[SCM] Samba Shared Repository - branch v4-17-stable updated
Jule Anger
janger at samba.org
Tue Oct 10 14:45:50 UTC 2023
The branch, v4-17-stable has been updated
via 0e746c02f6c CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
via 08f4f363fa6 CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
via 6ff5eed9c5d CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
via 9989568b20c CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
via cbd68f39d52 CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
via c0d6e6db657 CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
via 4e5f060cdc3 CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
via 4c1f1fe39c6 CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
via 92a4df11b2d CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
via 8a9dac9d4e5 CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
via 649bccf87ef CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
via 8de96459777 CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
via 68eda471b8f CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
via 8b1f1c9f90f CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
via b59a4266f1b CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
via 22904d2b9dc CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
via 4cfec08d7ee CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
via 10c4b6ea09f CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
via b4849183a68 CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
via d221d0a7902 CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
via 5313a307148 CVE-2023-4154 s4:dsdb:tests: Fix code spelling
via 119ff0ef752 CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
via e8b68aa5c9a CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
via bd5213a918e CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python
via 25585fda53f CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from a security descriptor
via 347d55084b7 CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
via 45051934ffa CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
via f958415a69f CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
via e6f096c4c8f CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
via 23199e11545 CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
from f3e7be14a36 VERSION: Disable GIT_SNAPSHOT for the 4.17.11 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable
- Log -----------------------------------------------------------------
commit 0e746c02f6cc3b53b941f2b2d9624427020a6890
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 12 16:23:49 2023 +1200
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.
This means that any duplicates will be noticed early not just
in a race condition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 08f4f363fa6e2ee62a6e32db577ee12e26927735
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 12 12:28:49 2023 +1200
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.
Most critically of course this applies to netlogon, lsa and samr.
This avoids the suppression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 6ff5eed9c5dbb5b8b27ef34586e63208e958dc2e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 12 19:01:03 2023 +1200
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact. However equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 9989568b20c8f804140c22f51548d766a18ed887
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 12 18:59:44 2023 +1200
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit cbd68f39d5255336ddf1559e46c841f14598d2a8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 8 17:58:27 2023 +1200
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.
Having a second access control system within the LDAP stack is unsafe
and this layer is incomplete.
The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).
Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.
The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit c0d6e6db657135f772fc2b4d1ee8b57bd50a1d54
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 22 15:08:17 2023 +1200
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 4e5f060cdc3ca03cc1d6509ee9b9cdc0b24b5ca9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 8 14:30:19 2023 +1200
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication. Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 4c1f1fe39c6e75a377f46d2f9a60749244c1247a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 8 11:18:46 2023 +1200
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 92a4df11b2dd696f5ba1c283602a6b3435d082ea
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 7 11:56:56 2023 +1200
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 8a9dac9d4e52713152a085730c5d12462322f760
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 7 14:44:28 2023 +1200
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
Rather than fail, if the last run failed to reset things, just force
the DC into the required state.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 649bccf87ef1ad90c2a7219c59285af30ae7ba03
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 7 13:15:40 2023 +1200
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
This helps ensure this test is reliable even in spite of errors while
running.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 8de964597772cbbdef8b0fd7cb0d3e71aacd698c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 7 11:55:55 2023 +1200
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.
We rename tests that would otherwise have duplicate names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 68eda471b8f4aeb64bb0e6f2dd72201e47949be7
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 16 10:03:44 2023 +0100
CVE-2023-4154 libcli/security: add security_descriptor_[s|d]acl_insert() helpers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 2c02378029fff6636b8f19e45af78b265f2210ed)
commit 8b1f1c9f90fd66c333ce1effab8ab78165266bd5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 16 10:00:11 2023 +0100
CVE-2023-4154 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
Often it is important to insert an ace at a specific position in the
ACL. As a default we still append by default by using -1, which is the
generic version of passing the number of existing aces.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit c3cb915a67aff6739b72b86d7d139609df309ada)
commit b59a4266f1b17d9aaf1485b09db15b911b470228
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 16 09:57:43 2023 +0100
CVE-2023-4154 replace: add ARRAY_INSERT_ELEMENT() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b)
commit 22904d2b9dc4c0db5b7642b3dd3f44ac2fbf4247
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 17 14:08:34 2023 +0100
CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
This uses ndr_pack/unpack in order to create a deep copy
of the given object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 4627997ddae44265ad35b3234232eb74458c6c34)
commit 4cfec08d7ee7dae1bf42528b31b7c65cdd4600d4
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 16 10:11:05 2023 +0100
CVE-2023-4154 py_security: allow idx argument to descriptor.[s|d]acl_add()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74)
commit 10c4b6ea09f70aebf7cc7381e947ac49c559b27a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 16 18:03:10 2023 +0100
CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
They better represent what they are doing, we keep dacl_add_ace()
as wrapper of dacl_prepend_aces() in order to let existing callers
work as before.
In future it would be good to have a dacl_insert_aces() that
would canonicalize the ace order before storing, but that's a task
for another day.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit a1109a9bf12e020636b8d66fc54984aac58bfe6b)
commit b4849183a68c35e06f06f5b1ee2539fbfa990b29
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 10 18:25:18 2023 +0100
CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
This is a more generic api that can be re-used in other places
as well in future. It operates on a security descriptor object instead of
SDDL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 8411e6d302e25d10f1035ebbdcbde7308566e930)
commit d221d0a79022b65df7eecc7b47a859b003345a0f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Feb 14 17:19:27 2023 +1300
CVE-2023-4154 s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
It's no longer used anywhere.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8b4e6f7b3fb8018cb64deef9b8e1cbc2e5ba12cf)
commit 5313a30714889ba96c68a8809a16697f99febb55
Author: Andreas Schneider <asn at samba.org>
Date: Wed Aug 2 10:44:32 2023 +0200
CVE-2023-4154 s4:dsdb:tests: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)
commit 119ff0ef75212d21fea5147cf197ef3e53cca33d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jan 27 07:43:40 2023 +1300
CVE-2023-4154 s4:dsdb:tests: Refactor confidential attributes test
Use more specific unittest methods, and remove unused code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2e5d08c908b3fa48b9b374279a331061cb77bce3)
commit e8b68aa5c9ad4ad6fbe11cdfe67d313b41326625
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 1 14:49:06 2023 +1300
CVE-2023-4154 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now
remove the complexity.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit 82d2ec786f7e75ff6f34eb3357964345b10de091)
commit bd5213a918edef9397ef41c1fe93d3d03264a396
Author: Christian Merten <christian at merten.dev>
Date: Mon Sep 19 23:01:34 2022 +0200
CVE-2023-4154 librpc ndr/py_security: Export ACE deletion functions to python
Exported security_descriptor_sacl_del and security_descriptor_dacl_del as new methods of the
security descriptor class to python.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 84a54d2fa2b1590fdb4e2ea986ded9c39a82cf78)
commit 25585fda53fd2b6c2d7e21e7829945b51e984d07
Author: Christian Merten <christian at merten.dev>
Date: Mon Sep 19 22:47:10 2022 +0200
CVE-2023-4154 libcli security_descriptor: Add function to delete a given ace from a security descriptor
Two functions have been added to delete a given ace from the SACL or the DACL of a security descriptor.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Christian Merten <christian at merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 7efe673fbdcd27ddd23f36281c5f5338681a68fe)
commit 347d55084b76f53f752e9aae9e84a9f775cbec9d
Author: Ralph Boehme <slow at samba.org>
Date: Tue Aug 1 13:04:36 2023 +0200
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow at samba.org>
commit 45051934ffa479b25193f409a0c0fe7740f2415d
Author: Ralph Boehme <slow at samba.org>
Date: Tue Aug 1 12:30:00 2023 +0200
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow at samba.org>
commit f958415a69fdd6324810e16a050e25b821ba204b
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jul 25 17:54:41 2023 -0700
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
commit e6f096c4c8fb3e19fff954c2ddd9c329fb86b06a
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jul 25 17:49:21 2023 -0700
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
Add the knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
[abartlet at samba.org backported to Samba 4.17 due to conflicts from
context of other new torture tests missing in this version and
changes in smb2cli_create() arguments]
commit 23199e115457e8054c905eedee95ebee114809e0
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jul 25 17:41:04 2023 -0700
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.../smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
lib/param/loadparm.c | 2 +-
lib/replace/replace.h | 15 +
libcli/security/security_descriptor.c | 121 +++++-
libcli/security/security_descriptor.h | 10 +
python/samba/ndr.py | 19 +
python/samba/sd_utils.py | 153 ++++++-
selftest/knownfail | 2 +-
selftest/knownfail.d/dirsync | 13 +
selftest/target/Samba4.pm | 2 +-
source3/param/loadparm.c | 2 +-
source3/rpc_client/local_np.c | 13 +
source3/rpc_server/rpc_host.c | 154 +------
source3/rpc_server/rpcd_classic.c | 45 +-
source3/rpc_server/rpcd_epmapper.c | 33 +-
source3/rpc_server/rpcd_lsad.c | 21 +
source3/rpc_server/rpcd_rpcecho.c | 33 +-
source3/rpc_server/wscript_build | 1 +
source3/selftest/tests.py | 15 +
source3/smbd/open.c | 4 +-
source3/torture/proto.h | 1 +
source3/torture/test_smb2.c | 105 +++++
source3/torture/torture.c | 4 +
source4/dsdb/samdb/ldb_modules/dirsync.c | 33 +-
source4/dsdb/samdb/samdb.h | 1 -
source4/dsdb/tests/python/acl.py | 12 +-
.../dsdb/tests/python/ad_dc_search_performance.py | 2 +-
source4/dsdb/tests/python/confidential_attr.py | 212 ++++-----
source4/dsdb/tests/python/dirsync.py | 473 ++++++++++++++++++---
source4/dsdb/tests/python/ldap.py | 14 +-
source4/dsdb/tests/python/ldap_modify_order.py | 4 +-
source4/dsdb/tests/python/ldap_syntaxes.py | 4 +-
source4/dsdb/tests/python/login_basics.py | 2 +-
source4/dsdb/tests/python/password_settings.py | 4 +-
source4/dsdb/tests/python/passwords.py | 4 +-
source4/dsdb/tests/python/sam.py | 2 +-
source4/dsdb/tests/python/sec_descriptor.py | 14 +-
source4/dsdb/tests/python/token_group.py | 4 +-
source4/dsdb/tests/python/user_account_control.py | 2 +-
source4/librpc/ndr/py_security.c | 62 ++-
source4/rpc_server/wscript_build | 3 +-
source4/torture/smb2/acls.c | 143 +++++++
42 files changed, 1325 insertions(+), 440 deletions(-)
create mode 100644 selftest/knownfail.d/dirsync
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
index 8a217cc7f11..c6642b795fd 100644
--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
@@ -6,6 +6,6 @@
<para>Specifies which DCE/RPC endpoint servers should be run.</para>
</description>
-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
<value type="example">rpcecho</value>
</samba:parameter>
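Review bot: `<value type="example">rpcecho</value>` still offers rpcecho as the example value immediately after this hunk drops it from the default list. Since the commit message says rpcecho should never have been allowed into production, pick a different service for the example, or add a sentence to the description saying rpcecho is for development and testing only.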
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index f70823fe366..664fae70c9b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2732,7 +2732,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
/* the winbind method for domain controllers is for both RODC
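Review bot: nothing at the changed lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", ...) line records why rpcecho is absent, so a later cleanup could put it back. A one-line comment above the call pointing at CVE-2023-42669 would prevent that, and since the same default is spelled out again in docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml, the comment could also say the two lists must stay in sync.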
diff --git a/lib/replace/replace.h b/lib/replace/replace.h
index bd7f6e53e81..bcd5c09bf7c 100644
--- a/lib/replace/replace.h
+++ b/lib/replace/replace.h
@@ -889,6 +889,21 @@ typedef unsigned long long ptrdiff_t ;
#define ARRAY_DEL_ELEMENT(a,i,n) \
if((i)<((n)-1)){memmove(&((a)[(i)]),&((a)[(i)+1]),(sizeof(*(a))*((n)-(i)-1)));}
+/**
+ * Insert an array element by moving the rest one up
+ *
+ */
+#define ARRAY_INSERT_ELEMENT(__array,__old_last_idx,__new_elem,__new_idx) do { \
+ if ((__new_idx) < (__old_last_idx)) { \
+ const void *__src = &((__array)[(__new_idx)]); \
+ void *__dst = &((__array)[(__new_idx)+1]); \
+ size_t __num = (__old_last_idx)-(__new_idx); \
+ size_t __len = sizeof(*(__array)) * __num; \
+ memmove(__dst, __src, __len); \
+ } \
+ (__array)[(__new_idx)] = (__new_elem); \
+} while(0)
+
/**
* Pointer difference macro
*/
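Review bot: the doc comment on ARRAY_INSERT_ELEMENT does not state its preconditions. The caller must already have grown __array to hold __old_last_idx + 1 elements, and __new_idx must be no larger than __old_last_idx, because the final `(__array)[(__new_idx)] = (__new_elem);` is unchecked; please spell both out in the comment. __new_idx and __array are also expanded several times inside the body, so arguments with side effects will misbehave; either document that or copy them into locals at the top of the do { } while(0) block.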
diff --git a/libcli/security/security_descriptor.c b/libcli/security/security_descriptor.c
index ba142016389..08f2cf19ee8 100644
--- a/libcli/security/security_descriptor.c
+++ b/libcli/security/security_descriptor.c
@@ -267,9 +267,11 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
bool add_to_sacl,
- const struct security_ace *ace)
+ const struct security_ace *ace,
+ ssize_t _idx)
{
struct security_acl *acl = NULL;
+ ssize_t idx;
if (add_to_sacl) {
acl = sd->sacl;
@@ -288,15 +290,28 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
acl->aces = NULL;
}
+ if (_idx < 0) {
+ idx = (acl->num_aces + 1) + _idx;
+ } else {
+ idx = _idx;
+ }
+
+ if (idx < 0) {
+ return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
+ } else if (idx > acl->num_aces) {
+ return NT_STATUS_ARRAY_BOUNDS_EXCEEDED;
+ }
+
acl->aces = talloc_realloc(acl, acl->aces,
struct security_ace, acl->num_aces+1);
if (acl->aces == NULL) {
return NT_STATUS_NO_MEMORY;
}
- acl->aces[acl->num_aces] = *ace;
+ ARRAY_INSERT_ELEMENT(acl->aces, acl->num_aces, *ace, idx);
+ acl->num_aces++;
- switch (acl->aces[acl->num_aces].type) {
+ switch (acl->aces[idx].type) {
case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
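Review bot: in the new bounds check, `idx > acl->num_aces` compares the signed ssize_t idx with acl->num_aces, which the deletion helper later in this patch iterates with a uint32_t counter. If num_aces is unsigned, this comparison and the earlier `idx = (acl->num_aces + 1) + _idx;` rely on implicit conversions that behave differently for 32-bit and 64-bit ssize_t; converting num_aces to ssize_t once before the arithmetic would make the intent explicit. The two branches also return the same NT_STATUS_ARRAY_BOUNDS_EXCEEDED and can be folded into one condition.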
@@ -307,8 +322,6 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
break;
}
- acl->num_aces++;
-
if (add_to_sacl) {
sd->sacl = acl;
sd->type |= SEC_DESC_SACL_PRESENT;
@@ -327,7 +340,21 @@ static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
const struct security_ace *ace)
{
- return security_descriptor_acl_add(sd, true, ace);
+ return security_descriptor_acl_add(sd, true, ace, -1);
+}
+
+/*
+ insert an ACE at a given index to the SACL of a security_descriptor
+
+ idx can be negative, which means it's related to the new size from the
+ end, so -1 means the ace is appended at the end.
+*/
+
+NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx)
+{
+ return security_descriptor_acl_add(sd, true, ace, idx);
}
/*
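Review bot: the comment above security_descriptor_sacl_insert() explains negative idx but not the valid range or the failure mode. From security_descriptor_acl_add() the accepted range is -(num_aces + 1) through num_aces, and anything outside it returns NT_STATUS_ARRAY_BOUNDS_EXCEEDED; say so here so callers do not have to read the static helper.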
@@ -337,7 +364,21 @@ NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
const struct security_ace *ace)
{
- return security_descriptor_acl_add(sd, false, ace);
+ return security_descriptor_acl_add(sd, false, ace, -1);
+}
+
+/*
+ insert an ACE at a given index to the DACL of a security_descriptor
+
+ idx can be negative, which means it's related to the new size from the
+ end, so -1 means the ace is appended at the end.
+*/
+
+NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx)
+{
+ return security_descriptor_acl_add(sd, false, ace, idx);
}
/*
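Review bot: security_descriptor_dacl_insert() lets the caller place an ACE at any position, and its comment says nothing about ordering. DACL evaluation is order dependent, so an allow ACE inserted ahead of a deny ACE changes the access decision; the comment should state that the function does not canonicalize the ACL and that the caller owns the resulting order.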
@@ -419,6 +460,72 @@ NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
return security_descriptor_acl_del(sd, true, trustee);
}
+/*
+ delete the given ACE in the SACL or DACL of a security_descriptor
+*/
+static NTSTATUS security_descriptor_acl_del_ace(struct security_descriptor *sd,
+ bool sacl_del,
+ const struct security_ace *ace)
+{
+ uint32_t i;
+ bool found = false;
+ struct security_acl *acl = NULL;
+
+ if (sacl_del) {
+ acl = sd->sacl;
+ } else {
+ acl = sd->dacl;
+ }
+
+ if (acl == NULL) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ for (i=0;i<acl->num_aces;i++) {
+ if (security_ace_equal(ace, &acl->aces[i])) {
+ ARRAY_DEL_ELEMENT(acl->aces, i, acl->num_aces);
+ acl->num_aces--;
+ if (acl->num_aces == 0) {
+ acl->aces = NULL;
+ }
+ found = true;
+ i--;
+ }
+ }
+
+ if (!found) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ acl->revision = SECURITY_ACL_REVISION_NT4;
+
+ for (i=0;i<acl->num_aces;i++) {
+ switch (acl->aces[i].type) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+ case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
+ case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+ acl->revision = SECURITY_ACL_REVISION_ADS;
+ return NT_STATUS_OK;
+ default:
+ break; /* only for the switch statement */
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd,
+ const struct security_ace *ace)
+{
+ return security_descriptor_acl_del_ace(sd, false, ace);
+}
+
+NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
+ const struct security_ace *ace)
+{
+ return security_descriptor_acl_del_ace(sd, true, ace);
+}
/*
compare two security ace structures
*/
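Review bot: in the removal loop of security_descriptor_acl_del_ace(), `i--` on a uint32_t wraps to UINT32_MAX when the match is at index 0 and depends on the loop's `i++` to wrap back. That is well defined but easy to break in a later edit; a while loop that only advances i when nothing was deleted is safer to read. In the same loop `acl->aces = NULL;` drops the array without freeing it, so it stays allocated under acl (the add path uses talloc_realloc(acl, acl->aces, ...)); TALLOC_FREE(acl->aces) would release it. A blank line is also missing between the closing brace of security_descriptor_sacl_del_ace() and the comment that follows.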
diff --git a/libcli/security/security_descriptor.h b/libcli/security/security_descriptor.h
index 7e6df87fefa..354bc17e925 100644
--- a/libcli/security/security_descriptor.h
+++ b/libcli/security/security_descriptor.h
@@ -33,12 +33,22 @@ NTSTATUS security_descriptor_for_client(TALLOC_CTX *mem_ctx,
struct security_descriptor **_csd);
NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
const struct security_ace *ace);
+NTSTATUS security_descriptor_sacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx);
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
const struct security_ace *ace);
+NTSTATUS security_descriptor_dacl_insert(struct security_descriptor *sd,
+ const struct security_ace *ace,
+ ssize_t idx);
NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
const struct dom_sid *trustee);
NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
const struct dom_sid *trustee);
+NTSTATUS security_descriptor_dacl_del_ace(struct security_descriptor *sd,
+ const struct security_ace *ace);
+NTSTATUS security_descriptor_sacl_del_ace(struct security_descriptor *sd,
+ const struct security_ace *ace);
bool security_ace_equal(const struct security_ace *ace1,
const struct security_ace *ace2);
bool security_acl_equal(const struct security_acl *acl1,
diff --git a/python/samba/ndr.py b/python/samba/ndr.py
index 35b2414e8ae..8369abfb2d0 100644
--- a/python/samba/ndr.py
+++ b/python/samba/ndr.py
@@ -56,6 +56,25 @@ def ndr_print(object):
return ndr_print()
+def ndr_deepcopy(object):
+ """Create a deep copy of a NDR object, using pack/unpack
+
+ :param object: Object to copy
+ :return: The object copy
+ """
+ ndr_pack = getattr(object, "__ndr_pack__", None)
+ if ndr_pack is None:
+ raise TypeError("%r is not a NDR object" % object)
+ data = ndr_pack()
+ cls = type(object)
+ copy = cls()
+ ndr_unpack = getattr(copy, "__ndr_unpack__", None)
+ if ndr_unpack is None:
+ raise TypeError("%r is not a NDR object" % copy)
+ ndr_unpack(data, allow_remaining=False)
+ return copy
+
+
def ndr_pack_in(object, bigendian=False, ndr64=False):
"""Pack the input of an NDR function object.
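Review bot: `copy = cls()` in ndr_deepcopy() assumes the NDR type can be constructed with no arguments, which the docstring does not mention; state that requirement, or catch the TypeError from the constructor and re-raise it with a message naming the type. The second check, `getattr(copy, "__ndr_unpack__", None)`, runs on an instance of the same class as the input, so its error would be more useful if it named the missing method instead of repeating "is not a NDR object".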
diff --git a/python/samba/sd_utils.py b/python/samba/sd_utils.py
index 26e80ee2f4a..462bbfbaf18 100644
--- a/python/samba/sd_utils.py
+++ b/python/samba/sd_utils.py
@@ -21,8 +21,11 @@
import samba
from ldb import Message, MessageElement, Dn
from ldb import FLAG_MOD_REPLACE, SCOPE_BASE
-from samba.ndr import ndr_pack, ndr_unpack
+from samba.ndr import ndr_pack, ndr_unpack, ndr_deepcopy
from samba.dcerpc import security
+from samba.ntstatus import (
+ NT_STATUS_OBJECT_NAME_NOT_FOUND,
+)
class SDUtils(object):
@@ -63,19 +66,145 @@ class SDUtils(object):
res = self.ldb.search(object_dn)
return ndr_unpack(security.dom_sid, res[0]["objectSid"][0])
+ def update_aces_in_dacl(self, dn, del_aces=None, add_aces=None,
+ sddl_attr=None, controls=None):
+ if del_aces is None:
+ del_aces=[]
+ if add_aces is None:
+ add_aces=[]
+
+ def ace_from_sddl(ace_sddl):
+ ace_sd = security.descriptor.from_sddl("D:" + ace_sddl, self.domain_sid)
+ assert(len(ace_sd.dacl.aces)==1)
+ return ace_sd.dacl.aces[0]
+
+ if sddl_attr is None:
+ if controls is None:
+ controls=["sd_flags:1:%d" % security.SECINFO_DACL]
+ sd = self.read_sd_on_dn(dn, controls=controls)
+ if not sd.type & security.SEC_DESC_DACL_PROTECTED:
+ # if the DACL is not protected remove all
+ # inherited aces, as they will be re-inherited
+ # on the server, we need a ndr_deepcopy in order
+ # to avoid reference problems while deleting
+ # the aces while looping over them
+ dacl_copy = ndr_deepcopy(sd.dacl)
+ for ace in dacl_copy.aces:
+ if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE:
+ try:
+ sd.dacl_del_ace(ace)
+ except samba.NTSTATUSError as err:
+ if err.args[0] != NT_STATUS_OBJECT_NAME_NOT_FOUND:
+ raise err
+ # dacl_del_ace may remove more than
+ # one ace, so we may not find it anymore
+ pass
+ else:
+ if controls is None:
+ controls=[]
+ res = self.ldb.search(dn, SCOPE_BASE, None,
+ [sddl_attr], controls=controls)
+ old_sddl = str(res[0][sddl_attr][0])
+ sd = security.descriptor.from_sddl(old_sddl, self.domain_sid)
+
+ num_changes = 0
+ del_ignored = []
+ add_ignored = []
+ inherited_ignored = []
+
+ for ace in del_aces:
+ if isinstance(ace, str):
+ ace = ace_from_sddl(ace)
+ assert(isinstance(ace, security.ace))
+
+ if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE:
+ inherited_ignored.append(ace)
+ continue
+
+ if ace not in sd.dacl.aces:
+ del_ignored.append(ace)
+ continue
+
+ sd.dacl_del_ace(ace)
+ num_changes += 1
+
+ for ace in add_aces:
+ add_idx = -1
+ if isinstance(ace, dict):
+ if "idx" in ace:
+ add_idx = ace["idx"]
+ ace = ace["ace"]
+ if isinstance(ace, str):
+ ace = ace_from_sddl(ace)
+ assert(isinstance(ace, security.ace))
+
+ if ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE:
+ inherited_ignored.append(ace)
+ continue
+
+ if ace in sd.dacl.aces:
+ add_ignored.append(ace)
+ continue
+
+ sd.dacl_add(ace, add_idx)
+ num_changes += 1
+
+ if num_changes == 0:
+ return del_ignored, add_ignored, inherited_ignored
+
+ if sddl_attr is None:
+ self.modify_sd_on_dn(dn, sd, controls=controls)
+ else:
+ new_sddl = sd.as_sddl(self.domain_sid)
+ m = Message()
+ m.dn = dn
+ m[sddl_attr] = MessageElement(new_sddl.encode('ascii'),
+ FLAG_MOD_REPLACE,
+ sddl_attr)
+ self.ldb.modify(m, controls=controls)
+
+ return del_ignored, add_ignored, inherited_ignored
+
+ def dacl_prepend_aces(self, object_dn, aces, controls=None):
+ """Prepend an ACE (or more) to an objects security descriptor
+ """
+ ace_sd = security.descriptor.from_sddl("D:" + aces, self.domain_sid)
+ add_aces = []
+ add_idx = 0
+ for ace in ace_sd.dacl.aces:
+ add_aces.append({"idx": add_idx, "ace": ace})
+ add_idx += 1
+ _,ai,ii = self.update_aces_in_dacl(object_dn, add_aces=add_aces,
+ controls=controls)
+ return ai, ii
+
def dacl_add_ace(self, object_dn, ace):
- """Add an ACE to an objects security descriptor
+ """Add an ACE (or more) to an objects security descriptor
"""
- desc = self.read_sd_on_dn(object_dn, ["show_deleted:1"])
- desc_sddl = desc.as_sddl(self.domain_sid)
- if ace in desc_sddl:
- return
- if desc_sddl.find("(") >= 0:
- desc_sddl = (desc_sddl[:desc_sddl.index("(")] + ace +
- desc_sddl[desc_sddl.index("("):])
- else:
- desc_sddl = desc_sddl + ace
- self.modify_sd_on_dn(object_dn, desc_sddl, ["show_deleted:1"])
+ _,_ = self.dacl_prepend_aces(object_dn, ace,
+ controls=["show_deleted:1"])
+
+ def dacl_append_aces(self, object_dn, aces, controls=None):
+ """Append an ACE (or more) to an objects security descriptor
+ """
+ ace_sd = security.descriptor.from_sddl("D:" + aces, self.domain_sid)
+ add_aces = []
+ for ace in ace_sd.dacl.aces:
+ add_aces.append(ace)
+ _,ai,ii = self.update_aces_in_dacl(object_dn, add_aces=add_aces,
+ controls=controls)
+ return ai, ii
+
+ def dacl_delete_aces(self, object_dn, aces, controls=None):
+ """Delete an ACE (or more) to an objects security descriptor
+ """
+ del_sd = security.descriptor.from_sddl("D:" + aces, self.domain_sid)
+ del_aces = []
+ for ace in del_sd.dacl.aces:
+ del_aces.append(ace)
+ di,_,ii = self.update_aces_in_dacl(object_dn, del_aces=del_aces,
+ controls=controls)
+ return di, ii
def get_sd_as_sddl(self, object_dn, controls=[]):
"""Return object nTSecutiryDescriptor in SDDL format
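Review bot: update_aces_in_dacl validates its inputs with assert (`assert(len(ace_sd.dacl.aces)==1)` in ace_from_sddl and the two `assert(isinstance(ace, security.ace))` checks), and these are skipped when Python runs with -O, in which case an SDDL string holding several ACEs would silently contribute only its first one. Raising ValueError or TypeError keeps the checks unconditional. The method also has no docstring although it has the widest contract in the hunk: add_aces accepts a str, a security.ace or a dict with "idx" and "ace" keys, sddl_attr switches between read_sd_on_dn/modify_sd_on_dn and a plain SDDL attribute, and three lists of ignored ACEs are returned. Minor: the `pass` after `raise err` in the except block is redundant, and the dacl_delete_aces docstring says "Delete an ACE (or more) to an objects" where "from" is meant.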
diff --git a/selftest/knownfail b/selftest/knownfail
index f9ca4984176..a89616c1dbe 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -151,7 +151,7 @@
^samba4.smb2.acls.*.inheritflags
^samba4.smb2.acls.*.owner
^samba4.smb2.acls.*.ACCESSBASED
-^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.ExtendedDirsyncTests.test_dirsync_deleted_items
+^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.SimpleDirsyncTests.test_dirsync_deleted_items_OBJECT_SECURITY
#^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.ExtendedDirsyncTests.*
^samba4.libsmbclient.opendir.(NT1|SMB3).opendir # This requires netbios browsing
^samba4.rpc.drsuapi.*.drsuapi.DsGetDomainControllerInfo\(.*\)$
diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
new file mode 100644
index 00000000000..fcf4d469d6e
--- /dev/null
+++ b/selftest/knownfail.d/dirsync
@@ -0,0 +1,13 @@
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_OBJECT_SECURITY_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_OBJ_SEC_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_with_GET_CHANGES_OBJ_SEC_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_with_GET_CHANGES_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_with_GET_CHANGES_OBJECT_SECURITY_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_with_GET_CHANGES\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_OBJECT_SECURITY_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_OBJECT_SECURITY_with_GET_CHANGES_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_with_GET_CHANGES_attr\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_with_GET_CHANGES_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES_attr\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES_insist_on_empty_element\(.*\)
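Review bot: The 13 entries in the new selftest/knownfail.d/dirsync mark ConfidentialDirsyncTests, ConfidentialFilteredDirsyncTests and FilteredDirsyncTests cases as expected failures with no comment saying why they fail or which later change is meant to clear them. Because several of them cover unicodePwd and confidential attributes, a short header comment in the file would let a later reader tell an intended, temporary gap from a regression.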
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 5cbc5ccf2b8..7033146f46a 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -782,7 +782,7 @@ sub provision_raw_step1($$)
wins support = yes
server role = $ctx->{server_role}
server services = +echo $services
- dcerpc endpoint servers = +winreg +srvsvc
+ dcerpc endpoint servers = +winreg +srvsvc +rpcecho
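Review bot: `+rpcecho` is added to `dcerpc endpoint servers` in the selftest provisioning template without a comment, while the same push disables the rpcecho server by default for CVE-2023-42669. A comment beside the line stating that it is enabled for the test environment only would explain the divergence from the new default and discourage copying the setting into a production smb.conf.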
--
Samba Shared Repository