[SCM] Samba Shared Repository - branch v4-20-test updated
Jule Anger
janger at samba.org
Tue Jun 18 08:34:02 UTC 2024
The branch, v4-20-test has been updated
via 5b90acbef15 s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
via 4b4b0152fd7 selftest: Add a python blackbox test for some misc (widelink) DFS tests
via dceb2e56b63 script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision
via 5d593a735d3 build: Add --vendor-name --vendor-patch-revision options to ./configure
via f46faceae1f ctdb/docs: Include ceph rados namespace support in man page
via 9110627bc24 ctdb/ceph: Add optional namespace support for mutex helper
via df54d3fdda9 s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
via 89817ed2165 s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
via fdd61d60caa s4:dns_server: dns_verify_tsig should return REFUSED on error
via f663b386156 s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
via 3b36f447040 s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
via 299818567ea s4:dns_server: use the client provided algorithm for the fake TSIG structure
via 7ddd758da50 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
via 6e395cabf38 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
via ed8ef00c297 s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
via a7f3293ddf7 python:tests/dns_tkey: add test_update_tsig_record_access_denied()
via 9137bb66ab4 s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
via 5a98bc50263 python:tests/dns_base: add get_unpriv_creds() helper
via ff0afdd1b05 python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022
via bda80382eb5 python:tests/dns_base: let verify_packet() work against Windows
via fdfd4e8adce python:tests/dns_tkey: test bad and changing tsig algorithms
via 7dabac46b5a python:tests/dns_tkey: add gss.microsoft.com tsig updates
via 6438249cf1e python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()
via 501a25a1f07 python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms
via c7a936ecd27 python:tests/dns_base: maintain a dict with tkey related state
via da7c313740d python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True
via 85784854629 python:tests/dns_base: pass tkey_trans(expected_rcode)
via e58fe908371 python:tests/dns_base: let tkey_trans() take tkey_req_in_answers
via 12d4e452410 python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument
via 9cfc2e24331 python:tests/dns_tkey: make use of self.assert_echoed_dns_error()
via f7f0518b46a python:tests/dns_base: add self.assert_echoed_dns_error()
via c00749edb35 python:tests/dns_base: let dns_transaction_tcp() handle short receives
via 3bd80a2545a python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()
via 19fc5bb6b9d python:tests/dns_base: generate a real signature in bad_sign_packet()
from 8b8fef4c9c8 third_party: Update socket_wrapper to version 1.4.3
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test
- Log -----------------------------------------------------------------
commit 5b90acbef156174ea65014a298f926218a760c4e
Author: Noel Power <noel.power at suse.com>
Date: Fri Jun 7 19:35:47 2024 +0100
s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
This patch also removes known fail for existing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224
(cherry picked from commit 788ef8f07c75d5e6eca5b8f18d93d96f31574267)
[noel.power at suse.com backported to Samba 4.20 minor change to use
4.20 create_open_symlink_err fn instead of read_symlink_reparse]
Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-20-test): Tue Jun 18 08:33:30 UTC 2024 on atb-devel-224
commit 4b4b0152fd7cce2923ffcfe04eb07de4cc8721d7
Author: Noel Power <noel.power at suse.com>
Date: Tue Jun 11 11:19:50 2024 +0100
selftest: Add a python blackbox test for some misc (widelink) DFS tests
On master attempting to chdir into a nested dfs link
e.g. cd dfslink (works)
cd dfslink/another_dfslink (fails)
[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
enabled share
Add knownfails for tests 1 and 3
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
(cherry picked from commit 7f1de90f72d6e8287aec6ab1d9f7776b7df624e5)
commit dceb2e56b63c27ebe174b58c2bd5fab1fd3e4415
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 30 21:13:01 2024 +1200
script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15654
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
RN: We have added new options --vendor-name and --vendor-patch-revision arguments
to ./configure to allow distributions and packagers to put their name in the Samba
version string so that when debugging Samba the source of the binary is obvious.
[abartlet at samba.org adapted to 4.20 still having the seperate LDB build system
from commit 72112d4814eb3872016c1168c477531be835a1f9]
commit 5d593a735d371774b5a8847a4e820c894ec3e25f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 30 10:50:12 2024 +1200
build: Add --vendor-name --vendor-patch-revision options to ./configure
These options are for packagers and vendors to set so that when
Samba developers are debugging an issue, we know exactly which
package is in use, and so have an idea if any patches have been
applied.
This is included in the string that a Samba backtrace gives,
as part of the PANIC message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15654
REF: https://lists.samba.org/archive/samba-technical/2024-May/138992.html
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 651fb94c374c7f84405d960a9e0a0fd7fcb285dd)
commit f46faceae1fb5ad81dd1c099e99e3e3cf7a0701e
Author: Günther Deschner <gd at samba.org>
Date: Fri Jun 7 14:40:07 2024 +0530
ctdb/docs: Include ceph rados namespace support in man page
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15665
Document the new optional argument to specify the namespace to be
associated with RADOS objects in a pool.
Pair-Programmed-With: Anoop C S <anoopcs at samba.org>
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Autobuild-User(master): Anoop C S <anoopcs at samba.org>
Autobuild-Date(master): Fri Jun 14 07:42:25 UTC 2024 on atb-devel-224
(cherry picked from commit 35f6c3f3d4a5521e6576fcc0dd7dd3bbcea041b2)
commit 9110627bc24c5eda24d38a296cc72b2ffae54832
Author: Günther Deschner <gd at samba.org>
Date: Fri Jun 7 14:39:37 2024 +0530
ctdb/ceph: Add optional namespace support for mutex helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15665
RADOS objects within a pool can be associated to a namespace for
logical separation. librados already provides an API to configure
such a namespace with respect to a context. Make use of it as an
optional argument to the helper binary.
Pair-Programmed-With: Anoop C S <anoopcs at samba.org>
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>
(cherry picked from commit d8c52995f68fe088dd2174562faee69ed1c95edd)
commit df54d3fdda9cf9ad526c25fa13bca2daf75df356
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 30 14:52:22 2024 +0200
s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Jun 6 03:18:16 UTC 2024 on atb-devel-224
(cherry picked from commit ed61c57e02309b738e73fb12877a0a565b627724)
commit 89817ed2165320185d7254872a5c875cb04f12d1
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 30 14:39:28 2024 +0200
s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.
Note: this is a only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 76fec2668e73b9d15447abee551d5c04148aaf27)
commit fdd61d60caa96ca585f94916873a3485de1acf5b
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 30 14:42:53 2024 +0200
s4:dns_server: dns_verify_tsig should return REFUSED on error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit db350bc573b378fb0615bdd8592cc9c62f6db146)
commit f663b386156afec4a8d8bd5f99b5ffe7f365f144
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 30 14:41:21 2024 +0200
s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5906ed94f2c5c68e83c63e7c201534eeb323cfe7)
commit 3b36f447040d28bfc6494e84edbf98f947cba2a3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 31 08:38:24 2024 +0200
s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ae7538af04435658d2ba6dcab109beecb6c5f13e)
commit 299818567ea8238a791942428bcf9887e9738ac8
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 31 08:38:24 2024 +0200
s4:dns_server: use the client provided algorithm for the fake TSIG structure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bd0235cd515d5602ed9501bfc810a2487364ea10)
commit 7ddd758da50cc04a527061209c2f809b66b56f1f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 31 08:38:24 2024 +0200
s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3467d1491490830d61d16cb6278051daf48466fc)
commit 6e395cabf38b6ad42fbdcb56e72f08940cb070f3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 31 08:38:24 2024 +0200
s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fa0f23e69eaf4f475bc9dc9aa0e23c7bd5208250)
commit ed8ef00c297026350ea79e79248f2b9a0eaabe6b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 31 08:36:40 2024 +0200
s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a56627b0d125ef7b456bebe307087f324f1f0422)
commit a7f3293ddf764aa370db0147e245d73b687f29e4
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 11:40:51 2024 +0200
python:tests/dns_tkey: add test_update_tsig_record_access_denied()
This demonstrates that access_denied is only generated if the client
really generates a change in the database.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 708a6fae6978e1462e1a53f4ee08f11b51a5637a)
commit 9137bb66ab48d1220d88537c9a403a376439da28
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 11:39:56 2024 +0200
s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 753428a3b6c488c4aacea04d2ddb9ea73244695a)
commit 5a98bc50263c03a8302587f8f5e6baf62e1234b5
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 11:39:56 2024 +0200
python:tests/dns_base: add get_unpriv_creds() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 88457da00d4110b419f7a7ccabcd542fa77e463f)
commit ff0afdd1b056d26af785fc34209eded06615c9a4
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 13:17:54 2024 +0200
python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 848318338b2972f331e067bf1c8d6c7dac0748c8)
commit bda80382eb5f501eda1764c57832c8a386490427
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 13:17:54 2024 +0200
python:tests/dns_base: let verify_packet() work against Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8324d0739dfdd0a081c403e298a9038ee7df681f)
commit fdfd4e8adcee923909a0dc64cce5c867fb6c2a23
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 17:26:39 2024 +0200
python:tests/dns_tkey: test bad and changing tsig algorithms
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit de4ed363d378f2065a4634f94af80ea0e3965c96)
commit 7dabac46b5ac13949c450424d54f8cf4b39733e0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 17:18:34 2024 +0200
python:tests/dns_tkey: add gss.microsoft.com tsig updates
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b9b03ca503c43c7ee06df6c331839bd47f9eac8c)
commit 6438249cf1e52375c343f61dce8100cba614997e
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 14:15:45 2024 +0200
python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()
Also test using the additional record in the answers section.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3c7cb85eaf8371be55a371601cc354440dab7a94)
commit 501a25a1f07dc71699ae9610010b13d05d652573
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 16:41:12 2024 +0200
python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 740bda87a80b97816d892e8f7aae28759f6916ec)
commit c7a936ecd2723440f46eb1423135fcb391164943
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 14:10:52 2024 +0200
python:tests/dns_base: maintain a dict with tkey related state
This will allow tests to backup the whole state
and mix them.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b0af60e7850e656ef98edeac657c66b853080dab)
commit da7c313740d01f85c1c2f4e0c6bdecaa5bedbbfa
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 14:14:11 2024 +0200
python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1b1e7e06cf6ebd283de73c351267d53b42663d2f)
commit 85784854629c406f23cc46f075012696b59b392c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 16:07:53 2024 +0200
python:tests/dns_base: pass tkey_trans(expected_rcode)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 27d92fa808c6617353c36fdb230504e880f4925b)
commit e58fe908371c46b9e0e4518e7f9614ac796a584a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 14:08:13 2024 +0200
python:tests/dns_base: let tkey_trans() take tkey_req_in_answers
It's possible to put the additional into the answers section,
so we should be able to test that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cd747307d845f3cff723a7916aeeb31458f19202)
commit 12d4e452410f29cb23e130ddeaf44592ba98b7b2
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 13:17:54 2024 +0200
python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f8dfa9b33bdedffbe2e3b6e229ffae4beb3c712e)
commit 9cfc2e24331139dd4f8a4d2feb3bf335bd8cb049
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 13:35:58 2024 +0200
python:tests/dns_tkey: make use of self.assert_echoed_dns_error()
Failed DNS updates just echo the request flaged as response,
all other elements are unchanged.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6e997f93d53ac45af79aec030bad73f51bdc5629)
commit f7f0518b46a9d5c26fc6a362105c463bc6865817
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 13:35:58 2024 +0200
python:tests/dns_base: add self.assert_echoed_dns_error()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ce591464cb12ab00a5d5752a7cea5f909c3c3f1b)
commit c00749edb35115e111739473d7db57f33bff55a3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 31 08:07:24 2024 +0200
python:tests/dns_base: let dns_transaction_tcp() handle short receives
With socket_wrapper we only get 1500 byte chunks...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c741d0f3969abe821e8ee2a10f848159eb2749fe)
commit 3bd80a2545a57b88e58cedf5f9d7281fef15b361
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 13:16:40 2024 +0200
python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c594cbad4af97031bb7b5b0eb2fb228b00acf646)
commit 19fc5bb6b9d75ddb1b031817c7ee7688d7ca587f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 29 13:11:24 2024 +0200
python:tests/dns_base: generate a real signature in bad_sign_packet()
We just destroy the signature bytes but keep the header unchanged.
This makes it easier to look at it in wireshark.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ae23d512a724650ae2de1178ac43deff8266aa56)
-----------------------------------------------------------------------
Summary of changes:
buildtools/wafsamba/samba_version.py | 5 +
ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml | 4 +-
ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c | 50 +++-
python/samba/tests/blackbox/misc_dfs_widelink.py | 86 ++++++
python/samba/tests/dns_base.py | 213 ++++++++++-----
python/samba/tests/dns_tkey.py | 325 ++++++++++++++++++++---
python/samba/tests/join.py | 2 +-
script/autobuild.py | 3 +-
source3/smbd/files.c | 18 ++
source4/dns_server/dns_crypto.c | 49 +++-
source4/dns_server/dns_query.c | 27 +-
source4/dns_server/dns_update.c | 11 +
source4/dns_server/dnsserver_common.c | 2 +
source4/selftest/tests.py | 9 +-
wscript | 20 ++
15 files changed, 705 insertions(+), 119 deletions(-)
create mode 100644 python/samba/tests/blackbox/misc_dfs_widelink.py
Changeset truncated at 500 lines:
diff --git a/buildtools/wafsamba/samba_version.py b/buildtools/wafsamba/samba_version.py
index 31103e0f8c4..576168f5723 100644
--- a/buildtools/wafsamba/samba_version.py
+++ b/buildtools/wafsamba/samba_version.py
@@ -253,6 +253,11 @@ def samba_version_file(version_file, path, env=None, is_install=True):
print("Failed to parse line %s from %s" % (line, version_file))
raise
+ if "SAMBA_VERSION_VENDOR_SUFFIX" in env:
+ version_dict["SAMBA_VERSION_VENDOR_SUFFIX"] = env.SAMBA_VERSION_VENDOR_SUFFIX
+ if "SAMBA_VERSION_VENDOR_PATCH" in env:
+ version_dict["SAMBA_VERSION_VENDOR_PATCH"] = str(env.SAMBA_VERSION_VENDOR_PATCH)
+
return SambaVersion(version_dict, path, env=env, is_install=is_install)
diff --git a/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml b/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml
index f558f873d9a..93d79cea5dc 100644
--- a/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml
+++ b/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml
@@ -29,12 +29,14 @@
<manvolnum>5</manvolnum></citerefentry>:
</para>
<screen format="linespecific">
-cluster lock = !ctdb_mutex_ceph_rados_helper [Cluster] [User] [Pool] [Object]
+cluster lock = !ctdb_mutex_ceph_rados_helper [Cluster] [User] [Pool] [Object] [Timeout] [-n Namespace]
Cluster: Ceph cluster name (e.g. ceph)
User: Ceph cluster user name (e.g. client.admin)
Pool: Ceph RADOS pool name
Object: Ceph RADOS object name
+Timeout: Ceph RADOS lock duration in seconds (optional)
+Namespace: Ceph RADOS pool namespace (optional)
</screen>
<para>
The Ceph cluster <parameter>Cluster</parameter> must be up and running,
diff --git a/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c b/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
index 7d868a38b23..46566c97a83 100644
--- a/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
+++ b/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
@@ -42,9 +42,18 @@
static char *progname = NULL;
+static void usage(void)
+{
+ fprintf(stderr, "Usage: %s <Ceph Cluster> <Ceph user> "
+ "<RADOS pool> <RADOS object> "
+ "[lock duration secs] [-n RADOS namespace]\n",
+ progname);
+}
+
static int ctdb_mutex_rados_ctx_create(const char *ceph_cluster_name,
const char *ceph_auth_name,
const char *pool_name,
+ const char *namespace,
rados_t *_ceph_cluster,
rados_ioctx_t *_ioctx)
{
@@ -87,6 +96,10 @@ static int ctdb_mutex_rados_ctx_create(const char *ceph_cluster_name,
return ret;
}
+ if (namespace != NULL) {
+ rados_ioctx_set_namespace(ioctx, namespace);
+ }
+
*_ceph_cluster = ceph_cluster;
*_ioctx = ioctx;
@@ -145,6 +158,7 @@ struct ctdb_mutex_rados_state {
const char *ceph_cluster_name;
const char *ceph_auth_name;
const char *pool_name;
+ const char *namespace;
const char *object;
uint64_t lock_duration_s;
int ppid;
@@ -295,15 +309,13 @@ static int ctdb_mutex_rados_mgr_reg(rados_t ceph_cluster)
int main(int argc, char *argv[])
{
int ret;
+ int opt;
struct ctdb_mutex_rados_state *cmr_state;
progname = argv[0];
- if ((argc != 5) && (argc != 6)) {
- fprintf(stderr, "Usage: %s <Ceph Cluster> <Ceph user> "
- "<RADOS pool> <RADOS object> "
- "[lock duration secs]\n",
- progname);
+ if (argc < 5) {
+ usage();
ret = -EINVAL;
goto err_out;
}
@@ -325,15 +337,36 @@ int main(int argc, char *argv[])
cmr_state->ceph_auth_name = argv[2];
cmr_state->pool_name = argv[3];
cmr_state->object = argv[4];
- if (argc == 6) {
+
+ optind = 5;
+ while ((opt = getopt(argc, argv, "n:")) != -1) {
+ switch(opt) {
+ case 'n':
+ cmr_state->namespace = optarg;
+ break;
+ default:
+ usage();
+ ret = -EINVAL;
+ goto err_ctx_cleanup;
+ }
+ }
+
+ if (argv[optind] != NULL) {
/* optional lock duration provided */
char *endptr = NULL;
- cmr_state->lock_duration_s = strtoull(argv[5], &endptr, 0);
- if ((endptr == argv[5]) || (*endptr != '\0')) {
+ cmr_state->lock_duration_s = strtoull(argv[optind], &endptr, 0);
+ if ((endptr == argv[optind]) || (*endptr != '\0')) {
fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
ret = -EINVAL;
goto err_ctx_cleanup;
}
+ if (argv[++optind] != NULL) {
+ /* incorrect count or format for optional arguments */
+ usage();
+ ret = -EINVAL;
+ goto err_ctx_cleanup;
+ }
+
} else {
cmr_state->lock_duration_s
= CTDB_MUTEX_CEPH_LOCK_DURATION_SECS_DEFAULT;
@@ -398,6 +431,7 @@ int main(int argc, char *argv[])
ret = ctdb_mutex_rados_ctx_create(cmr_state->ceph_cluster_name,
cmr_state->ceph_auth_name,
cmr_state->pool_name,
+ cmr_state->namespace,
&cmr_state->ceph_cluster,
&cmr_state->ioctx);
if (ret < 0) {
diff --git a/python/samba/tests/blackbox/misc_dfs_widelink.py b/python/samba/tests/blackbox/misc_dfs_widelink.py
new file mode 100644
index 00000000000..7948590d710
--- /dev/null
+++ b/python/samba/tests/blackbox/misc_dfs_widelink.py
@@ -0,0 +1,86 @@
+# Blackbox tests for DFS (widelink)
+#
+# Copyright (C) Noel Power noel.power at suse.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from samba.tests import BlackboxTestCase, BlackboxProcessError
+from samba.samba3 import param as s3param
+
+from samba.credentials import Credentials
+
+import os
+
+class DfsWidelinkBlockboxTestBase(BlackboxTestCase):
+
+ def setUp(self):
+ super().setUp()
+ self.lp = s3param.get_context()
+ self.server = os.environ["SERVER"]
+ self.user = os.environ["USER"]
+ self.passwd = os.environ["PASSWORD"]
+ self.creds = Credentials()
+ self.creds.guess(self.lp)
+ self.creds.set_username(self.user)
+ self.creds.set_password(self.passwd)
+ self.testdir = os.getenv("TESTDIR", "msdfs-share-wl")
+ self.share = os.getenv("SHARE", "msdfs-share-wl")
+ self.dirpath = os.path.join(os.environ["LOCAL_PATH"],self.testdir)
+ # allow a custom teardown function to be defined
+ self.cleanup = None
+ self.cleanup_args = []
+
+ def tearDown(self):
+ try:
+ if (self.cleanup):
+ self.cleanup(self.cleanup_args)
+ except Exception as e:
+ print("remote remove failed: %s" % str(e))
+
+ def build_test_cmd(self, cmd, args):
+ cmd = [cmd, "-U%s%%%s" % (self.user, self.passwd)]
+ cmd.extend(args)
+ return cmd
+
+ def test_ci_chdir(self):
+ parent_dir = "msdfs-src1"
+ dirs = [parent_dir, parent_dir.upper()]
+ # try as named dir first then try upper-cased version
+ for adir in dirs:
+ smbclient_args = self.build_test_cmd("smbclient", ["//%s/%s" % (self.server, self.share), "-c", "cd %s" % (adir)])
+ try:
+ out_str = self.check_output(smbclient_args)
+ except BlackboxProcessError as e:
+ print(str(e))
+ self.fail(str(e))
+
+ def test_nested_chdir(self):
+ parent_dir = "dfshop1"
+ child_dir = "dfshop2"
+ smbclient_args = self.build_test_cmd("smbclient", ["//%s/%s" % (self.server, self.share), "-c", "cd %s/%s" % (parent_dir,child_dir)])
+ try:
+ out_str = self.check_output(smbclient_args)
+ except BlackboxProcessError as e:
+ print(str(e))
+ self.fail(str(e))
+
+ def test_enumerate_dfs_link(self):
+ smbclient_args = self.build_test_cmd("smbclient", ["//%s/%s" % (self.server, self.share), "-c", "dir"])
+ try:
+ out_str = self.check_output(smbclient_args)
+ except BlackboxProcessError as e:
+ print(str(e))
+ self.fail(str(e))
+ out_str = out_str.decode()
+ self.assertIn("msdfs-src1", out_str)
diff --git a/python/samba/tests/dns_base.py b/python/samba/tests/dns_base.py
index d320a0e9183..43a62b1ac57 100644
--- a/python/samba/tests/dns_base.py
+++ b/python/samba/tests/dns_base.py
@@ -20,6 +20,7 @@ from samba.tests import TestCaseInTempDir
from samba.dcerpc import dns, dnsp
from samba import gensec, tests
from samba import credentials
+from samba import NTSTATUSError
import struct
import samba.ndr as ndr
import random
@@ -76,6 +77,24 @@ class DNSTest(TestCaseInTempDir):
self.assertEqual(p_opcode, opcode, "Expected OPCODE %s, got %s" %
(opcode, p_opcode))
+ def assert_dns_flags_equals(self, packet, flags):
+ "Helper function to check opcode"
+ p_flags = packet.operation & (~(dns.DNS_OPCODE|dns.DNS_RCODE))
+ self.assertEqual(p_flags, flags, "Expected FLAGS %02x, got %02x" %
+ (flags, p_flags))
+
+ def assert_echoed_dns_error(self, request, response, response_p, rcode):
+
+ request_p = ndr.ndr_pack(request)
+
+ self.assertEqual(response.id, request.id)
+ self.assert_dns_rcode_equals(response, rcode)
+ self.assert_dns_opcode_equals(response, request.operation & dns.DNS_OPCODE)
+ self.assert_dns_flags_equals(response,
+ (request.operation | dns.DNS_FLAG_REPLY) & (~(dns.DNS_OPCODE|dns.DNS_RCODE)))
+ self.assertEqual(len(response_p), len(request_p))
+ self.assertEqual(response_p[4:], request_p[4:])
+
def make_name_packet(self, opcode, qid=None):
"Helper creating a dns.name_packet"
p = dns.name_packet()
@@ -112,6 +131,8 @@ class DNSTest(TestCaseInTempDir):
return self.creds.get_realm().lower()
def dns_transaction_udp(self, packet, host,
+ allow_remaining=False,
+ allow_truncated=False,
dump=False, timeout=None):
"send a DNS query and read the reply"
s = None
@@ -128,8 +149,22 @@ class DNSTest(TestCaseInTempDir):
recv_packet = s.recv(2048, 0)
if dump:
print(self.hexdump(recv_packet))
- response = ndr.ndr_unpack(dns.name_packet, recv_packet)
+ if allow_truncated:
+ # with allow_remaining
+ # we add some zero bytes
+ # in order to also parse truncated
+ # responses
+ recv_packet_p = recv_packet + 32*b"\x00"
+ allow_remaining = True
+ else:
+ recv_packet_p = recv_packet
+ response = ndr.ndr_unpack(dns.name_packet, recv_packet_p,
+ allow_remaining=allow_remaining)
return (response, recv_packet)
+ except RuntimeError as re:
+ if s is not None:
+ s.close()
+ raise AssertionError(re)
finally:
if s is not None:
s.close()
@@ -151,11 +186,26 @@ class DNSTest(TestCaseInTempDir):
tcp_packet += send_packet
s.sendall(tcp_packet)
- recv_packet = s.recv(0xffff + 2, 0)
+ recv_packet = b''
+ length = None
+ for i in range(0, 2 + 0xffff):
+ if len(recv_packet) >= 2:
+ length, = struct.unpack('!H', recv_packet[0:2])
+ remaining = 2 + length
+ else:
+ remaining = 2 + 12
+ remaining -= len(recv_packet)
+ if remaining == 0:
+ break
+ recv_packet += s.recv(remaining, 0)
if dump:
print(self.hexdump(recv_packet))
response = ndr.ndr_unpack(dns.name_packet, recv_packet[2:])
+ except RuntimeError as re:
+ if s is not None:
+ s.close()
+ raise AssertionError(re)
finally:
if s is not None:
s.close()
@@ -217,18 +267,41 @@ class DNSTKeyTest(DNSTest):
self.creds.set_username(tests.env_get_var_value('USERNAME'))
self.creds.set_password(tests.env_get_var_value('PASSWORD'))
self.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
+
+ self.unpriv_creds = None
+
self.newrecname = "tkeytsig.%s" % self.get_dns_domain()
- def tkey_trans(self, creds=None):
+ def get_unpriv_creds(self):
+ if self.unpriv_creds is not None:
+ return self.unpriv_creds
+
+ self.unpriv_creds = credentials.Credentials()
+ self.unpriv_creds.guess(self.lp_ctx)
+ self.unpriv_creds.set_username(tests.env_get_var_value('USERNAME_UNPRIV'))
+ self.unpriv_creds.set_password(tests.env_get_var_value('PASSWORD_UNPRIV'))
+ self.unpriv_creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
+
+ return self.unpriv_creds
+
+ def tkey_trans(self, creds=None, algorithm_name="gss-tsig",
+ tkey_req_in_answers=False,
+ expected_rcode=dns.DNS_RCODE_OK):
"Do a TKEY transaction and establish a gensec context"
if creds is None:
creds = self.creds
- self.key_name = "%s.%s" % (uuid.uuid4(), self.get_dns_domain())
+ mech = 'spnego'
+
+ tkey = {}
+ tkey['name'] = "%s.%s" % (uuid.uuid4(), self.get_dns_domain())
+ tkey['creds'] = creds
+ tkey['mech'] = mech
+ tkey['algorithm'] = algorithm_name
p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
- q = self.make_name_question(self.key_name,
+ q = self.make_name_question(tkey['name'],
dns.DNS_QTYPE_TKEY,
dns.DNS_QCLASS_IN)
questions = []
@@ -236,30 +309,30 @@ class DNSTKeyTest(DNSTest):
self.finish_name_packet(p, questions)
r = dns.res_rec()
- r.name = self.key_name
+ r.name = tkey['name']
r.rr_type = dns.DNS_QTYPE_TKEY
r.rr_class = dns.DNS_QCLASS_IN
r.ttl = 0
r.length = 0xffff
rdata = dns.tkey_record()
- rdata.algorithm = "gss-tsig"
+ rdata.algorithm = algorithm_name
rdata.inception = int(time.time())
rdata.expiration = int(time.time()) + 60 * 60
rdata.mode = dns.DNS_TKEY_MODE_GSSAPI
rdata.error = 0
rdata.other_size = 0
- self.g = gensec.Security.start_client(self.settings)
- self.g.set_credentials(creds)
- self.g.set_target_service("dns")
- self.g.set_target_hostname(self.server)
- self.g.want_feature(gensec.FEATURE_SIGN)
- self.g.start_mech_by_name("spnego")
+ tkey['gensec'] = gensec.Security.start_client(self.settings)
+ tkey['gensec'].set_credentials(creds)
+ tkey['gensec'].set_target_service("dns")
+ tkey['gensec'].set_target_hostname(self.server)
+ tkey['gensec'].want_feature(gensec.FEATURE_SIGN)
+ tkey['gensec'].start_mech_by_name(tkey['mech'])
finished = False
client_to_server = b""
- (finished, server_to_client) = self.g.update(client_to_server)
+ (finished, server_to_client) = tkey['gensec'].update(client_to_server)
self.assertFalse(finished)
data = [x if isinstance(x, int) else ord(x) for x in list(server_to_client)]
@@ -268,56 +341,76 @@ class DNSTKeyTest(DNSTest):
r.rdata = rdata
additional = [r]
- p.arcount = 1
- p.additional = additional
+ if tkey_req_in_answers:
+ p.ancount = 1
+ p.answers = additional
+ else:
+ p.arcount = 1
+ p.additional = additional
(response, response_packet) =\
self.dns_transaction_tcp(p, self.server_ip)
+ if expected_rcode != dns.DNS_RCODE_OK:
+ self.assert_echoed_dns_error(p, response, response_packet, expected_rcode)
+ return
self.assert_dns_rcode_equals(response, dns.DNS_RCODE_OK)
tkey_record = response.answers[0].rdata
server_to_client = bytes(tkey_record.key_data)
- (finished, client_to_server) = self.g.update(server_to_client)
+ (finished, client_to_server) = tkey['gensec'].update(server_to_client)
self.assertTrue(finished)
+ self.tkey = tkey
+
self.verify_packet(response, response_packet)
def verify_packet(self, response, response_packet, request_mac=b""):
+ self.assertEqual(response.arcount, 1)
self.assertEqual(response.additional[0].rr_type, dns.DNS_QTYPE_TSIG)
+ if self.tkey['algorithm'] == "gss-tsig":
+ gss_tsig = True
+ else:
+ gss_tsig = False
+
+ request_mac_len = b""
+ if len(request_mac) > 0 and gss_tsig:
+ request_mac_len = struct.pack('!H', len(request_mac))
+
tsig_record = response.additional[0].rdata
mac = bytes(tsig_record.mac)
+ self.assertEqual(tsig_record.original_id, response.id)
+ self.assertEqual(tsig_record.mac_size, len(mac))
+
# Cut off tsig record from dns response packet for MAC verification
# and reset additional record count.
- key_name_len = len(self.key_name) + 2
- tsig_record_len = len(ndr.ndr_pack(tsig_record)) + key_name_len + 10
-
- # convert str/bytes to a list (of string char or int)
- # so it can be modified
- response_packet_list = [x if isinstance(x, int) else ord(x) for x in response_packet]
- del response_packet_list[-tsig_record_len:]
- response_packet_list[11] = 0
-
- # convert modified list (of string char or int) to str/bytes
- response_packet_wo_tsig = bytes(response_packet_list)
+ response_copy = ndr.ndr_deepcopy(response)
+ response_copy.arcount = 0
+ response_packet_wo_tsig = ndr.ndr_pack(response_copy)
fake_tsig = dns.fake_tsig_rec()
- fake_tsig.name = self.key_name
+ fake_tsig.name = self.tkey['name']
fake_tsig.rr_class = dns.DNS_QCLASS_ANY
fake_tsig.ttl = 0
fake_tsig.time_prefix = tsig_record.time_prefix
fake_tsig.time = tsig_record.time
fake_tsig.algorithm_name = tsig_record.algorithm_name
fake_tsig.fudge = tsig_record.fudge
- fake_tsig.error = 0
- fake_tsig.other_size = 0
+ fake_tsig.error = tsig_record.error
+ fake_tsig.other_size = tsig_record.other_size
+ fake_tsig.other_data = tsig_record.other_data
--
Samba Shared Repository
More information about the samba-cvs
mailing list