[SCM] Samba Shared Repository - branch master updated
Ralph Böhme
slow at samba.org
Wed Mar 29 18:59:01 UTC 2023
The branch, master has been updated
via 76573d6d8f1 s3: libcli: Refuse to connect to any server with zero values for max_trans_size, max_read_size, max_write_size.
via 006fe806782 tests: Add samba3.blackbox.zero_readsize test.
via b755b81d66a test: Add a test for "deny ous"
via f9849dbf4ff tests: Slightly simplify test_idmap_ad.sh
via 3fdf8d15c05 idmap_ad: Add "deny ous" and "allow ous" options
via c9c709e39dd idmap: Initialize struct idmap_ad_context
via 6499a2dcb3b winbind: Add idmap_config_string_list()
via 443572ce420 winbind: Factor out idmap_config_name()
from ffdfb78da7f buildtools: Remove compile_commands.json symlink
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 76573d6d8f168d6e6107af26a434b8c71aaf93af
Author: Jeremy Allison <jra at samba.org>
Date: Tue Mar 21 10:34:46 2023 -0700
s3: libcli: Refuse to connect to any server with zero values for max_trans_size, max_read_size, max_write_size.
There's nothing we can do to such a server (this
now matches the behavior for SMB1).
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Mar 29 18:58:33 UTC 2023 on atb-devel-224
commit 006fe806782c42e860ed2cf2bc9f6b1b82c3a307
Author: Jeremy Allison <jra at samba.org>
Date: Tue Mar 21 10:31:36 2023 -0700
tests: Add samba3.blackbox.zero_readsize test.
smbclient crashes when smbd has "smb2 max read = 0"
in the [global] section of smb.conf.
We should fail the protocol negotiation with
NT_STATUS_INVALID_NETWORK_RESPONSE in this case.
Adds knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b755b81d66a2b63e2e0a1fe9406d8f24b91d983e
Author: Volker Lendecke <vl at samba.org>
Date: Tue Mar 7 17:21:56 2023 +0100
test: Add a test for "deny ous"
Not a comprehensive test for all possible combinations, but it shows
the basic functionality, and it found a bug in the initial
implementation :-)
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f9849dbf4ff87e848eb323ca6ca0f612c80c3f95
Author: Volker Lendecke <vl at samba.org>
Date: Tue Mar 7 13:54:47 2023 +0100
tests: Slightly simplify test_idmap_ad.sh
ldbmodify can change multiple objects in one run
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 3fdf8d15c05518aa08770583d4d0172b15a9b389
Author: Volker Lendecke <vl at samba.org>
Date: Fri Nov 18 11:36:28 2022 +0100
idmap_ad: Add "deny ous" and "allow ous" options
With these options, certain OUs can be denied or a list of OUs can be
explicitly permitted for idmapping.
Use case: Administration of OUs in AD has been delegated to people not
100% trusted by the unix server team; this can prevent arbitrary unix
IDs from being assigned by these delegated admins.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c9c709e39dd13680490338fd37caf095f17b70c8
Author: Volker Lendecke <vl at samba.org>
Date: Tue Mar 7 16:08:18 2023 +0100
idmap: Initialize struct idmap_ad_context
We'll add another pointer next that should be initialized to NULL
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6499a2dcb3bc4e6f22af5445517dd3e1ba9efff0
Author: Volker Lendecke <vl at samba.org>
Date: Thu Nov 17 10:43:22 2022 +0100
winbind: Add idmap_config_string_list()
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 443572ce4204c338a0e92417a9d0539a9ec2ddfa
Author: Volker Lendecke <vl at samba.org>
Date: Thu Nov 17 10:40:36 2022 +0100
winbind: Factor out idmap_config_name()
3 times is enough; the next patch will add a 4th one.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/idmap_ad.8.xml | 31 +++++
libcli/smb/smbXcli_base.c | 11 ++
nsswitch/tests/test_idmap_ad.sh | 54 +++++----
selftest/target/Samba3.pm | 1 +
source3/script/tests/test_zero_readsize.sh | 101 ++++++++++++++++
source3/selftest/tests.py | 12 ++
source3/winbindd/idmap.c | 60 +++++-----
source3/winbindd/idmap_ad.c | 180 ++++++++++++++++++++++++++++-
source3/winbindd/winbindd_proto.h | 3 +
9 files changed, 401 insertions(+), 52 deletions(-)
create mode 100755 source3/script/tests/test_zero_readsize.sh
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
index 12cdeb60393..b364bbfa231 100644
--- a/docs-xml/manpages/idmap_ad.8.xml
+++ b/docs-xml/manpages/idmap_ad.8.xml
@@ -99,6 +99,37 @@
<para>Default: no</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>deny ous</term>
+ <listitem><para>This parameter is a list of OUs from
+ which objects will not be mapped via the ad idmap
+ module. If <parameter>deny ous</parameter> is set but
+ <parameter>allow ous</parameter> is not set, every
+ object outside the OUs listed in <parameter>deny
+ ous</parameter> is allowed.
+ </para>
+ <para>Default: none</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>allow ous</term>
+ <listitem><para>This parameter is a list of OUs from
+ which objects will be mapped via the ad idmap
+ module. If <parameter>allow ous</parameter> is set but
+ <parameter>deny ous</parameter> is not set, every
+ object outside the OUs <parameter>allow
+ ous</parameter> is denied.
+ </para>
+ <para>
+ If both <parameter>allow ous</parameter> and
+ <parameter>deny ous</parameter> are set,
+ <parameter>deny ous</parameter> is evaluated first,
+ then <parameter>allow ous</parameter> is looked at. If
+ an AD object matches neither, it is denied.
+ </para>
+ <para>Default: none</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
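Review bot: In the `allow ous` description the sentence `every object outside the OUs <parameter>allow ous</parameter> is denied` is missing the words "listed in" that the parallel `deny ous` sentence has; suggest `object outside the OUs listed in <parameter>allow ous</parameter> is denied.` The manpage should also state whether an OU entry matches only objects directly in that OU or also objects in child OUs, because an administrator relying on `deny ous` to fence off a delegated subtree needs to know whether nested OUs are covered.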
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index aaf2d405a94..a2a551d0f79 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5128,6 +5128,17 @@ static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
conn->smb2.server.system_time = BVAL(body, 40);
conn->smb2.server.start_time = BVAL(body, 48);
+ if (conn->smb2.server.max_trans_size == 0 ||
+ conn->smb2.server.max_read_size == 0 ||
+ conn->smb2.server.max_write_size == 0) {
+ /*
+ * We can't connect to servers we can't
+ * do any operations on.
+ */
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+
security_offset = SVAL(body, 56);
security_length = SVAL(body, 58);
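Review bot: The early return gives the caller only NT_STATUS_INVALID_NETWORK_RESPONSE with no indication which of the three negotiated sizes was zero; a DBG_WARNING printing max_trans_size, max_read_size and max_write_size before `tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);` would make the misconfigured server diagnosable from the client log alone. Placement is right: the check sits before `security_offset`/`security_length` are read, so no further part of an unusable response is consumed.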
diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
index aef74bead96..7ae112ada71 100755
--- a/nsswitch/tests/test_idmap_ad.sh
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -70,20 +70,30 @@ add: loginShell
loginShell: /bin/tcsh
add: gecos
gecos: Administrator Full Name
-EOF
-cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
dn: CN=Domain Users,CN=Users,$BASE_DN
changetype: modify
add: gidNumber
gidNumber: 2000001
-EOF
-cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
dn: CN=Domain Admins,CN=Users,$BASE_DN
changetype: modify
add: gidNumber
gidNumber: 2000002
+
+dn: ou=sub,$BASE_DN
+changetype: add
+objectClass: organizationalUnit
+
+dn: cn=forbidden,ou=sub,$BASE_DN
+changetype: add
+objectClass: user
+samaccountName: forbidden
+uidNumber: 2000003
+gidNumber: 2000001
+unixHomeDirectory: /home/forbidden
+loginShell: /bin/tcsh
+gecos: User in forbidden OU
EOF
#
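Review bot: `samaccountName: forbidden` uses a non-canonical casing of the attribute; LDAP attribute names are case-insensitive so it works, but every other attribute in this LDIF (`uidNumber`, `gidNumber`, `unixHomeDirectory`, `loginShell`) uses canonical casing, so suggest `sAMAccountName: forbidden` for consistency and grep-ability.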
@@ -95,18 +105,12 @@ dn: CN=Administrator,CN=Users,$TRUST_BASE_DN
changetype: modify
add: uidNumber
uidNumber: 2500000
-EOF
-cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
- -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN
changetype: modify
add: gidNumber
gidNumber: 2500001
-EOF
-cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
- -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN
changetype: modify
add: gidNumber
@@ -153,6 +157,20 @@ test "$out" = "$DOMAIN_SID-512"
ret=$?
testit "Test gid lookup of Domain Admins" test $ret -eq 0 || failed=$(expr $failed + 1)
+#
+# Test 5: Make sure deny_ou is really denied
+# This depends on the "deny ous" setting in Samba3.pm
+#
+
+sid="$($wbinfo -n $DOMAIN/forbidden | awk '{print $1}')"
+testit "Could create forbidden" test -n "$sid" || failed=$(expr $failed + 1)
+if [ -n "$sid" ]
+then
+ uid="$($wbinfo --sid-to-uid $sid)"
+ testit "Can not resolve forbidden user" test -z "$uid" ||
+ failed=$(($failed + 1))
+fi
+
#
# Trusted domain test 1: Test uid of Administrator, should be 2500000
#
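Review bot: In Test 5 `$sid` is passed unquoted in `--sid-to-uid $sid` but quoted in the `test -n "$sid"` check just above; quote it in both places. The failure counter is written `failed=$(($failed + 1))` here while the preceding test in the same file uses `failed=$(expr $failed + 1)`; pick one form. Finally, the check only asserts that `$uid` is empty, so `$wbinfo --sid-to-uid` failing for an unrelated reason (winbind unreachable, idmap range exhausted) would also pass it; consider additionally asserting on wbinfo's exit status or error text so that a pass actually demonstrates the `deny ous` denial rather than any lookup failure.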
@@ -209,20 +227,22 @@ delete: loginShell
loginShell: /bin/tcsh
delete: gecos
gecos: Administrator Full Name
-EOF
-cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
dn: CN=Domain Users,CN=Users,$BASE_DN
changetype: modify
delete: gidNumber
gidNumber: 2000001
-EOF
-cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
dn: CN=Domain Admins,CN=Users,$BASE_DN
changetype: modify
delete: gidNumber
gidNumber: 2000002
+
+dn: cn=forbidden,ou=sub,$BASE_DN
+changetype: delete
+
+dn: ou=sub,$BASE_DN
+changetype: delete
EOF
#
@@ -234,18 +254,12 @@ dn: CN=Administrator,CN=Users,$TRUST_BASE_DN
changetype: modify
delete: uidNumber
uidNumber: 2500000
-EOF
-cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
- -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN
changetype: modify
delete: gidNumber
gidNumber: 2500001
-EOF
-cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
- -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN
changetype: modify
delete: gidNumber
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 15b13f2920f..b4fa99c7388 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1390,6 +1390,7 @@ sub setup_ad_member_idmap_ad
idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
idmap config $dcvars->{DOMAIN} : unix_primary_group = yes
idmap config $dcvars->{DOMAIN} : unix_nss_info = yes
+ idmap config $dcvars->{DOMAIN} : deny ous = \"ou=sub,DC=samba2008r2,DC=example,DC=com\"
idmap config $dcvars->{TRUST_DOMAIN} : backend = ad
idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
gensec_gssapi:requested_life_time = 5
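Review bot: The new `deny ous` value hardcodes `DC=samba2008r2,DC=example,DC=com` while the surrounding lines derive everything from `$dcvars->{DOMAIN}`; if the test DC's realm changes, the deny list silently stops matching and Test 5 fails for an unrelated reason. Suggest building the DN from the DC's base-DN variable rather than a literal. The `\"...\"` quoting also deserves a comment: a DN contains commas, so confirm that the string-list parser behind lp_parm_string_list keeps the quoted DN as one element rather than splitting it into `ou=sub`, `DC=samba2008r2`, and so on.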
diff --git a/source3/script/tests/test_zero_readsize.sh b/source3/script/tests/test_zero_readsize.sh
new file mode 100755
index 00000000000..f859599ba89
--- /dev/null
+++ b/source3/script/tests/test_zero_readsize.sh
@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+#
+# Test setting smb2 max read = 0.
+#
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306
+#
+
+if [ $# -lt 6 ]; then
+ cat <<EOF
+Usage: $0 SERVERCONFFILE SMBCLIENT SMBCONTROL SERVER SHARE PREFIX
+EOF
+ exit 1
+fi
+
+CONF=${1}
+shift 1
+SMBCLIENT=${1}
+shift 1
+SMBCONTROL=${1}
+shift 1
+SERVER=${1}
+shift 1
+SHARE=${1}
+shift 1
+PREFIX=${1}
+shift 1
+
+SMBCLIENT="$VALGRIND ${SMBCLIENT}"
+ADDARGS="$@"
+
+incdir=$(dirname "$0")/../../../testprogs/blackbox
+. "$incdir"/subunit.sh
+
+failed=0
+
+#
+# Setup function
+#
+do_setup()
+{
+ rm -f "${PREFIX}/zero_read_testfile"
+ rm -f "${PREFIX}/zero_read_testfile_get"
+ dd if=/dev/zero of="${PREFIX}/zero_read_testfile" bs=1024 count=1
+ global_inject_conf="$(dirname "${SERVERCONFFILE}")/global_inject.conf"
+ echo "smb2 max read = 0" >"$global_inject_conf"
+ ${SMBCONTROL} ${CONF} smbd reload-config
+}
+
+do_cleanup()
+{
+ rm -f "${PREFIX}/zero_read_testfile"
+ rm -f "${PREFIX}/zero_read_testfile_get"
+ global_inject_conf="$(dirname "${SERVERCONFFILE}")/global_inject.conf"
+ rm "$global_inject_conf"
+ ${SMBCONTROL} ${CONF} smbd reload-config
+}
+
+test_smb2_zero_readsize()
+{
+ local tmpfile="$PREFIX/smbclient.in.$$"
+
+ cat >"$tmpfile" <<EOF
+lcd $PREFIX
+put zero_read_testfile zero_read_testfile_put
+get zero_read_testfile_put zero_read_testfile_get
+del zero_read_testfile_put
+quit
+EOF
+
+ local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/$SHARE -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval "$cmd")
+ ret=$?
+
+ # Check for smbclient error.
+ # We should have failed the protocol negotiation, returning 1.
+ if [ $ret != 1 ]; then
+ echo "smbclient protocol negotiation succeeded (should have failed) zero read testfile $ret"
+ echo "$out"
+ return 1
+ fi
+
+ # We should get NT_STATUS_INVALID_NETWORK_RESPONSE
+ echo "$out" | grep NT_STATUS_INVALID_NETWORK_RESPONSE
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "Should get NT_STATUS_INVALID_NETWORK_RESPONSE"
+ echo "$out"
+ return 1
+ fi
+ rm "$tmpfile"
+ return 0
+}
+
+do_setup
+
+testit "smb2_zero_readsize" test_smb2_zero_readsize || failed=$((failed + 1))
+
+do_cleanup
+
+testok "$0" "$failed"
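Review bot: `$tmpfile` is only removed on the success path; both `return 1` branches in test_smb2_zero_readsize leave `$PREFIX/smbclient.in.$$` behind, so move `rm "$tmpfile"` ahead of the checks (or into do_cleanup). Also do_setup and do_cleanup reference `${SERVERCONFFILE}`, which this script never assigns: the usage line calls the first positional argument SERVERCONFFILE but stores it in `CONF`, so the script silently depends on SERVERCONFFILE being exported by the harness; either document that dependency or derive the global_inject.conf path from `$CONF`. Minor: `rm "$global_inject_conf"` in do_cleanup should be `rm -f` so cleanup does not emit an error if do_setup never got as far as creating the file.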
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 293882ea69f..98b4eb361c3 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1415,6 +1415,18 @@ plantestsuite("samba3.blackbox.chdir-cache", "simpleserver:local",
'$PREFIX',
'simpleserver'])
+plantestsuite("samba3.blackbox.zero_readsize",
+ "simpleserver:local",
+ [os.path.join(samba3srcdir,
+ "script/tests/test_zero_readsize.sh"),
+ configuration,
+ os.path.join(bindir(), "smbclient"),
+ os.path.join(bindir(), "smbcontrol"),
+ '$SERVER_IP',
+ "tmp",
+ "$PREFIX",
+ "-mSMB2"])
+
plantestsuite("samba3.blackbox.netfileenum", "simpleserver:local",
[os.path.join(samba3srcdir,
"script/tests/test_netfileenum.sh"),
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
index eee28992929..53b860b51d7 100644
--- a/source3/winbindd/idmap.c
+++ b/source3/winbindd/idmap.c
@@ -177,50 +177,50 @@ static bool idmap_init(void)
return true;
}
+static int idmap_config_name(const char *domname, char *buf, size_t buflen)
+{
+ int len = snprintf(buf, buflen, "idmap config %s", domname);
+ SMB_ASSERT(len > 0);
+ return len + 1;
+}
+
const char *idmap_config_const_string(const char *domname, const char *option,
const char *def)
{
- int len = snprintf(NULL, 0, "idmap config %s", domname);
+ int len = idmap_config_name(domname, NULL, 0);
+ char config_option[len];
+ idmap_config_name(domname, config_option, sizeof(config_option));
- if (len == -1) {
- return NULL;
- }
- {
- char config_option[len+1];
- snprintf(config_option, sizeof(config_option),
- "idmap config %s", domname);
- return lp_parm_const_string(-1, config_option, option, def);
- }
+ return lp_parm_const_string(-1, config_option, option, def);
}
bool idmap_config_bool(const char *domname, const char *option, bool def)
{
- int len = snprintf(NULL, 0, "idmap config %s", domname);
+ int len = idmap_config_name(domname, NULL, 0);
+ char config_option[len];
+ idmap_config_name(domname, config_option, sizeof(config_option));
- if (len == -1) {
- return def;
- }
- {
- char config_option[len+1];
- snprintf(config_option, sizeof(config_option),
- "idmap config %s", domname);
- return lp_parm_bool(-1, config_option, option, def);
- }
+ return lp_parm_bool(-1, config_option, option, def);
}
int idmap_config_int(const char *domname, const char *option, int def)
{
- int len = snprintf(NULL, 0, "idmap config %s", domname);
+ int len = idmap_config_name(domname, NULL, 0);
+ char config_option[len];
+ idmap_config_name(domname, config_option, sizeof(config_option));
- if (len == -1) {
- return def;
- }
- {
- char config_option[len+1];
- snprintf(config_option, sizeof(config_option),
- "idmap config %s", domname);
- return lp_parm_int(-1, config_option, option, def);
- }
+ return lp_parm_int(-1, config_option, option, def);
+}
+
+const char **idmap_config_string_list(const char *domname,
+ const char *option,
+ const char **def)
+{
+ int len = idmap_config_name(domname, NULL, 0);
+ char config_option[len];
+ idmap_config_name(domname, config_option, sizeof(config_option));
+
+ return lp_parm_string_list(-1, config_option, option, def);
}
bool domain_has_idmap_config(const char *domname)
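Review bot: `SMB_ASSERT(len > 0)` in idmap_config_name replaces the previous `if (len == -1) return def;` handling with a process abort; snprintf only returns a negative value on an encoding error, so this is acceptable for a `domname` that comes from smb.conf, but the change in failure behaviour should be mentioned in the commit message. Each lookup now calls `idmap_config_name` twice, first with `(NULL, 0)` as a sizing probe and then to fill the buffer, with the second return value discarded; a one-line comment stating that the function returns the buffer size including the terminating NUL (`len + 1`) would save readers from checking that `char config_option[len]` is large enough, since the `+1` is easy to miss.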
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index d08052e8a97..5c9fe07db95 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -34,6 +34,8 @@
#include "source3/libads/sitename_cache.h"
#include "source3/libads/kerberos_proto.h"
#include "source3/librpc/gen_ndr/ads.h"
+#include "source3/lib/global_contexts.h"
+#include <ldb.h>
struct idmap_ad_schema_names;
@@ -45,6 +47,10 @@ struct idmap_ad_context {
bool unix_primary_group;
bool unix_nss_info;
+
+ struct ldb_context *ldb;
+ struct ldb_dn **deny_ous;
+ struct ldb_dn **allow_ous;
};
static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
@@ -434,6 +440,42 @@ static int idmap_ad_context_destructor(struct idmap_ad_context *ctx)
return 0;
}
+static struct ldb_dn **str_list_to_dns(TALLOC_CTX *mem_ctx,
+ const char *dbgmsg,
+ struct ldb_context *ldb,
+ const char **strlist)
+{
+ size_t i, num_dns = str_list_length(strlist);
+ char *dbgstr = NULL;
+ struct ldb_dn **dns = NULL;
+
+ dns = talloc_array(mem_ctx, struct ldb_dn *, num_dns);
+ if (dns == NULL) {
+ TALLOC_FREE(dbgstr);
+ return NULL;
+ }
+
+ dbgstr = talloc_strdup(talloc_tos(), "");
+
+ for (i = 0; i < num_dns; i++) {
+ dns[i] = ldb_dn_new(dns, ldb, strlist[i]);
+ if (dns[i] == NULL) {
+ DBG_WARNING("ldb_dn_new(%s) failed\n", strlist[i]);
+ TALLOC_FREE(dns);
+ return NULL;
+ }
+ talloc_asprintf_addbuf(
+ &dbgstr,
+ "%s ",
+ ldb_dn_get_extended_linearized(dbgstr, dns[i], 1));
+ }
+
+ DBG_DEBUG("%s %s\n", dbgmsg, dbgstr);
+ TALLOC_FREE(dbgstr);
+
+ return dns;
+}
+
static NTSTATUS idmap_ad_context_create(TALLOC_CTX *mem_ctx,
struct idmap_domain *dom,
const char *domname,
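Review bot: On the `ldb_dn_new` failure path `dbgstr` is leaked: `TALLOC_FREE(dns)` runs but `dbgstr`, allocated on talloc_tos() a few lines earlier, is not freed, while the `TALLOC_FREE(dbgstr)` in the `dns == NULL` branch executes before `dbgstr` is assigned and is dead code; move the free into the branch that can actually leak. More important for an allow/deny list that guards idmapping: `ldb_dn_new` does not validate its input, so a mistyped DN in `deny ous` produces a DN object that simply never matches and the entry fails open. Calling `ldb_dn_validate()` on each `dns[i]` and failing context creation on an invalid DN would make a misconfigured deny list fail loudly at startup instead. Also, the returned array is not NULL-terminated, so callers must use `talloc_array_length()` to get the count; worth a comment above the function.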
@@ -441,10 +483,12 @@ static NTSTATUS idmap_ad_context_create(TALLOC_CTX *mem_ctx,
{
struct idmap_ad_context *ctx;
const char *schema_mode;
+ const char **allow = NULL;
+ const char **deny = NULL;
NTSTATUS status;
TLDAPRC rc;
- ctx = talloc(mem_ctx, struct idmap_ad_context);
+ ctx = talloc_zero(mem_ctx, struct idmap_ad_context);
if (ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -483,10 +527,120 @@ static NTSTATUS idmap_ad_context_create(TALLOC_CTX *mem_ctx,
return NT_STATUS_LDAP(TLDAP_RC_V(rc));
}
--
Samba Shared Repository