada48b2028946f5e6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:59:24 2021 +1200
tests/krb5: Allow tgs_req() to check the returned ticket enc-part
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 054ec1a8cc4ae42918c7c06ef9c66c8a81242655
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:54:39 2021 +1200
tests/krb5: Set key version number for all accounts created with create_account()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 14cd933a9d6af08deb680c9f688b166138d45ed9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:11:28 2021 +1200
tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b6eaf2cf44fb66d8f302d4cab050827a67de3ea4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:10:49 2021 +1200
tests/krb5: Get supported enctypes for credentials from database
Look up the account's msDS-SupportedEncryptionTypes attribute to get the
encryption types that it supports. Move the fallback to RC4 to when the
ticket decryption key is obtained.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 432eba9e09849e74f4c0f2d7826d45cbd2b7ce42
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 21:01:46 2021 +1200
tests/krb5: Add methods to convert between enctypes and bitfields
These methods are useful for converting a collection of encryption types
into msDS-SupportedEncryptionTypes bit flags, and vice versa.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7cedd383bcc1b5652ea65817b464d6e0485c7b8b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:01:12 2021 +1200
tests/krb5: Make get_default_enctypes() return a set of enctype constants
This is often more convenient than a bitfield.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4c67a53cdca206a118e82b356db0faf0ddc011ab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 13:33:16 2021 +1200
tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1fcde7cb6ce50e0a08097841e92476f320560664
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 17 15:26:12 2021 +1200
tests/krb5: Add method for modifying a ticket and creating PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 12b5e72a35d632516980f6c051a5d83f913079e7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 17 14:56:51 2021 +1200
tests/krb5: Add method to verify ticket PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 702ebb3d8c8d9f7241bb264f9cb2a41a3dc46f32
Author: Ralph Boehme <slow at samba.org>
Date: Wed Aug 25 09:26:00 2021 +0200
registry: skip root check when running with uid-wrapper enabled
Currently registry config is not used in the clustered testenv, so currently
there's no problem. But once we do add that, the check would be triggered.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14787
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Sep 22 16:57:25 UTC 2021 on sn-devel-184
commit ec95b3042bf2649c0600cafb12818c27242b5098
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 17:20:22 2021 +1200
tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
Signatures created by an RODC have an RODCIdentifier appended to them
identifying the RODC's krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184
commit a562882b15125902c5d89f094b8c9b1150f5d010
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 16:54:57 2021 +1200
tests/krb5: Add methods for creating zeroed checksums and verifying checksums
Creating a zeroed checksum is needed for signing a PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 419e4061ced466ec7e5e23f815823b540ef4751c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 11:51:20 2021 +1200
tests/krb5: Cache obtained tickets
Now tickets obtained with get_tgt() and get_service_ticket() make use of
a cache so they can be reused, unless the 'fresh' parameter is specified
as true.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6193f7433b15579aa32b26a146287923c9d3844d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 11:51:05 2021 +1200
tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
The encpart is already contained in ticket_creds, so it no longer needs
to be returned as a separate value.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 59c1043be25b92db75ab5676601cb15426ef37a3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:24:46 2021 +1200
tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 035a8f198555ad1eedf8e2e6c565fbbbe4fbe7ce
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:14:45 2021 +1200
tests/krb5: Allow get_tgt() to specify expected and unexpected flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4ecfa82e71b0dd5b71aa97973033c5c72257a0c3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:14:06 2021 +1200
tests/krb5: Allow get_tgt() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2d69805b1e3a8022f1418605e5f29ae0bbaa4a06
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:41:46 2021 +1200
tests/krb5: Allow get_tgt() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5d3a135c2326edc9ca8f56bea24d2f52320f4fd6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:38:38 2021 +1200
tests/krb5: Allow get_service_ticket() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7645dfa5bedee7ef3f7debbf0fa7600bd1c4bd79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:19:28 2021 +1200
tests/krb5: Set DN of created accounts to ldb.Dn type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c226029655ca361560d93298a6729a021f2f6b75
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:13:51 2021 +1200
tests/krb5: Don't manually create PAC request and options in fast_tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3504e99dc5bcc206ca2964012b7fdca541555416
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:06:51 2021 +1200
tests/krb5: Use PAC buffer type constants from krb5pac.idl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a5e62d681d81a422bac7bd89dc27ef2314d77457
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:52:46 2021 +1200
tests/krb5: Allow as_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6403a09d94ab54f89d6e50601ae6b19ab7e6aae7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:25:01 2021 +1200
tests/krb5: Allow tgs_req() to send requests to the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1a3426da54463c3e454c1b76c3df4e96882e6aa9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:18:12 2021 +1200
tests/krb5: Allow tgs_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1f0654b8facf3b9b2288d2569a573ff3a5ca4a82
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:16:27 2021 +1200
tests/krb5: Allow tgs_req() to send additional padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a4d53dc12aa785f696e53ae3376f67375ce455f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:13:09 2021 +1200
tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0061fa2c2a26d990ed2e47441bca8797fc9be356
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:22:28 2021 +1200
tests/krb5: Check correct flags element
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a281ae09bcf35277c830c4112567c72233fd66b8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 15 20:56:28 2021 +1200
tests/krb5: Add helper method for modifying PACs
This method can remove or replace a PAC in an authorization-data
container, while additionally returning the original PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b81f6f3d71487085bb355392ce7f8eff2db5bb4d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 17 16:43:00 2021 +1200
autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
This allows making a push to do a full test ignoring errors without
needing "HACK!!!" commits on top.
Use like this:
git push -o ci.variable='AUTOBUILD_FAIL_IMMEDIATELY=0'
RN: Samba CI runs can now continue past the first error if AUTOBUILD_FAIL_IMMEDIATELY=0 is set
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14841
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org
Reviewed-by: Noel Power <npower at samba.org>
commit 21a7717359082feaddfdf42788648c3d7574c28e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 10 14:02:22 2021 +1200
python/join: Check for correct msDS-KrbTgtLink attribute
Previously, the wrong case was used when checking for this attribute,
which meant krbtgt accounts were not being cleaned up.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cde38d36b98f1d40e7b58cd4c4b4bedfab76c390
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:42:28 2021 +1200
python: Don't leak file handles
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9a24d8e491fc5b289c3e25eb448574e035420536
Author: Michael Adam <obnox at samba.org>
Date: Mon Sep 20 13:27:59 2021 +0200
lib:cmdline: fix a comment
The default log target was changed in 726ccf1d56b2979c827dd8586d1aeb6cb8de236c
(as a side effect), but the comment was only partially updated.
This patch fixes the comment by completing the orignal change to
correctly reflect current behavior.
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Sep 21 20:28:49 UTC 2021 on sn-devel-184
commit e50083ceb8013288d506ba9224f65deb5e3a38a5
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:55:32 2021 -0700
smbd: Update debug messages for failed sharemode release
Use new macros, consistent log level and remove reference to flock.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Christof Schmitt <cs at samba.org>
Autobuild-Date(master): Tue Sep 21 19:39:10 UTC 2021 on sn-devel-184
commit 0a2b50114599ed609778eb5add9a9c18126d07a4
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:50:08 2021 -0700
smbd: Remove return variable for releasing filesystem sharemode
flock is no longer used, the existing "ret" variable can be used
instead.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit fa3f952f3e7d27a0977f497ce96ef8484c2f1111
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:46:21 2021 -0700
smbd: Rename return variable for requesting filesystem sharemode
flock is no longer used, rename the variable accordingly.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d8972d920106043c8b0a24482174009d68f6faf8
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:38:59 2021 -0700
smbd: Update comment for durable handles
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 113f6964d0168c21dc94aa594f728c175fc294df
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:29:22 2021 -0700
VFS: Update tracking documents for renamed function
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 041dfdfc131e92e6947325a78180d83909e81b8e
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:27:07 2021 -0700
vfs_catia: Rename kernel_flock to filesystem_sharemode
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3224eb8fcf79b5f2554a6195aeeb313dd25c2de5
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:26:19 2021 -0700
vfs_default: Rename kernel_flock to filesystem_sharemode
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 4209e42ab1b07753c6130a25b52a48bada4d90e9
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:25:21 2021 -0700
vfs_streams_xattr: Rename kernel_flock to filesystem_sharemode
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b63ee5c7391ce683eed46e68a1e2dd47c2b14fd7
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:24:33 2021 -0700
vfs_gpfs: Rename kernel_flock to filesystem_sharemode
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 272fce3cbd5114c190570e4565f8e2f7b16ea3d4
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:22:50 2021 -0700
vfs_time_audit: Fix message for fcntl VFS call
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f3bd312ad97521df5f78d784a6abf7b82bc37a90
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:22:06 2021 -0700
vfs_time_audit: Rename kernel_flock to filesystem_sharemode
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0bd1df93fc331123e377775815337c98e5ebe1e8
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:20:42 2021 -0700
vfs_glusterfs: Rename kernel_flock to filesystem_sharemode
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0ac9dfd2677392f1e5d292752b046fb025679a5f
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:18:56 2021 -0700
vfs_ceph: Rename kernel_flock to filesystem_sharemode
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 73f04003e3e7c587c9be7cbd58a10fdd059f50ab
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:17:16 2021 -0700
docs-xml: Update vfs_full_audit manpage for renamed function
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ad87998ab405bd87a9bad9019e9f09819cb38681
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 15:15:39 2021 -0700
vfs_full_audit: Rename kernel_flock to filesystem_sharemode
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 264440c983a25f9043f2801e2fb6082b24990a88
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 14:58:23 2021 -0700
s3: Remove definition of removed kernel_flock function
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0ae59ffc4992821e6242f0a21235bf7514d94786
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 14:57:07 2021 -0700
examples/VFS/skel_opaque: Rename kernel_flock to filesystem_sharemode
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a2578d9b5642f639cf7016b43e71957478213b76
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 14:56:08 2021 -0700
examples/VFS/skel_transparent: Rename kernel_flock to filesystem_sharemode
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0a26b2386e3fedd5d90e3c0197b31ed31b286699
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 14:53:59 2021 -0700
VFS: Increase VFS version for renamed function
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c794e77381477f4a3d5e96c5100cfbf0b1804c52
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 14:51:02 2021 -0700
VFS: Rename kernel_flock to filesystem_sharemode
With the removal of the call to flock LOCK_MAND, the only remaining use
of this VFS path is to register sharemodes with specific file systems.
Rename the VFS call to reflect that this is no longer related to flock.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f3b5733df7637ad0c6d4bb42378ae430a35cc633
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 20 13:46:18 2021 -0700
profile: Remove syscall_kernel_flock profiling
This no longer calls flock, so it should not be part of the system call
profiling.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit af06d73a7563f6a7dec7653b7de1748de099b051
Author: Samuel Cabrero <scabrero at suse.de>
Date: Mon Aug 23 14:27:49 2021 +0200
s3:rpc_server: Do not use the default ncalrpc endpoint for external services
In samba3 it is possible to run some services externally, for example:
rpc_daemon:lsasd = fork
rpc_server:netlogon = disabled
rpc_server:samr = external
rpc_server:lsarpc = external
The external services running in separate processes have to use its own
dedicated ncalrpc endpoint, otherwise will race with main smbd serving the
embedded services to accept connections on ncalrpc default socket. If the
connection ends in an external process and the client tries to bind to an
interface not registered there (like winreg for example) the bind will fail.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Sep 21 11:00:01 UTC 2021 on sn-devel-184
commit 9c8521848bb5fedb3501d03e564a759d8709f418
Author: Samuel Cabrero <scabrero at suse.de>
Date: Thu Aug 19 12:52:04 2021 +0200
librpc:core: Add a function to register an interface passing the binding handle
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 99bf0c1b2649f74a3199c59bbc16c6e604ff4e79
Author: Samuel Cabrero <scabrero at suse.de>
Date: Mon Aug 23 14:23:58 2021 +0200
pidl:NDR/ServerCompat.pm: Do not register disabled services
In samba3 it is possible to disable RPC services, for exapmle:
rpc_server:netlogon = disabled
If a service is disabled do not register the interface neither create its
endpoint.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit b09efc8b8b9f482443a9d99074c6167c08859d84
Author: Volker Lendecke <vl at samba.org>
Date: Mon Sep 20 12:09:55 2021 +0200
lib: Move closefrom_except*() to a separate file
Enable use in other daemons
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Sep 21 01:12:12 UTC 2021 on sn-devel-184
commit 6f973a4f79bcde2ee13047cd7dd1ff3a105f3d0e
Author: Volker Lendecke <vl at samba.org>
Date: Mon Sep 20 11:59:13 2021 +0200
samba-bgqd: Convert closeall_*() to closefrom_*()
Align it with closefrom() in preparation for use elsewhere
Signed-off-by: Volker Lendecke <vl at samba.org>
commit e11881ea1678575797cab3503c8214d11834dd54
Author: Volker Lendecke <vl at samba.org>
Date: Thu Sep 16 17:05:25 2021 +0200
lib: Avoid an "includes.h"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit aea829250daee5b80686fc8f9369f8fdecb6e735
Author: Volker Lendecke <vl at samba.org>
Date: Sat Sep 18 08:30:07 2021 +0200
lib: Give util_specialsids.c its own prototype header
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit df4c03d52429bf8b40e7876016c65bd7d7ed5af8
Author: Volker Lendecke <vl at samba.org>
Date: Thu Sep 16 17:04:47 2021 +0200
lib: Add required #includes
dom_sid.h itself references talloc, and security.h references
DATA_BLOB.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 917f7902dfefb053bb9efd82cb9b1fc69ac70844
Author: Volker Lendecke <vl at samba.org>
Date: Sat Sep 18 07:59:25 2021 +0200
winbind: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ad462c27a4bcc8aa7262ee75b069841c16c4f0f5
Author: Volker Lendecke <vl at samba.org>
Date: Fri Sep 17 15:00:36 2021 +0200
rpc_server4: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 07113263893a42d4abddffba1ab341297d349ebf
Author: Volker Lendecke <vl at samba.org>
Date: Sun Sep 19 10:01:33 2021 +0200
samba-bgqd: Enable smbcontrol pool-usage
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 86cf8f462f0837f385001c0c1671c4e480ceb4bf
Author: Volker Lendecke <vl at samba.org>
Date: Sat Sep 18 08:51:59 2021 +0200
lib: Simplify sid_linearize()
We have ndr_push_dom_sid() for this
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8a93ef625fd348c1473c7a55bff480de05bdaf77
Author: Samuel Cabrero <scabrero at suse.de>
Date: Thu Sep 16 14:08:28 2021 +0200
s3: rpc_server: Avoid creating new handles when received an empty policy_handle
After merging s3 and s4 RPC handles implementations in commit
70fa7e817e48c9faa3c6c7ae3749e4a8ebf3e6c2 a new empty handle is allocated
when find_policy_by_hnd() or close_policy_hnd() is called with an empty
policy_handle (see dcesrv_handle_lookup() implementation).
This new behavior was causing a crash when running samba3.rpc.mdssvc test
with log level >= 10, because a debug message in _mdssvc_close() was
dereferencing the handle's associated data when called from
test_mdssvc_close() with an empty policy_handle.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Sep 20 14:31:33 UTC 2021 on sn-devel-184
commit cf4a868be50e795889b76b59f7fbe1cca51bcbfa
Author: Volker Lendecke <vl at samba.org>
Date: Fri Sep 17 10:22:29 2021 +0200
debug: Remove "override_logfile"
The only writer to this variable left with c377845d27d4dcd7. The
closest match for override_logfile is is_default_dyn_LOGFILEBASE()
with the opposite logic.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Sep 18 00:53:28 UTC 2021 on sn-devel-184
commit 48521736b4c40c05237a2a6f0e81e173be36154d
Author: Volker Lendecke <vl at samba.org>
Date: Fri Sep 10 12:22:46 2021 +0200
smbtorture: Fix epmapper.Map_full test
For detailed knownfail on subtests we need torture_assert() calls
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8d5534d2369ea2654703c93697b3d5257da3cdb6
Author: Amitay Isaacs <amitay at gmail.com>
Date: Wed Sep 15 14:29:28 2021 +1000
lib/tsocket: Fix build on Freebsd
This fixes the following build error on freebsd.
[1567/3959] Compiling lib/tsocket/tsocket_bsd.c
../../lib/tsocket/tsocket_bsd.c:415:8: error: use of undeclared identifier 'EAI_ADDRFAMILY'
case EAI_ADDRFAMILY:
^
On FreeBSD EAI_ADDRFAMILY is obsoleted. Here's the relevant excerpt
from netdb.h on FreeBSD 13.
-----------------------------------------------------------------
/*
* Error return codes from gai_strerror(3), see RFC 3493.
*/
#if 0
/* Obsoleted on RFC 2553bis-02 */
#define EAI_ADDRFAMILY 1 /* address family for hostname not supported */
#endif
-----------------------------------------------------------------
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Uri Simchoni <uri at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Sep 16 19:42:19 UTC 2021 on sn-devel-184
commit d12cb47724c2e8d19a28286d4c3ef72271a002fd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 18:17:47 2021 +1200
selftest: Update user_account_control tests to pass against Windows 2019
This gets us closer to passing against Windows 2019, without
making major changes to what was tested. More tests are needed,
but it is important to get what was being tested tested again.
Account types (eg UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT)
are now required on all objects, this can't be omitted any more.
Also for UF_NORMAL_ACCOUNT for these accounts without a password
set |UF_PASSWD_NOTREQD must be included.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Sep 15 08:49:11 UTC 2021 on sn-devel-184
commit 35292bd32225b39ad7a03c3aa53027458f0671eb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:24:31 2021 +1200
tests/krb5: Allow replicating accounts to the created RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit ef5666bc51ca80e1acdadd525a9c61762756c8e3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:24:05 2021 +1200
tests/krb5: Create RODC account for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 3cc9e77f38f6698aa01abca4285a520c7c0cd2ac
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 22:13:24 2021 +1200
tests/krb5: Allow replicating accounts to the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit af633992e31e839cdd7f77740c1f25d129be2f79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 20:58:01 2021 +1200
tests/krb5: Add get_secrets() method to get the secret attributes of a DN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit a5bf7aad54b7053417a24ae0918ee42ceed7bf21
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 20:20:23 2021 +1200
tests/krb5: Add method to get RODC krbtgt credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 7bc52cecb442c4bcbd39372a8b98bb033e4d1540
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:14:18 2021 +1200
tests/krb5: Sign-extend kvno from 32-bit integer
This helps to avoid problems with RODC kvnos that have the high bit set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 19a2af02f57d99db8ed3c6b028c3abdf4b553700
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 11:15:17 2021 +1200
pyldb: Avoid use-after-free in msg_diff()
Make a deep copy of the message elements in msg_diff() so that if either
of the input messages are deallocated early, the result does not refer
to non-existing elements.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit c2bbe774ce03661666a1f48922a9ab681ef4f64b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 14 11:08:41 2021 +1200
ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit a99a76722d6046a5d63032e3d2bb3f791da948a6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 11:34:56 2021 +1200
pytest:segfault: Add test for ldb.msg_diff()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 943079fd94fec66cdc2ba4ea1b2beb2971473004
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 8 11:28:52 2021 +1200
tests/krb5: Generate padata for FAST tests
This gives us access to parameters of kdc_exchange_dict and enables us
to simplify the logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit c9fd8ffd8927ef42fd555e690f966f65aa01332e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 15:36:24 2021 +1200
tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 0e99382d73f44eed7e19e83e430938d587e762d0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:55:10 2021 +1200
tests/krb5: Get encpart decryption key from kdc_exchange_dict
Instead of using check_padata_fn to get the encpart decryption key, we
can get the key from the AS-REQ preauth phase or from the TGT, depending
on whether the message is an AS-REQ or a TGS-REQ. This allows removal of
check_padata_fn and some duplicated code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit a5186f92803009c81eca2957e1bf2eb0ff7b6dff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:40:02 2021 +1200
tests/krb5: Get expected cname from TGT for TGS-REQ messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 4ba5e82ae53410ec9a0bc7d47b181a88c15d9387
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:26:43 2021 +1200
tests/krb5: Allow specifying status code to be checked
This allows us to check the status code that may be sent in an error
reply to a TGS-REQ message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit d40f57321a12c28840cdd2efd3e0e8f21855b6d4
Author: Christof Schmitt <cs at samba.org>
Date: Tue Sep 14 10:32:58 2021 -0700
WHATSNEW: Document changes for "kernel share modes"
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Sep 15 00:04:47 UTC 2021 on sn-devel-184
commit 079e706e1711cae82db913fa46fa9efe7afafc97
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 13 13:25:09 2021 -0700
docs-xml: Update manpage for "kernel share modes" option
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 54fe40836ba1813166ab9f060255139dd37d697a
Author: Christof Schmitt <cs at samba.org>
Date: Tue Sep 14 09:54:22 2021 -0700
loadparm: Set default of "kernel share modes" to "no"
selftest: Remove knownfail for smb2.lock.replay_smb3_specification_durable
With the changed default for "kernel share modes", this test can now
acquire durable handles and succeed.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c2d6284a033da3984cc13a85c862489c78fb7739
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 13 13:14:49 2021 -0700
wscript: Remove config check for LOCK_MAND
The define set from this check is no longer needed.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b2b7f9e658d80f8e193c4d1e266783b1f02a6012
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 13 13:13:44 2021 -0700
system: Remove kernel_flock
LOCK_MAND will be deprecated in the Linux kernel, so stop using this
feature and remove the kernel_flock function.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e1398c34b2c24b76b30fdde8417b871d53825a36
Author: Christof Schmitt <cs at samba.org>
Date: Tue Sep 14 09:49:16 2021 -0700
vfs_default: Return ENOTSUP for sharemodes flock call
Remove the call to kernel_flock, as this function will be deleted.
Have the function return ENOTSUP to indicate that this is not supported
by default (without a file-system specific VFS module).
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5488a242fbd6d7123a9cb3297c0cf71acbb9d523
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 13 13:00:03 2021 -0700
vfs_gpfs: Remove call to kernel_flock
The function kernel_flock will be deleted.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit facd6e01bd3b932a6bf33c71bbb590a8be51aa30
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 13 12:16:20 2021 -0700
vfs_gpfs: Update comment in vfs_gpfs_kernel_flock
The function kernel_flock will be deleted, drop the reference to it.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0fa4766e43a5e302a4152f370315ce2f73293cac
Author: Christof Schmitt <cs at samba.org>
Date: Mon Sep 13 12:01:01 2021 -0700
smbd: Update comment explaining streams and file-system sharemodes
The function kernel_flock will be deleted, drop the reference to it.
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ce2bc74dce46cc9e27f692527a0b81e1afab0096
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 13 18:22:36 2021 +1200
bootstrap: Remove last references to Ubuntu 16.04
The Ubuntu 16.04 build went away with
4366c3bb71fe9c083dedeae8798547b64a64d2b4 as oss-fuzz moves
to Ubuntu 20.04.
We don't do a special build for the oss-fuzz, this restores the
behaviour before e10910f8de542b0be9b89942791bd37288b7a32a and
d048d7e17d756099e208fa4d6b931a147b0b1489 where oss-fuzz was only
tested as part of the main build. (In the case of a failure the
pipeline would fail, preventing a merge, just the same as for
any other failing test).
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
Autobuild-User(master): Uri Simchoni <uri at samba.org>
Autobuild-Date(master): Tue Sep 14 04:44:44 UTC 2021 on sn-devel-184
commit 01378a52a1cf0b6855492673455013d5719be45b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:18:32 2021 +1200
tests/krb5: Create testing accounts in appropriate containers
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 14 00:01:44 UTC 2021 on sn-devel-184
commit c3b746290278f7b5c1dea676e3fa28b9f15bcf94
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:47:27 2021 +1200
tests/krb5: Check for presence of 'key-expiration' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit d3106a8d35225e826d548d3bea0d42edc3998c38
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:45:57 2021 +1200
tests/krb5: Check 'caddr' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 9cba5f9a1b098e49315e2e3d4c0b626884c04a64
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:43:41 2021 +1200
tests/krb5: Check for presence of 'renew-till' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 0afb548a0a3221730c4a81d51bc31e99ec90e334
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:34:20 2021 +1200
tests/krb5: Allow Kerberos requests to be sent to DC or RODC
If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER'
refer to the hostnames of the DC and RODC respectively, and this commit
allows either one of them to be used as the KDC for Kerberos exchanges.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 1974b872fb5a7da052305d01e2f1efc8d0637078
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:15:17 2021 +1200
tests/krb5: Make time assertion less strict
This assertion could fail if there was a time difference between the KDC
and the client.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 85ddfc1afcf21797dab15431a5f375444c4d316e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:13:11 2021 +1200
tests/krb5: Allow specifying ticket flags expected to be set or reset
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 571265257f335ba7f6f1b46daa0d657b8a8dff2b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 17:46:02 2021 +1200
tests/krb5: Remove magic constants
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 7556a4dfa64650939aef14a2fc4d10b9ed3d29f7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:38:33 2021 +1200
tests/krb5: Don't create PAC request or options manually in fast_tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit bc21ba2592093c765751ed3e8083dcd3512997f8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:37:27 2021 +1200
tests/krb5: Don't create PAC request manually in as_req_tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit c0db1ba54d238d4b2da8895215d8314b068ce09c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:36:42 2021 +1200
tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 1f23b16ef3a900a1bda01bf2a5a3a3847e2e79d1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:27:00 2021 +1200
tests/krb5: Move padata generation methods to base class
This allows them to be used directly from RawKerberosTest.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 9973b51e48a5d5f3e33c6e0da46e6231a42bd77a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:35:58 2021 +1200
tests/krb5: Keep track of account DN in credentials object
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 9aa900857441ea7e1c2d6c60bfa1ddeb142bf3e3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:34:46 2021 +1200
tests/krb5: Allow specifying additional User Account Control flags for account
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 7aae0e9b100b8cb7d1da78b8cb9a4a5c20acffbd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:34:02 2021 +1200
tests/krb5: Allow specifying an OU to create accounts in
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit bf55786fcd9a96daa9002661d6f5d9b3502ed8a7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:31:56 2021 +1200
tests/krb5: Replace expected_cname_private with expected_anon parameter
This is used in the case where the KDC returns 'WELLKNOWN/ANONYMOUS' as
the cname, and makes the reply checking logic easier to follow. This
also removes the need to fetch the client credentials in the test
methods.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 3fd73b65a3db405db5a0a82cca6c808763d4f437
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:21:55 2021 +1200
tests/krb5: Use more compact dict lookup
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 08086c43987abecc588ebd32ec846ff7e27a83b6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:05:39 2021 +1200
tests/krb5: Add KDCOptions flag for constrained delegation
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 448b661bf8815a05f534926d8ee8d6f57d123c2c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:57:26 2021 +1200
tests/krb5: Use signed integers to represent key version numbers in ASN.1
As specified in 'MS-KILE 3.1.5.8: Key Version Numbers', Windows uses
signed 32-bit integers to represent key version numbers. This makes a
difference for an RODC with a msDS-SecondaryKrbTgtNumber greater than
32767, where the kvno should be encoded in four bytes rather than five.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 9924dd976183ea62b08f116f8b8bacc698bb9b95
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:50:26 2021 +1200
tests/krb5: Add methods to obtain the length of checksum types
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit c6badf818e9db44461979a931c74fc5ab6e80132
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:46:42 2021 +1200
tests/krb5: Calculate expected salt if not given explicitly
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:40:59 2021 +1200
security.idl: Add well-known SIDs for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit ff2f38fae79220e16765e17671972f9a55eb7cce
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:39:19 2021 +1200
krb5pac.idl: Add ticket checksum PAC buffer type
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 95d8cdf0c361b6e3398614d28b0fb120c81649a9
Author: Uri Simchoni <uri at samba.org>
Date: Sun Sep 12 22:23:53 2021 +0300
tsocket: set errno on some failures of tsocket_address_inet_from_strings
Fix setting errno on all failure modes of
tsocket_address_inet_from_strings.
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Sep 13 22:27:59 UTC 2021 on sn-devel-184
commit 7217c67a4ad70bab524cd67f76c74afa240cdf29
Author: Uri Simchoni <uri at samba.org>
Date: Sat Sep 11 22:57:06 2021 +0300
selftest: add a unit test for tsocket_address_inet_from_strings
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 6b9b0439d849d26797b6ce9e27b85188f427c5b2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 10 05:00:39 2021 +1200
heimdal: Remove lex.yy.c file left over from a bug in lexyacc.sh
This file was incorrectly added in 6a27fbbfc4c51ae1635b8a5fa51c470ebc9f01e2,
was never referenced on our build system and should have been
removed with c51c15144e3fbdd3ebed301a077c687e23882e09 at least.
That script had a bug and did not remove this filename if
the particular version of lex generated it, and so it
likely was added to git as a result.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
Autobuild-User(master): Uri Simchoni <uri at samba.org>
Autobuild-Date(master): Mon Sep 13 05:41:30 UTC 2021 on sn-devel-184
commit 5950fc66e017e5712a5bafbce16c92484eee4c16
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 9 20:43:11 2021 +1200
build: Make Python 3.6 the minimum to build now oss-fuzz is upgraded
The exception to allow building, but not operating, with Python 3.5
was only because oss-fuzz provided only Python 3.5 on Ubuntu 16.04.
Ubuntu 20.04 is now the base image provided, so this exception can
be removed.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
commit 926db374a615e88003c99a476f45981beb30f8cf
Author: Ralph Boehme <slow at samba.org>
Date: Sat Sep 11 12:33:37 2021 +0200
smbd: fix "ea support = no"
Introduced by de83946311d8c1f007c236751280e9f101cc3a29.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14829
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Sep 11 21:48:01 UTC 2021 on sn-devel-184
commit ed35fce4fe48b1fa26854a7b4bb151b5c5fb6fc6
Author: Ralph Boehme <slow at samba.org>
Date: Mon Aug 9 19:30:21 2021 +0200
vfs_btrfs: fix btrfs_fget_compression()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14790
RB: vfs_btrfs compression support broken
Reported-by: noel.kuntze at thermi.consulting
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Sep 10 18:16:18 UTC 2021 on sn-devel-184
commit b053bea0af2b2f059d7ed2c920f283d82339022f
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:27:51 2021 +0200
s4/torture/masktest: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Sep 10 16:02:10 UTC 2021 on sn-devel-184
commit 0c47f244312f193c299d5b5b7b00db90364f8c8e
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:27:13 2021 +0200
s4/torture/locktest: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f6be1c18bf78db9e45be953d95ef8581daed5b4b
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:26:01 2021 +0200
s4/torture/gentest: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ecb27e02e113c597f952457e8a7803325c4c620e
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:25:30 2021 +0200
s4/regtree: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ac86779fe490318a943ab90e5d117537e839b55f
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:23:59 2021 +0200
s4/regshell: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 604ce3d85a879aa50c045b1f36c0580748b72eb7
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:22:12 2021 +0200
s4/regpatch: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5c75b5bdeb9b39843f115fe07f1a44689af3fcc5
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:21:31 2021 +0200
s4/regdiff: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 08532b3d2e0f66ee524401b8b939b3af31b6b7cd
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:16:30 2021 +0200
s4/cifsdd: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ac292ec428ea8ef6702e028c15077818000dfa87
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:15:49 2021 +0200
testparm: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b851d48277f226ff825b4aaf17483e2d91c54451
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:14:40 2021 +0200
split_tokens: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5562674a2188d4e11fbdfcbed7bf1fba02af9e90
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:13:48 2021 +0200
smbtree: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d841457aedd8715ceacb20af8f1ae42cbf8ebf49
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:12:57 2021 +0200
smbget: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 46a0da16710f99f33780d030557562e1a52a8cba
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:12:21 2021 +0200
smbcquotas: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3755304b6efb98739aca3aa121c095302b09e631
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:11:43 2021 +0200
smbcacls: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5a2b4ba059809a1e16124bf448a9398822fe5c80
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:11:07 2021 +0200
sharesec: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 246d4f7b934fbfa75d967aee1ff6bd64866995d1
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:10:39 2021 +0200
regedit: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 372adfda9f0aa8f91db6b5dc4357d848baa9fab3
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:09:34 2021 +0200
profiles: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit bcc4756d8293e452d09a6a73005302eddb6c1f28
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:08:59 2021 +0200
pdbedit: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5536e7981c3902014e91cdfa5bd9a17276e41be7
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:08:37 2021 +0200
ntlm_auth: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ff6a16806f6a030a36179b1e9db699ae72670db4
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:07:48 2021 +0200
nmblookup: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c84916fef5520795d54a29e8e8e2817dd8322f30
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:06:54 2021 +0200
mvxattr: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 72a6cf1a8a2903518488cff1bdadd001c5b0b281
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:05:58 2021 +0200
log2pcaphex: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4056bebf05f4d1e0bfcbc5fe53d63b3bab9e031f
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:05:02 2021 +0200
s3/async-tracker: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 96ab7909bd9eea14ba3aad535c28d53c184341a2
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:04:21 2021 +0200
vfstest: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit e3c5516dc578aee25aaaac1ab7a66ede9d313be0
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:03:21 2021 +0200
pdbtest: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 6afa1b3485cef59676dbccf0276bdfa289e009b4
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 07:01:56 2021 +0200
rpcclient: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d5f360723349c26a50472188e4f299def5b82742
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 06:56:36 2021 +0200
s3/param: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 08512e3a54180253445a16e976dd4f6ef4f2a799
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 06:30:45 2021 +0200
source3/lib/smbconf: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 98c977f44b6086e2c5cec52451078a6ade81d4a8
Author: Ralph Boehme <slow at samba.org>
Date: Thu Sep 9 18:15:51 2021 +0200
nmblookup: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 6845051266a785bc26356e296bd716162e8a133e
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 05:50:07 2021 +0200
s4/smbclient: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4053a59d8dc95ff4de2f6f5c50f7007b6456141f
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 05:46:27 2021 +0200
smbstatus: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c87cc09315a169300e57a58b88587e54fcf29d8f
Author: Ralph Boehme <slow at samba.org>
Date: Thu Sep 9 18:14:36 2021 +0200
texpect: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d179c4f49b37dbcd04197b8cc31933e19dd8ac9a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Sep 9 16:45:37 2021 +0200
smbclient: don't ignore unknown options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 09fd46aa1cb6c1e24948b7d370a4851191b205b2
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 11:29:35 2021 +0200
selftest: remove unsupported smbcacls option --get
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 29910da882d75b20d63714a1365a7b0dba6904a7
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 11:22:07 2021 +0200
lib/cmdline: restore s3 option name --max-protocol for MAXPROTOCOL from 4.14
s4 used --maxprotocol, s3 used --max-protocol. We should continue supporting
--max-protocol.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9a3b7f1338e2947aa1cbf1ae34d0e1e7cb692ee9
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 11:21:19 2021 +0200
manpages: remove duplicate options from smbclient
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit fdfc475000f606cc9e4ac160350f7ced64749589
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 10 11:09:25 2021 +0200
selftest: fix ---configfile option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 8f3ef4e6c5a440c6582f7af268c6c27c8a2273d4
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Sep 9 11:11:03 2021 +0200
lib/cmdline: fix --configfile handling of POPT_COMMON_CONFIG_ONLY used by ntlm_auth
ntlm_auth only every knew about '--configfile' without the '-s' alias,
keep it that way and make sure we actually process the argument via
the OPT_CONFIGFILE handling.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit efba2c445c511f27e220c2c92d507a772ee82bc1
Author: David Mulder <dmulder at suse.com>
Date: Wed Sep 8 07:46:26 2021 -0600
gpo: Add Chromium Group Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Sep 9 20:42:35 UTC 2021 on sn-devel-184
commit 1047acce9d4d04d41ea7e1ba8f58633c8df98a70
Author: David Mulder <dmulder at suse.com>
Date: Wed Sep 8 07:45:56 2021 -0600
gpo: Test Chromium Group Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2c18a982537ea1a62e4d802c9ae0ef06b36158dc
Author: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Date: Fri Oct 5 09:35:40 2018 +0100
Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups()
On MacOS sysconf(_SC_NGROUPS_MAX) always returns 16. However, this is not
the value used by getgroups(2). MacOS uses nested groups but getgroups(2)
will return the flattened list which can easily exceed 16 groups. In my
testing getgroups() already returns 16 groups on a freshly installed
system. And on a 10.14 system the root user is in more than 16 groups by
default which makes it impossible to run smbd without this change.
Setting _DARWIN_UNLIMITED_GETGROUPS allows getgroups() to return more than
16 groups. This also changes set_unix_security_ctx() to only set up to
16 groups since that is the limit for initgroups() according to the manpage.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8773
Signed-off-by: Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Sep 9 17:43:19 UTC 2021 on sn-devel-184
commit 9e7d2d9794af7251c42cb22f23ee9f86c6ea05c1
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jul 9 17:25:32 2021 +1000
ctdb-daemon: Don't mark a node as unhealthy when connecting to it
Remote nodes are already initialised as UNHEALTHY when the node list
is initialised at startup (ctdb_load_nodes_file() calls
convert_node_map_to_list()) and when disconnected (ctdb_node_dead()).
So, drop this code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Thu Sep 9 02:38:34 UTC 2021 on sn-devel-184
commit 7f697b1938efb3972f03f25546bf807d5af9a26c
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Jul 27 15:50:54 2021 +1000
ctdb-daemon: Ignore flag changes for disconnected nodes
If this node is not connected to a node then we shouldn't know
anything about it. The state will be pushed later by the recovery
master.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
commit ae10a8a4b70e53ea3be6257d1f86f2d9a56aa62a
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Jul 8 11:11:11 2021 +1000
ctdb-daemon: Simplify ctdb_control_modflags()
Now that there are separate disable/enable controls used by the ctdb
tool this control can ignore any flag updates for the current nodes.
These only come from the recovery master, which depends on being able
to fetch flags for all nodes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 916c5ee131dc5c7f1d9c3540147d1f915c8302ad
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Jan 17 19:04:34 2018 +1100
ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete
CTDB_SRVID_SET_NODE_FLAGS is no longer sent so drop monitor_handler()
and replace with srvid_not_implemented(). Mark the SRVID obsolete in
its comment.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit e75256767fffc6a7ac0b97e58737a39c63c8b187
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Jul 8 11:32:20 2021 +1000
ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS
The code that handles this message is
ctdb_recoverd.c:monitor_handler(). Although it appears to do
something potentially useful, it only logs the flags changes. All
changes made are to local structures - there are no actual
side-effects.
It used to trigger a takeover run when the DISABLED flag changed.
This was dropped back in commit
662f06de9fdce7b1bc1772a4fbe43de271564917.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 0132bd5a2233193256af434a37506f86ed62c075
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Jul 8 11:34:49 2021 +1000
ctdb-daemon: Modernise remaining debug macro in this function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit b6d25d079e30919457cacbfbbfd670bf88295a9c
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Jul 8 11:29:38 2021 +1000
ctdb-daemon: Update logging for flag changes
When flags change, promote the message to NOTICE level and switch the
message to the style that is currently generated by
ctdb-recoverd.c:monitor_handler(). This will allow monitor_handler()
to go away in future.
Drop logging when flags do not change. The recovery master now logs
when it pushes flags for a node, so the lack of a corresponding
"changed flags" message here indicates that no update was required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit eec44e286250a6ee7b5c42d85d632bdc300a409f
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jul 9 15:13:49 2021 +1000
ctdb-daemon: Correct the condition for logging unchanged flags
Don't trust the old flags from the recovery master.
Surrounding code will change in future comments, including the use of
old-style debug macros, so just make this change clear.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 5914054698dab934fd4db5efb9d211b2fdc40bb9
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jul 9 14:37:19 2021 +1000
ctdb-tools: Use disable and enable controls in tool
Note that there a change from broadcast to a directed control here.
This is OK because the recovery master will push flags if any nodes
disagree with the canonical flags fetched from a node.
Static function ctdb_ctrl_modflags() is no longer used to drop it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 6fe6a54e7f32e650be6ab36041159081dbde5165
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jul 9 14:32:12 2021 +1000
ctdb-client: Add client code for disable/enable controls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 15a6489c288b3adb635a728cb2049621ab1a07f7
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jul 9 14:12:59 2021 +1000
ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 60c1ef146538d90f97b7823459f7548ca5fa6dd3
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jul 9 14:02:28 2021 +1000
ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED
DISABLED is UNHEALTHY | PERMANENTLY_DISABLED, which is not what is
intended here. Luckily, it doesn't do any harm because nodes are
marked unhealthy at startup anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 1ac7bc7532b2fad791d0e53effa7c64cdc73c4eb
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jul 9 14:01:33 2021 +1000
ctdb-daemon: Factor out a function to get node structure from PNN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit e0a7b5a9e866452b1faaed86a105492fe7b237e2
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Jul 28 10:27:42 2021 +1000
ctdb-daemon: Add a helper variable
Simplifies a subsequent change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 6845dca87e6ffc5e449fb78d23eb9c7a22698b80
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jul 9 12:10:12 2021 +1000
ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 49dc5d8cd2d3767044ac69cbd25c8210d11cadf7
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Jul 8 17:28:20 2021 +1000
ctdb-protocol: Add new controls to disable and enable nodes
These are CTDB_CONTROL_DISABLE_NODE and CTDB_CONTROL_ENABLE_NODE.
For consistency these match CTDB_CONTROL_STOP_NODE and
CTDB_CONTROL_CONTINUE_NODE. It would be possible to add a single
control but it would need to take data.
The aim is to finally fix races in flag handling. Previous fixes have
improved the situation but they have only narrowed the race window.
The problem is that the recovery daemon on the master node pushes
flags to nodes the same way that disable and enable are implemented.
So the following sequence is still racy:
1. Node A is disabled
2. Recovery master pulls flags from all nodes including A
3. Node A is enabled
4. Recovery master notices A is disabled and pushes a flag update to
all nodes including node A
5. Node A is erroneously marked disabled
Node A can not tell if the MODIFY_FLAGS control is from a "ctdb
disable" command or a flag update from the recovery master.
The solution is to use a different mechanism for disable/enable and
for a node to ignore MODIFY_FLAGS controls for their own flags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 8305f6a7f132f03b0bbdb26692b7491fd3f6c24f
Author: Martin Schwenke <martin at meltin.net>
Date: Sun Jul 11 22:17:08 2021 +1000
ctdb-recoverd: Push flags for a node if any remote node disagrees
This will usually happen if flags on the node in question change, so
keeping the code simple and pushing to all nodes won't hurt. When all
nodes come up there might be differences in connected nodes, causing
such "fix ups". Receiving nodes will ignore no-op pushes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 620d07871420cdbfa055c1ace75ec1ac4c32721d
Author: Martin Schwenke <martin at meltin.net>
Date: Sun Jul 11 21:28:43 2021 +1000
ctdb-recoverd: Update the local node map before pushing out flags
The resulting code structure looks a little weird. However, there is
another condition that requires the flags to be pushed that will be
inserted before the continue statement in a subsequent commit..
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 82a075d4d734588a42fca7ebaf529892d1eba853
Author: Martin Schwenke <martin at meltin.net>
Date: Sun Jul 11 20:40:10 2021 +1000
ctdb-recoverd: Add a helper variable
Improves readability and simplifies subsequent changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
commit 4366c3bb71fe9c083dedeae8798547b64a64d2b4
Author: Uri Simchoni <uri at samba.org>
Date: Tue Sep 7 18:39:12 2021 +0300
gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image
REF: https://github.com/google/oss-fuzz/issues/6301#issuecomment-911705365
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 9 01:45:09 UTC 2021 on sn-devel-184
commit 4f300d672a8ef1820e68bc82833de4f5d4c0996e
Author: Uri Simchoni <uri at samba.org>
Date: Mon Sep 6 22:55:55 2021 +0300
fuzzing/oss-fuzz: strip RUNPATH from dependencies
Strip all RUNPATH headers from all dependency shared objects that
we copy to the fuzzing target, as those libraries aren't placed
in their original place.
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f94b1d3b31f2fb5bdbfce7b5f79d80f098b91975
Author: Uri Simchoni <uri at samba.org>
Date: Sat Sep 4 10:30:56 2021 +0300
fuzzing/oss-fuzz: fix samba build script for Ubuntu 20.04
Add a linker flag to generate fuzzer binaries with an RPATH
header instead of RUNPATH.
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 541f9ee5ab66b41a2a8d9c54183b095ad99f3769
Author: Uri Simchoni <uri at samba.org>
Date: Sat Sep 4 10:11:58 2021 +0300
fuzzing/oss-fuzz: fix RPATH comments for post-Ubuntu-16.04 era
Remove what appears to be a copy+paste error in one place, and
explain that RPATH/RUNPATH is set by the linker, not by chrpath
utility.
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e608dcd2d6736505022d0f9d1e008333bb70f1af
Author: Uri Simchoni <uri at samba.org>
Date: Sat Sep 4 11:01:56 2021 +0300
configure: allow configure script to accept parameters with spaces
Specifically this enables passing two linker flags to the --fuzz-target-ldflags
configure argument.
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2fe8d3eeac4cddedfeac936ce785c2c6f12d86ef
Author: Uri Simchoni <uri at samba.org>
Date: Fri Sep 3 18:46:17 2021 +0000
fuzzing/oss-fuzz: fix image build recipe for Ubuntu 20.04
Update the build_image.sh script to install Ubuntu 20.04 packages
instead of Ubuntu 16.04 on the oss-fuzz container - this will
allow the oss-fuzz container to be based on Ubuntu 20.04.
REF: https://github.com/google/oss-fuzz/issues/6301#issuecomment-911705365
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 18e08c709002506fe217ca6a7a098fcdc00f8c29
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 10 09:20:45 2021 +1200
docs: Avoid duplicate information on USER and PASSWD, reference the common section
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Sep 9 00:52:09 UTC 2021 on sn-devel-184
commit 9b50d2e52e6c85bc3ab991cd8a4b870aff397bda
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 10 09:14:08 2021 +1200
docs: Document all the other ways to send a password to smbclient et al
This was previously hidden knowlege not easily available to
administrators and end users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a363742635c54a6cb19363f4be9d2be2b731a5e6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 10 09:13:15 2021 +1200
docs: Ensure to rebuild manpages if samba.entities or samba.version changes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 867c6ff9f3f28ab4bfa0cb1660889f3f5be0d111
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 8 15:10:14 2021 +0200
docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values
This matches what smbstatus prints out. Note there's also the removal of
an '-' in "hmac-sha-256" => HMAC-SHA256".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14825
RN: "{client,server} smb3 {signing,encryption} algorithms" should use the same strings as smbstatus output
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Sep 8 16:37:07 UTC 2021 on sn-devel-184
commit 16e907f8415ed28e678112f22d1813f09da136f9
Author: Alenka Glukhovskaya <alenka at altlinux.org>
Date: Tue May 18 19:05:23 2021 +0400
Added russian translate file
Signed-off-by: Alenka Glukhovskaya <alenka at altlinux.org>
Signed-off-by: Elena Mishina <lepata at altlinux.org>
Reviewed-by: David Mulder <dmulder at suse.com>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): David Mulder <dmulder at samba.org>
Autobuild-Date(master): Wed Sep 8 15:44:42 UTC 2021 on sn-devel-184
commit 91c024dfd8ecf909f23ab8ee3816ae6a4c9b881c
Author: Jeremy Allison <jra at samba.org>
Date: Tue Sep 7 17:39:38 2021 -0700
s3: auth: Andrew noticed f585f01148ab2d8f84c96b12e018742f5f17bcb0 doesn't keep the same logic.
This should make it identical.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Sep 8 06:38:21 UTC 2021 on sn-devel-184
commit 2b86cff4a4df81e37ca9a4d95b8b928b0a912633
Author: Ralph Boehme <slow at samba.org>
Date: Sun Sep 5 15:09:12 2021 +0200
lib/replace: drop runtime copy_file_range() check
This reverts commit 4354823c5146753ef8a3791bc8562379096659b8
"libreplace: properly execute SYS_copy_file_range check".
We now use a runtime check in the user of copy_file_range().
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Sep 7 19:24:57 UTC 2021 on sn-devel-184
commit 3347bfce9ee8b20c09dec2c0c5eb69b0c4bdb743
Author: Volker Lendecke <vl at samba.org>
Date: Tue Sep 7 15:04:16 2021 +0200
samba_dnsupdate: Fix deprecation warnings
We should not call samba-tool with -k anymore
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 6ebed6b505aebb58726322b7c4e7f736e02773ce
Author: Volker Lendecke <vl at samba.org>
Date: Tue Sep 7 14:25:34 2021 +0200
samba-tool: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ba237d9403cf45bf71e5d943b92c15e9c494fb0f
Author: Volker Lendecke <vl at samba.org>
Date: Sun Sep 5 09:13:25 2021 +0200
auth: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f585f01148ab2d8f84c96b12e018742f5f17bcb0
Author: Volker Lendecke <vl at samba.org>
Date: Sun Sep 5 08:59:13 2021 +0200
auth: Simplify is_our_machine_account()
Use strnequal instead of duplicating a string
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 44566f59d8f8fa2ba5dd1239d4a3265bcdc44297
Author: Volker Lendecke <vl at samba.org>
Date: Thu Jan 28 10:56:51 2021 +0100
rpc_server3: Include the right "dcerpc.h" from a SAMBA_SUBSYSTEM
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 28686f8713958726085bd38a0889aa7725c95371
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 3 14:04:22 2021 +0200
s4/samba: POPT_COMMON_DAEMON
Note: this also changes logging to go to stderr instead of stdout which is the
same behaviour as smbd, nmbd and winbindd (starting with 4.15).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14803
RN: smbd/winbindd started in daemon mode generate output on stderr/stdout
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Sep 6 14:23:15 UTC 2021 on sn-devel-184
commit 9d82454cdfc2b4b8007c7b54b3afd5686f49be19
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 3 12:25:00 2021 +0200
winbindd: use POPT_COMMON_DAEMON
Note: this also changes logging to go to stderr instead of stdout which is the
same behaviour as smbd and nmbd (starting with 4.15).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14803
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit a20f63b384750d389aeafd4bd5e229aed72cb271
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 3 12:14:19 2021 +0200
nmbd: use POPT_COMMON_DAEMON
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14803
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit ae22442db437061aada6427adde205cd13f1d202
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 3 07:33:39 2021 +0200
smbd: use POPT_COMMON_DAEMON
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14803
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 877183ac0b57f5b2902446e41bb6ab3191f84fa6
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 3 07:28:45 2021 +0200
lib/cmdline: restore pre-4.15 logging behaviour for daemons
For servers ensure logging is configured to go to a logfile unless in
interactive mode by calling setup_logging() before lp_load_global() is
called.
In 4.14 servers had the chance to call setup_logging(getprogname(),
DEBUG_FILE) before they called lp_load_*() explicitly in the server.
Now in 4.15 lp_load_*() is called internally when parsing the command
line arguments triggered by the server running the poptGetNextOpt()
loop, so it's too late when the server calls
setup_logging(getprogname(), DEBUG_FILE) as lots of debugging from
lp_load_()* was already written to DEBUG_DEFAULT_STDERR.
Note that there's a chicken and egg problem *within* this patchset:
this change here breaks stdout logging for servers until the servers
are converted to use the new POPT_COMMON_DAEMON. The only way to
address that would be squashing all changes into one patchset, but for
the sake of reviewability (is that an actual english word? :)) I chose
to split the changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14803
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit aaa3c6a4132d2e739958e168e7dc3e78dfa4a72e
Author: Ralph Boehme <slow at samba.org>
Date: Fri Sep 3 07:22:18 2021 +0200
lib/cmdline: add POPT_COMMON_DAEMON daemon popt options
Note: interactive=true implies fork=false. This matches the semantics
that currently 3/4 daemons implement manually.
Not used so far, no change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14803
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 2f2c53c4f8f59a497bc33a24e5e0fc15ea076876
Author: Jeremy Allison <jra at samba.org>
Date: Thu Sep 2 14:40:53 2021 -0700
s3: smbd: Fix openat_pathref_fsp() to cope with FIFO's in the filesystem.
Remove skip test for the DISABLE_OPATH case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14816
RN: Fix pathref open of a filesystem fifo in the DISABLE_OPATH build
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Sep 6 09:51:54 UTC 2021 on sn-devel-184
commit a54d9ffc87ebe602a0e7c48e35643ed2ff1a00bc
Author: Jeremy Allison <jra at samba.org>
Date: Thu Sep 2 15:32:27 2021 -0700
s3: smbd: Add fifo test for the DISABLE_OPATH case.
Currently we hang when trying to list a directory
containing a fifo when configured with DISABLE_OPATH.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14816
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6590bb0b77c641f0d4686b39c713c1405ffb64f5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Sep 6 08:52:21 2021 +1200
selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
If two of these unit tests run in the same second they could
select the same name, as the name was only based on the time
and a common prefix.
As observed by Jeremy Allison. Thanks for the report!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14819
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Sep 6 02:32:51 UTC 2021 on sn-devel-184
commit ae57d22e45b33537e9fca5969e9b68abd1ad633f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Aug 25 12:03:08 2021 +1200
s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
Since 5c0345ea9bb34695dcd7be6c913748323bebe937 this
would not have been implicitly cached via the ldb_wrap
cache, due to the recording of the remote IP address
(which is a good thing).
This creates a more explicit and direct correct
cache on the connection.
The common code, including the SCHANNEL check is
placed into a helper function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sun Sep 5 03:19:26 UTC 2021 on sn-devel-184
commit b40761b42e889369599c5eb355028ba377c43b49
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Aug 25 09:54:04 2021 +0000
selftest: Add a test for LookupSids3 and LookupNames4 in python
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8affe4a1e625104de4ca024fdc3e9cd96498aff3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Aug 25 09:41:11 2021 +1200
dsdb: Be careful to avoid use of the expensive talloc_is_parent()
The wrong talloc API was selected while addressing a memory leak.
commit ee2fe56ba0ef6626b634376e8dc2185aa89f8c99
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date: Tue Nov 27 11:07:44 2018 +1300
drepl: memory leak fix
Fixes a memory leak where schema reference attached to ldb
instance is lost before it can be freed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14042
Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming at samba.org>
Autobuild-Date(master): Wed Jul 17 06:17:10 UTC 2019 on sn-devel-184
By using talloc_get_parent() walking the entire talloc tree is
avoided.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14806
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 75a5ed66731e947fa16af81aab7649d1fddec45f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Sep 4 13:11:08 2021 +1200
selftest: Only run samba_tool_drs_showrepl test once
This test is not slow, but there is no value running it twice.
Running this test twice just increases the chances we might
loose a race as it shows and validates live replication data.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e8b4599e0935290c5e59df9fd4f695ad8d6f361c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Sep 4 12:28:20 2021 +1200
selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
These now run in the disconnected sets schema_dc/schema_pair_dc and
ad_dc/vampire_dc/promoted_dc. By aiming at different sets ofservers
we can't cause cross-contamination in terms of which servers are
listed as outbound connections.
Also, by running the tests only once we reduce the chaces of trouble
by half.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 02b187303369d3ce0c19dfb72ffa78f86a3911f0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Apr 28 16:48:55 2021 +1200
Fix Python docstrings
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Sep 4 00:55:32 UTC 2021 on sn-devel-184
commit b59fc43523fb795bfab6846c266474873a15fdb9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 11 11:21:21 2021 +1200
python: Fix usage strings
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ad3498ab1643459719cdef24903379245ee9cefe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jul 14 16:06:31 2021 +1200
libcli/smb: Don't call memcpy() with a NULL pointer
Doing so is undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3d490c225b5beff668ec8be714d1f197b794dc9b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 17:14:44 2021 +1200
s4/dnsserver: Fix NULL check
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 15f0d34d34926f576dc179f65ba397ad137baf46
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jul 14 16:09:01 2021 +1200
s4/dnsserver: Don't call memcpy() with a NULL pointer
Doing so is undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit efcd1af17b4dde0a075cef135ef6bf73a56a1bcc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jul 14 16:10:09 2021 +1200
dsdb/samdb/ldb_modules: Use correct member of union
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 59ed09928541d40df72592419247add608a54aca
Author: Andreas Schneider <asn at samba.org>
Date: Wed Aug 25 15:34:58 2021 +0200
third_party: Update waf to version 2.0.22
New in waf 2.0.22
* Fix stdin propagation with faulty vcvarsall scripts #2315
* Enable mixing Unix-style paths with destdir on Windows platforms #2337
* Fix shell escaping unit test parameters #2314
* Improve extras/clang_compilation_database and extras/swig compatibility #2336
* Propagate C++ flags to the Cuda compiler in extras/cuda #2311
* Fix detection of Qt 5.0.0 (preparation for Qt6) #2331
* Enable Haxe processing #2308
* Fix regression in MACOSX_DEPLOYMENT_TARGET caused by distutils #2330
* Fix extras/wafcache concurrent trimming issues #2312
* Fix extras/wafcache symlink handling #2327
The import was done like this:
./third_party/waf/update.sh
Then changing buildtools/bin/waf and buildtools/wafsamba/wafsamba.py
by hand.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 2 21:22:17 UTC 2021 on sn-devel-184
commit e41bc0f43f6d86d554f37881263c43c356994726
Author: Andreas Schneider <asn at samba.org>
Date: Thu Aug 26 14:52:14 2021 +0200
third_party: Add a script to update waf
./third_party/waf/update.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d0f6d54354b02f5591706814fbd1e4844788fdfa
Author: Ralph Boehme <slow at samba.org>
Date: Fri Aug 20 15:04:49 2021 +0200
winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14804
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Sep 2 15:20:06 UTC 2021 on sn-devel-184
commit 39c2ec72cb77945c3eb611fb1d7d7e9aad52bdfd
Author: Ralph Boehme <slow at samba.org>
Date: Tue Aug 31 17:04:56 2021 +0200
winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14804
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 10baaf08523200e47451aa1862430977b0365b59
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 31 22:38:01 2021 +1200
tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
This allows our code to still pass with the error code that
MIT and Heimdal have chosen
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Sep 2 14:28:31 UTC 2021 on sn-devel-184
commit b0f4455e524cbbfb13202220e7095f466b083a2f
Author: Luke Howard <lukeh at padl.com>
Date: Tue Aug 31 17:38:16 2021 +1200
kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour.
[abartlet at samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd
and knownfail added]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ebd673e976aea5dd481a75f180fd526995c4fda0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Aug 31 19:42:33 2021 +1200
tests/krb5: Allow expected_error_mode to be a container type
This allows a range of possible error codes to be checked against, for
cases when the particular error code returned is not so important.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 24914ae17d49f634fafc1bdeb88859293da05f79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:37:16 2021 +1200
tests/krb5: Add tests for omitting sname in inner request
Note: the test 'test_fast_tgs_inner_no_sname' crashes the MIT KDC.
This is fixed in MIT Krb5 commit d775c95af7606a51bf79547a94fa52ddd1cb7f49
and was given CVE-2021-37750
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:26:45 2021 +1200
tests/krb5: Allow specifying parameters specific to the inner FAST request body
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit bbbb13caf7bd2440c80f4f4775725b7863d16a5b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:02:04 2021 +1200
tests/krb5: Add tests for omitting sname in request
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1e4d757394a0bbda587d5ff91801f88539b712b1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:00:37 2021 +1200
tests/krb5: Check PADATA-PW-SALT element in e-data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e373c6461a88c44303ea8cdbebc2d78dd15dec4a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:00:21 2021 +1200
tests/krb5: Check e-data element for TGS-REP errors without FAST
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3330eaf39c6174f2d90fe4d8e016efb97005d1e5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 1 10:43:06 2021 +1200
tests/krb5: Remove harmful and a-typical return in as_req testcase
A test in a TestCase class should not return a value, the
test is determined by the assertions raised.
Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2]
to not always be filled, so we need to remove this
rudundent code.
This also fixes a *lot* of tests against the MIT KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b8e2515552ffa158fab1e86a39004de4cc419da5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 12:25:06 2021 +1200
CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would
crash the Heimdal KDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0cb4b939f192376bf5e33637863a91a20f74c5a5
Author: Luke Howard <lukeh at padl.com>
Date: Fri Aug 27 11:42:48 2021 +1000
CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
In tgs_build_reply(), validate the server name in the TGS-REQ is present before
dereferencing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
[abartlet at samba.org backported from from Heimdal
commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
to an earlier patch by Joseph Sutton]
RN: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 15f9f040fe537ebd30419a4751aa0f13b20f242b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 16:52:29 2021 +1200
tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
Note: This test crashed the MIT KDC prior to MIT commit
fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given
CVE-2021-36222.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 36798f5b651a02b74b6844c024101f7a026f1f68
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 14:43:53 2021 +1200
tests/krb5: Make cname checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 79dda329f2a8382f1e46b50f4b9692e78d687826
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:35:59 2021 +1200
tests/krb5: Make e-data checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC, instead failing when obtaining a TGT for the user or machine.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d9edad89f3b268c6da8f988a42f8cf2a3b697fe7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 1 20:53:45 2021 +1200
Update common on currently supported Fedora versions
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5805a7c49aa13b578a717cbbc46460741d325c65
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 1 20:55:40 2021 +1200
bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e9c8ac4adbca2f8cb45470ccb45a45039188a285
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 1 20:45:03 2021 +1200
bootstrap: Update to get newer krb5 on Fedora 34
We need the update FEDORA-2021-20b495cb94 (krb5) to
get a fix for CVE-2021-37750 (explicit NULL deref on KDC)
so our CI will pass as we have a test for this.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 40b65fcb5830c6168a3032eb12bb4c8acc940bb3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 1 09:40:08 2021 +1200
script/autobuild.py: Restore MIT ADDC tests against fl2008*
Commit 7387da74e6f0e33de5f80b9a5e59f268541f52cd incorrectly
ran the fl2000dc and fl2003dc tests twice, rather than the
fl2008dc and fl2008r2dc tests in samba-ad-dc-4b-mitkrb5.
(Now ad-dc-mit-4b)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14815
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Thu Sep 2 05:56:12 UTC 2021 on sn-devel-184
commit 17ae0319db53a7b88e7fb44a9e2fd4bf1d1daa0e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 14:54:39 2021 +1200
selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
This generates a single test per bit which is easier to
debug. Elsewhere we use this pattern where we want to
be able to put some cases in a knownfail, which is otherwise
not possible.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 60f1b6cf0ef0bf6736d8db9c53fa48fe9f3d8e75
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 14:51:27 2021 +1200
selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
This generates a single test per bit which is easier to
debug. Elsewhere we use this pattern where we want to
be able to put some cases in a knownfail, which is otherwise
not possible.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 8701ce492fc3a209035b152961d8c17e801b082a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 14:37:06 2021 +1200
selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
This is a nice easy example of how the test generation
code works, and it combined nicely with the earlier
patch to return string names from the UF_ constants.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit fb6c0b9e2a10c9559d3e056bb020bd2c990da998
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 13:03:15 2021 +1200
pydsdb: Add API to return strings of known UF_ flags
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 8c455268165f0bbfce17407df2c1746a0e03f828
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 10:10:56 2021 +1200
selftest: Use addCleanup rather than tearDown in user_account_control.py
self.addCleanup() is called regardless of the test failure or error status
and so is more reliable, particularly during development.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 8b078bbf8717b9407cdbc1588dd065164ab78e1b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 30 10:07:31 2021 +1200
selftest: Modernise user_account_control.py tests use a common self.OU
We set and use a single self.OU to ensure consistancy and
reduce string duplication.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 1209c89dcf6371bbfa4f3929a47a573ef2916c1a
Author: Bjoern Jacke <bj at sernet.de>
Date: Tue Aug 17 11:39:24 2021 +0000
util_sock: fix assignment of sa_socklen
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14800
Autobuild-User(master): Björn Jacke <bjacke at samba.org>
Autobuild-Date(master): Tue Aug 31 09:54:35 UTC 2021 on sn-devel-184
commit 638c6d423e78ae7b4429c7157c7e86af2313936a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Aug 26 16:30:37 2021 +1200
selftest: Remove skip of samba4.rpc.unixinfo
This test, and the rpcclient getwpuid call on a "real" system
with nss_winbind (under docker in my test) also works fine.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14691
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 31 00:12:53 UTC 2021 on sn-devel-184
commit d5118eb68adc82bede5391821e1db624d119eaec
Author: David Mulder <dmulder at suse.com>
Date: Wed Aug 25 13:05:28 2021 -0600
gpo: Add Group Policy Firefox Extension
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Aug 30 21:57:09 UTC 2021 on sn-devel-184
commit c5bbb1777ecd595d8472380302949f45bf50dcf8
Author: David Mulder <dmulder at suse.com>
Date: Wed Aug 25 13:04:47 2021 -0600
gpo: Test Group Policy Firefox Extension
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit fead05a45556993b80a84fe9bb07b10debb4ae62
Author: Ralph Boehme <slow at samba.org>
Date: Thu Aug 5 12:08:00 2021 +0200
vfs_gpfs: deal with pathrefs fsps in smbd_gpfs_set_times()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Aug 26 20:08:51 UTC 2021 on sn-devel-184
commit 93a48399f427d114df63b434e7fcddc62a1d9ce5
Author: Ralph Boehme <slow at samba.org>
Date: Thu Aug 5 12:05:16 2021 +0200
lib/gpfswrap: add gpfs_set_times_path() wrapper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 1bbdb81899be6c1da6fa9a63bf16a00401e09399
Author: Ralph Boehme <slow at samba.org>
Date: Fri Aug 13 11:55:16 2021 +0200
vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fntimes()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 9a237e168a4bbd5665bd40d521506ca3a6825198
Author: Ralph Boehme <slow at samba.org>
Date: Thu Aug 5 11:58:58 2021 +0200
vfs_gpfs: pass fsp to smbd_gpfs_set_times()
No change in behaviour. Prepares for dealing with pathref fsps in
smbd_gpfs_set_times().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 443608ee8122a2c17258db8dca9885bb524957af
Author: Ralph Boehme <slow at samba.org>
Date: Thu Aug 5 11:55:30 2021 +0200
vfs_gpfs: deal with pathref fsps in vfs_gpfs_fntimes()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 882a466ea5f45e5e2197f2408ccd560383e13c3f
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jul 1 16:08:02 2021 +0200
vfs_gpfs: add sys_proc_fd_path() fallback to vfs_gpfs_fset_dos_attributes()
gpfs_set_winattrs() is a modifying operation, my expectation thus is that it is
not allowed on pathref (O_PATH) handles even though a recent Linux kernel commit
44a3b87444058b2cb055092cdebc63858707bf66 allowed calling utimensat() on pathref
handles.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
RN: Some VFS operations on pathref (O_PATH) handles fail on GPFS
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 3679f54f178ba6ddb940cc66f701e9b3a1dd543d
Author: Ralph Boehme <slow at samba.org>
Date: Fri Aug 13 11:39:05 2021 +0200
vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fset_dos_attributes()
This API call has existed for a long time, so we can safely assume that this
always works.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Pair-Programmed-With: Christof Schmitt <cs at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Christof Schmitt <cs at samba.org>
commit fde1b98143568fc816165502583f72e73b5d6b71
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jul 29 19:28:14 2021 +0200
vfs_gpfs: add path based fallback for gpfswrap_fstat_x() on pathref handles
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 730f8c49a9bc8333f0b722ad65e4e587421c21ec
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jul 29 15:53:04 2021 +0200
vfs_gpfs: check for O_PATH support in gpfswrap_fstat_x()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 1a3ac7a940fbb4ad8575ee3b0c56c9de2bf4b1f6
Author: Ralph Boehme <slow at samba.org>
Date: Fri Aug 6 12:05:44 2021 +0200
vfs_gpfs: make vfs_gpfs_connect() a no-op on IPC shares
We don't ever expect any filesystem IO operations to be called on an IPC shares,
so there's no need to initialize the module here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 070dce224bbe190266682c5e362bc2b0ed798ecc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 11 16:23:24 2021 +0200
vfs_gpfs: don't check for struct gpfs_config_data in vfs_gpfs_[l]stat()
This is unused and the config object won't be avilable for IPC$ anymore with the
next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 145e739c440d39651d4f3d30682035ab868488ba
Author: Ralph Boehme <slow at samba.org>
Date: Fri Aug 6 12:03:38 2021 +0200
vfs_gpfs: call SMB_VFS_NEXT_CONNECT() before running some module initialization code
No change in behaviour. Prepares for a subsequent commit that checks for IPC shares.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit bcd6bed7b8611654a7e9752b258541f89414b020
Author: Ralph Boehme <slow at samba.org>
Date: Fri Jul 30 15:17:44 2021 +0200
smbd: avoid calling creating a pathref in smb_set_file_dosmode()
We already have a fsp with a valid fsp->base_fsp if it's a stream.
Also remove the struct smb_filename arg, it's not needed, the only caller
already checks for a valid fsp.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
commit 5d53b848f60efbb71e4cd2f51f33a06369ca9055
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 25 16:33:03 2021 +0200
wafsamba: always generate compile_commands.json again, but only when the samba dependencies changed
This means the costs of the generation on a empty build are not paid
anymore, which was the reason for the explicit --enable-clangdb option.
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Aug 26 13:06:09 UTC 2021 on sn-devel-184
commit 9b9fd2a0d9ca81aa16ddfe2f7e219b94e2ac158b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 16 14:46:31 2021 +1200
mit-kdc: Remove build time support for KDB_API < 10
The previous commits restricted to MIT KDC build to MIT 1.19 and this removes the
#ifdef in the code of what will become untested code.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Aug 26 07:05:44 UTC 2021 on sn-devel-184
commit 554bdfa8a04fd95c710b486890277dd92f685f2f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 16 14:25:54 2021 +1200
build: Move minimum MIT krb5 version to 1.19 to align with what is tested
This avoid shipping untested code and aligns with the version
used in GitLab CI for all the MIT builds.
The "bronze bit" (CVE-2020-17049) security fixes will need
a new MIT KDB version in any case, this prepares the ground
by removing the older version support.
(knownfail_mit_kdc updates taken from a patch by
Andreas Schneider <asn at samba.org> that did this optionally)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ff267c3c790c0ae9f276225f67fb543d6371cb53
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 16 13:53:58 2021 +1200
autobuild.py: Do not build MIT builds by default (eg sn-devel)
This avoids the need for MIT KDC tests and the MIT KDC glue code to
operate against the older MIT 1.16 found on Ubuntu 18.04, which
is our current build environment.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 649b0741e17909afce762a5b84c1231600eec5f0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 16 13:52:04 2021 +1200
gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC
Fedora packages current MIT builds pretty fast so we base our
MIT KDC tests there, as this avoids backporting and tests against
the most current code.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6145c388d201d817444322dee67ca1ec1989ecd1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Aug 18 14:59:47 2021 +1200
gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos
Because the MIT KDC builds are moving to current MIT and out of the default autobuild
this ensures that on our default host, which is closer to what most of our
users operate, Samba still works with Kerberos.
This uses the ktest environment that does not require the KDC to exist
and instead uses a static ccache and keytab.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 167ad96136b42b5cb601decc0fc68c9603c8b172
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 16 13:40:39 2021 +1200
autobuild.py: Explain why each job is removed from the default set
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a41425ebd0f6f2e9e84e2462e7458d04267cd524
Author: Jeremy Allison <jra at samba.org>
Date: Wed Aug 25 09:57:05 2021 -0700
s4: ntvfs: Missed comma in 24c09f913d82528ada14013e3d673d277cf04a93, string would be concatenated.
Sorry for the mistake, I missed that in the review.
Caught by Coverity.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Aug 25 18:02:05 UTC 2021 on sn-devel-184
commit 857045f3a236dea125200dd09279d677e513682b
Author: Jeremy Allison <jra at samba.org>
Date: Mon Aug 23 17:42:40 2021 -0700
s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an unallocated pointer on error.
Just return the status - if create_conn_struct_as_root() fails
the connection struct never gets returned.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14809
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Aug 25 17:09:23 UTC 2021 on sn-devel-184
commit b4d8c62c4e8191e05fd03dd096a0bc989e224ed3
Author: Jeremy Allison <jra at samba.org>
Date: Mon Aug 23 17:40:42 2021 -0700
s3: mdssvc: Correctly disconnect the VFS connection inside the mds_ctx destructor.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14809
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6248eab51039712b183df915533a76378f48e138
Author: Björn Jacke <bj at sernet.de>
Date: Mon Jun 28 17:00:54 2021 +0200
mangle_hash2: remove LOCK$ from list of reserved names
see also:
https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file?redirectedfrom=MSDN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8776
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 24 19:26:59 UTC 2021 on sn-devel-184
commit c653f8054ea222e0609c98c0121f2e0a26a5954f
Author: Björn Jacke <bj at sernet.de>
Date: Mon Jun 28 16:56:18 2021 +0200
mangle_hash2: add missing COM/LPT ports that are also reserved names
see also:
https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file?redirectedfrom=MSDN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8776
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 24c09f913d82528ada14013e3d673d277cf04a93
Author: Björn Jacke <bj at sernet.de>
Date: Mon Jun 28 16:55:04 2021 +0200
ntvfs: add missing COM/LPT ports that are also reserved names
see also:
https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file?redirectedfrom=MSDN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8776
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2a20c8b2b1659e055dbedcb074e0f49a88b9b8cc
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jun 12 10:03:16 2021 +0200
rpcclient: Add unixinfo commands
The unixinfo pipe might go away in the future, but right now we have
it around. This code is simple and can go away again when unixinfo
dies.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 24 18:22:56 UTC 2021 on sn-devel-184
commit 76b7bc5fc06cb64ab3e43c3d26c09dc0aa605199
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jun 19 17:05:39 2021 +0200
winbindd: NULL-initialize a pointer
Patches from the dcerpc patchset will create warnings out of this not
being initialized.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d244d16ca9d28e69494e68f8f3dd1b9b504269d3
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 6 14:03:55 2021 +0200
rpc_client: Align cli_api_pipe_send() with tevent_req() conventions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 17b6c25bda02dc70dca719e667cc0e285918af6e
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 6 14:05:30 2021 +0200
rpc_client: Use tevent_req_nterror() properly in cli_api_pipe
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 730e2903b2f967dbc30f84692c8e3bf83d9453e4
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 3 12:13:13 2021 +0200
rpc_client: Make rpc_pipe_open_tcp() static
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 19482ebb7480ce10bce33c5c6c683c8bab8b8b35
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 3 09:37:12 2021 +0200
torture: Remove rpc_open_tcp test program
Its initial commit in 2008 stated that it still needs to be integrated
into the test suite. As far as I can see, this never happened.
Why remove it? Without this we can make rpc_open_tcp() static for
easier refactoring.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 965ebcae7636c44ba40af1eda50cb819ce10b4c8
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 6 12:11:32 2021 +0200
rpc_client: Simplify get_complete_frag_send()
tevent_req_oom() and tevent_req_nomem() instead of explicit
NT_STATUS_NO_MEMORY; do an early return if done.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 7df7bf44e55d4ca63f3cf22a6d75efe28cf64371
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 6 12:12:31 2021 +0200
rpc_client: Simplify get_complete_frag_got_header()
tevent_req_nterror() returns a bool, no separate check required
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 39c0e3ea2ea0644dbe827e243efb0c7350d904bb
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 6 12:12:58 2021 +0200
rpc_client: Simplify get_complete_frag_got_header()
Use tevent_req_oom()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 68a3e478d1c09c337c4eb0fe4d18fa775038bb79
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 6 12:14:23 2021 +0200
rpc_client: Simplify get_complete_frag_got_rest()
tevent_req_simple_finish_ntstatus() is made precisely for this simple
case where we just pass on a subreq's NTSTATUS
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f8c828b87ddaf8af245e6671590cfc8ef8ed9ee2
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 6 14:16:22 2021 +0200
rpc_client: Simplify rpc_api_pipe_auth3_done()
Use tevent_req_simple_finish_ntstatus()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit dc4371f7d6224b045bfcbc4cc78147ed2469868f
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 6 14:18:26 2021 +0200
rpc_client: Avoid casts
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 56328aef8eb8777500df4f31a8bfb7ce970087fa
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 6 14:21:23 2021 +0200
rpc_client: Use tevent_req_nterror() properly
Signed-off-by: Volker Lendecke <vl at samba.org>
commit d11688059f9920f9a565eac06699d58b7e3e828a
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 6 14:22:47 2021 +0200
rpc_client: Simplify rpccli_bh_disconnect_recv()
Use tevent_req_simple_recv_ntstatus()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3bfc7802ef5b93c4ba19d3d0a27b706f25ab4b2a
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jul 25 15:55:46 2021 +0200
winbind: Remove an unused include
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8c7b41063c9509e93df14bffb4d9c142abc60737
Author: Volker Lendecke <vl at samba.org>
Date: Sat Aug 7 10:26:03 2021 +0200
rpc_client: Adapt rpc_write_send() to tevent_req conventions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 398e38400d1a5e35d502e9c9764878a8175f8285
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 10 15:56:57 2021 +0200
rpc_client: Adapt rpc_api_pipe_send() to recent coding conventions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e8dda8421b3a4c8ac0e3c49d5787662d6f74fb54
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 10 16:12:19 2021 +0200
rpc_client: Use ndr_syntax_id_equal() in check_bind_response()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 89a0f256e218a53b0eeafdc3150b889557574d70
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 10 16:13:09 2021 +0200
rpc_client: Use struct init/assignment
Don't leave structures/unions partially uninitialized
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a3f7f279ff0663eb25c24cfcc2104e98e210a210
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 13 15:51:07 2021 +0200
rpc_client: Adapt rpc_pipe_bind_send() to talloc_req conventions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c4aea464bb0eebdf1a7db2564e5d9ca37baf11f5
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 13 16:05:00 2021 +0200
rpc_client: Avoid ZERO_STRUCTP in prepare_verification_trailer()
Direct struct assignments are easier to read for me, but YMMV.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2a4e785040dbdc687061afa246b56fb07802f0e7
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 13 16:15:16 2021 +0200
rpc_client: Adapt rpc_api_pipe_req_send() to talloc_req conventions
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 106c04689e1855e5631f0a10e685c55134315a26
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 07:42:48 2021 +0200
rpc_client: Slightly simplify rpc_api_pipe_req_send()
tevent_req_create() zero-initializes "state"
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b0c065773e9e0d1a55aa794997835ca5a52443a8
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 07:49:27 2021 +0200
rpc_client: Early TALLOC_FREE() in prepare_verification_trailer()
We don't need "t" from here on anymore
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3e3cc4eae9ab779a61496061da34fc4289785769
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 3 09:09:28 2021 +0200
rpc_client: Fix a small memleak
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit dbb1226c7ce7fa5b6fe5de1fc540e01fbec9b553
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 16:28:31 2021 +0200
libsmb: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3fb8eebfe304f715bb63aeefa60b3b76e30288a8
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 16:52:24 2021 +0200
rpc_client: Slightly simplify rpc_transport_np_init_pipe_open()
Avoid an unnecessary else, use tevent_req_nterror() in if-clause
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8b45a42bc8b9c4efbbc7a4c64dd7fa599c3dccc4
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 17:10:17 2021 +0200
lib: Improve comment wording
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 7e810091fcf49663055f46f6800160ad5972b261
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 17:20:03 2021 +0200
rpc_server: Fix a comment
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 12942576b326e64017e84d98163470a891df1860
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 17:20:21 2021 +0200
rpc_server: Simplify _samr_CreateUser2()
Use a variable that we just set a line before, don't duplicate the
priv name.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 95a2540d0b81e8041b20333be4823a5e03570517
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 17:24:45 2021 +0200
rpc_server: Align integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit da74089533a52dd92abe7df11f2f5e8be2f6adca
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 17:59:49 2021 +0200
rpc_server: Remove an unused function declaration
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 2154bb50f682fb0e2fe3b6216933ef4f66c62ab9
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 20:18:45 2021 +0200
rpc_server: Slightly simplify set_user_info_18()
Instead of adding the NULL check to data_blob_talloc_zero() put "out"
on the stack.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ebac118da5b041862af65bbede2bf3bc39a0b27c
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 20:18:45 2021 +0200
rpc_server: Slightly simplify set_user_info_21()
Instead of adding the NULL check to data_blob_talloc_zero() put "out"
on the stack.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b79ed122e53545ed6117b790dacb7a70ff897783
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 17 20:37:04 2021 +0200
rpc_server: Simplify open_np_file()
No need to go via a string to create the SID describing the SMB3
encryption, we can directly use sid_append_rid().
This by the way fixes a bug: SID_MAX_SIZE is the maximum length of the
binary SID, not the maximum string length for a SID.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 9857c562568a718bb14ba49c644db9181aa7110e
Author: Volker Lendecke <vl at samba.org>
Date: Wed Aug 18 06:21:52 2021 +0200
librpc: Simplify GUID_hexstring()
A temporary talloc context seems unnecessary to me.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0cddd3f2d66b3fb3af73d42df6c4d42aff7863d7
Author: Volker Lendecke <vl at samba.org>
Date: Wed Aug 18 06:25:00 2021 +0200
librpc: Simplify GUID_string2() by using GUID_buf_string()
Avoid unnecessary talloc
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5e2ac224b79574ee07c82e5e58c8ba17c0299b09
Author: Volker Lendecke <vl at samba.org>
Date: Wed Aug 18 06:27:52 2021 +0200
librpc: Simplify GUID_zero() with a direct struct return
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 78942ad7d17a92cd39d9c46ae1b8348e9673ac30
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 23 20:45:50 2021 +1200
samba-tool domain backup: Use tdbbackup on metadata.tdb
metadata.tdb is inside sam.ldb.d/ but should be backed up with tdbbackup.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Aug 24 13:22:04 UTC 2021 on sn-devel-184
commit 958931ad379af26dcbc55cfbc49e7886ef8e0550
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 23 18:14:16 2021 +1200
samba-tool: Rework transations/locks to hold a lock during mdb backup
We now also get sidForRestore under that lock, rather than
after the backup.
This avoids using the database again after the backup process
While not entirely clear how/why this matters with LMDB
as seen in Fedora 34, likely due to the same issues
seen with 0.9.26 or later fixed by commmit
bb3dcd403ced922574a89011dd3814c4fe87dd76.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 423f808ff48e297745f576a52b2118c4b920a3e4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 23 19:41:15 2021 +1200
samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb
This avoids opening the database again by having the caller pass in
the DB open
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 2d6cdb5421810b0027cb78307abd8a8c855c5244
Author: Andreas Schneider <asn at samba.org>
Date: Tue Aug 24 10:14:14 2021 +0200
selftest: Add python path for compiled python modules like ldb
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 72b4fe93f15e414ca3e7d7f0e77a5f0aae90556a
Author: Jeremy Allison <jra at samba.org>
Date: Thu Aug 19 15:43:52 2021 -0700
s3: smbd: Ensure all returns from OpenDir() correctly set errno.
Complex code paths inside open_internal_dirfsp() can return an
NTSTATUS, but trample on the matching errno. We need to make
sure if open_internal_dirfsp() fails, errno matches the NTSTATUS
return.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14805
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Fri Aug 20 09:56:49 UTC 2021 on sn-devel-184
commit 649f544ab2cf564cdecf545c549ca9703cb5cda4
Author: Jeremy Allison <jra at samba.org>
Date: Mon Jul 19 15:10:41 2021 -0700
s3: VFS: streams_depot: Allow "streams directory" outside of share path to work again.
As we're dealing with absolute paths here, we just need
to temporarily replace the connectpath whilst enumerating
streams.
Remove knownfail file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Aug 19 17:04:44 UTC 2021 on sn-devel-184
commit 1e3232006d688fa999fb8314ce948ffb45a50e71
Author: Jeremy Allison <jra at samba.org>
Date: Mon Jul 19 14:52:32 2021 -0700
s3: VFS: vfs_streams_depot: Factor out the code that gets the absolute stream rootdir into a function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
commit 5fdf4219c6db6d81ebe608c4313c9c9aea6dbc7c
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jul 20 17:50:49 2021 -0700
s3: selftest: Add a test for vfs_streams_depot with the target path outside of the share.
Mark as knownfail.d/simpleserver_streams
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
commit 161cee6f36b1642e2096a64a4eec22a1ebf82aa2
Author: Noel Power <noel.power at suse.com>
Date: Thu Aug 19 12:13:27 2021 +0100
s4: torture: CHECK ret value and fail if false
If we reach 'done' with ret == false without setting
the torture result we get unexpected results e.g.
Exception: Exception: Unknown error/failure. Missing torture_fail() or torture_assert_*() call?
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 10:58:44 2021 +1200
tests/krb5: Add FAST tests
Example command:
SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184
commit b7b62957bdce9929fabd3812b9378bdbd6c12966
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu Jun 10 09:56:58 2021 +1200
initial FAST tests
Currently incomplete, and tested only against MIT Kerberos.
[abartlet at samba.org
Originally "WIP inital FAST tests"
Samba's general policy that we don't push WIP patches, we polish
into a 'perfect' patch stream.
However, I think there are good reasons to keep this patch distinct
in this particular case.
Gary is being modest in titling this WIP (now removed from the title
to avoid confusion). They are not WIP in the normal sense of
partially or untested code or random unfinished thoughts. The primary
issue is that at that point where Gary had to finish up he had
trouble getting FAST support enabled on Windows, so couldn't test
against our standard reference. They are instead good, working
initial tests written against the RFC and tested against Samba's AD DC
in the mode backed by MIT Kerberos.
This preserves clear authorship for the two distinct bodies of work,
as in the next patch Joseph was able to extend and improve the tests
significantly. ]
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit aa2c221f4e1bfc3403de857e62eaeaee1577560c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:49:58 2021 +1200
tests/krb5: Check PADATA-FX-ERROR in reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 66e1eb58bedf036ad25a868993d44480c4e0e055
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 11:50:16 2021 +1200
tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:50:20 2021 +1200
tests/krb5: Check PADATA-PAC-OPTIONS in reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 29070e74baa18d94642efcd36930b9bab216e10c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:29:39 2021 +1200
tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ab4e7028a6ac01eab9531c8a26507a912df54278
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jul 28 20:49:25 2021 +1200
tests/krb5: Make check_rep_padata() also work for checking TGS replies
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:49:12 2021 +1200
tests/krb5: Check PADATA-FX-COOKIE in reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:36:56 2021 +1200
tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 44a44109db96eab08a3da3683c34446bc13b295b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:42:26 2021 +1200
tests/krb5: Adjust reply padata checking depending on whether FAST was sent
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 056fb71832e7aa16132c58ff393ab8b752ef6a93
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:31:39 2021 +1200
tests/krb5: Check reply FAST padata if request included FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 7a27b75621908a4a6449efaecb54eb20fa45aca0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:25:39 2021 +1200
tests/krb5: Check sname is krbtgt for FAST generic error
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit dbe98005d5873440063b91e56679937149535be7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:15:00 2021 +1200
tests/krb5: Add get_krbtgt_sname() method
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5edbabeb26e110648d4588c90843e4715ec1ac5c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:26:06 2021 +1200
tests/krb5: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 705e45e37f4752e283a80626be10c38b29232359
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:35:32 2021 +1200
tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 79b9aac65b7dbdc58275368eae9feb7d87bf6dab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:21:14 2021 +1200
tests/krb5: Add check_rep_padata() method to check padata in reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1389ba346df81c9ea1e1143c4e819212939f6aeb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 15:20:09 2021 +1200
tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ea1ed63e8819926db1cf15974009601c7d37e944
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:18:29 2021 +1200
tests/krb5: Include authdata in kdc_exchange_dict
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 2ee87dbf08e66e1dc812430026bfe214f9f5503d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:05:59 2021 +1200
tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
This is useful for testing the 'hide client names' FAST option.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0c029e780cf16a49c674593e8329eaf3b87aec69
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:34:49 2021 +1200
tests/krb5: Check encrypted-pa-data
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 99e3b909edf27c751b959a3d0b672ddd2b7140e2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 15:21:01 2021 +1200
tests/krb5: Add methods to determine whether elements were included in the request
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit dc7dac95ec509d90d8372005cd7b13fabd8e64c6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 15:20:44 2021 +1200
tests/krb5: Add functions to get dicts of request padata
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d878bd6404d26c8be45bb2016ec206ed79d4ef6e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:42:57 2021 +1200
tests/krb5: Check FAST response
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4ca05402b36ba13a987b07b2402906764d3cd49b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:10:13 2021 +1200
tests/krb5: Add method to verify ticket checksum for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b62488113f6053755f9be9faa9b757e7193074fa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:04:37 2021 +1200
tests/krb5: Add method to check PA-FX-FAST-REPLY
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 16ce1a1d304b87ed5b390fb87a4542c7c9a484fb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:01:36 2021 +1200
tests/krb5: Allow specifying parameters specific to the outer request body
This is useful for testing FAST.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0df385fc49cc2693c195209936a29e31216df16d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 10:33:24 2021 +1200
tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5c2cd71ae704b853a886c8af5e3cf50b53af7f9e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 10:33:10 2021 +1200
tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d554b6dc0f4e14d154e487dc2a842321aa746155
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 10:19:46 2021 +1200
tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
This is needed for FAST.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 74f332c6f9e31b933837cefee69b219054970713
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jul 28 20:49:12 2021 +1200
tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
This method will also be useful in checking TGS-REP error replies.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 080894067469d60e2c71961c2d1c1990ba15b917
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 12:49:05 2021 +1200
tests/krb5: Add methods to calculate keys for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit aafc86896969d02ff1daecdf2668bfa642860082
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 12:47:18 2021 +1200
tests/krb5: Add method to generate FAST encrypted challenge padata
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 69a66c0d2a7ed415c8d8acdb8da0f2f3d1abf60d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:23:26 2021 +1200
tests/krb5: Add more methods to create ASN1 objects for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ec702900295100ae4e48ba57242eee6670bf30d6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:21:07 2021 +1200
tests/krb5: Add more ASN1 definitions for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 025737deb5325d25b2ae4c57583c24ae1d0eca33
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 13:59:36 2021 +1200
tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b6f96dd6395a30e15fa906959cbe665757aaba8d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:06:35 2021 +1200
tests/krb5: Ensure generated padata is not None
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4824dd4e9f40abcbd4134b79e2b2b8fb960f47e7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jul 28 19:27:02 2021 +1200
tests/krb5: Add generate_ap_req() method
This method will be useful to generate an AP-REQ for use as FAST armor.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4951a105b0448854115a7ecc3d867be6f34b0dcf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 12:52:42 2021 +1200
tests/krb5: Check nonce in EncKDCRepPart
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6df0e406f1f823bf4d65cd478eb6f2424b69adcc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:39:37 2021 +1200
tests/krb5: Make checking less strict
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 98dc19e8c817fc66e253e544874a45b17b8bfa7b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:34:19 2021 +1200
tests/krb5: Check version number of obtained ticket
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3d1066e923815782036bd11524fda110a2528951
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:39:42 2021 +1200
tests/krb5: Assert that more variables are not None
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ba3c92f77b20e1e0d298cd92399dc69535739c27
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 10:37:48 2021 +1200
tests/krb5: Ensure in assertElementPresent() that container elements are not empty
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 78818655505b3183251940e86270cd40bae73206
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:06:15 2021 +1200
tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
This means that there can no longer be surprises where a test receives a
reply when it was expecting an error, or vice versa.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 8fe9589da2d8fe6f5c47770c618ebabe028f6a95
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 10:35:40 2021 +1200
tests/krb5: Include kdc_options in kdc_exchange_dict
Make kdc_options an element of kdc_exchange_dict instead of a parameter
to _generic_kdc_exchange(). This allows testing code to adjust the reply
checking based on the options that were specified in the request.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 21c64fda8f98d451e028ea483dbe351b1280390c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 10:32:52 2021 +1200
tests/krb5: Always specify expected error code
Now the expected error code is always determined by the test code itself
rather than by generic_check_as_error().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 28fb50f511f3f693709aa9b41c001d6a5f9c3329
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jul 26 17:19:04 2021 +1200
tests/krb5: Add check_reply() method to check for AS or TGS reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f5689bb8fab82d5fcbdbd3c63b86e7618834aac5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 22 16:22:09 2021 +1200
tests/krb5: Add method to calculate account salt
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 50d743bafc7aa9f7b4688bae652a501001e9fdbb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:19:57 2021 +1200
tests/krb5: Add more methods for obtaining machine and service credentials
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4790b6b04ae145a2ebb418dd734487a6ba28a30c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 11:25:55 2021 +1200
tests/krb5: Allow specifying additional details when creating an account
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ce379edf2e135b105b18d35e24d732389de94291
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Aug 3 15:58:19 2021 +1200
tests/krb5: Use encryption with admin credentials
This ensures that account creation using admin credentials succeeds.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit bab7503e3043002b1422b00f40cd03a0a29538aa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 22 16:27:17 2021 +1200
tests/krb5: Add get_EpochFromKerberosTime()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit fe8912e4a85c5fd614ad3079b041c0e1975958e3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:27:47 2021 +1200
tests/krb5: Make _test_as_exchange() return value more consistent
Always return the reply and the kdc_exchange_dict so that the caller has
more potentially useful information.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit cb332d83008aa97a60eaca9e008054f641d514d6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 12:51:54 2021 +1200
tests/krb5: Add method to return dict containing padata elements
This makes checking multiple padata elements easier.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f5a906f74f9665a894db3c13722022f732180620
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jul 26 17:18:38 2021 +1200
tests/krb5: Add get_enc_timestamp_pa_data_from_key()
This makes it easier to create encrypted timestamp padata when the key
has already been obtained.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 2c80f7f851a7a4ffbcde2c42b2c383b683b67731
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:16:01 2021 +1200
tests/krb5: Refactor get_pa_data()
The function now returns a single padata object rather than a list,
making it easier to combine multiple padata elements into a request. The
new name 'get_enc_timestamp_pa_data' also makes it clearer as to what
the method generates.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a5e5f8fdfe8b6952592d7d682af893c79080826f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:24:52 2021 +1200
tests/krb5: Allow cf2 to automatically use the enctype of the first key
RFC6113 states: "Unless otherwise specified, the resulting enctype of
KRB-FX-CF2 is the enctype of k1." This change means the enctype no
longer has to be specified manually.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 17d5a267298ccd7272e86fd24c2c608511cf46b7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 11:28:37 2021 +1200
tests/krb5: Use credentials kvno when creating password key
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d6a242e20004217a0ce02dc4ef620a121e5944da
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 15:07:59 2021 +1200
tests/krb5: Check Kerberos protocol version number
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 8194b2a2611c6b1db2d29ec22c70e14decd1784b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jul 28 17:00:09 2021 +1200
tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a0c6538a97126671f9c7bcf3b581f3d98cbc7fd1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:06:29 2021 +1200
tests/krb5: Fix encpart_decryption_key with MIT KDC
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit bad5f4ee5fdf64ca9d775233fec24975e0b510bf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:12:34 2021 +1200
tests/krb5: Fix callback_dict parameter
Items contained in a default-created callback_dict should not be carried
over between unrelated calls to {as,tgs}_as_exchange_dict().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 67ff72395cec2e5170c0ebae8db416a1f226df72
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jul 26 17:14:08 2021 +1200
tests/krb5: Fix including enc-authorization-data
Remove the EncAuthorizationData parameters from AS_REQ_create(), since
it should only be present in the TGS-REQ form. Also, fix a call to
EncryptedData_create() to supply the key usage when creating
enc-authorization-data.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a2b183c179e74634438c85a4b35518836ba59e47
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 13:49:27 2021 +1200
tests/krb5: Remove magic constants
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 41c3e410344280d691e5a21fa5240ef52e71bd2d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Aug 3 15:03:00 2021 +1200
tests/krb5: Simplify Python syntax
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 38b3a361819c716adb773fb3b4507c28d7d26c0d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Aug 2 17:10:32 2021 +1200
tests/krb5: Use more compact dict lookup
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1320ac0f91a9b0fc8156840ec498059ee10b5a2d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Aug 2 17:01:39 2021 +1200
tests/krb5: Remove unneeded statements
A return statement is redundant as the last statement in a method, as
methods will otherwise return None. Also, code blocks consisting of a
single 'pass' statement can be safely omitted.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit df6623363a7ec1a13af48a09e1d29fa8784e825c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Aug 2 17:00:09 2021 +1200
tests/krb5: formatting
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 7013a8edd1f628b8659f0836f3b37ccf13156ae2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:17:52 2021 +1200
tests/krb5: Fix method name typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 9eb4c4b7b1c2e8d124456e6a57262dc9c02d67d4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 22 16:26:17 2021 +1200
tests/krb5: Fix comment typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4797ced89095155c01e44727cf8b66ee4fb39710
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jul 26 17:15:23 2021 +1200
tests/krb5: Fix ms_kile_client_principal_lookup_test errors
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6818d204897d0b7946dcfbedf79cd53fb9b3f159
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 20 10:48:41 2021 +1200
pygensec: Don't modify Python bytes objects
gensec_update() and gensec_unwrap() can both modify their input buffers
(for example, during the inplace RRC operation on GSSAPI tokens).
However, buffers obtained from Python bytes objects must not be modified
in any way. Create a copy of the input buffer so the original isn't
modified.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 814df05f8c10e9d82e6082d42ece1df569db4385
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jul 19 17:29:39 2021 +1200
pygensec: Fix memory leaks
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4809f4a6ee971bcd9767839c729b636b7582fc02
Author: Ralph Boehme <slow at samba.org>
Date: Sat Aug 7 10:52:28 2021 +0000
registry: check for running as root in clustering mode
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14787
RN: net conf list crashes when run as normal user
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Aug 17 11:23:15 UTC 2021 on sn-devel-184
commit fd19cae8d2f21977d8285efd3f29e2b480d241e9
Author: Ralph Boehme <slow at samba.org>
Date: Sat Aug 7 10:51:38 2021 +0000
s3/lib/dbwrap: check if global_messaging_context() succeeded
The subsequent messaging_ctdb_connection() will fail an assert if messaging is
not up and running, maybe it's a bit better to add a check if
global_messaging_context() actually succeeded.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14787
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1ce08f72a9e2558e8720b463e68174e430a67654
Author: Andreas Schneider <asn at samba.org>
Date: Mon Aug 16 12:42:47 2021 +0200
testsuite: Fix build with gcc >= 11.1.1
Pair-Programmed-With: Jeremy Allison <jra at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Aug 16 17:20:37 UTC 2021 on sn-devel-184
commit 86fddfa3116a8dec86e02088a3abc3859f38a251
Author: Andreas Schneider <asn at samba.org>
Date: Mon Aug 16 12:39:31 2021 +0200
lib:replace: Remove trailing spaces from testsuite.c
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 0f26dbe0d0907e16a2c1b10c620a9db5b1b6b4ab
Author: David Mulder <dmulder at suse.com>
Date: Fri Jul 23 09:28:21 2021 -0600
gpo: Print getcert message to debug
Otherwise re-running gpupdate to enforce policy
displays 'already exists' messages, which
confusingly appear to be a failure, but are
actually intentional behavior.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Aug 13 20:06:31 UTC 2021 on sn-devel-184
commit e3a956e075b6030534463689b820eb037aeed4f3
Author: David Mulder <dmulder at suse.com>
Date: Thu Jul 22 10:37:41 2021 -0600
gpo: Decode the bytes for cepces-submit failure
When displaying the error from cepces-submit,
make sure to decode the bytes (otherwise it is
hard to read). Also print the error to debug
instead of warn (it may dump a traceback).
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 7a04052dad4b52a20d47805a41b892bb4fecb433
Author: David Mulder <dmulder at suse.com>
Date: Thu Jul 22 10:16:42 2021 -0600
gpo: Ignore symlink failure on sscep renew
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 80e3daed120b5ed71ffd58427e5d8910b6bdb3a1
Author: David Mulder <dmulder at suse.com>
Date: Tue Jul 20 11:14:28 2021 -0600
gpo: Apply Group Policy User Scripts
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f04431b1d24d83dea700a2443c4a3600d623dfd4
Author: David Mulder <dmulder at suse.com>
Date: Tue Jul 20 11:13:21 2021 -0600
gpo: Test Group Policy User Scripts
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit cd63893d4e773cef8a32d75e8177c6af3f6367d6
Author: David Mulder <dmulder at suse.com>
Date: Tue Jul 20 13:48:42 2021 -0600
gpo: Enable Scripts ADMX for User Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 6d676cac41d0f84d5396a67bd445ef8cfd4b8e0c
Author: David Mulder <dmulder at suse.com>
Date: Tue Jul 20 09:13:06 2021 -0600
gpo: Enable user policy application
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 1641e6c528e027dbfff96a834b94a8654a03a168
Author: Ralph Boehme <slow at samba.org>
Date: Thu Aug 12 18:31:40 2021 +0200
libreplace: remove now unused USE_COPY_FILE_RANGE define
The only user was removed in the previous commit. We still need the preceeding
checks however, based on that replace.c provides a copy_file_range() fallback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14795
RN: copy_file_range() may fail with EOPNOTSUPP
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Aug 13 11:45:17 UTC 2021 on sn-devel-184
commit c25f72f401842a18cab1db2bab89deec78274d93
Author: Ralph Boehme <slow at samba.org>
Date: Thu Aug 12 18:23:21 2021 +0200
vfs_default: detect EOPNOTSUPP and ENOSYS errors from copy_file_range()
When building in a RHEL 7 container on a RHEL 8 host, the current configure
check will detect a working SYS_copy_file_range() syscall.
Later when the resulting smbd binary is run in a RHEL 7 container on a RHEL
7 (vs 8 on the build host) host, SYS_copy_file_range() will fail with
EOPNOTSUPP.
Since the kernel support for copy_file_range() included a fallback in case
filesystems didn't implement it, the caching of copy_file_range() support can be
made a global via the static try_copy_file_range bool, there's no need to deal
with per-fileystem behaviour differences. For the curious: SYS_copy_file_range()
appeared in Linux 4.5, fallback code being vfs_copy_file_range() ->
do_splice_direct().
On current kernels the fallback function is generic_copy_file_range() (which
still calls do_splice_direct()) called from the filesystem backends directly or
from vfs_copy_file_range() -> do_copy_file_range().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14795
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 25941a1f97229ef27ee5ac7cc6bc9e7a300fcca0
Author: Andreas Schneider <asn at samba.org>
Date: Wed Aug 11 14:58:39 2021 +0200
s3:winbindd: Pass the right variable to the debug message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14779
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Aug 12 20:08:25 UTC 2021 on sn-devel-184
commit 45f6bf1824f229dd138280eed1fff61a1e291897
Author: Andreas Schneider <asn at samba.org>
Date: Wed Aug 11 12:07:57 2021 +0200
s3:winbind: Do not start if the priviliged socket path is too long
https://bugzilla.samba.org/show_bug.cgi?id=14792
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 8858cf72af1cc15784749e58f184559a839dd4ef
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 11 13:26:41 2021 +0200
wscript: fix installing pre-commit with 'git worktree'
.git is not always a directory, with 'git worktree' it's a file.
'git rev-parse --git-path hooks' is the generic way to find the
patch for the githooks.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Aug 12 08:56:13 UTC 2021 on sn-devel-184
commit c7f85146cb50795afcbb1c607e87d163d241c79a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 11 13:26:41 2021 +0200
script/bisect-test.py: add support git worktree
.git is not always a directory, with 'git worktree' it's a file.
Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 2e2d2eaa10499537c9af07dd866ac8e613c3da02
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 11 13:26:41 2021 +0200
wafsamba: add support git worktree to vcs_dir_contents()
.git is not always a directory, with 'git worktree' it's a file.
Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 289b7a1595ab13a200cfb327604e4b9296fa81e0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 11 15:30:12 2021 +0200
s3:libsmb: close the temporary IPC$ connection in cli_full_connection()
We don't need the temporary IPC$ connection used for the
SMB1 UNIX CIFS extensions encryption setup anymore,
so we can also let the server close it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14793
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Aug 11 23:03:11 UTC 2021 on sn-devel-184
commit 21302649c46441ea325c66457294225ddb1d6235
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 11 14:33:24 2021 +0200
s3:libsmb: start encryption as soon as possible after the session setup
For the SMB1 UNIX CIFS extensions we create a temporary IPC$ tcon,
if there's no tcon yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14793
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c013509680742ff45b2f5965a5564015da7d466b
Author: Jeremy Allison <jra at samba.org>
Date: Fri Aug 6 23:33:06 2021 -0700
s3: smbd: For FSCTL calls that go async, add the outstanding tevent_reqs to the aio list on the file handle.
Remove knownfails.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14769
RN: smbd panic on force-close share during offload write
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Aug 11 20:02:57 UTC 2021 on sn-devel-184
commit 7e7ea761a37f46f758582981bc40404ffd815513
Author: Jeremy Allison <jra at samba.org>
Date: Fri Aug 6 10:54:31 2021 -0700
s4: torture: Add test for smb2.ioctl.bug14769.
Add knownfails.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14769
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c551d33c6bd2e74ea3a36bec5575a70d6833b98a
Author: Jeremy Allison <jra at samba.org>
Date: Thu Aug 5 16:07:09 2021 -0700
s3: smbd: Call smbd_fsctl_torture_async_sleep() when we get FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP.
Now all we need is the client-side test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14769
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 0f4a8d26888ec156979a00480ed9886dcac7d426
Author: Jeremy Allison <jra at samba.org>
Date: Thu Aug 5 16:04:38 2021 -0700
s3: smbd: Add smbd_fsctl_torture_async_sleep() server-side code.
Commented out as not yet called.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14769
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 62cd95096a76d5064b105c1b4971fa3eabd5f85d
Author: Jeremy Allison <jra at samba.org>
Date: Thu Aug 5 11:01:44 2021 -0700
s3: libcli: Add FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP.
Prepare for async FSCTL tests on an fsp.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14769
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6b6770c2ba83bf25da31623443c19a8de34e5ba4
Author: Jeremy Allison <jra at samba.org>
Date: Thu Aug 5 13:14:16 2021 -0700
s3: smbd: Split out smb2_ioctl_smbtorture() into a separate file.
We will be adding async supporting code to this, and we don't want to
clutter up smb2_ioctl.c.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14769
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 4354823c5146753ef8a3791bc8562379096659b8
Author: Ralph Boehme <slow at samba.org>
Date: Sat Aug 7 17:18:25 2021 +0200
libreplace: properly execute SYS_copy_file_range check
It seems some systems (like Centos 7) have the SYS_copy_file_range define but
fail the syscall when actually being called. The current configure check is only
compiled, not run so erroneously reports a working SYS_copy_file_range.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14786
RN: Insufficient libreplace check for SYS_copy_file_range check
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 10 19:37:14 UTC 2021 on sn-devel-184
commit 22a58a51846749495613e5b572c31ba4752bc61b
Author: Ralph Boehme <slow at samba.org>
Date: Sat Aug 7 17:18:08 2021 +0200
libreplace: properly give headers to conf.CHECK_CODE when checking for copy_file_range_syscall
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14786
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 45a33b25c4e6b1db5d2dfa6297ccb390220a7c80
Author: Ralph Boehme <slow at samba.org>
Date: Mon Aug 9 15:12:31 2021 +0200
s3/rpc_server: track the number of policy handles with a talloc destructor
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14783
RN: smbd "deadtime" parameter doesn't work anymore
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 10 18:41:43 UTC 2021 on sn-devel-184
commit 39db53a1391769fc6476fa55b02add08f1b8cd75
Author: Ralph Boehme <slow at samba.org>
Date: Mon Aug 9 12:31:07 2021 +0200
selftest: add a test for the "deadtime" parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14783
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 62f206a249a967f427a70730c1760885a72eb080
Author: Volker Lendecke <vl at samba.org>
Date: Wed Dec 16 18:35:50 2020 +0100
smbd: Simplify mark_share_mode_disconnected()
We can use reset_share_mode_entry() for this purpose. 32 lines less
code.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Aug 6 18:09:06 UTC 2021 on sn-devel-184
commit 9e8f7910b299fca75a1fdb11013036d0a34be4be
Author: Volker Lendecke <vl at samba.org>
Date: Fri Dec 18 13:04:47 2020 +0100
smbd: Fix fetch_share_mode_send() error return
The "return" is unnecessary here, but in case the code changes later
on, it won't be forgotten. Also, we need to tell the callers that we
found an invalid record.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a1cbb8bc448f9cd1de4afd07fa982d223a176891
Author: Volker Lendecke <vl at samba.org>
Date: Fri Dec 18 14:57:08 2020 +0100
net: Use dbwrap_do_locked() in wipedbs_delete_records()
Eventually I'd like to get rid of dbwrap_fetch_locked()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 1881240d46850581ece52ca10c4af1a7797ca549
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 15 17:15:21 2020 +0100
libsmbclient: Avoid a call to SMBC_errno() in SMBC_notify_ctx()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 009b6e748ea67215f6bd593fc57af3b6b48b09a0
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 15 17:15:21 2020 +0100
libsmbclient: Avoid a call to SMBC_errno() in SMBC_attr_server()
I think this also fixes the errno return, cli_shutdown() can do a lot and set
errno in between.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 4bd69f1e1a5c04b76e79cb0b92db773356554e75
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 15 17:15:21 2020 +0100
libsmbclient: Avoid a call to SMBC_errno() in SMBC_splice_ctx()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 19df9a2edf14201589c66d96c252649c8fb0bc69
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 15 17:15:21 2020 +0100
libsmbclient: Avoid a call to SMBC_errno() in SMBC_read_ctx()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5e98b7dfc03afe8ed2eff809134c7922d17af9a2
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 15 17:15:21 2020 +0100
libsmbclient: Avoid a call to SMBC_errno() in SMBC_open_ctx()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 7c2b6a71dced8cfd2fcea138660089924aaf5a46
Author: Volker Lendecke <vl at samba.org>
Date: Tue Dec 15 17:15:21 2020 +0100
libsmbclient: Avoid a call to SMBC_errno() in SMBC_chmod_ctx()
Directly use the return value from cli_setatr(), don't go via the cli_state
struct member
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e80d390b4bd4cb60adf8ec3eaea079fc83c3a898
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 3 09:09:05 2021 +0200
lib: Use TALLOC_FREE() in data_blob_free()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit cac5e8287a76b99b069de800d2141d5da969b241
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 3 08:46:11 2021 +0200
rpc_client: Avoid two casts with proper printf specifiers
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit cf8601e785d8b2e8a68ddc562b3cd6fe466cdfad
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 3 08:43:57 2021 +0200
rpc_client: Save 65 .text bytes with -Os
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit c8768551fb50b0fdd60d26a9c32742f0f41af955
Author: Volker Lendecke <vl at samba.org>
Date: Tue Aug 3 08:40:59 2021 +0200
rpc_client: Simplify create_rpc_bind_req()
In former times this switch statement had more than one branch
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f6c9e2800e64690dd0060eafbed57af858e61aff
Author: Volker Lendecke <vl at samba.org>
Date: Thu Jul 29 10:13:37 2021 +0200
rpc_client: Replace ZERO_STRUCTP with struct assignment
Give the compiler simpler hints
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit dbb1047e4744d4d6187bfe6487b6b7cb39a943ee
Author: Volker Lendecke <vl at samba.org>
Date: Thu Jul 29 08:55:45 2021 +0200
rpc_client: Simplify rpc_pipe_bind_step_one_done()
With just one case handled specially in a switch statement and the
rest being default:, a simple if-statement can reduce indentation.
Best viewed with "git show -b".
I wonder if the second "if (pauth->auth_type == DCERPC_AUTH_TYPE_NONE)"
leads to reachable code, this should have been taken care of already
further up. But for now I did the 1:1 translation of existing code.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5cb5fadce4e410e6c6e9bbc0b3e953e44e8c58d5
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jul 25 10:26:30 2021 +0200
libnetapi: Save lines with any_nt_status_not_ok()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit de1b95791cbb9b3198b8211db41bc07becbe2ef5
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jul 25 10:22:37 2021 +0200
net: Align some integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 3eaa2bcb89d310ce80137226c86bc2a5d8ea586c
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jul 25 09:51:10 2021 +0200
net3: Simplify name_to_sid(): dom_sid_parse checks for "S-" prefix
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 4a99fe42e67e092cfe86281ce6970cf5ae7f0991
Author: Volker Lendecke <vl at samba.org>
Date: Sun Jul 25 09:46:34 2021 +0200
net3: Save a few lines with any_nt_status_not_ok()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit d2a08f5d679a7f426bd7fb87b0a684c25ca72c12
Author: Volker Lendecke <vl at samba.org>
Date: Fri Jul 23 08:47:47 2021 +0200
samdb: Fix an uninitialized variable read
When the "(status == LDB_SUCCESS && msg != NULL)" condition in this
routine is not evaluating to true, "new_rid" is read uninitialized,
comparing it against ~0. Initialize new_rid and compare it against
UINT32_MAX instead of ~0.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 621f561a9c2c3fa905211643ae18cceb92ca5dea
Author: Volker Lendecke <vl at samba.org>
Date: Fri Jul 23 08:46:51 2021 +0200
lib;smbd: Fix the -Os build by initializing variables
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit fa8c0379b50f675e0f072a27448bf2c8c3d7b3d0
Author: Volker Lendecke <vl at samba.org>
Date: Fri Jul 23 08:27:37 2021 +0200
lib: Fix a potential error path memleak
Don't directly overwrite the pointer for a realloc. On failure, the
original pointer is still valid.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit e52ce697d9ed1962a4fae1dbb5ad09b1883b8dfc
Author: Volker Lendecke <vl at samba.org>
Date: Wed Jul 21 08:28:20 2021 +0200
rpcclient: Align integer types
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 069d23f0a717ac520560f853a5f34fd4fd92d220
Author: David Gajewski <dgajews at math.utoledo.edu>
Date: Mon Aug 2 14:38:41 2021 -0700
s3: VFS: solarisacl: Fix compile error (missed variable rename).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14773
Signed-off-by: David Gajewski <dgajews at math.utoledo.edu>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Aug 6 17:19:57 UTC 2021 on sn-devel-184
commit 7e6b818fea5541fbedaa68624ca76ebc1fbbf501
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 2 11:21:51 2021 +1200
ktutil: Print the numeric enctype if krb5_enctype_to_string() fails
Sadly krb5_enctype_to_string() fails when des-cbc-crc encyrption
type is removed, leaving a failure the operate rather than
falling back to anything useful.
So fall back to printing 3 in the absense of anything more
useful. A future fix could be to hard-code this mapping
in the smb_krb5_enctype_to_string() wrapper.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Aug 6 05:53:44 UTC 2021 on sn-devel-184
commit 4d44db0208ad604b270d8659e2c5d4a079941423
Author: Volker Lendecke <vl at samba.org>
Date: Thu Aug 5 12:58:52 2021 +0200
docs: Add vfs_expand_msdfs manpage
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12707
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Aug 5 18:09:11 UTC 2021 on sn-devel-184
commit 104fc3539090ae9e161945ef9d18d897e3b71fed
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jul 15 08:48:37 2021 +0200
mit-samba: Only set the function opening bracket once
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Aug 5 10:33:18 UTC 2021 on sn-devel-184
commit 60159e03850f88cdee332ba65939cfe4582cb5e1
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 12 13:05:59 2021 +0200
mit-samba: Use talloc_get_type_abort() instead of casting
This is safer to use and fixes compiler warnings.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dd8138236bec3635c25e5b482b7a14faa0a9c36b
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jun 11 16:15:10 2018 +0200
mit-samba: Send the logging to the kdc log facility
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 41d906301b8d13f831b155dcec37d88889b9f36c
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jul 14 12:49:11 2021 +0200
mit-samba: Define debug class for kdb module
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4f093ae6c9ee5b3e0f98b47fbacb0e37fad62052
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jul 16 18:53:24 2021 -0700
s3: VFS: ceph. Fix enumerating directories. dirfsp->fh->fd != AT_FDCWD in this case.
Same as the fix for glusterfs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14766
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Aug 5 06:15:14 UTC 2021 on sn-devel-184
commit 000f389d09ec9e9906d5e2a0aa317c471c5f5b96
Author: Andreas Schneider <asn at samba.org>
Date: Tue Aug 3 13:20:40 2021 +0200
gitlab: Use shorter names for Samba AD DC env with MIT KRB5
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14779
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Aug 3 20:35:49 UTC 2021 on sn-devel-184
commit aab5cc95e224fef0efafeb1c37a4eb414aee65a0
Author: Andreas Schneider <asn at samba.org>
Date: Tue Aug 3 11:04:37 2021 +0200
s3:winbindd: Add a check for the path length of 'winbindd socket directory'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14779
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e2962b4262fc4a7197a3fcbd010fcfaca781baea
Author: Andreas Schneider <asn at samba.org>
Date: Mon Aug 2 17:43:01 2021 +0200
configure: Do not put arguments into double quotes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14777
This could create an issue that arguments don't get split by python and then the
following could happen:
./configure --libdir=/usr/lib64 --enable-clangdb
LIBDIR='/usr/lib64 --enable-clangdb'
This ends then up in parameters.all.xml:
<!ENTITY pathconfig.LIBDIR '/usr/lib64 --enable-clangdb'>
The python parser then errors out:
xml.etree.ElementTree.ParseError: not well-formed (invalid token)
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Aug 3 18:36:37 UTC 2021 on sn-devel-184
commit 93bac5f12240597e1e92291de70a7000a403baca
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Aug 2 14:17:47 2021 +0200
winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()
Handle the case where a NT4 DC does not fill in the acct_flags in
the samlogon reply info3. Yes, in 2021, there are still admins
arround with real NT4 DCs.
NT4 DCs reject authentication with workstation accounts with
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified.
We no longer call dcerpc_samr_QueryUserInfo(level=16)
to get the acct_flags, as we only ever got
ACB_NORMAL back (maybe with ACB_PWNOEXP in addition),
which is easy to calculate on our own.
This was removed in commit (for 4.15.0rc1):
commit 73528f26eea24033a7093e5591b8f89ad2b8644e
Author: Ralph Boehme <slow at samba.org>
AuthorDate: Mon Jan 11 14:59:46 2021 +0100
Commit: Jeremy Allison <jra at samba.org>
CommitDate: Thu Jan 21 22:56:20 2021 +0000
winbind: remove legacy flags fallback
Some very old NT4 DCs might have not returned the account flags filled in. This
shouldn't be a problem anymore. Additionally, on a typical domain member server,
this request is (and can only be) send to the primary domain, so this will not
work with accounts from trusted domains.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Jan 21 22:56:20 UTC 2021 on sn-devel-184
It means one more caller of the problematic cm_connect_sam()
function is removed! SAMR connections may not be allowed for
machine accounts with modern AD DCs.
For network logons NT4 DCs also skip the
account_name, so we have to fallback to the
one given by the client. We have code to cope
with that deeply hidden inside of netsamlogon_cache_store().
Up to Samba 4.7 netsamlogon_cache_store() operated on the
info3 structure that was passed to the caller of winbind_dual_SamLogon()
and pass propagated up to auth_winbind in smbd.
But for Samba 4.8 the following commit:
commit f153c95176b7759e10996b24b66d9917945372ed
Author: Ralph Boehme <slow at samba.org>
Date: Mon Dec 11 16:25:35 2017 +0100
winbindd: let winbind_dual_SamLogon return validation
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
actually changed the situation and only a temporary info3 structure
was passed into netsamlogon_cache_store(), which means
account_name was NULL and get propagated as "" into auth_winbind
in smbd, where getpwnam() is no longer possible and every
smb access gets NT_STATUS_LOGON_FAILURE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14772
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Aug 3 11:10:27 UTC 2021 on sn-devel-184
commit 23e5b7cc79b006ae9260d3723e6c44ad66589382
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 26 10:18:05 2021 +0200
s4:torture: Add rpc netlogon fips test
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Aug 3 10:18:26 UTC 2021 on sn-devel-184
commit f1df0c4d0ad43ed1726ba961810078059b990be3
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 26 10:17:38 2021 +0200
s4:torture: Remove trailing whitespaces in rpc.c
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fd5b315805c6c1a4af64e9db57771d864f631207
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jul 28 11:57:02 2021 +0200
s4:selftest: Pass environ to plansmbtorture4testsuite()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e8a2c2fe4e75c2e6a690ea75045942ec9730c5dc
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jul 28 11:56:12 2021 +0200
selftest: Fix setting environ for plansmbtorture4testsuite()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d6c7a2a7003a2c081aa1ed710a84941bc8f331bf
Author: Andreas Schneider <asn at samba.org>
Date: Thu Sep 3 15:58:56 2020 +0200
netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 17cc20ebe602b619461efa215ac75fed8e0d6338
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 26 10:13:52 2021 +0200
s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections
This is needed for smbtorture to join a domain in FIPS mode.
FYI: The correct way would be to join using LDAP as the s3 code is doing it. But
this requires a bigger rewrite.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1326e7d65d1feff53303df35b2d641660a5babc0
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 26 10:12:56 2021 +0200
s4:libnet: Remove trailing whitespaces
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 868a9577d6a1da6d1aa1738adaa541038ec3c1cd
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jul 26 10:02:13 2021 +0200
s4:rpc_server: Allow to set user password in FIPS mode
Only in case we have an SMB encrypted connection ...
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2daf3e79751d11a31a1e44d21b70517356301ee7
Author: Andreas Schneider <asn at samba.org>
Date: Fri Apr 23 16:32:27 2021 +0200
auth:gensec: Use lpcfg_weak_crypto()
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6d928eb1e8ea44f0d0aea4ec9b1b7c385a281193
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jun 29 12:47:34 2021 +0200
smbd: only open full fd for directories if needed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14700
RN: File owner not available when file unreadable
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Aug 2 18:05:04 UTC 2021 on sn-devel-184
commit e71e373a07e467ff2d2328f39bd2bc285e2ba840
Author: Ralph Boehme <slow at samba.org>
Date: Sat May 8 21:45:25 2021 +0200
smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS
This was needed before we had pathref fsps, with pathref fsps we can do
operation requiring WRITE_OWNER_ACCESS, WRITE_DAC_ACCESS and READ_CONTROL_ACCESS
on the pathref fsp.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14700
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 7818513053aabda046645583fa5bb79a03e2b5ac
Author: Volker Lendecke <vl at samba.org>
Date: Fri Jul 30 11:43:08 2021 +0200
samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"
With the above combination, some flavor of lp_load() already
initializes global_event_ctx, for which the closeall_except() later on
will happily close the epoll fd for. If we want to close all file
descriptors at startup, this must be the very first thing overall.
Can't really write a proper test for this with knownfail that is
removed with the fix, because if we have clustering+include=registry,
the whole clusteredmember environment does not even start up.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sat Jul 31 16:58:41 UTC 2021 on sn-devel-184
commit 2acad27686074029ac83c66b42bb37eea380f449
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jul 14 19:11:05 2021 -0700
s3: smbd: Don't leak meta-data about the containing directory of the share root.
This is a subtle one. In smbd_dirptr_get_entry() we now
open a pathref fsp on all entries - including "..".
If we're at the root of the share we don't want
a handle to the directory above it, so silently
close the smb_fname->fsp for ".." names to prevent
it from being used to return meta-data to the client
(more than we already have done historically by
calling pathname functions on "..").
The marshalling returned entries and async DOS
code copes with smb_fname->fsp == NULL perfectly
well.
Only in master, but will need fixing for 4.15.rc1
or 2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Jul 28 15:07:54 UTC 2021 on sn-devel-184
commit b004ebb1c62742346b84ecb9d52c783173528fac
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jul 14 21:30:09 2021 -0700
s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 696972c832c98fefab8df85f3d81b900ecbf9453
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 27 14:15:06 2021 +0200
selftest: Remove fips env variables from client env
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Jul 28 07:12:55 UTC 2021 on sn-devel-184
commit ebd00fbdd058ddfe44610d179b3f0d4fd5147df4
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 27 16:06:07 2021 +0200
selftest: Pass env variables to fips tests
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a324fc01b4d19ac980b7f844a93c6456aa1c6d8f
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 27 14:11:39 2021 +0200
s4:selftests: Pass env variables to fips tests
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit eabf9803ecfa078b9138484d9c9f41a4803e5a60
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 27 14:06:33 2021 +0200
s3:selftests: Pass env variables to fips tests
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 48289b6964d28e153fec885aceca02c6a9b436ef
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 27 13:45:03 2021 +0200
selftest: Add support for setting ENV variables in plantestsuite()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3db299e586fd9464b6e1b145f29b10c8ae325d3a
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 27 13:25:59 2021 +0200
selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 18976a9568b23759060377d09304e9d7badb143a
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 27 08:50:54 2021 +0200
selftest: Re-format long lines in selftesthelpers.py
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7fb741b3b1ac7c2bac355b77cf71cd8881d58d5b
Author: Pavel Filipenský <pfilipen at redhat.com>
Date: Thu Jul 22 14:11:51 2021 +0200
krb5_wrap: remove unused code
Signed-off-by: Pavel Filipenský <pfilipen at redhat.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Jul 27 10:09:03 UTC 2021 on sn-devel-184
commit 7b796b5bb735295bde252cd52283591b720d8d6e
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jul 21 16:06:15 2021 +0200
lib:cmdline: Use lp_load_global() for servers
As for client we need to enable support for 'config backend = registry'.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Jul 22 14:47:09 UTC 2021 on sn-devel-184
commit 11c9eb0ccc34c4731fe7822768ba2b67aaea606a
Author: Günther Deschner <gd at samba.org>
Date: Mon Nov 9 17:08:27 2020 +0100
s3-torture: Only install vfstest manpage when vfstest binary gets installed.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Wed Jul 21 13:41:26 UTC 2021 on sn-devel-184
commit bb7b957e2c5d940191cb1202ade6fea7a0cce4c0
Author: Günther Deschner <gd at samba.org>
Date: Mon Nov 9 15:12:21 2020 +0100
s3-torture: give torture test binaries their own wscript_build
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ee9dfff617ad21d81369d7ef2ea35d7caab82fec
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jul 21 09:32:42 2021 +0200
bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Jul 21 12:18:30 UTC 2021 on sn-devel-184
commit e51e9d014598241e1cb8b525cce9e9c6b9e4e98f
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jul 21 09:17:31 2021 +0200
python:waf: Correctly check for python-dateutil
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 84b9f58616e0a4c5b36b1c2d4fee7928fbf9edc4
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 20 14:58:09 2021 +0200
s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Jul 21 07:19:00 UTC 2021 on sn-devel-184
commit 42e3fda5be56cb96139093ca98e4dfb6817aea39
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 20 19:06:28 2021 +0200
autobuild: Exclude fips envs from samba and samba-mitkrb5
The FIPS envs only work on Fedora. Ubuntu doesn't have FIPS support!
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit e0fa3e359f16b26122d49ad79372e3923f5ded77
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 20 15:55:53 2021 +0200
bootstrap: Install krb5-workstation on Fedora based distros
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 0ac71061044e2ee47f4de3a319ad2386128066fc
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 15 13:20:22 2021 +0200
s3:smbd: really support AES-256* in the server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jul 20 16:13:28 UTC 2021 on sn-devel-184
commit 407b458242cd11bdb3ab219dc58b3ffb070b0e7c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 19 18:38:06 2021 +0200
s4:torture/smb2: add tests to check all signing and encryption algorithms
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5512416a8fbe00a7a5343afe0d50846e0a8f342b
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 9 10:40:04 2021 +0100
gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15
The memory leak bug up to 3.6.14 was only related to ccm, but gcm was
fine.
This avoids talloc+memcpy on more systems, e.g. ubuntu 20.04,
and brings ~ 20% less cpu overhead, see:
https://hackmd.io/@asn/samba_crypto_benchmarks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f97f94e93b03495cf03d08873de5f3b912a003a0
Author: David Mulder <dmulder at suse.com>
Date: Mon Jul 19 11:36:09 2021 -0600
gpo: Improve debug when extension fails to apply
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 4a5f6d88ff0b2eebf86403ba25504e1bf2c59d53
Author: David Mulder <dmulder at suse.com>
Date: Mon Jul 19 11:18:53 2021 -0600
gpo: Warn when fetching the supported templates fails
When Certificate Auto Enrollment fails to fetch
the list of supported templates, display a
warning.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit a92b05ec7b407a19da0cd7c2533c5b49dfbe4392
Author: David Mulder <dmulder at suse.com>
Date: Mon Jul 19 11:11:56 2021 -0600
gpo: Ensure Network Device Enrollment Service if sscep fails
Prompt the user to check that Network Device
Enrollment Service is installed and configured
if sscep fails to download the certificate root
chain.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit bedeeb0b596f563e0918cd5f7195ed6aed0817ce
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 19 12:57:50 2021 +0200
tdb: version 1.4.5
* fix standalone usage of tdb.h
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Jul 20 11:48:38 UTC 2021 on sn-devel-184
commit aacd3ecb45ab04cb2f8a38a385a45bdca6d88cd2
Author: Günther Deschner <gd at samba.org>
Date: Fri Jul 16 17:29:40 2021 +0200
tdb: Fix invalid syntax in tdb.h
Defining _PUBLIC_ in the same way as in talloc.h resolves an issue with
a previous fix for Solaris Studio compiler 12.4 that prefixed all calls
in tdb.h with _PUBLIC_. Thanks to Lukas Slebodnik
<lslebodn at redhat.com>.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14762
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b724c1e6a660eb6b9ceaf3c81d6dac0b0562206d
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Apr 27 15:45:17 2021 +1000
utils: Avoid pylint warning
pylint warns:
Use lazy % formatting in logging functions
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jose A. Rivera <jarrpa at samba.org>
Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Tue Jul 20 05:29:18 UTC 2021 on sn-devel-184
commit 319e27343d7ee5f7f6045a19747ba85fb4bef768
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Apr 27 15:37:43 2021 +1000
utils: Reformat lines that are longer than 80 columns
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jose A. Rivera <jarrpa at samba.org>
commit 98c7a38b711d38ac756ca7e34769eb277904f7d0
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Apr 27 14:56:20 2021 +1000
utils: Tweak exception handling to stop flake8 complaining
Don't bother with "as e" to avoid warning about unused variable.
Don't use bare "except:" (though pylint still complains about this
version).
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jose A. Rivera <jarrpa at samba.org>
commit 12d3e215a6096fc9862642b98dd8bca1421f2cae
Author: Martin Schwenke <martin at meltin.net>
Date: Wed May 26 11:18:04 2021 +1000
utils: Simplify log level logic, drop global variable
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jose A. Rivera <jarrpa at samba.org>
commit e323d16a9d11c63640fca186c6f5a29360fb3c7b
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Apr 27 14:50:15 2021 +1000
utils: Inline defaults and help strings
Removes an unnecessary level of indirection: defaults and help strings
are now where they are expected. Also removes some global variables.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jose A. Rivera <jarrpa at samba.org>
commit af5aecced12a8f6a9259602f8ddf3662fe6c1ba0
Author: Martin Schwenke <martin at meltin.net>
Date: Wed May 26 10:57:07 2021 +1000
utils: Move argument processing into function and call from main()
Removes the need for the global variables currently associated with
this processing. Also removes unnecessarily double-handling the
defaults, which are assigned to the global variables and set via
add_argument().
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jose A. Rivera <jarrpa at samba.org>
commit e66637a079c070d29c685b6315e5427679dc778a
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Apr 27 13:00:49 2021 +1000
utils: Reorder imports so that standard imports are first
Avoids numerous pylint warnings.
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jose A. Rivera <jarrpa at samba.org>
commit bd0b2bb6ee9d03a259e7d7e9f4397f4dbe3f1b91
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Apr 27 12:59:17 2021 +1000
utils: Clean up ctdb_etcd_lock using autopep8
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jose A. Rivera <jarrpa at samba.org>
commit 939aed0498269df3c1e012f3b68c314b583f25bd
Author: Martin Schwenke <martin at meltin.net>
Date: Tue Apr 27 15:46:14 2021 +1000
utils: Use Python 3
Due to the number of flake8 and pylint warnings it is unclear if the
source has Python 3 incompatibilities. These will be cleaned up in
subsequent commits.
Signed-off-by: "L.P.H. van Belle" <belle at bazuin.nl>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jose A. Rivera <jarrpa at samba.org>
commit d961830cb59f89b99b6bf0715fa2921e0af7b2ba
Author: Volker Lendecke <vl at samba.org>
Date: Sat Jun 26 14:21:49 2021 +0200
examples: Make winreg.py sample work with python3 in current master
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Jul 19 17:44:08 UTC 2021 on sn-devel-184
commit 63cc92501e98ee3adeb458fca6d7559f49518f6d
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jul 15 16:52:02 2021 +0200
gitignore: Add .cache directory
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Jul 19 15:27:14 UTC 2021 on sn-devel-184
commit b4a301a6b7647e2deffe5b086e35b180a5c99ec8
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jul 15 16:50:56 2021 +0200
selftest: Add PYTHONPATH for lsp servers to devel_env.sh
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 1f047831c1685542740f21dcc47596e32bb63e22
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jul 14 11:38:39 2021 +0200
s3:utils: Use better error message for smbtree
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Jul 16 03:45:19 UTC 2021 on sn-devel-184
commit 155348cda65b441a6c4db1ed84dbf1682d02973c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 29 15:42:56 2021 +0200
libcli/smb: allow unexpected padding in SMB2 READ responses
Make use of smb2cli_parse_dyn_buffer() in smb2cli_read_done()
as it was exactly introduced for a similar problem see:
commit 4c6c71e1378401d66bf2ed230544a75f7b04376f
Author: Stefan Metzmacher <metze at samba.org>
AuthorDate: Thu Jan 14 17:32:15 2021 +0100
Commit: Volker Lendecke <vl at samba.org>
CommitDate: Fri Jan 15 08:36:34 2021 +0000
libcli/smb: allow unexpected padding in SMB2 IOCTL responses
A NetApp Ontap 7.3.7 SMB server add 8 padding bytes to an
offset that's already 8 byte aligned.
RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Pair-Programmed-With: Volker Lendecke <vl at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184
RN: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Jul 15 23:53:55 UTC 2021 on sn-devel-184
commit 1faf15b3d0f41fa8a94b76d1616a4460ce0c6fa4
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 29 15:24:13 2021 +0200
libcli/smb: make smb2cli_ioctl_parse_buffer() available as smb2cli_parse_dyn_buffer()
It will be used in smb2cli_read.c soon...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit ef57fba5dbf359b204ba952451e1e33ed68f1c91
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 5 17:49:00 2021 +0200
s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
This turns the 'smb2.read.bug14607' test from 'skip' into 'xfailure',
as the 2nd smb2cli_read() function will now return
NT_STATUS_INVALID_NETWORK_RESPONSE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5ecac656fde4e81aa6e51e7b3134ea3fb75f564a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 5 17:49:00 2021 +0200
s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit b3c9823d907b91632679e6f0ffce1b7192e4b9b6
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 6 16:24:59 2021 +0200
s4:torture/smb2: add smb2.read.bug14607 test
This test will use a FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
in order to change the server behavior of READ responses regarding
the data offset.
It will demonstrate the problem in smb2cli_read*() triggered
by NetApp Ontap servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit f813f8a54ae79dd74a99593aeacb252061688807
Author: David Mulder <dmulder at suse.com>
Date: Mon Jul 12 15:18:04 2021 -0600
Update WHATSNEW for Certificate Auto Enrollment
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Jul 15 20:03:45 UTC 2021 on sn-devel-184
commit fd6df5356b7aa180d538a734799b640c1430eb47
Author: David Mulder <dmulder at samba.org>
Date: Fri Jul 2 20:44:43 2021 +0000
gpo: Test Certificate Auto Enrollment Policy
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 9f0e6f3c0631fdd8bd9580db382d00c2ea4f3c57
Author: David Mulder <dmulder at suse.com>
Date: Mon Jun 28 09:06:09 2021 -0600
gpo: Fix up rsop output of ca certificate
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 9c0a174af2007476cbff859f962a2667bc5004bf
Author: David Mulder <dmulder at suse.com>
Date: Thu Jun 17 09:13:12 2021 -0600
gpo: Add Certificate Auto Enrollment Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit cca9ce5977c42ccffe4d459193ff1cfa011680c3
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Jul 15 09:42:49 2021 +0200
WHATSNEW: Start release notes for Samba 4.16.0pre1.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Jule Anger <janger at samba.org>
commit 34b168b4a1ccc13a67cc073b147d6a27e26a8ca8
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Jul 15 09:38:41 2021 +0200
VERSION: Bump version up to 4.16.0pre1...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Jule Anger <janger at samba.org>
-----------------------------------------------------------------------
--
Samba Shared Repository
More information about the samba-cvs
mailing list