[SCM] Samba Shared Repository - branch v4-20-test updated

Stefan Metzmacher metze at samba.org
Thu May 30 10:58:01 UTC 2024


The branch, v4-20-test has been updated
       via  9d80c928b01 s4:nbt_server: simulate nmbd and provide unexpected handling
       via  6a673a35ea0 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs
       via  82f73dc2312 s4:libcli/dgram: make use of socket_address_copy()
       via  40fe6480d0d s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages
       via  cf37f9f5272 libcli/nbt: add nbt_name_send_raw()
       via  b440c11ea0f s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL
       via  b0c2389c886 s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()
       via  234df77ae0a s3:libsmb/unexpected: don't use talloc_tos() in async code
       via  2f73d251e0c s3:wscript: LIBNMB requires lp_ functions
       via  27e4297f4c7 s3:include: split out fstring.h
       via  260d1bbacf8 s3:include: let nameserv.h be useable on its own
       via  4257e3b8fef s3:libads: avoid changing ADS->server.workgroup
       via  ba361b11d2e s3:libsmb: allow store_cldap_reply() to work with an ipv6 response
       via  0d0fbf2bb86 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()
       via  2954489bd56 s3:utils: let smbstatus report anonymous signing/encryption explicitly
       via  9530c418a38 s3:smbd: allow anonymous encryption after one authenticated session setup
       via  610e11af858 s3:utils: let smbstatus also report partial tcon signing/encryption
       via  6fbf5deb559 s3:utils: let smbstatus also report AES-256 encryption types for tcons
       via  c547e0c0ff7 s3:utils: let connections_forall_read() report if the session was authenticated
       via  fe91ed785ed s3:lib: let sessionid_traverse_read() report if the session was authenticated
       via  716a0443c9f s3:utils: remove unused signing_flags in connections_forall()
       via  cd05e7ed937 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
       via  b945f645732 s4:libcli/smb2: add hack to test anonymous signing and encryption
       via  b7606714959 smbXcli_base: add hacks to test anonymous signing and encryption
       via  dfcbd88504d tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative
       via  1b21c09d513 .gitlab-ci-main.yml: debug kernel details of the current runner
       via  d5638013962 .gitlab-ci: Remove tags no longer provided by gitlab.com
      from  9b6bc91254c VERSION: Bump version up to Samba 4.20.2...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -----------------------------------------------------------------
commit 9d80c928b0196839035c0272c0945aad8a3b461a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 14 12:34:48 2024 +0100

    s4:nbt_server: simulate nmbd and provide unexpected handling
    
    This is needed in order to let nbt_getdc() work against
    another AD DC and get back a modern response with
    DNS based names, instead of falling back to
    the ugly name_status_find() that simulates just
    a NETLOGON_SAM_LOGON_RESPONSE_NT40 response.
    
    This way dsgetdcname() can work with just the netbios
    domain name given and still return an active directory
    response.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 796f33c05a0ca337b675b5d4d127f7c53b22528f)
    
    Autobuild-User(v4-20-test): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(v4-20-test): Thu May 30 10:57:04 UTC 2024 on atb-devel-224

commit 6a673a35ea0a5d79526b96ed462cd7d0d916abbb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 14 13:49:21 2024 +0100

    s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1)

commit 82f73dc23127c033346604fdfc94d5bf94295375
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 15 17:47:45 2024 +0100

    s4:libcli/dgram: make use of socket_address_copy()
    
    This avoids talloc_reference...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 77f4f1c7dbaa2bb04d59d908923f6d11fd514da2)

commit 40fe6480d0d4c0dc00b05e8c52b234243c4e652b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 15 16:42:16 2024 +0100

    s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 11861bcfc3054894bc445e631ae03befb4865db8)

commit cf37f9f527269ac2d76577dc0df53f1d369f1817
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 15 17:47:13 2024 +0100

    libcli/nbt: add nbt_name_send_raw()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit cca373b806e01fc57bd5316d3f8a17578b4b6531)

commit b440c11ea0f770623f67f8e1f6e8f3fee0cf15f9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 15 17:29:46 2024 +0100

    s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL
    
    In 2024 we always want an active directory response...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 2b66663c75cdb3bc1b6bc5b1736dd9d35b094b42)

commit b0c2389c886673451f48a1be9ca51415b44314fb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 14 11:38:19 2024 +0100

    s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()
    
    This will allow source4/nbt_server to make use of
    nb_packet_server_create().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 696505a1efbcc9803a287d8c267fed9d04bf8885)

commit 234df77ae0a50b3471cc28209ec1e523a198838d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 14 13:49:43 2024 +0100

    s3:libsmb/unexpected: don't use talloc_tos() in async code
    
    It's not needed and it requires the caller to set up a
    stackframe...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f90cf0822d6e66426d72f92bd585119066e2a9c3)

commit 2f73d251e0c23973d649ac32f30d6539df8fd950
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 15 16:37:34 2024 +0100

    s3:wscript: LIBNMB requires lp_ functions
    
    We need to make this explicit in order to let LIBNMB be used
    in source4 code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 011f68ae5ddc3fae8b453744aeb95766d885915e)

commit 27e4297f4c767612917905246598a564a95b0b82
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 15 16:53:29 2024 +0100

    s3:include: split out fstring.h
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 105247c90007474947e2314b63be72fb21f09811)

commit 260d1bbacf874254762825a6da398952cea61499
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 14 14:15:47 2024 +0100

    s3:include: let nameserv.h be useable on its own
    
    A lot of stuff is private to nmbd and can
    be moved from nameserv.h.
    
    This allows moving the required types from smb.h to
    nameserv.h, so that it can be standalone.
    Including it from smb.h is not a huge problem
    as nmbd internals are gone from nameserv.h.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 7f96c21029e3b94d38bd871c79cabf872ad77fae)

commit 4257e3b8fef705216a630320e0743a0ab6ed43bb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 15 03:34:11 2021 +0200

    s3:libads: avoid changing ADS->server.workgroup
    
    ads_find_dc() uses c_domain = ads->server.workgroup and
    doesn't expect it to get out of scope deep in resolve_and_ping_dns().
    
    The result is corrupted domain values in the debug output.
    
    Valgrind shows this:
    
     Invalid read of size 1
        at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
        by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
        by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
        by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
        by 0x5D2ED3F: dbgtext (debug.c:1881)
        by 0x4BFFB50: ads_find_dc (ldap.c:570)
        by 0x4C001F4: ads_connect (ldap.c:704)
        by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
      Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
        at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
        by 0x4BFF0AF: ads_try_connect (ldap.c:299)
        by 0x4BFF40E: cldap_ping_list (ldap.c:367)
        by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
        by 0x4BFFA91: ads_find_dc (ldap.c:556)
        by 0x4C001F4: ads_connect (ldap.c:704)
        by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
      Block was alloc'd at
        at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
        by 0x60B250E: strdup (strdup.c:42)
        by 0x4FF1492: smb_xstrdup (util.c:743)
        by 0x4C10E62: ads_init (ads_struct.c:148)
        by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ca859e55d28f421196bc2660cfa84595ec5b57c6)

commit ba361b11d2e664f4d84718af71118bcdb31fc1f0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue May 7 14:53:24 2024 +0000

    s3:libsmb: allow store_cldap_reply() to work with an ipv6 response
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224
    
    (cherry picked from commit 712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2)

commit 0d0fbf2bb860f3cbc29c74b4ff8c9b3f65778152
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 6 21:09:58 2024 +0100

    s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()
    
    I have customer backtraces showing that 'drsuapi' is NULL in
    dreplsrv_op_pull_source_get_changes_trigger() called from the
    WERR_DS_DRA_SCHEMA_MISMATCH retry case of
    dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was
    a valid pointer there.
    
    From reading the code I don't understand how this can happen,
    but it does very often on RODCs. And this fix prevents the problem.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 83030780285290ecf64b57c1744634379b68ea01)

commit 2954489bd56914a16efab2d3239d54b450c97982
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 3 15:14:38 2023 +0200

    s3:utils: let smbstatus report anonymous signing/encryption explicitly
    
    We should mark sessions/tcons with anonymous encryption or signing
    in a special way, as the value of it is void, all based on a
    session key with 16 zero bytes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224
    
    (cherry picked from commit 5a54c9b28abb1464c84cb4be15a49718d8ae6795)

commit 9530c418a38fae94ae0b0222a267fb429fa7de40
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 30 18:05:51 2023 +0200

    s3:smbd: allow anonymous encryption after one authenticated session setup
    
    I have captures where a client tries smb3 encryption on an anonymous session,
    we used to allow that before commit da7dcc443f45d07d9963df9daae458fbdd991a47
    was released with samba-4.15.0rc1.
    
    Testing against Windows Server 2022 revealed that anonymous signing is always
    allowed (with the session key derived from 16 zero bytes) and
    anonymous encryption is allowed after one authenticated session setup on
    the tcp connection.
    
    https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit f3ddfb828e66738ca461c3284c423defb774547c)
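
    The two commits above (smbstatus marking anonymous signing/encryption
    as void, and smbd allowing anonymous encryption again) both rest on the
    same fact: an anonymous session's session key is 16 zero bytes, so every
    key derived from it is computable by anyone on the wire. The following
    Python is an added example written for this page, not Samba code and not
    part of either commit. It derives the SMB 3.0.x and 3.1.1 signing and
    cipher keys from the all-zero session key with the SP800-108 counter-mode
    HMAC-SHA256 KDF and the label/context strings MS-SMB2 specifies, then
    shows a signature forgery on the SMB 2.x (HMAC-SHA256) signing scheme,
    used here because AES-CMAC is not in the Python standard library; SMB 3.x
    feeds the derived key to AES-CMAC (or AES-GMAC where negotiated) instead,
    and the point is unchanged. The preauth hash, the SMB2 header and the
    function names (smb3_kdf, anonymous_signature_is_forgeable, ...) are
    constructed for the example and are assumptions, not Samba or Windows APIs.

```python
"""Added example (not Samba code): keys an anonymous SMB session derives from
its all-zero session key, and why a signature under such a key is worthless."""
import hashlib
import hmac
import struct

# An anonymous (NULL) session ends up with a session key of 16 zero bytes,
# which is the value the commit messages refer to.
ANONYMOUS_SESSION_KEY = bytes(16)

# Constructed stand-in for the SMB 3.1.1 preauth integrity hash (SHA-512 over
# the negotiate/session-setup exchange); any 64-byte value works for the demo.
SAMPLE_PREAUTH_HASH = hashlib.sha512(b"constructed preauth exchange").digest()


def smb3_kdf(key: bytes, label: bytes, context: bytes, length_bits: int = 128) -> bytes:
    """SP800-108 KDF, counter mode, PRF = HMAC-SHA256, as used for SMB 3.x keys:
    K(i) = HMAC(key, [i]_4 || Label || 0x00 || Context || [L]_4), big-endian ints."""
    out = b""
    counter = 1
    while len(out) * 8 < length_bits:
        fixed = (struct.pack(">I", counter) + label + b"\x00" + context
                 + struct.pack(">I", length_bits))
        out += hmac.new(key, fixed, hashlib.sha256).digest()
        counter += 1
    return out[: length_bits // 8]


def smb30_signing_key(session_key: bytes) -> bytes:
    # SMB 3.0 / 3.0.2: Label "SMB2AESCMAC", Context "SmbSign" (both NUL-terminated).
    return smb3_kdf(session_key, b"SMB2AESCMAC\x00", b"SmbSign\x00")


def smb311_signing_key(session_key: bytes, preauth_hash: bytes) -> bytes:
    # SMB 3.1.1: Label "SMBSigningKey", Context = preauth integrity hash.
    return smb3_kdf(session_key, b"SMBSigningKey\x00", preauth_hash)


def smb311_cipher_keys(session_key: bytes, preauth_hash: bytes, aes256: bool = False) -> tuple:
    """Client-to-server and server-to-client cipher keys; AES-256 ciphers use L = 256,
    which is the "AES-256 encryption types" smbstatus now reports for tcons."""
    bits = 256 if aes256 else 128
    c2s = smb3_kdf(session_key, b"SMBC2SCipherKey\x00", preauth_hash, bits)
    s2c = smb3_kdf(session_key, b"SMBS2CCipherKey\x00", preauth_hash, bits)
    return c2s, s2c


# SMB 2.0.2 / 2.1 sign directly with the session key: HMAC-SHA256 over the
# message with the 16-byte Signature field (header offset 48) zeroed.
SIG_OFF, SIG_LEN = 48, 16


def smb2_sign(signing_key: bytes, message: bytes) -> bytes:
    body = message[:SIG_OFF] + bytes(SIG_LEN) + message[SIG_OFF + SIG_LEN:]
    sig = hmac.new(signing_key, body, hashlib.sha256).digest()[:SIG_LEN]
    return message[:SIG_OFF] + sig + message[SIG_OFF + SIG_LEN:]


def smb2_verify(signing_key: bytes, message: bytes) -> bool:
    expected = smb2_sign(signing_key, message)[SIG_OFF:SIG_OFF + SIG_LEN]
    return hmac.compare_digest(expected, message[SIG_OFF:SIG_OFF + SIG_LEN])


def constructed_smb2_header(command: int, flags: int = 0x8) -> bytes:
    """A 64-byte SMB2 header (constructed): ProtocolId, StructureSize=64,
    CreditCharge=1, Status=0, Command, CreditRequest=1, Flags (0x8 = SIGNED);
    the remaining fields, including the Signature, are left zero."""
    hdr = bytearray(64)
    hdr[0:4] = b"\xfeSMB"
    struct.pack_into("<HHIHHI", hdr, 4, 64, 1, 0, command, 1, flags)
    return bytes(hdr)


def anonymous_signature_is_forgeable(message: bytes) -> bool:
    """What the smbstatus change is warning about: a message "signed" on an
    anonymous session verifies under a key any observer derives from zeros."""
    signed_by_peer = smb2_sign(ANONYMOUS_SESSION_KEY, message)  # what the peer sends
    attacker_key = bytes(16)                                      # no secret involved
    return smb2_verify(attacker_key, signed_by_peer)


if __name__ == "__main__":
    print("SMB3.0 anonymous signing key:", smb30_signing_key(ANONYMOUS_SESSION_KEY).hex())
    print("forgeable:", anonymous_signature_is_forgeable(constructed_smb2_header(3)))
```

    The derived keys are deterministic functions of public data (zeros plus
    the preauth hash, which is itself computed over cleartext messages), so
    "encrypted" or "signed" here protects against nothing but accidental
    corruption; that is why smbstatus flags such sessions and tcons rather
    than listing them as protected.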

commit 610e11af858982d8ba81933f9cf8cb9d5217a14a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 3 15:12:38 2023 +0200

    s3:utils: let smbstatus also report partial tcon signing/encryption
    
    We already do that for sessions and also for the json output,
    but it was missing in the non-json output for tcons.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 551756abd2c9e4922075bc3037db645355542363)

commit 6fbf5deb559286a0b943bcb53eb371b805a96ad8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 3 15:12:38 2023 +0200

    s3:utils: let smbstatus also report AES-256 encryption types for tcons
    
    We already do that for sessions.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 8119fd6d6a49b869bd9e8ff653b500e194b070de)

commit c547e0c0ff7508eb972143b4de27ecf716d85585
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 3 15:10:08 2023 +0200

    s3:utils: let connections_forall_read() report if the session was authenticated
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 5089d8550640f72b1e0373f8ac321378ccaa8bd5)

commit fe91ed785edc68b5e2dfb2471ffcaa7ca5ea970e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 3 15:08:31 2023 +0200

    s3:lib: let sessionid_traverse_read() report if the session was authenticated
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 596a10d1079f5c4a954108c81efc862c22a11f28)

commit 716a0443c9fea779b456fcd25e6d74617800aaa6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 3 15:05:59 2023 +0200

    s3:utils: remove unused signing_flags in connections_forall()
    
    We never use the signing flags from the session, as the tcon
    has its own signing flags.
    
    https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit a9f84593f44f15a19c4cdde1e7ad53cd5e03b4d9)

commit cd05e7ed9377abc6fdb72b3951e0dffa8ed84e55
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 15 10:02:00 2024 +0200

    s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
    
    These demonstrate how anonymous encryption and signing work.
    They pass against Windows 2022 as AD DC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 6c5781b5f154857f1454f41133687fba8c4c9df9)

commit b945f645732a3545fdbc9d410c8ddda1bcbb3e29
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 15 10:51:42 2024 +0200

    s4:libcli/smb2: add hack to test anonymous signing and encryption
    
    This will be used in torture tests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 6a89615d78119c0bff2fb07bd0c62e4c31ea8441)

commit b7606714959a5d0ca31e3e805b9a0f9aab13682a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue May 14 18:21:33 2024 +0200

    smbXcli_base: add hacks to test anonymous signing and encryption
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 14d6e2672126adee85997dc3d3c64607c987e8b9)

commit dfcbd88504d0b8b4d48931f61d4a050807a27050
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 8 18:03:54 2024 +0200

    tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative
    
    This expects PermissionError: [Errno 1] Operation not permitted,
    but it seems that setxattr() for security.NTACL works on gitlab
    runners without being root.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 237d9d0228cfed6d2e08b41b888d30aac5ab89e3)

commit 1b21c09d5132d6d60951ef192c72a9bac4158d99
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 8 16:12:06 2024 +0200

    .gitlab-ci-main.yml: debug kernel details of the current runner
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 380d9c5a7392741ff2134ef1e83df45a29293db3)

commit d5638013962fb9a8343ef7bf25ccb45a4fcd25dd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 7 22:32:08 2024 +1200

    .gitlab-ci: Remove tags no longer provided by gitlab.com
    
    GitLab.com removed a number of tags from their hosted
    runners and this meant our CI was being redirected to
    our private runners at a larger cost to the Samba Team.
    
    The new infrastructure is much larger than when we last
    selected runners so we can just use the default, even for
    the code coverage build.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15638
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue May  7 13:40:55 UTC 2024 on atb-devel-224
    
    (cherry picked from commit d58a72c572f63619111f43f6ea39ff84ae0df16e)

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-coverage-runners.yml                    |   8 +-
 .gitlab-ci-default-runners.yml                     |  44 +-
 .gitlab-ci-main.yml                                |   6 +
 libcli/nbt/libnbt.h                                |   3 +
 libcli/nbt/nbtsocket.c                             |  44 ++
 libcli/smb/smbXcli_base.c                          | 104 +++-
 libcli/smb/smbXcli_base.h                          |   5 +
 python/samba/tests/ntacls.py                       |   2 +-
 selftest/flapping.d/gitlab-setxattr-security       |  18 +
 selftest/target/Samba4.pm                          |   2 +
 lib/util/unix_match.h => source3/include/fstring.h |  14 +-
 source3/include/includes.h                         |   5 +-
 source3/include/nameserv.h                         | 380 +------------
 source3/include/session.h                          |   1 +
 source3/include/smb.h                              |  26 +-
 source3/lib/sessionid_tdb.c                        |   8 +
 source3/libads/ldap.c                              |  16 +-
 source3/librpc/idl/ads.idl                         |   1 +
 source3/libsmb/clidgram.c                          |   6 +-
 source3/libsmb/dsgetdcname.c                       |  29 +-
 source3/libsmb/namequery.c                         |   7 +-
 source3/libsmb/nmblib.c                            |   6 +
 source3/libsmb/nmblib.h                            |   2 +
 source3/libsmb/unexpected.c                        |  18 +-
 source3/libsmb/unexpected.h                        |   2 +
 source3/nmbd/nmbd.h                                | 382 +++++++++++++
 source3/nmbd/nmbd_packets.c                        |   1 +
 source3/smbd/globals.h                             |   5 +
 source3/smbd/smb2_server.c                         |  11 +
 source3/smbd/smb2_sesssetup.c                      |  18 +-
 source3/smbd/smb2_tcon.c                           |   4 +
 source3/utils/conn_tdb.c                           |  12 +-
 source3/utils/conn_tdb.h                           |   1 +
 source3/utils/net_ads.c                            |   6 +
 source3/utils/status.c                             |  82 ++-
 source3/utils/status.h                             |   1 +
 source3/utils/status_json.c                        |   2 +
 source3/wscript_build                              |   1 +
 source4/dsdb/repl/drepl_out_helpers.c              |  26 +-
 source4/libcli/dgram/dgramsocket.c                 |  40 +-
 source4/libcli/dgram/libdgram.h                    |   3 +
 source4/libcli/smb2/session.c                      |  16 +-
 source4/libcli/smb2/smb2.h                         |   2 +
 source4/nbt_server/dgram/request.c                 |  56 +-
 source4/nbt_server/interfaces.c                    |  29 +
 source4/nbt_server/nbt_server.c                    | 143 +++++
 source4/nbt_server/nbt_server.h                    |   2 +
 source4/nbt_server/wscript_build                   |   2 +-
 source4/torture/smb2/session.c                     | 629 +++++++++++++++++++++
 49 files changed, 1743 insertions(+), 488 deletions(-)
 create mode 100644 selftest/flapping.d/gitlab-setxattr-security
 copy lib/util/unix_match.h => source3/include/fstring.h (76%)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-coverage-runners.yml b/.gitlab-ci-coverage-runners.yml
index 0f6b2ec1581..331c5d2399c 100644
--- a/.gitlab-ci-coverage-runners.yml
+++ b/.gitlab-ci-coverage-runners.yml
@@ -1,10 +1,4 @@
 include:
   - /.gitlab-ci-default-runners.yml
 
-.shared_runner_test:
-  # We need the more powerful n1-standard-2 runners
-  # in order to handle the lcov overhead.
-  #
-  # See .gitlab-ci-default-runners.yml for more details
-  tags:
-    - gitlab-org-docker
+# Currently we're happy with the defaults
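
Review bot: the replacement comment `+# Currently we're happy with the defaults` loses the reason the override existed (the removed lines explained that lcov overhead needed a larger runner); say that coverage jobs now inherit `.shared_runner_test` from the included `.gitlab-ci-default-runners.yml`, so whoever next hits lcov timeouts knows this file is the place to re-add a runner tag.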
diff --git a/.gitlab-ci-default-runners.yml b/.gitlab-ci-default-runners.yml
index f73f868d39c..bdc504aff21 100644
--- a/.gitlab-ci-default-runners.yml
+++ b/.gitlab-ci-default-runners.yml
@@ -1,48 +1,26 @@
-# From https://docs.gitlab.com/ee/user/gitlab_com/#shared-runners:
+# From https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html
 #
 #   ...
 #
-#   All your CI/CD jobs run on n1-standard-1 instances with 3.75GB of RAM, CoreOS
-#   and the latest Docker Engine installed. Instances provide 1 vCPU and 25GB of
-#   HDD disk space. The default region of the VMs is US East1. Each instance is
-#   used only for one job, this ensures any sensitive data left on the system can’t
-#   be accessed by other people their CI jobs.
-#
-#   The gitlab-shared-runners-manager-X.gitlab.com fleet of runners are dedicated
-#   for GitLab projects as well as community forks of them. They use a slightly
-#   larger machine type (n1-standard-2) and have a bigger SSD disk size. They don’t
-#   run untagged jobs and unlike the general fleet of shared runners, the instances
-#   are re-used up to 40 times.
-#
-#   ...
-#
-# The n1-standard-1 runners seem to be tagged with 'docker' together with 'gce'.
-#
-# The more powerful n1-standard-2 runners seem to be tagged with
-# 'gitlab-org-docker' or some with just 'gitlab-org'.
-#
+#   Runner Tag              vCPUs   Memory   Storage
+#   saas-linux-small-amd64  2       8 GB     25 GB
 #
 # Our current private runner 'docker', 'samba-ci-private', 'shared' and
 # 'ubuntu2204'. It runs with an ubuntu2204 kernel (5.15) and provides an
-# ext4 filesystem and similar RAM as the n1-standard-2 runners.
+# ext4 filesystem, 2 CPU and 4 GB (shared tag) 8G (samba-ci-private tag) RAM.
 #
 
 .shared_runner_build:
-  # We use n1-standard-1 shared runners by default.
-  #
-  # There are currently 5 shared runners with 'docker' and 'gce',
-  # while there are only 2 provising 'docker' together with 'shared'.
+  # We use saas-linux-small-amd64 shared runners by default.
+  # We avoid adding explicit tags for them in order
+  # to work with potential changes in future
   #
-  # We used to fallback to our private runner if the docker+shared runners
-  # were busy, but now that we use the 5 docker+gce runners, we try to only
-  # use shared runners without a fallback to our private runner!
-  # Lets see how that will work out.
-  tags:
-    - docker
-    - gce
+  # In order to generate valid yaml, we define a dummy variable...
+  variables:
+    SAMBA_SHARED_RUNNER_BUILD_DUMMY_VARIABLE: shared_runner_build
 
 .shared_runner_test:
-  # Currently we're fine using the n1-standard-1 runners also for testing
+  # We use saas-linux-small-amd64 shared runners by default.
   extends: .shared_runner_build
 
 .private_runner_test:
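
Review bot: the comment `# In order to generate valid yaml, we define a dummy variable...` should state what actually breaks without it (a hidden job whose body is only comments has no value), otherwise `SAMBA_SHARED_RUNNER_BUILD_DUMMY_VARIABLE` looks unused and a future cleanup will remove it. Also, `# Our current private runner 'docker', 'samba-ci-private', 'shared' and 'ubuntu2204'.` is missing its verb, and `2 CPU and 4 GB (shared tag) 8G (samba-ci-private tag) RAM` reads better as "4 GB RAM with the 'shared' tag, 8 GB with 'samba-ci-private'".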
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index add5f323ec4..26cf07d6fce 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -112,8 +112,14 @@ include:
 
   before_script:
     - uname -a
+    - ls -l /sys/module/
+    - ls -l /sys/kernel/security/
+    - if [ -e /sys/kernel/security/lsm ]; then cat /sys/kernel/security/lsm ; echo; fi
+    - if [ -e /proc/config.gz ]; then sudo zcat /proc/config.gz; echo; fi
     - lsb_release -a
     - cat /etc/os-release
+    - id
+    - cat /proc/self/status
     - lscpu
     - cat /proc/cpuinfo
     - mount
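
Review bot: `+    - if [ -e /proc/config.gz ]; then sudo zcat /proc/config.gz; echo; fi` guards the file but not `sudo`: every other new line runs unprivileged, and on a runner where sudo is missing or prompts for a password this before_script line fails the whole job instead of merely losing debug output. Use `sudo -n zcat /proc/config.gz || true` (or drop sudo, since /proc/config.gz is normally world-readable), and note that dumping the full kernel config plus `cat /proc/self/status` into every job log is a lot of noise for a temporary runner investigation; a variable to switch it off later would help.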
diff --git a/libcli/nbt/libnbt.h b/libcli/nbt/libnbt.h
index 204484be73f..6a30c9fedb5 100644
--- a/libcli/nbt/libnbt.h
+++ b/libcli/nbt/libnbt.h
@@ -331,6 +331,9 @@ NTSTATUS nbt_set_unexpected_handler(struct nbt_name_socket *nbtsock,
 				    void (*handler)(struct nbt_name_socket *, struct nbt_name_packet *,
 						    struct socket_address *),
 				    void *private_data);
+NTSTATUS nbt_name_send_raw(struct nbt_name_socket *nbtsock,
+			   struct socket_address *dest,
+			   const DATA_BLOB pkt_blob);
 NTSTATUS nbt_name_reply_send(struct nbt_name_socket *nbtsock,
 			     struct socket_address *dest,
 			     struct nbt_name_packet *request);
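
Review bot: the new `nbt_name_send_raw()` prototype lands in the public header without a doc comment; its neighbours lack one too, but since this function sends an arbitrary pre-encoded blob, a one-line note that `pkt_blob` must already be a fully encoded NBT name packet and that no validation is done on it would save callers a trip into nbtsocket.c.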
diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c
index 47e73cf2e8d..b2945ad912f 100644
--- a/libcli/nbt/nbtsocket.c
+++ b/libcli/nbt/nbtsocket.c
@@ -448,6 +448,50 @@ failed:
 	return NULL;
 }
 
+/*
+  send off a nbt name packet
+*/
+_PUBLIC_ NTSTATUS nbt_name_send_raw(struct nbt_name_socket *nbtsock,
+				    struct socket_address *dest,
+				    const DATA_BLOB pkt_blob)
+{
+	struct nbt_name_request *req;
+
+	req = talloc_zero(nbtsock, struct nbt_name_request);
+	NT_STATUS_HAVE_NO_MEMORY(req);
+
+	req->nbtsock = nbtsock;
+	req->dest = socket_address_copy(req, dest);
+	if (req->dest == NULL) {
+		goto failed;
+	}
+	req->state = NBT_REQUEST_SEND;
+	/*
+	 * We don't expect a response so
+	 * just pretent it is a request,
+	 * but we really don't care about the
+	 * content.
+	 */
+	req->is_reply = true;
+
+	req->encoded = data_blob_dup_talloc(req, pkt_blob);
+	if (req->encoded.length != pkt_blob.length) {
+		goto failed;
+	}
+
+	talloc_set_destructor(req, nbt_name_request_destructor);
+
+	DLIST_ADD_END(nbtsock->send_queue, req);
+
+	TEVENT_FD_WRITEABLE(nbtsock->fde);
+
+	return NT_STATUS_OK;
+
+failed:
+	talloc_free(req);
+	return NT_STATUS_NO_MEMORY;
+}
+
 
 /*
   send off a nbt name reply
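
Review bot: the comment above `+	req->is_reply = true;` contradicts the assignment: it says "just pretent it is a request" while the code marks the request as a reply, which is the flag that keeps the socket from waiting for a response; reword it to "pretend it is a reply" and fix the typo. Two smaller points: the header comment `send off a nbt name packet` is indistinguishable from the one for nbt_name_reply_send() below and should say "raw, pre-encoded", and an empty `pkt_blob` passes the `req->encoded.length != pkt_blob.length` check and silently queues a zero-length datagram, so consider rejecting `pkt_blob.length == 0` with NT_STATUS_INVALID_PARAMETER before the dup.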
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index a52a615857f..87acddfc94f 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -166,6 +166,13 @@ struct smb2cli_session {
 	uint16_t channel_sequence;
 	bool replay_active;
 	bool require_signed_response;
+
+	/*
+	 * The following are just for torture tests
+	 */
+	bool anonymous_signing;
+	bool anonymous_encryption;
+	bool no_signing_disconnect;
 };
 
 struct smbXcli_session {
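
Review bot: the three new fields are documented only as `The following are just for torture tests`, yet they sit in the production client struct and two of them (`anonymous_signing`, `anonymous_encryption`) downgrade key derivation and signature checking. Give them the same `torture_` prefix as their setters (smb2cli_session_torture_anonymous_signing() etc.) so every future read or write site is obviously test-only, and say in the comment that no production caller may set them.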
@@ -3999,6 +4006,9 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 
 		if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED) ||
 		    NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED) ||
+		    (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
+		     session != NULL &&
+		     session->smb2->no_signing_disconnect) ||
 		    NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
 			/*
 			 * if the server returns
@@ -4042,8 +4052,29 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 				/*
 				 * If the signing check fails, we disconnect
 				 * the connection.
+				 *
+				 * Unless
+				 * smb2cli_session_torture_no_signing_disconnect
+				 * was called in torture tests
 				 */
-				return signing_status;
+
+				if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+					return signing_status;
+				}
+
+				if (!NT_STATUS_EQUAL(status, signing_status)) {
+					return signing_status;
+				}
+
+				if (session == NULL) {
+					return signing_status;
+				}
+
+				if (!session->smb2->no_signing_disconnect) {
+					return signing_status;
+				}
+
+				state->smb2.signing_skipped = true;
 			}
 		}
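
Review bot: the four consecutive early returns (`if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED))`, `if (!NT_STATUS_EQUAL(status, signing_status))`, `if (session == NULL)`, `if (!session->smb2->no_signing_disconnect)`) re-state the predicate already written inline in the earlier hunk of this function (`NT_STATUS_ACCESS_DENIED && session != NULL && session->smb2->no_signing_disconnect`); factor both sites into one small static helper so they cannot drift apart, and make sure `state->smb2.signing_skipped = true` is the only effect, i.e. nothing downstream treats the failed signature as verified.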
 
@@ -6332,6 +6363,23 @@ void smb2cli_session_require_signed_response(struct smbXcli_session *session,
 	session->smb2->require_signed_response = require_signed_response;
 }
 
+void smb2cli_session_torture_anonymous_signing(struct smbXcli_session *session,
+					       bool anonymous_signing)
+{
+	session->smb2->anonymous_signing = anonymous_signing;
+}
+
+void smb2cli_session_torture_anonymous_encryption(struct smbXcli_session *session,
+						  bool anonymous_encryption)
+{
+	session->smb2->anonymous_encryption = anonymous_encryption;
+}
+
+void smb2cli_session_torture_no_signing_disconnect(struct smbXcli_session *session)
+{
+	session->smb2->no_signing_disconnect = true;
+}
+
 NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
 					const struct iovec *iov)
 {
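Review bot: the three setters accept any combination of flags, yet later code treats anonymous_signing and anonymous_encryption as mutually exclusive (smb2cli_session_encryption_on returns NT_STATUS_INVALID_PARAMETER_MIX for anonymous_signing, and the anonymous_encryption block in smb2cli_session_set_session_key unconditionally clears should_sign); have the setters reject, or at least SMB_ASSERT against, enabling both on the same session so a misconfigured torture test fails at the call site instead of silently producing an inconsistent key set.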
@@ -6432,6 +6480,10 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 						  conn->protocol,
 						  preauth_hash);
 
+	if (session->smb2->anonymous_encryption) {
+		goto skip_signing_key;
+	}
+
 	status = smb2_signing_key_sign_create(session->smb2,
 					      conn->smb2.server.sign_algo,
 					      &_session_key,
@@ -6441,6 +6493,15 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 		return status;
 	}
 
+	if (session->smb2->anonymous_signing) {
+		/*
+		 * skip encryption and application keys
+		 */
+		goto skip_application_key;
+	}
+
+skip_signing_key:
+
 	status = smb2_signing_key_cipher_create(session->smb2,
 						conn->smb2.server.cipher,
 						&_session_key,
@@ -6459,6 +6520,10 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 		return status;
 	}
 
+	if (session->smb2->anonymous_encryption) {
+		goto skip_application_key;
+	}
+
 	status = smb2_signing_key_sign_create(session->smb2,
 					      conn->smb2.server.sign_algo,
 					      &_session_key,
@@ -6468,6 +6533,8 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 		return status;
 	}
 
+skip_application_key:
+
 	status = smb2_signing_key_copy(session,
 				       session->smb2->signing_key,
 				       &session->smb2_channel.signing_key);
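Review bot: in the anonymous_encryption path execution jumps via `goto skip_signing_key` over the signing-key creation, so at `skip_application_key:` the call `smb2_signing_key_copy(session, session->smb2->signing_key, ...)` is reached with a signing key that was never created; confirm that smb2_signing_key_copy tolerates a NULL source (and yields a NULL channel signing key) rather than dereferencing it, and add a comment at the label saying that a missing signing key is expected for anonymous encryption.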
@@ -6477,6 +6544,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 
 	check_signature = conn->mandatory_signing;
 
+	if (conn->protocol >= PROTOCOL_SMB3_11) {
+		check_signature = true;
+	}
+
+	if (session->smb2->anonymous_signing) {
+		check_signature = false;
+	}
+
+	if (session->smb2->anonymous_encryption) {
+		check_signature = false;
+	}
+
 	hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS);
 	if (hdr_flags & SMB2_HDR_FLAG_SIGNED) {
 		/*
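Review bot: moving the `conn->protocol >= PROTOCOL_SMB3_11` block above the two torture overrides is what lets them take effect, but the override is only partial: the `SMB2_HDR_FLAG_SIGNED` branch that follows sets `check_signature = true` again, so for an anonymous_encryption session whose final session-setup reply carries the signed flag, smb2_signing_check_pdu() is invoked with a channel signing key this path never derived. Either skip the flag-driven re-enable when anonymous_encryption is set, or document that such a reply is expected to fail the check.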
@@ -6492,10 +6571,6 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 		check_signature = true;
 	}
 
-	if (conn->protocol >= PROTOCOL_SMB3_11) {
-		check_signature = true;
-	}
-
 	if (check_signature) {
 		status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
 						recv_iov, 3);
@@ -6527,6 +6602,15 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 		session->smb2->should_encrypt = false;
 	}
 
+	if (session->smb2->anonymous_signing) {
+		session->smb2->should_sign = true;
+	}
+
+	if (session->smb2->anonymous_encryption) {
+		session->smb2->should_encrypt = true;
+		session->smb2->should_sign = false;
+	}
+
 	/*
 	 * CCM and GCM algorithms must never have their
 	 * nonce wrap, or the security of the whole
@@ -6698,6 +6782,16 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
 
 NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
 {
+	if (session->smb2->anonymous_signing) {
+		return NT_STATUS_INVALID_PARAMETER_MIX;
+	}
+
+	if (session->smb2->anonymous_encryption) {
+		SMB_ASSERT(session->smb2->should_encrypt);
+		SMB_ASSERT(!session->smb2->should_sign);
+		return NT_STATUS_OK;
+	}
+
 	if (!session->smb2->should_sign) {
 		/*
 		 * We need required signing on the session
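Review bot: the early `return NT_STATUS_OK;` for anonymous_encryption bypasses the remaining checks of this function (starting with `if (!session->smb2->should_sign)`), which is intended since should_sign is cleared for that mode; the two SMB_ASSERTs make the invariant explicit, but a one-line comment saying why no signing key exists for anonymous encryption (it is skipped in smb2cli_session_set_session_key) would spare the next reader a trip through that function.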
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index 25ccd84b336..69fa131a31d 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -535,6 +535,11 @@ void smb2cli_session_start_replay(struct smbXcli_session *session);
 void smb2cli_session_stop_replay(struct smbXcli_session *session);
 void smb2cli_session_require_signed_response(struct smbXcli_session *session,
 					     bool require_signed_response);
+void smb2cli_session_torture_anonymous_signing(struct smbXcli_session *session,
+					       bool anonymous_signing);
+void smb2cli_session_torture_anonymous_encryption(struct smbXcli_session *session,
+						  bool anonymous_encryption);
+void smb2cli_session_torture_no_signing_disconnect(struct smbXcli_session *session);
 NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
 					const struct iovec *iov);
 NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
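Review bot: the three new prototypes carry no comment; since they exist only for torture tests, say so here in the public header where consumers look (the `_torture_` infix helps, but a short comment that these calls weaken or disable signing checks and must not be used by production callers belongs next to the declarations).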
diff --git a/python/samba/tests/ntacls.py b/python/samba/tests/ntacls.py
index 0b7963d902e..6e2adda6a0d 100644
--- a/python/samba/tests/ntacls.py
+++ b/python/samba/tests/ntacls.py
@@ -83,5 +83,5 @@ class NtaclsTests(TestCaseInTempDir):
         lp = LoadParm()
         open(self.tempf, 'w').write("empty")
         lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
-        self.assertRaises(Exception, setntacl, lp, self.tempf, NTACL_SDDL,
+        self.assertRaises(PermissionError, setntacl, lp, self.tempf, NTACL_SDDL,
                           DOMAIN_SID, self.session_info, "native")
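Review bot: narrowing `assertRaises(Exception, ...)` to `PermissionError` is the right tightening, since a bare Exception would also have accepted unrelated failures from setntacl; note that it also makes the outcome depend on how the kernel permits setxattr() on security.NTACL, which is why the flapping entry for test_setntacl_forcenative appears in this same commit.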
diff --git a/selftest/flapping.d/gitlab-setxattr-security b/selftest/flapping.d/gitlab-setxattr-security
new file mode 100644
index 00000000000..d7d24032450
--- /dev/null
+++ b/selftest/flapping.d/gitlab-setxattr-security
@@ -0,0 +1,18 @@
+# gitlab runners with kernel 5.15.109+
+# allow setxattr() on security.NTACL
+#
+# It's not clear in detail why there's a difference
+# between various systems, one reason could be that
+# with selinux inode_owner_or_capable() is used to check
+# setxattr() permissions:
+# it checks for the fileowner too, as well as CAP_FOWNER.
+# Otherwise cap_inode_setxattr() is used, which checks for
+# CAP_SYS_ADMIN.
+#
+# But the kernel doesn't have selinux only apparmor...
+#
+# test_setntacl_forcenative expects
+# PermissionError: [Errno 1] Operation not permitted
+#
+# So for now we allow this to fail...
+^samba.tests.ntacls.samba.tests.ntacls.NtaclsTests.test_setntacl_forcenative.none
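Review bot: the comment itself states the cause is unknown ("It's not clear in detail why there's a difference"), so marking test_setntacl_forcenative as flapping hides a real divergence in how setxattr() on security.NTACL is permitted across kernels and LSMs rather than characterising it; a tighter fix is to make the test aware of the capability situation (skip or adjust the expectation when the runner holds CAP_SYS_ADMIN and the setxattr succeeds) and to record the open investigation as a bug reference in this file so the entry is not forgotten.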
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 2d449e4a652..f2b84b4f9b7 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -618,6 +618,7 @@ sub provision_raw_prepare($$$$$$$$$$$$$$)
 	$ctx->{statedir} = "$prefix_abs/statedir";
 	$ctx->{cachedir} = "$prefix_abs/cachedir";
 	$ctx->{winbindd_socket_dir} = "$prefix_abs/wbsock";
+	$ctx->{nmbd_socket_dir} = "$prefix_abs/nmbsock";
 	$ctx->{ntp_signd_socket_dir} = "$prefix_abs/ntp_signd_socket";
 	$ctx->{nsswrap_passwd} = "$ctx->{etcdir}/passwd";
 	$ctx->{nsswrap_group} = "$ctx->{etcdir}/group";
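Review bot: `$ctx->{nmbd_socket_dir}` is added alongside winbindd_socket_dir, but this hunk does not show the directory being created; check that it is included wherever the other socket directories are created during provisioning, otherwise the `nmbd:socket dir` setting written into smb.conf points at a non-existent path.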
@@ -774,6 +775,7 @@ sub provision_raw_step1($$)
 	state directory = $ctx->{statedir}
 	cache directory = $ctx->{cachedir}
 	winbindd socket directory = $ctx->{winbindd_socket_dir}
+	nmbd:socket dir = $ctx->{nmbd_socket_dir}
 	ntp signd socket directory = $ctx->{ntp_signd_socket_dir}
 	winbind separator = /
 	interfaces = $interfaces
diff --git a/lib/util/unix_match.h b/source3/include/fstring.h
similarity index 76%
copy from lib/util/unix_match.h
copy to source3/include/fstring.h
index a7b693500b2..dfc8f17a8f3 100644
--- a/lib/util/unix_match.h
+++ b/source3/include/fstring.h
@@ -1,7 +1,6 @@
 /*
    Unix SMB/CIFS implementation.
-   Utility functions for Samba
-   Copyright (C) Jeremy Allison 2001
+   Copyright (C) 2002 by Martin Pool <mbp at samba.org>
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
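Review bot: git reports this file as a 76% copy of lib/util/unix_match.h, which reflects only the shared license boilerplate; the substantive content (FSTRING_LEN and the fstring typedef) comes from source3/include/includes.h, so the copyright line should be chosen to match the origin of that code rather than the file git paired it with, and the removed "Utility functions for Samba" line could be replaced by a one-line description of what this header provides.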
@@ -17,9 +16,12 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _UNIX_MASK_H_
-#define _UNIX_MASK_H_
-
-bool unix_wild_match(const char *pattern, const char *string);
+#ifndef _SAMBA_FSTRING_H
+#define _SAMBA_FSTRING_H
 
+#ifndef FSTRING_LEN
+#define FSTRING_LEN 256
+typedef char fstring[FSTRING_LEN];
 #endif
+
+#endif /* _SAMBA_FSTRING_H */
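Review bot: the inner `#ifndef FSTRING_LEN` guard is carried over from includes.h; now that the header has its own `_SAMBA_FSTRING_H` guard it only matters when a translation unit defines FSTRING_LEN before including fstring.h, in which case `typedef char fstring[FSTRING_LEN];` is silently skipped and the fstring type is never declared. Either drop the inner guard or move the typedef outside it so the type is always available.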
diff --git a/source3/include/includes.h b/source3/include/includes.h
index 1e7b79ba0a9..ee05b93c07d 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -237,10 +237,7 @@ enum timestamp_set_resolution {
    _________)/\\_//(\/(/\)/\//\/\///|_)_______
 */
 
-#ifndef FSTRING_LEN
-#define FSTRING_LEN 256
-typedef char fstring[FSTRING_LEN];
-#endif
+#include "fstring.h"
 
 /* debug.h need to be included before samba_util.h for the macro SMB_ASSERT */
 #include "../lib/util/debug.h"
diff --git a/source3/include/nameserv.h b/source3/include/nameserv.h
index 8fbe5a33a29..51efe82d061 100644
--- a/source3/include/nameserv.h
+++ b/source3/include/nameserv.h
@@ -20,18 +20,6 @@
    
 */
 
-#define INFO_VERSION	"INFO/version"
-#define INFO_COUNT	"INFO/num_entries"
-#define INFO_ID_HIGH	"INFO/id_high"
-#define INFO_ID_LOW	"INFO/id_low"
-#define ENTRY_PREFIX 	"ENTRY/"
-
-#define PERMANENT_TTL 0
-
-/* NTAS uses 2, NT uses 1, WfWg uses 0 */
-#define MAINTAIN_LIST    2
-#define ELECTION_VERSION 1
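Review bot: the hunk is cut off here (the header announces 18 removed lines but fewer are shown), so the removal of INFO_VERSION, INFO_COUNT, INFO_ID_HIGH, INFO_ID_LOW, ENTRY_PREFIX, PERMANENT_TTL, MAINTAIN_LIST and ELECTION_VERSION cannot be reviewed in full; confirm whether these macros were relocated to another header or dropped, and that every remaining user of them still includes whatever now defines them.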


-- 
Samba Shared Repository


