From orion at et.byu.edu Thu Aug 1 23:06:52 2024 From: orion at et.byu.edu (Orion) Date: Thu, 1 Aug 2024 17:06:52 -0600 Subject: become_root() Necessary for Group Quota in quotas.c? Message-ID: <65ad7c9a-38a3-4224-b40e-b7c991c8e0b2@et.byu.edu> We have a situation in which the root user does not have access to the files contained in a directory with SGID set. When a user navigates to this directory and Samba attempts to request the quota for the directory, it fails when the code later attempts to do a stat on the file because of lack of permissions. In the file samba/source3/smbd/quotas.c if the SGID bit is set, the code changes the effective GID to the GID of the folder, uses become_root() to change to root, and then requests the quota. However, if the SGID bit is not set, quotas.c requests the quota without using the become_root() function. The question I have is, why when the SGID bit is set does it change to root before requesting the quota? Can we remove the become_root() function call for this instance and request the quota as the GID of the folder? I tested removing the become_root() and unbecome_root() function calls, and for our particular setup, it works perfectly. However, I am curious if there is some other setup that may have issues if this bit is removed. From metze at samba.org Fri Aug 2 12:11:22 2024 From: metze at samba.org (Stefan Metzmacher) Date: Fri, 2 Aug 2024 14:11:22 +0200 Subject: [Announce] Samba 4.20.3 Available for Download Message-ID: Release Announcements --------------------- This is the latest stable release of the Samba 4.20 release series. LDAP TLS/SASL channel binding support ------------------------------------- The ldap server supports SASL binds with kerberos or NTLMSSP over TLS connections now (either ldaps or starttls). Setups where 'ldap server require strong auth = allow_sasl_over_tls' was required before, can now most likely move to the default of 'ldap server require strong auth = yes'. If SASL binds without correct tls channel bindings are required 'ldap server require strong auth = allow_sasl_without_tls_channel_bindings' should be used now, as 'allow_sasl_over_tls' will generate a warning in every start of 'samba', as well as '[samba-tool ]testparm'. This is similar to LdapEnforceChannelBinding under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Windows. All client tools using ldaps also include the correct channel bindings now. smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- ldap server require strong auth new values Changes since 4.20.2 -------------------- o Andreas Schneider * BUG 15683: Running samba-bgqd a a standalone systemd service does not work. o Andrew Bartlett * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password. o Douglas Bagnall * BUG 15671: Invalid client warning about command line passwords. * BUG 15672: Version string is truncated in manpages. * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters. * BUG 15674: cmdline_burn does not always burn secrets. * BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in AD_DS_Classes_Windows_Server_v1903.ldf. o Jo Sutton * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password. o Pavel Filipensk? * BUG 15660: The images don\'t build after the git security release and CentOS 8 Stream is EOL. o Ralph Boehme * BUG 15676: Fix clock skew error message and memory cache clock skew recovery. o Stefan Metzmacher * BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in init_sec_context/repl_mutual. * BUG 15621: s4:ldap_server: does not support tls channel bindings for sasl binds. o Xavi Hernandez * BUG 15678: CTDB socket output queues may suffer unbounded delays under some special conditions. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ================ Download Details ================ The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from: https://download.samba.org/pub/samba/stable/ The release notes are available online at: https://www.samba.org/samba/history/samba-4.20.3.html Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team From metze at samba.org Tue Aug 6 10:40:42 2024 From: metze at samba.org (Stefan Metzmacher) Date: Tue, 6 Aug 2024 12:40:42 +0200 Subject: [Announce] Samba 4.20.4 Available for Download Message-ID: Release Announcements --------------------- This is the latest stable release of the Samba 4.20 release series. Changes since 4.20.3 -------------------- This only fixes a regression in library version strings in Samba 4.20.3, see: https://bugzilla.samba.org/show_bug.cgi?id=15673 If you compiled Samba from the sources and don't have other applications relying on Samba's public libraries, there's no reason to upgrade from 4.20.3 to 4.20.4. o Andreas Schneider * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters. o Stefan Metzmacher * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ================ Download Details ================ The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from: https://download.samba.org/pub/samba/stable/ The release notes are available online at: https://www.samba.org/samba/history/samba-4.20.4.html Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team From smfrench at gmail.com Wed Aug 7 21:42:01 2024 From: smfrench at gmail.com (Steve French) Date: Wed, 7 Aug 2024 16:42:01 -0500 Subject: [PATCH] Fix spelling errors in Server Message Block In-Reply-To: <20240807165320.56450-1-shenxiaxi26@gmail.com> References: <20240807165320.56450-1-shenxiaxi26@gmail.com> Message-ID: merged into cifs-2.6.git for-next On Wed, Aug 7, 2024 at 11:53?AM Xiaxi Shen wrote: > Fixed typos in various files under fs/smb/client/ > > Signed-off-by: Xiaxi Shen > --- > fs/smb/client/cifsglob.h | 4 ++-- > fs/smb/client/misc.c | 2 +- > fs/smb/client/smbdirect.c | 8 ++++---- > fs/smb/client/transport.c | 2 +- > 4 files changed, 8 insertions(+), 8 deletions(-) > > diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h > index f6d1f075987f..66677b8fc9be 100644 > --- a/fs/smb/client/cifsglob.h > +++ b/fs/smb/client/cifsglob.h > @@ -345,7 +345,7 @@ struct smb_version_operations { > /* connect to a server share */ > int (*tree_connect)(const unsigned int, struct cifs_ses *, const > char *, > struct cifs_tcon *, const struct nls_table *); > - /* close tree connecion */ > + /* close tree connection */ > int (*tree_disconnect)(const unsigned int, struct cifs_tcon *); > /* get DFS referrals */ > int (*get_dfs_refer)(const unsigned int, struct cifs_ses *, > @@ -816,7 +816,7 @@ struct TCP_Server_Info { > * Protected by @refpath_lock and @srv_lock. The @refpath_lock is > * mostly used for not requiring a copy of @leaf_fullpath when > getting > * cached or new DFS referrals (which might also sleep during I/O). > - * While @srv_lock is held for making string and NULL comparions > against > + * While @srv_lock is held for making string and NULL comparisons > against > * both fields as in mount(2) and cache refresh. > * > * format: \\HOST\SHARE[\OPTIONAL PATH] > diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c > index b28ff62f1f15..3fe5bfc389d0 100644 > --- a/fs/smb/client/misc.c > +++ b/fs/smb/client/misc.c > @@ -352,7 +352,7 @@ checkSMB(char *buf, unsigned int total_read, struct > TCP_Server_Info *server) > * on simple responses (wct, bcc both zero) > * in particular have seen this on > * ulogoffX and FindClose. This leaves > - * one byte of bcc potentially unitialized > + * one byte of bcc potentially > uninitialized > */ > /* zero rest of bcc */ > tmp[sizeof(struct smb_hdr)+1] = 0; > diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c > index d74e829de51c..7bcc379014ca 100644 > --- a/fs/smb/client/smbdirect.c > +++ b/fs/smb/client/smbdirect.c > @@ -406,7 +406,7 @@ static void smbd_post_send_credits(struct work_struct > *work) > else > response = get_empty_queue_buffer(info); > if (!response) { > - /* now switch to emtpy packet queue */ > + /* now switch to empty packet queue */ > if (use_receive_queue) { > use_receive_queue = 0; > continue; > @@ -618,7 +618,7 @@ static struct rdma_cm_id *smbd_create_id( > > /* > * Test if FRWR (Fast Registration Work Requests) is supported on the > device > - * This implementation requries FRWR on RDMA read/write > + * This implementation requires FRWR on RDMA read/write > * return value: true if it is supported > */ > static bool frwr_is_supported(struct ib_device_attr *attrs) > @@ -2177,7 +2177,7 @@ static int allocate_mr_list(struct smbd_connection > *info) > * MR available in the list. It may access the list while the > * smbd_mr_recovery_work is recovering the MR list. This doesn't need a > lock > * as they never modify the same places. However, there may be several > CPUs > - * issueing I/O trying to get MR at the same time, mr_list_lock is used to > + * issuing I/O trying to get MR at the same time, mr_list_lock is used to > * protect this situation. > */ > static struct smbd_mr *get_mr(struct smbd_connection *info) > @@ -2311,7 +2311,7 @@ struct smbd_mr *smbd_register_mr(struct > smbd_connection *info, > /* > * There is no need for waiting for complemtion on ib_post_send > * on IB_WR_REG_MR. Hardware enforces a barrier and order of > execution > - * on the next ib_post_send when we actaully send I/O to remote > peer > + * on the next ib_post_send when we actually send I/O to remote > peer > */ > rc = ib_post_send(info->id->qp, ®_wr->wr, NULL); > if (!rc) > diff --git a/fs/smb/client/transport.c b/fs/smb/client/transport.c > index adfe0d058701..6e68aaf5bd20 100644 > --- a/fs/smb/client/transport.c > +++ b/fs/smb/client/transport.c > @@ -1289,7 +1289,7 @@ compound_send_recv(const unsigned int xid, struct > cifs_ses *ses, > out: > /* > * This will dequeue all mids. After this it is important that the > - * demultiplex_thread will not process any of these mids any > futher. > + * demultiplex_thread will not process any of these mids any > further. > * This is prevented above by using a noop callback that will not > * wake this thread except for the very last PDU. > */ > -- > 2.34.1 > > > -- Thanks, Steve From smfrench at gmail.com Wed Aug 7 21:43:39 2024 From: smfrench at gmail.com (Steve French) Date: Wed, 7 Aug 2024 16:43:39 -0500 Subject: [PATCH] Fix spelling errors in Server Message Block In-Reply-To: <20240807165320.56450-1-shenxiaxi26@gmail.com> References: <20240807165320.56450-1-shenxiaxi26@gmail.com> Message-ID: merged into cifs-2.6.git for-next On Wed, Aug 7, 2024 at 11:53?AM Xiaxi Shen wrote: > > Fixed typos in various files under fs/smb/client/ > > Signed-off-by: Xiaxi Shen > --- > fs/smb/client/cifsglob.h | 4 ++-- > fs/smb/client/misc.c | 2 +- > fs/smb/client/smbdirect.c | 8 ++++---- > fs/smb/client/transport.c | 2 +- > 4 files changed, 8 insertions(+), 8 deletions(-) > > diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h > index f6d1f075987f..66677b8fc9be 100644 > --- a/fs/smb/client/cifsglob.h > +++ b/fs/smb/client/cifsglob.h > @@ -345,7 +345,7 @@ struct smb_version_operations { > /* connect to a server share */ > int (*tree_connect)(const unsigned int, struct cifs_ses *, const char *, > struct cifs_tcon *, const struct nls_table *); > - /* close tree connecion */ > + /* close tree connection */ > int (*tree_disconnect)(const unsigned int, struct cifs_tcon *); > /* get DFS referrals */ > int (*get_dfs_refer)(const unsigned int, struct cifs_ses *, > @@ -816,7 +816,7 @@ struct TCP_Server_Info { > * Protected by @refpath_lock and @srv_lock. The @refpath_lock is > * mostly used for not requiring a copy of @leaf_fullpath when getting > * cached or new DFS referrals (which might also sleep during I/O). > - * While @srv_lock is held for making string and NULL comparions against > + * While @srv_lock is held for making string and NULL comparisons against > * both fields as in mount(2) and cache refresh. > * > * format: \\HOST\SHARE[\OPTIONAL PATH] > diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c > index b28ff62f1f15..3fe5bfc389d0 100644 > --- a/fs/smb/client/misc.c > +++ b/fs/smb/client/misc.c > @@ -352,7 +352,7 @@ checkSMB(char *buf, unsigned int total_read, struct TCP_Server_Info *server) > * on simple responses (wct, bcc both zero) > * in particular have seen this on > * ulogoffX and FindClose. This leaves > - * one byte of bcc potentially unitialized > + * one byte of bcc potentially uninitialized > */ > /* zero rest of bcc */ > tmp[sizeof(struct smb_hdr)+1] = 0; > diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c > index d74e829de51c..7bcc379014ca 100644 > --- a/fs/smb/client/smbdirect.c > +++ b/fs/smb/client/smbdirect.c > @@ -406,7 +406,7 @@ static void smbd_post_send_credits(struct work_struct *work) > else > response = get_empty_queue_buffer(info); > if (!response) { > - /* now switch to emtpy packet queue */ > + /* now switch to empty packet queue */ > if (use_receive_queue) { > use_receive_queue = 0; > continue; > @@ -618,7 +618,7 @@ static struct rdma_cm_id *smbd_create_id( > > /* > * Test if FRWR (Fast Registration Work Requests) is supported on the device > - * This implementation requries FRWR on RDMA read/write > + * This implementation requires FRWR on RDMA read/write > * return value: true if it is supported > */ > static bool frwr_is_supported(struct ib_device_attr *attrs) > @@ -2177,7 +2177,7 @@ static int allocate_mr_list(struct smbd_connection *info) > * MR available in the list. It may access the list while the > * smbd_mr_recovery_work is recovering the MR list. This doesn't need a lock > * as they never modify the same places. However, there may be several CPUs > - * issueing I/O trying to get MR at the same time, mr_list_lock is used to > + * issuing I/O trying to get MR at the same time, mr_list_lock is used to > * protect this situation. > */ > static struct smbd_mr *get_mr(struct smbd_connection *info) > @@ -2311,7 +2311,7 @@ struct smbd_mr *smbd_register_mr(struct smbd_connection *info, > /* > * There is no need for waiting for complemtion on ib_post_send > * on IB_WR_REG_MR. Hardware enforces a barrier and order of execution > - * on the next ib_post_send when we actaully send I/O to remote peer > + * on the next ib_post_send when we actually send I/O to remote peer > */ > rc = ib_post_send(info->id->qp, ®_wr->wr, NULL); > if (!rc) > diff --git a/fs/smb/client/transport.c b/fs/smb/client/transport.c > index adfe0d058701..6e68aaf5bd20 100644 > --- a/fs/smb/client/transport.c > +++ b/fs/smb/client/transport.c > @@ -1289,7 +1289,7 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses, > out: > /* > * This will dequeue all mids. After this it is important that the > - * demultiplex_thread will not process any of these mids any futher. > + * demultiplex_thread will not process any of these mids any further. > * This is prevented above by using a noop callback that will not > * wake this thread except for the very last PDU. > */ > -- > 2.34.1 > > -- Thanks, Steve From smfrench at gmail.com Thu Aug 8 21:51:37 2024 From: smfrench at gmail.com (Steve French) Date: Thu, 8 Aug 2024 16:51:37 -0500 Subject: [PATCH] smb/client: avoid possible NULL dereference in cifs_free_subrequest() In-Reply-To: <20240808122331.342473-1-suhui@nfschina.com> References: <20240808122331.342473-1-suhui@nfschina.com> Message-ID: Tentatively merged into cifs-2.6.git pending review/testing Did minor update to add Cc: stable On Thu, Aug 8, 2024 at 7:26?AM Su Hui wrote: > > Clang static checker (scan-build) warning: > cifsglob.h:line 890, column 3 > Access to field 'ops' results in a dereference of a null pointer. > > Commit 519be989717c ("cifs: Add a tracepoint to track credits involved in > R/W requests") adds a check for 'rdata->server', and let clang throw this > warning about NULL dereference. > > When 'rdata->credits.value != 0 && rdata->server == NULL' happens, > add_credits_and_wake_if() will call rdata->server->ops->add_credits(). > This will cause NULL dereference problem. Add a check for 'rdata->server' > to avoid NULL dereference. > > Signed-off-by: Su Hui > --- > fs/smb/client/file.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c > index b2405dd4d4d4..45459af5044d 100644 > --- a/fs/smb/client/file.c > +++ b/fs/smb/client/file.c > @@ -315,7 +315,7 @@ static void cifs_free_subrequest(struct netfs_io_subrequest *subreq) > #endif > } > > - if (rdata->credits.value != 0) > + if (rdata->credits.value != 0) { > trace_smb3_rw_credits(rdata->rreq->debug_id, > rdata->subreq.debug_index, > rdata->credits.value, > @@ -323,8 +323,12 @@ static void cifs_free_subrequest(struct netfs_io_subrequest *subreq) > rdata->server ? rdata->server->in_flight : 0, > -rdata->credits.value, > cifs_trace_rw_credits_free_subreq); > + if (rdata->server) > + add_credits_and_wake_if(rdata->server, &rdata->credits, 0); > + else > + rdata->credits.value = 0; > + } > > - add_credits_and_wake_if(rdata->server, &rdata->credits, 0); > if (rdata->have_xid) > free_xid(rdata->xid); > } > -- > 2.30.2 > > -- Thanks, Steve From linkinjeon at kernel.org Fri Aug 9 02:51:30 2024 From: linkinjeon at kernel.org (Namjae Jeon) Date: Fri, 9 Aug 2024 11:51:30 +0900 Subject: [PATCH][next] smb: smb2pdu.h: Use static_assert() to check struct sizes In-Reply-To: References: Message-ID: 2024? 8? 9? (?) ?? 7:04, Gustavo A. R. Silva ?? ??: > > Commit 9f9bef9bc5c6 ("smb: smb2pdu.h: Avoid -Wflex-array-member-not-at-end > warnings") introduced tagged `struct create_context_hdr`. We want to > ensure that when new members need to be added to the flexible structure, > they are always included within this tagged struct. > > So, we use `static_assert()` to ensure that the memory layout for > both the flexible structure and the tagged struct is the same after > any changes. > > Signed-off-by: Gustavo A. R. Silva Acked-by: Namjae Jeon Thanks! From smfrench at gmail.com Fri Aug 9 03:50:13 2024 From: smfrench at gmail.com (Steve French) Date: Thu, 8 Aug 2024 22:50:13 -0500 Subject: [PATCH][next] smb: smb2pdu.h: Use static_assert() to check struct sizes In-Reply-To: References: Message-ID: merged into cifs-2.6.git for-next On Thu, Aug 8, 2024 at 9:51?PM Namjae Jeon wrote: > > 2024? 8? 9? (?) ?? 7:04, Gustavo A. R. Silva ?? ??: > > > > Commit 9f9bef9bc5c6 ("smb: smb2pdu.h: Avoid -Wflex-array-member-not-at-end > > warnings") introduced tagged `struct create_context_hdr`. We want to > > ensure that when new members need to be added to the flexible structure, > > they are always included within this tagged struct. > > > > So, we use `static_assert()` to ensure that the memory layout for > > both the flexible structure and the tagged struct is the same after > > any changes. > > > > Signed-off-by: Gustavo A. R. Silva > Acked-by: Namjae Jeon > > Thanks! > -- Thanks, Steve From smfrench at gmail.com Fri Aug 9 15:38:17 2024 From: smfrench at gmail.com (Steve French) Date: Fri, 9 Aug 2024 10:38:17 -0500 Subject: [PATCH] smb/client: avoid possible NULL dereference in cifs_free_subrequest() In-Reply-To: <893f2ebb-2979-4e34-bdab-a7cbb0c7e7b8@stanley.mountain> References: <20240808122331.342473-1-suhui@nfschina.com> <893f2ebb-2979-4e34-bdab-a7cbb0c7e7b8@stanley.mountain> Message-ID: On Fri, Aug 9, 2024 at 10:01?AM Dan Carpenter wrote: > > On Thu, Aug 08, 2024 at 08:23:32PM +0800, Su Hui wrote: > > Clang static checker (scan-build) warning: > > cifsglob.h:line 890, column 3 > > Access to field 'ops' results in a dereference of a null pointer. > > > > Commit 519be989717c ("cifs: Add a tracepoint to track credits involved in > > R/W requests") adds a check for 'rdata->server', and let clang throw this > > warning about NULL dereference. > > > > When 'rdata->credits.value != 0 && rdata->server == NULL' happens, > > add_credits_and_wake_if() will call rdata->server->ops->add_credits(). > > This will cause NULL dereference problem. Add a check for 'rdata->server' > > to avoid NULL dereference. > > > > Signed-off-by: Su Hui > > Needs a Fixes tag. I had added a fixes tag > Also when you add a Fixes tag, then get_maintainer will add the David Howells > automatically. I've added him manually. > > > --- > > fs/smb/client/file.c | 8 ++++++-- > > 1 file changed, 6 insertions(+), 2 deletions(-) > > > > diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c > > index b2405dd4d4d4..45459af5044d 100644 > > --- a/fs/smb/client/file.c > > +++ b/fs/smb/client/file.c > > @@ -315,7 +315,7 @@ static void cifs_free_subrequest(struct netfs_io_subrequest *subreq) > > #endif > > } > > > > - if (rdata->credits.value != 0) > > + if (rdata->credits.value != 0) { > > trace_smb3_rw_credits(rdata->rreq->debug_id, > > rdata->subreq.debug_index, > > rdata->credits.value, > > @@ -323,8 +323,12 @@ static void cifs_free_subrequest(struct netfs_io_subrequest *subreq) > > rdata->server ? rdata->server->in_flight : 0, > > -rdata->credits.value, > > cifs_trace_rw_credits_free_subreq); > > + if (rdata->server) > > + add_credits_and_wake_if(rdata->server, &rdata->credits, 0); > > + else > > + rdata->credits.value = 0; > ^^^^^^^^^^^^^^^^^^^^^^^^^ > Why do this? add_credits_and_wake() has the effect of setting credits->value to 0 so seems reasonable here (in the case where add_credits_and_wake can not be safely called), even if an extremely unlikely for rdata->server to be null. -- Thanks, Steve From smfrench at gmail.com Fri Aug 9 15:42:25 2024 From: smfrench at gmail.com (Steve French) Date: Fri, 9 Aug 2024 10:42:25 -0500 Subject: [PATCH] smb/client: avoid possible NULL dereference in cifs_free_subrequest() In-Reply-To: References: <20240808122331.342473-1-suhui@nfschina.com> <893f2ebb-2979-4e34-bdab-a7cbb0c7e7b8@stanley.mountain> Message-ID: On Fri, Aug 9, 2024 at 10:11?AM Dan Carpenter wrote: > > On Fri, Aug 09, 2024 at 06:00:26PM +0300, Dan Carpenter wrote: > > On Thu, Aug 08, 2024 at 08:23:32PM +0800, Su Hui wrote: > > > Clang static checker (scan-build) warning: > > > cifsglob.h:line 890, column 3 > > > Access to field 'ops' results in a dereference of a null pointer. > > > > > > Commit 519be989717c ("cifs: Add a tracepoint to track credits involved in > > > R/W requests") adds a check for 'rdata->server', and let clang throw this > > > warning about NULL dereference. > > > > > > When 'rdata->credits.value != 0 && rdata->server == NULL' happens, > > > add_credits_and_wake_if() will call rdata->server->ops->add_credits(). > > > This will cause NULL dereference problem. Add a check for 'rdata->server' > > > to avoid NULL dereference. > > > > > > Signed-off-by: Su Hui > > > > Needs a Fixes tag. > > > > Also when you add a Fixes tag, then get_maintainer will add the David Howells > > automatically. I've added him manually. > > > > Actually, David should have been CC'd but the fixes tag wouldn't have pointed > to his patch. > > This is an inconsistent NULL checking warning. It's not clear to me if the NULL > checks should be removed or more added. If David were trying to fix a NULL > pointer dereference and accidentally left one unchecked dereference out then the > Fixes tag would point to his patch. Since David was doing something unrelated Looks like (if this is even possible for server to to be null) then I will need to change the fixes to commit 69c3c023af25. I will update the tag in the current patch in for-next Author: David Howells Date: Fri Oct 6 18:16:15 2023 +0100 cifs: Implement netfslib hooks Provide implementation of the netfslib hooks that will be used by netfslib to ask cifs to set up and perform operations. -- Thanks, Steve From smfrench at gmail.com Fri Aug 9 15:46:52 2024 From: smfrench at gmail.com (Steve French) Date: Fri, 9 Aug 2024 10:46:52 -0500 Subject: [PATCH] smb/client: avoid possible NULL dereference in cifs_free_subrequest() In-Reply-To: References: <20240808122331.342473-1-suhui@nfschina.com> <893f2ebb-2979-4e34-bdab-a7cbb0c7e7b8@stanley.mountain> Message-ID: Updated patch to change Fixes tag and Cc: David On Fri, Aug 9, 2024 at 10:42?AM Steve French wrote: > > On Fri, Aug 9, 2024 at 10:11?AM Dan Carpenter wrote: > > > > On Fri, Aug 09, 2024 at 06:00:26PM +0300, Dan Carpenter wrote: > > > On Thu, Aug 08, 2024 at 08:23:32PM +0800, Su Hui wrote: > > > > Clang static checker (scan-build) warning: > > > > cifsglob.h:line 890, column 3 > > > > Access to field 'ops' results in a dereference of a null pointer. > > > > > > > > Commit 519be989717c ("cifs: Add a tracepoint to track credits involved in > > > > R/W requests") adds a check for 'rdata->server', and let clang throw this > > > > warning about NULL dereference. > > > > > > > > When 'rdata->credits.value != 0 && rdata->server == NULL' happens, > > > > add_credits_and_wake_if() will call rdata->server->ops->add_credits(). > > > > This will cause NULL dereference problem. Add a check for 'rdata->server' > > > > to avoid NULL dereference. > > > > > > > > Signed-off-by: Su Hui > > > > > > Needs a Fixes tag. > > > > > > Also when you add a Fixes tag, then get_maintainer will add the David Howells > > > automatically. I've added him manually. > > > > > > > Actually, David should have been CC'd but the fixes tag wouldn't have pointed > > to his patch. > > > > This is an inconsistent NULL checking warning. It's not clear to me if the NULL > > checks should be removed or more added. If David were trying to fix a NULL > > pointer dereference and accidentally left one unchecked dereference out then the > > Fixes tag would point to his patch. Since David was doing something unrelated > > Looks like (if this is even possible for server to to be null) then I > will need to change > the fixes to commit 69c3c023af25. I will update the tag in the current > patch in for-next > > Author: David Howells > Date: Fri Oct 6 18:16:15 2023 +0100 > > cifs: Implement netfslib hooks > > Provide implementation of the netfslib hooks that will be used by netfslib > to ask cifs to set up and perform operations. > -- > Thanks, > > Steve -- Thanks, Steve -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-smb-client-avoid-possible-NULL-dereference-in-cifs_f.patch Type: text/x-patch Size: 2025 bytes Desc: not available URL: From orion at et.byu.edu Fri Aug 9 21:00:48 2024 From: orion at et.byu.edu (Orion) Date: Fri, 9 Aug 2024 15:00:48 -0600 Subject: become_root() Necessary for Group Quota in quotas.c? In-Reply-To: <65ad7c9a-38a3-4224-b40e-b7c991c8e0b2@et.byu.edu> References: <65ad7c9a-38a3-4224-b40e-b7c991c8e0b2@et.byu.edu> Message-ID: <47bef7c7-50c7-4185-8268-89c0f5664703@et.byu.edu> Here is my proposed patch of the file source3/smbd/quotas.c to fix the issue I outlined previously: @@ -458,10 +458,8 @@ try_group_quota: S_ISDIR(fname->st.st_ex_mode) && fname->st.st_ex_mode & S_ISGID) { id.gid = fname->st.st_ex_gid; - become_root(); r = SMB_VFS_GET_QUOTA(conn, fname, SMB_GROUP_QUOTA_TYPE, id, &D); - unbecome_root(); } else { id.gid = getegid(); r = SMB_VFS_GET_QUOTA(conn, fname, SMB_GROUP_QUOTA_TYPE, id, Any comments would be appreciated. On 8/1/24 17:06, Orion wrote: > We have a situation in which the root user does not have access to the > files contained in a directory with SGID set. When a user navigates to > this directory and Samba attempts to request the quota for the > directory, it fails when the code later attempts to do a stat on the > file because of lack of permissions. > > In the file samba/source3/smbd/quotas.c if the SGID bit is set, the > code changes the effective GID to the GID of the folder, uses > become_root() to change to root, and then requests the quota. However, > if the SGID bit is not set, quotas.c requests the quota without using > the become_root() function. The question I have is, why when the SGID > bit is set does it change to root before requesting the quota? > > Can we remove the become_root() function call for this instance and > request the quota as the GID of the folder? > > I tested removing the become_root() and unbecome_root() function > calls, and for our particular setup, it works perfectly. However, I am > curious if there is some other setup that may have issues if this bit > is removed. > From dmulder at samba.org Mon Aug 12 21:29:27 2024 From: dmulder at samba.org (David Mulder) Date: Mon, 12 Aug 2024 15:29:27 -0600 Subject: CI can't reach internet to fetch rust packages Message-ID: <37323893-503b-455c-beb6-fede11a44eb9@samba.org> I'm getting this failure when doing a `cargo test` via samba test in CI: ??? Updating crates.io index warning: spurious network error (3 tries remaining): [7] Couldn't connect to server (Failed to connect to index.crates.io port 443 after 42 ms: Couldn't connect to server) warning: spurious network error (2 tries remaining): [7] Couldn't connect to server (Failed to connect to index.crates.io port 443 after 0 ms: Couldn't connect to server) warning: spurious network error (1 tries remaining): [7] Couldn't connect to server (Failed to connect to index.crates.io port 443 after 0 ms: Couldn't connect to server) error: failed to get `libc` as a dependency of package `config v4.21.0 (/builds/samba-testbase/samba-o3/rust/config)` Caused by: ? download of config.json failed Caused by: ? failed to download from `https://index.crates.io/config.json` Caused by: ? [7] Couldn't connect to server (Failed to connect to index.crates.io port 443 after 0 ms: Couldn't connect to server) Doing `cargo build` during the build phase does not fail to download dependencies. Any one know what's causing this? https://gitlab.com/samba-team/devel/samba/-/jobs/7566611520 -- David Mulder Labs Software Engineer, Samba SUSE 1221 S Valley Grove Way, Suite 500 Pleasant Grove, UT 84062 (P)+1 385.208.2989 dmulder at suse.com http://www.suse.com From abartlet at samba.org Mon Aug 12 21:37:59 2024 From: abartlet at samba.org (Andrew Bartlett) Date: Tue, 13 Aug 2024 09:37:59 +1200 Subject: CI can't reach internet to fetch rust packages In-Reply-To: <37323893-503b-455c-beb6-fede11a44eb9@samba.org> References: <37323893-503b-455c-beb6-fede11a44eb9@samba.org> Message-ID: <0ef42b0d9fda725ae617220b19abdfbcc416ee55.camel@samba.org> On Mon, 2024-08-12 at 15:29 -0600, David Mulder via samba-technical wrote: > I'm getting this failure when doing a `cargo test` via samba test in > CI: > Updating crates.io indexwarning: spurious network error (3 tries > remaining): [7] Couldn't connect to server (Failed to connect to > index.crates.io port 443 after 42 ms: Couldn't connect to > server)warning: spurious network error (2 tries remaining): [7] > Couldn't connect to server (Failed to connect to index.crates.io port > 443 after 0 ms: Couldn't connect to server)warning: spurious network > error (1 tries remaining): [7] Couldn't connect to server (Failed to > connect to index.crates.io port 443 after 0 ms: Couldn't connect to > server)error: failed to get `libc` as a dependency of package `config > v4.21.0 (/builds/samba-testbase/samba-o3/rust/config)` > Caused by: download of config.json failed > Caused by: failed to download from ` > https://index.crates.io/config.json` > > Caused by: [7] Couldn't connect to server (Failed to connect to > index.crates.io port 443 after 0 ms: Couldn't connect to server) > Doing `cargo build` during the build phase does not fail to download > dependencies. Any one know what's causing this? > https://gitlab.com/samba-team/devel/samba/-/jobs/7566611520 It will be socker_wrapper, I think we now have code to stop our tests leaking out. If you want access to the real internet, remove the socket wrapper environment variables or otherwise disable it. But also, don't do that. At least in the past, the autobuild host does not permit outbound access, so you will need to work with the sysadmins. The preferred pattern from our C model of software development is to encode dependencies at image generation time, and manually install on the autobuild host. Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead https://catalyst.net.nz/services/sambaCatalyst.Net Ltd Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company Samba Development and Support: https://catalyst.net.nz/services/samba Catalyst IT - Expert Open Source Solutions From cs at samba.org Mon Aug 12 23:41:13 2024 From: cs at samba.org (Christof Schmitt) Date: Mon, 12 Aug 2024 16:41:13 -0700 Subject: become_root() Necessary for Group Quota in quotas.c? In-Reply-To: <47bef7c7-50c7-4185-8268-89c0f5664703@et.byu.edu> References: <65ad7c9a-38a3-4224-b40e-b7c991c8e0b2@et.byu.edu> <47bef7c7-50c7-4185-8268-89c0f5664703@et.byu.edu> Message-ID: On Fri, Aug 09, 2024 at 03:00:48PM -0600, Orion via samba-technical wrote: > Here is my proposed patch of the file source3/smbd/quotas.c to fix the issue > I outlined previously: > > @@ -458,10 +458,8 @@ try_group_quota: > S_ISDIR(fname->st.st_ex_mode) && > fname->st.st_ex_mode & S_ISGID) { > id.gid = fname->st.st_ex_gid; > - become_root(); > r = SMB_VFS_GET_QUOTA(conn, fname, SMB_GROUP_QUOTA_TYPE, id, > &D); > - unbecome_root(); > } else { > id.gid = getegid(); > r = SMB_VFS_GET_QUOTA(conn, fname, SMB_GROUP_QUOTA_TYPE, id, > > Any comments would be appreciated. > > On 8/1/24 17:06, Orion wrote: > > We have a situation in which the root user does not have access to the > > files contained in a directory with SGID set. When a user navigates to > > this directory and Samba attempts to request the quota for the > > directory, it fails when the code later attempts to do a stat on the > > file because of lack of permissions. This sounds confusing. Why would the root not have access to the directory? > > In the file samba/source3/smbd/quotas.c if the SGID bit is set, the code > > changes the effective GID to the GID of the folder, uses become_root() > > to change to root, and then requests the quota. However, if the SGID bit > > is not set, quotas.c requests the quota without using the become_root() > > function. The question I have is, why when the SGID bit is set does it > > change to root before requesting the quota? > > > > Can we remove the become_root() function call for this instance and > > request the quota as the GID of the folder? > > > > I tested removing the become_root() and unbecome_root() function calls, > > and for our particular setup, it works perfectly. However, I am curious > > if there is some other setup that may have issues if this bit is > > removed. Orion, while i worked on this a while ago, i do not recall the details of this change. Looking at the overall picture this could result in a scenario of one user querying quota for a completely different group, not the user's primary or secondary group. Is it guaranteed that any user can always query any group quota? If so, your change is valid. If not, we could look into first issuing the GET_QUOTA call without root privileges, and repeat it when permission is denied (EPERM?) as root. Regards, Christof From ddiss at samba.org Tue Aug 13 01:22:57 2024 From: ddiss at samba.org (David Disseldorp) Date: Tue, 13 Aug 2024 01:22:57 +0000 Subject: CI can't reach internet to fetch rust packages In-Reply-To: <0ef42b0d9fda725ae617220b19abdfbcc416ee55.camel@samba.org> References: <37323893-503b-455c-beb6-fede11a44eb9@samba.org> <0ef42b0d9fda725ae617220b19abdfbcc416ee55.camel@samba.org> Message-ID: <20240813012257.4efbe77b.ddiss@samba.org> On Tue, 13 Aug 2024 09:37:59 +1200, Andrew Bartlett via samba-technical wrote: ... > If you want access to the real internet, remove the socket wrapper > environment variables or otherwise disable it. > But also, don't do that. Indeed. > At least in the past, the autobuild host does > not permit outbound access, so you will need to work with the > sysadmins. > The preferred pattern from our C model of software development is to > encode dependencies at image generation time, and manually install on > the autobuild host. "cargo vendor" should allow you to dump your (hopefully audited and trusted) dependencies in a directory somewhere and build from that. Would that be an option here, David? Cheers, Dave From abartlet at samba.org Tue Aug 13 21:36:56 2024 From: abartlet at samba.org (Andrew Bartlett) Date: Wed, 14 Aug 2024 09:36:56 +1200 Subject: CI can't reach internet to fetch rust packages In-Reply-To: <20240813012257.4efbe77b.ddiss@samba.org> References: <37323893-503b-455c-beb6-fede11a44eb9@samba.org> <0ef42b0d9fda725ae617220b19abdfbcc416ee55.camel@samba.org> <20240813012257.4efbe77b.ddiss@samba.org> Message-ID: <152c8c281bbc91a0a2eb6152c107be055bc553d2.camel@samba.org> On Tue, 2024-08-13 at 01:22 +0000, David Disseldorp via samba-technical wrote: > On Tue, 13 Aug 2024 09:37:59 +1200, Andrew Bartlett via samba- > technical wrote: > ... > > If you want access to the real internet, remove the socket wrapper > > environment variables or otherwise disable it. > > But also, don't do that. > > Indeed. > > > At least in the past, the autobuild host does > > not permit outbound access, so you will need to work with the > > sysadmins. > > The preferred pattern from our C model of software development is > > to > > encode dependencies at image generation time, and manually install > > on > > the autobuild host. > > "cargo vendor" should allow you to dump your (hopefully audited and > trusted) dependencies in a directory somewhere and build from that. > Would that be an option here, David? This is also critical for reproducing historical builds and providing long term support. The upstream URLs make break. This is why we keep all the old GitLab CI container images around from the bootstrap system, while they should be able to be rebuilt, we have had issues as you might expect. (I would love it if someone would implement a backup system for those BTW). Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead https://catalyst.net.nz/services/samba Catalyst.Net Ltd Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company Samba Development and Support: https://catalyst.net.nz/services/samba Catalyst IT - Expert Open Source Solutions From janger at samba.org Thu Aug 15 12:18:12 2024 From: janger at samba.org (Jule Anger) Date: Thu, 15 Aug 2024 14:18:12 +0200 Subject: [Announce] Samba 4.19.8 Available for Download Message-ID: <2ef02462-ce30-4236-a530-653afc107b38@samba.org> Release Announcements --------------------- This is the latest stable release of the Samba 4.19 release series. Changes since 4.19.7 -------------------- o? Douglas Bagnall ?? * BUG 15671: Invalid client warning about command line passwords. ?? * BUG 15672: Version string is truncated in manpages. ?? * BUG 15673: --version-* options are still not ergonomic, and they reject ???? tilde characters. ?? * BUG 15674: cmdline_burn does not always burn secrets. ?? * BUG 15685: Samba doesn't parse SDDL found in defaultSecurityDescriptor in ???? AD_DS_Classes_Windows_Server_v1903.ldf. o? Andrew Bartlett ?? * BUG 15654: We have added new options --vendor-name and --vendor-patch- ???? revision arguments to ./configure to allow distributions and packagers to ???? put their name in the Samba version string so that when debugging Samba the ???? source of the binary is obvious. ?? * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a ???? Windows computer when user account need to change their own ???? password. o? Ralph Boehme ?? * BUG 15676: Fix clock skew error message and memory cache clock skew ???? recovery. o? G?nther Deschner ?? * BUG 15665: CTDB RADOS mutex helper misses namespace support. o? Pavel Filipensk? ?? * BUG 15660: The images don't build after the git security release and CentOS ???? 8 Stream is EOL. o? Xavi Hernandez ?? * BUG 15678: Fix unnecessary delays in CTDB while processing requests under ???? high load. o? Stefan Metzmacher ?? * BUG 13019: Dynamic DNS updates with the internal DNS are not working. ?? * BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd ???? can't use nmb requests instead cldap. ?? * BUG 15660: The images don't build after the git security release and CentOS ???? 8 Stream is EOL. ?? * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp(). ?? * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the ???? machine account. o? Noel Power ?? * BUG 15435: Regression DFS not working with widelinks = true. o? Andreas Schneider ?? * BUG 15660: The images don't build after the git security release and CentOS ???? 8 Stream is EOL. ?? * BUG 15673: --version-* options are still not ergonomic, and they reject ???? tilde characters. o? Jo Sutton ?? * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a ???? Windows computer when user account need to change their own ???? password. o? Joseph Sutton ?? * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a ???? Windows computer when user account need to change their own ???? password. o? Jones Syue ?? * BUG 15677: ntlm_auth make logs more consistent with length check. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.? All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ================ Download Details ================ The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).? The source code can be downloaded from: ??????? https://download.samba.org/pub/samba/stable/ The release notes are available online at: ??????? https://www.samba.org/samba/history/samba-4.19.8.html Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) ??????????????????????? --Enjoy ??????????????????????? The Samba Team From janger at samba.org Tue Aug 20 11:33:23 2024 From: janger at samba.org (Jule Anger) Date: Tue, 20 Aug 2024 13:33:23 +0200 Subject: [Announce] Samba 4.21.0rc3 Available for Download Message-ID: <10d751cc-c6f8-4af9-8d88-017e3ed5a824@samba.org> Release Announcements ===================== This is the third release candidate of Samba 4.21.? This is *not* intended for production environments and is designed for testing purposes only.? Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. Samba 4.21 will be the next version of the Samba suite. UPGRADING ========= Hardening of "valid users", "invalid users", "read list" and "write list" ------------------------------------------------------------------------- In previous versions of Samba, if a user or group name in either of the mentioned options could not be resolved to a valid SID, the user (or group) would be skipped without any notification. This could result in unexpected and insecure behaviour. Starting with this version of Samba, if any user or group name in any of the options cannot be resolved due to a communication error with a domain controller, Samba will log an error and the tree connect will fail. Non existing users (or groups) are ignored. LDAP TLS/SASL channel binding support ------------------------------------- The ldap server supports SASL binds with kerberos or NTLMSSP over TLS connections now (either ldaps or starttls). Setups where 'ldap server require strong auth = allow_sasl_over_tls' was required before, can now most likely move to the default of 'ldap server require strong auth = yes'. If SASL binds without correct tls channel bindings are required 'ldap server require strong auth = allow_sasl_without_tls_channel_bindings' should be used now, as 'allow_sasl_over_tls' will generate a warning in every start of 'samba', as well as '[samba-tool ]testparm'. This is similar to LdapEnforceChannelBinding under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Windows. All client tools using ldaps also include the correct channel bindings now. NEW FEATURES/CHANGES ==================== LDB no longer a standalone tarball ---------------------------------- LDB, Samba's LDAP-like local database and the power behind the Samba AD DC, is no longer available to build as a distinct tarball, but is instead provided as an optional public library. If you need ldb as a public library, say to build sssd, then use ?./configure --private-libraries='!ldb' This re-integration allows LDB tests to use the Samba's full selftest system, including our knownfail infrastructure, and decreases the work required during security releases as a coordinated release of the ldb tarball is not also required. This approach has been demonstrated already in Debian, which is already building Samba and LDB is this way. As part of this work, the pyldb-util public library, not known to be used by any other software, is made private to Samba. LDB Module API Python bindings removed -------------------------------------- The LDB Modules API, which we do not promise a stable ABI or API for, was wrapped in python in early LDB development.? However that wrapping never took into account later changes, and so has not worked for a number of years.? Samba 4.21 and LDB 2.10 removes this unused and broken feature. Some Samba public libraries made private by default --------------------------------------------------- The following Samba C libraries are currently made public due to their use by OpenChange or for historical reasons that are no longer clear. ?dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig, ?samba-credentials, dcerpc_server, samdb The libraries used by the OpenChange client now private, but can be made public (like ldb above) with: ?./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb' The C libraries without any known user or used only for the OpenChange server (a dead project) may be made private entirely in a future Samba version. If you use a Samba library in this list, please be in touch with the samba-technical mailing list. Using ldaps from 'winbindd' and 'net ads' ----------------------------------------- Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also impacted LDAP connections to active directory domain controllers. Using the STARTTLS operation on LDAP port 389 connections. Starting with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in order let to 'ldap ssl = start tls' have any effect on those connections. 'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together with the whole functionality in Samba 4.14.0, because it didn't support tls channel bindings required for the sasl authentication. The functionality is now re-added using the correct channel bindings based on the gnutls based tls implementation we already have, instead of using the tls layer provided by openldap. This makes it available and consistent with all LDAP client libraries we use and implement on our own. The 'client ldap sasl wrapping' option gained the two new possible values: 'starttls' (using STARTTLS on tcp port 389) and 'ldaps' (using TLS directly on tcp port 636). If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes' before, you can now use 'client ldap sasl wrapping = starttls' in order to get STARTTLS on tcp port 389. As we no longer use the openldap tls layer it is required to configure the correct certificate trusts with at least one of the following options: 'tls trust system cas', 'tls ca directories' or 'tls cafile'. While 'tls verify peer' and 'tls crlfile' are also relevant, see 'man smb.conf' for further details. New DNS hostname config option ------------------------------ To get `net ads dns register` working correctly running manually or during a domain join a special entry in /etc/hosts was required. This not really documented and thus the DNS registration mostly didn't work. With the new option the default is [netbios name].[realm] which should be correct in the majority of use cases. We will also use the value to create service principal names during a Kerberos authentication and DNS functions. This is not supported in samba-tool yet. Samba AD will rotate expired passwords on smartcard-required accounts --------------------------------------------------------------------- Traditionally in AD, accounts set to be "smart card require for logon" will have a password for NTLM fallback and local profile encryption (Windows DPAPI). This password previously would not expire. Matching Windows behaviour, when the DC in a FL 2016 domain and the msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain root is set to TRUE, Samba will now expire these passwords and rotate them shortly before they expire. Note that the password expiry time must be set to twice the TGT lifetime for smooth operation, e.g. daily expiry given a default 10 hour TGT lifetime, as the password is only rotated in the second half of its life.? Again, this matches the Windows behaviour. Provided the default 2016 schema is used, new Samba domains provisioned with Samba 4.21 will have this enabled once the domain functional level is set to 2016. NOTE: Domains upgraded from older Samba versions will not have this set, even after the functional level preparation, matching the behaviour of upgraded Windows AD domains. Per-user and group "veto files" and "hide files" ------------------------------------------------ "veto files" and "hide files" can optionally be restricted to certain users and groups. To apply a veto or hide directive to a filename for a specific user or group, a parametric option like this can be used: ?hide files : USERNAME = /somefile.txt/ ?veto files : GROUPNAME = /otherfile.txt/ For details consult the updated smb.conf manpage. Automatic keytab update after machine password change ----------------------------------------------------- When machine account password is updated, either by winbind doing regular updates or manually (e.g. net ads changetrustpw), now winbind will also support update of keytab entries in case you use newly added option 'sync machine password to keytab'. The new parameter allows you to describe what keytabs and how should be updated. From smb.conf(5) manpage - each keytab can have exactly one of these four forms: ?????????????? account_name ?????????????? sync_spns ?????????????? spn_prefixes=value1[,value2[...]] ?????????????? spns=value1[,value2[...]] The functionaity provided by the removed commands "net ads keytab add/delete/add_update_ads" can be achieved via the 'sync machine password to keytab' as in these examples: "net ads keytab add? wurst/brot at REALM" - this command is not adding to AD, so the best fit can be specifier ? "spns" - add to smb.conf: ? sync machine password to keytab = /path/to/keytab1:spns=wurst/brot at REALM:machine_password - run: ? "net ads keytab create" "net ads keytab delete wurst/brot at REALM" - remove the principal (or the whole keytab line if there was just one) - run: ? "net ads keytab create" "net ads keytab add_update_ads wurst/brot at REALM" - this command was adding the principal to AD, so for this case use a keytab ? with specifier sync_spns - add to smb.conf: ? sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password - run: ? "net ads setspn add? wurst/brot at REALM"? # this adds the principal to AD ? "net ads keytab create"? # this sync it from AD to local keytab A new parameter 'sync machine password script' allows to specify external script that will be triggered after the automatic keytab update. If keytabs should be generated in clustered environments it is recommended to update them on all nodes.? Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and 46.update-keytabs.script in section 'sync machine password script' for details. For detailed information check the smb.conf(5) and net(8) manpages. New cephfs VFS module --------------------- Introduce new vfs-to-cephfs bridge which uses libcephfs low-level APIs (instead of path-based operations in the existing module). It allows users to pass explicit user-credentials per call (including supplementary groups), as well as faster operations using inode and file-handle caching on the Samba side. Configuration is identical to existing module, but using 'ceph_new' instead of 'ceph' for the relevant smb.conf entries. This new module is expected to deprecate and replace the old one in next major release. REMOVED FEATURES ================ Following commands are removed: net ads keytab add net ads keytab delete net ads keytab add_update_ads smb.conf changes ================ ? Parameter Name????????????????????????? Description???? Default ? --------------????????????????????????? -----------???? ------- ? client ldap sasl wrapping?????????????? new values ? client use spnego principal???????????? removed ? ldap server require strong auth???????? new values ? tls trust system cas??????????????????? new ? tls ca directories????????????????????? new ? dns hostname??????????????????????????? client dns name [netbios name].[realm] ? valid users???????????????????????????? Hardening ? invalid users?????????????????????????? Hardening ? read list?????????????????????????????? Hardening ? write list????????????????????????????? Hardening ? veto files????????????????????????????? Added per-user and per-group vetos ? hide files????????????????????????????? Added per-user and per-group hides ? sync machine password to keytab???????? keytabs ? sync machine password script??????????? script CHANGES SINCE 4.21.0rc2 ======================= o? Pavel Filipensk? ?? * BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc. o? Stefan Metzmacher ?? * BUG 15696: Compound SMB2 requests don't return ???? NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses ???? MacOSX clients. o? Anoop C S ?? * BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc. CHANGES SINCE 4.21.0rc1 ======================= o? Andreas Schneider ?? * BUG 15673: --version-* options are still not ergonomic, and they reject ???? tilde characters. o? Anoop C S ?? * BUG 15686: Add new vfs_ceph module (based on low level API) o? Douglas Bagnall ?? * BUG 15673: --version-* options are still not ergonomic, and they reject ???? tilde characters. o? Jo Sutton ?? * BUG 15690: ldb_version.h is missing from ldb public library o? Pavel Filipensk? ?? * BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc o? Shachar Sharon ?? * BUG 15686: Add new vfs_ceph module (based on low level API) o? Stefan Metzmacher ?? * BUG 15673: --version-* options are still not ergonomic, and they reject ???? tilde characters. ?? * BUG 15687: undefined reference to winbind_lookup_name_ex ?? * BUG 15688: per user veto and hide file syntax is to complex ?? * BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc o? Volker Lendecke ?? * BUG 15688: per user veto and hide file syntax is to complex KNOWN ISSUES ============ https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.? All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ================ Download Details ================ The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).? The source code can be downloaded from: ??????? https://download.samba.org/pub/samba/rc/ The release notes are available online at: https://download.samba.org/pub/samba/rc/samba-4.21.0rc3.WHATSNEW.txt Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) ??????????????????????? --Enjoy ??????????????????????? The Samba Team From janger at samba.org Tue Aug 20 11:34:04 2024 From: janger at samba.org (Jule Anger) Date: Tue, 20 Aug 2024 13:34:04 +0200 Subject: [Release Planning 4.21] Samba 4.21.0rc4 Message-ID: Hi, Samba 4.21.0rc4 is scheduled for Tuesday, August 27 2024. https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21 has been updated accordingly. Jule -- Jule Anger Release Manager Samba Team samba.org SerNet Samba Team sernet.de From smfrench at gmail.com Wed Aug 21 15:57:45 2024 From: smfrench at gmail.com (Steve French) Date: Wed, 21 Aug 2024 10:57:45 -0500 Subject: Samba server multichannel session setup regression? Message-ID: Mounting multichannel from Linux to Samba server on localhost (even current master Version 4.22.0pre1-GIT-8edb1fd13c1 but I also see it failing on Samba 4.21 - but it works fine on Samba 4.19.5 and has worked for years) I see many repeated: [ 1936.825332] CIFS: Status code returned 0xc000000d STATUS_INVALID_PARAMETER [ 1936.825344] CIFS: VFS: \\ Send error in SessSetup = -22 [ 1936.825353] CIFS: VFS: failed to open extra channel on iface:0000:0000:0000:0000:0000:0000:0000:0001 rc=-22 trying to setup additional channels. Any ideas what changed? -- Thanks, Steve From slow at samba.org Wed Aug 21 16:11:42 2024 From: slow at samba.org (Ralph Boehme) Date: Wed, 21 Aug 2024 18:11:42 +0200 Subject: Samba server multichannel session setup regression? In-Reply-To: References: Message-ID: Hi Steve, On 8/21/24 5:57 PM, Steve French wrote: > trying to setup additional channels. Any ideas what changed? can you show us a network trace please? Thanks! -slow -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: From smfrench at gmail.com Wed Aug 21 17:35:40 2024 From: smfrench at gmail.com (Steve French) Date: Wed, 21 Aug 2024 12:35:40 -0500 Subject: Samba server multichannel session setup regression? In-Reply-To: References: Message-ID: Ugh - I can't reproduce it now. I added an additional test user (smbpasswd -a) and cleaned up a few comments in the smb.conf file and interfaces line and it works now. My best theory is that it was triggered due to minor difference in the interfaces line of the newer smb.conf If and when I can reproduce it again, will send you a trace, but when I had looked at it before there wasn't anything obvious in the session setup on the additional channels that wireshark decoder flaagged. On Wed, Aug 21, 2024 at 11:11?AM Ralph Boehme wrote: > > Hi Steve, > > On 8/21/24 5:57 PM, Steve French wrote: > > trying to setup additional channels. Any ideas what changed? > can you show us a network trace please? > > Thanks! > -slow -- Thanks, Steve From jra at samba.org Thu Aug 22 20:01:50 2024 From: jra at samba.org (Jeremy Allison) Date: Thu, 22 Aug 2024 13:01:50 -0700 Subject: Helping to improve FreeBSD support In-Reply-To: References: Message-ID: On Wed, Jul 17, 2024 at 08:54:20PM -0700, John Hixson via samba-technical wrote: >Howdy! > >Would Samba be interested in better FreeBSD support? I am reaching out >on behalf of the FreeBSD Foundation. We would like to help improve >support in whatever way we can. What needs to happen? > >For starters, I would like to help get as many of our port patches >upstreamed as possible. I would also be interested in helping out in >areas that are specific to FreeBSD. It would also be nice to have some >CI setup. > >Interested? Where to go from here? Very interested. Please send the port patches upstream ! From dhowells at redhat.com Thu Aug 22 22:26:00 2024 From: dhowells at redhat.com (David Howells) Date: Thu, 22 Aug 2024 23:26:00 +0100 Subject: Bug in Samba's implementation of FSCTL_QUERY_ALLOCATED_RANGES? In-Reply-To: References: <20240522185305.69e04dab@echidna> <349671.1716335639@warthog.procyon.org.uk> <370800.1716374185@warthog.procyon.org.uk> <20240523145420.5bf49110@echidna> <476489.1716445261@warthog.procyon.org.uk> <477167.1716446208@warthog.procyon.org.uk> <6ea739f6-640a-4f13-a9a9-d41538be9111@talpey.com> Message-ID: <319947.1724365560@warthog.procyon.org.uk> Hi Jeremy, > Bug is in fsctl_qar(): > > ndr_ret = ndr_push_struct_blob(out_output, mem_ctx, &qar_rsp, > (ndr_push_flags_fn_t)ndr_push_fsctl_query_alloced_ranges_rsp); > if (ndr_ret != NDR_ERR_SUCCESS) { > DEBUG(0, ("failed to marshall QAR rsp\n")); > return NT_STATUS_INVALID_PARAMETER; > } > > if (out_output->length > in_max_output) { > DEBUG(2, ("QAR output len %lu exceeds max %lu\n", > (unsigned long)out_output->length, > (unsigned long)in_max_output)); > data_blob_free(out_output); > return NT_STATUS_BUFFER_TOO_SMALL; > } > > I'm guessing in this case we need to just truncate out_output->length > to in_max_output and return STATUS_BUFFER_OVERFLOW. Do you perchance have a fix for this? I'm seeing it cause failures in xfstests when running against cifs connected to samba. Thanks, David From ddiss at samba.org Fri Aug 23 13:20:52 2024 From: ddiss at samba.org (David Disseldorp) Date: Fri, 23 Aug 2024 13:20:52 +0000 Subject: Bug in Samba's implementation of FSCTL_QUERY_ALLOCATED_RANGES? In-Reply-To: <319947.1724365560@warthog.procyon.org.uk> References: <20240522185305.69e04dab@echidna> <349671.1716335639@warthog.procyon.org.uk> <370800.1716374185@warthog.procyon.org.uk> <20240523145420.5bf49110@echidna> <476489.1716445261@warthog.procyon.org.uk> <477167.1716446208@warthog.procyon.org.uk> <6ea739f6-640a-4f13-a9a9-d41538be9111@talpey.com> <319947.1724365560@warthog.procyon.org.uk> Message-ID: <20240823132052.3f591f2f.ddiss@samba.org> Thanks for the follow up ping... On Thu, 22 Aug 2024 23:26:00 +0100, David Howells wrote: > > if (out_output->length > in_max_output) { > > DEBUG(2, ("QAR output len %lu exceeds max %lu\n", > > (unsigned long)out_output->length, > > (unsigned long)in_max_output)); > > data_blob_free(out_output); > > return NT_STATUS_BUFFER_TOO_SMALL; > > } > > > > I'm guessing in this case we need to just truncate out_output->length > > to in_max_output and return STATUS_BUFFER_OVERFLOW. > > Do you perchance have a fix for this? I'm seeing it cause failures in > xfstests when running against cifs connected to samba. I've proposed a fix via https://gitlab.com/samba-team/samba/-/merge_requests/3775 If you want to try it yourself... The following changes since commit b0996ed589a931902a304237d6c03efce2b16f6b: s3:tests: Fix spelling error (2024-08-22 10:38:09 +0000) are available in the Git repository at: https://gitlab.com/ddiss/samba.git qar_rsp_truncation for you to fetch changes up to 3c034c4d177ea2367b3131f813381d91c98ab7e1: s4:torture/smb2: test FSCTL_QUERY_ALLOCATED_RANGES truncation (2024-08-23 13:06:04 +0000) ---------------------------------------------------------------- David Disseldorp (2): smb2_ioctl: truncate FSCTL_QUERY_ALLOCATED_RANGES responses s4:torture/smb2: test FSCTL_QUERY_ALLOCATED_RANGES truncation source3/smbd/smb2_ioctl.c | 4 +- source3/smbd/smb2_ioctl_filesys.c | 54 ++++++++------ source4/libcli/smb2/ioctl.c | 3 +- source4/torture/smb2/ioctl.c | 150 +++++++++++++++++++++++++++++++++++++- 4 files changed, 187 insertions(+), 24 deletions(-) From dhowells at redhat.com Fri Aug 23 16:19:06 2024 From: dhowells at redhat.com (David Howells) Date: Fri, 23 Aug 2024 17:19:06 +0100 Subject: Samba llseek bug In-Reply-To: <20240823161209.434705-1-dhowells@redhat.com> References: <20240823161209.434705-1-dhowells@redhat.com> Message-ID: <434992.1724429946@warthog.procyon.org.uk> Note that whilst testing my cifs fixes with the generic/075 and generic/112 xfstests, the tests occasionally hit a bug in Samba whereby llseek() fails because there are too many extents in the server file for the server to report. I've noted this before: https://lore.kernel.org/linux-cifs/349671.1716335639 at warthog.procyon.org.uk/ is there a fix for this I can try? David From orion at et.byu.edu Mon Aug 26 21:40:18 2024 From: orion at et.byu.edu (Orion) Date: Mon, 26 Aug 2024 15:40:18 -0600 Subject: become_root() Necessary for Group Quota in quotas.c? In-Reply-To: References: <65ad7c9a-38a3-4224-b40e-b7c991c8e0b2@et.byu.edu> <47bef7c7-50c7-4185-8268-89c0f5664703@et.byu.edu> Message-ID: <71f45191-4cc4-4d8c-ac8f-520c10739169@et.byu.edu> On 8/12/24 17:41, Christof Schmitt via samba-technical wrote: > On Fri, Aug 09, 2024 at 03:00:48PM -0600, Orion via samba-technical wrote: >> Here is my proposed patch of the file source3/smbd/quotas.c to fix the issue >> I outlined previously: >> >> @@ -458,10 +458,8 @@ try_group_quota: >> S_ISDIR(fname->st.st_ex_mode) && >> fname->st.st_ex_mode & S_ISGID) { >> id.gid = fname->st.st_ex_gid; >> - become_root(); >> r = SMB_VFS_GET_QUOTA(conn, fname, SMB_GROUP_QUOTA_TYPE, id, >> &D); >> - unbecome_root(); >> } else { >> id.gid = getegid(); >> r = SMB_VFS_GET_QUOTA(conn, fname, SMB_GROUP_QUOTA_TYPE, id, >> >> Any comments would be appreciated. >> >> On 8/1/24 17:06, Orion wrote: >>> We have a situation in which the root user does not have access to the >>> files contained in a directory with SGID set. When a user navigates to >>> this directory and Samba attempts to request the quota for the >>> directory, it fails when the code later attempts to do a stat on the >>> file because of lack of permissions. > This sounds confusing. Why would the root not have access to the > directory? The server is making the request over NFS and root squashing is enabled on the machine which causes the permission issue. >>> In the file samba/source3/smbd/quotas.c if the SGID bit is set, the code >>> changes the effective GID to the GID of the folder, uses become_root() >>> to change to root, and then requests the quota. However, if the SGID bit >>> is not set, quotas.c requests the quota without using the become_root() >>> function. The question I have is, why when the SGID bit is set does it >>> change to root before requesting the quota? >>> >>> Can we remove the become_root() function call for this instance and >>> request the quota as the GID of the folder? >>> >>> I tested removing the become_root() and unbecome_root() function calls, >>> and for our particular setup, it works perfectly. However, I am curious >>> if there is some other setup that may have issues if this bit is >>> removed. > Orion, > > while i worked on this a while ago, i do not recall the details of this > change. Looking at the overall picture this could result in a scenario > of one user querying quota for a completely different group, not the > user's primary or secondary group. Is it guaranteed that any user can > always query any group quota? If so, your change is valid. If not, we > could look into first issuing the GET_QUOTA call without root > privileges, and repeat it when permission is denied (EPERM?) as root. > > Regards, > > Christof > Thanks for the response! I do not believe that it is necessary for the quota to be requested as root because this will allow any user to get the quota of any group whether or not they have permission to do so. For example, Linux quota-tools does not allow users to request quota for groups that they do not have access to. Instead it returns a permission denied error. FreeBSD (and presumably the other BSDs) also follow this pattern: "Non-super-users can use the -g flag and optional group argument to view only the limits of groups of which they are members." - man.freebsd.org/cgi/man.cgi?query=quota Since the systems should not make a call for a quota outside of which they have permissions, I believe we can move forward with just removing the become_root() and unbecome_root() parts. From janger at samba.org Tue Aug 27 13:23:59 2024 From: janger at samba.org (Jule Anger) Date: Tue, 27 Aug 2024 15:23:59 +0200 Subject: [Announce] Samba 4.21.0rc4 Available for Download Message-ID: <19eeb440-1716-498b-82d1-b6df8bf724b6@samba.org> Release Announcements ===================== This is the fourth release candidate of Samba 4.21.? This is *not* intended for production environments and is designed for testing purposes only.? Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. Samba 4.21 will be the next version of the Samba suite. UPGRADING ========= Hardening of "valid users", "invalid users", "read list" and "write list" ------------------------------------------------------------------------- In previous versions of Samba, if a user or group name in either of the mentioned options could not be resolved to a valid SID, the user (or group) would be skipped without any notification. This could result in unexpected and insecure behaviour. Starting with this version of Samba, if any user or group name in any of the options cannot be resolved due to a communication error with a domain controller, Samba will log an error and the tree connect will fail. Non existing users (or groups) are ignored. LDAP TLS/SASL channel binding support ------------------------------------- The ldap server supports SASL binds with kerberos or NTLMSSP over TLS connections now (either ldaps or starttls). Setups where 'ldap server require strong auth = allow_sasl_over_tls' was required before, can now most likely move to the default of 'ldap server require strong auth = yes'. If SASL binds without correct tls channel bindings are required 'ldap server require strong auth = allow_sasl_without_tls_channel_bindings' should be used now, as 'allow_sasl_over_tls' will generate a warning in every start of 'samba', as well as '[samba-tool ]testparm'. This is similar to LdapEnforceChannelBinding under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Windows. All client tools using ldaps also include the correct channel bindings now. NEW FEATURES/CHANGES ==================== LDB no longer a standalone tarball ---------------------------------- LDB, Samba's LDAP-like local database and the power behind the Samba AD DC, is no longer available to build as a distinct tarball, but is instead provided as an optional public library. If you need ldb as a public library, say to build sssd, then use ?./configure --private-libraries='!ldb' This re-integration allows LDB tests to use the Samba's full selftest system, including our knownfail infrastructure, and decreases the work required during security releases as a coordinated release of the ldb tarball is not also required. This approach has been demonstrated already in Debian, which is already building Samba and LDB is this way. As part of this work, the pyldb-util public library, not known to be used by any other software, is made private to Samba. LDB Module API Python bindings removed -------------------------------------- The LDB Modules API, which we do not promise a stable ABI or API for, was wrapped in python in early LDB development.? However that wrapping never took into account later changes, and so has not worked for a number of years.? Samba 4.21 and LDB 2.10 removes this unused and broken feature. Some Samba public libraries made private by default --------------------------------------------------- The following Samba C libraries are currently made public due to their use by OpenChange or for historical reasons that are no longer clear. ?dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig, ?samba-credentials, dcerpc_server, samdb The libraries used by the OpenChange client now private, but can be made public (like ldb above) with: ?./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb' The C libraries without any known user or used only for the OpenChange server (a dead project) may be made private entirely in a future Samba version. If you use a Samba library in this list, please be in touch with the samba-technical mailing list. Using ldaps from 'winbindd' and 'net ads' ----------------------------------------- Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also impacted LDAP connections to active directory domain controllers. Using the STARTTLS operation on LDAP port 389 connections. Starting with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in order let to 'ldap ssl = start tls' have any effect on those connections. 'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together with the whole functionality in Samba 4.14.0, because it didn't support tls channel bindings required for the sasl authentication. The functionality is now re-added using the correct channel bindings based on the gnutls based tls implementation we already have, instead of using the tls layer provided by openldap. This makes it available and consistent with all LDAP client libraries we use and implement on our own. The 'client ldap sasl wrapping' option gained the two new possible values: 'starttls' (using STARTTLS on tcp port 389) and 'ldaps' (using TLS directly on tcp port 636). If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes' before, you can now use 'client ldap sasl wrapping = starttls' in order to get STARTTLS on tcp port 389. As we no longer use the openldap tls layer it is required to configure the correct certificate trusts with at least one of the following options: 'tls trust system cas', 'tls ca directories' or 'tls cafile'. While 'tls verify peer' and 'tls crlfile' are also relevant, see 'man smb.conf' for further details. New DNS hostname config option ------------------------------ To get `net ads dns register` working correctly running manually or during a domain join a special entry in /etc/hosts was required. This not really documented and thus the DNS registration mostly didn't work. With the new option the default is [netbios name].[realm] which should be correct in the majority of use cases. We will also use the value to create service principal names during a Kerberos authentication and DNS functions. This is not supported in samba-tool yet. Samba AD will rotate expired passwords on smartcard-required accounts --------------------------------------------------------------------- Traditionally in AD, accounts set to be "smart card require for logon" will have a password for NTLM fallback and local profile encryption (Windows DPAPI). This password previously would not expire. Matching Windows behaviour, when the DC in a FL 2016 domain and the msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain root is set to TRUE, Samba will now expire these passwords and rotate them shortly before they expire. Note that the password expiry time must be set to twice the TGT lifetime for smooth operation, e.g. daily expiry given a default 10 hour TGT lifetime, as the password is only rotated in the second half of its life.? Again, this matches the Windows behaviour. Provided the default 2016 schema is used, new Samba domains provisioned with Samba 4.21 will have this enabled once the domain functional level is set to 2016. NOTE: Domains upgraded from older Samba versions will not have this set, even after the functional level preparation, matching the behaviour of upgraded Windows AD domains. Per-user and group "veto files" and "hide files" ------------------------------------------------ "veto files" and "hide files" can optionally be restricted to certain users and groups. To apply a veto or hide directive to a filename for a specific user or group, a parametric option like this can be used: ?hide files : USERNAME = /somefile.txt/ ?veto files : GROUPNAME = /otherfile.txt/ For details consult the updated smb.conf manpage. Automatic keytab update after machine password change ----------------------------------------------------- When machine account password is updated, either by winbind doing regular updates or manually (e.g. net ads changetrustpw), now winbind will also support update of keytab entries in case you use newly added option 'sync machine password to keytab'. The new parameter allows you to describe what keytabs and how should be updated. From smb.conf(5) manpage - each keytab can have exactly one of these four forms: ?????????????? account_name ?????????????? sync_spns ?????????????? spn_prefixes=value1[,value2[...]] ?????????????? spns=value1[,value2[...]] The functionaity provided by the removed commands "net ads keytab add/delete/add_update_ads" can be achieved via the 'sync machine password to keytab' as in these examples: "net ads keytab add? wurst/brot at REALM" - this command is not adding to AD, so the best fit can be specifier ? "spns" - add to smb.conf: ? sync machine password to keytab = /path/to/keytab1:spns=wurst/brot at REALM:machine_password - run: ? "net ads keytab create" "net ads keytab delete wurst/brot at REALM" - remove the principal (or the whole keytab line if there was just one) - run: ? "net ads keytab create" "net ads keytab add_update_ads wurst/brot at REALM" - this command was adding the principal to AD, so for this case use a keytab ? with specifier sync_spns - add to smb.conf: ? sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password - run: ? "net ads setspn add? wurst/brot at REALM"? # this adds the principal to AD ? "net ads keytab create"? # this sync it from AD to local keytab A new parameter 'sync machine password script' allows to specify external script that will be triggered after the automatic keytab update. If keytabs should be generated in clustered environments it is recommended to update them on all nodes.? Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and 46.update-keytabs.script in section 'sync machine password script' for details. For detailed information check the smb.conf(5) and net(8) manpages. New cephfs VFS module --------------------- Introduce new vfs-to-cephfs bridge which uses libcephfs low-level APIs (instead of path-based operations in the existing module). It allows users to pass explicit user-credentials per call (including supplementary groups), as well as faster operations using inode and file-handle caching on the Samba side. Configuration is identical to existing module, but using 'ceph_new' instead of 'ceph' for the relevant smb.conf entries. This new module is expected to deprecate and replace the old one in next major release. REMOVED FEATURES ================ Following commands are removed: net ads keytab add net ads keytab delete net ads keytab add_update_ads smb.conf changes ================ ? Parameter Name????????????????????????? Description???? Default ? --------------????????????????????????? -----------???? ------- ? client ldap sasl wrapping?????????????? new values ? client use spnego principal???????????? removed ? ldap server require strong auth???????? new values ? tls trust system cas??????????????????? new ? tls ca directories????????????????????? new ? dns hostname??????????????????????????? client dns name [netbios name].[realm] ? valid users???????????????????????????? Hardening ? invalid users?????????????????????????? Hardening ? read list?????????????????????????????? Hardening ? write list????????????????????????????? Hardening ? veto files????????????????????????????? Added per-user and per-group vetos ? hide files????????????????????????????? Added per-user and per-group hides ? sync machine password to keytab???????? keytabs ? sync machine password script??????????? script CHANGES SINCE 4.21.0rc3 ======================= o? Pavel Filipensk? ?? * BUG 15698: samba-tool can not load the default configuration file. o? Shachar Sharon ?? * BUG 15700: Crash when readlinkat fails. CHANGES SINCE 4.21.0rc2 ======================= o? Pavel Filipensk? ?? * BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc. o? Stefan Metzmacher ?? * BUG 15696: Compound SMB2 requests don't return ???? NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses ???? MacOSX clients. o? Anoop C S ?? * BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc. CHANGES SINCE 4.21.0rc1 ======================= o? Andreas Schneider ?? * BUG 15673: --version-* options are still not ergonomic, and they reject ???? tilde characters. o? Anoop C S ?? * BUG 15686: Add new vfs_ceph module (based on low level API) o? Douglas Bagnall ?? * BUG 15673: --version-* options are still not ergonomic, and they reject ???? tilde characters. o? Jo Sutton ?? * BUG 15690: ldb_version.h is missing from ldb public library o? Pavel Filipensk? ?? * BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc o? Shachar Sharon ?? * BUG 15686: Add new vfs_ceph module (based on low level API) o? Stefan Metzmacher ?? * BUG 15673: --version-* options are still not ergonomic, and they reject ???? tilde characters. ?? * BUG 15687: undefined reference to winbind_lookup_name_ex ?? * BUG 15688: per user veto and hide file syntax is to complex ?? * BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc o? Volker Lendecke ?? * BUG 15688: per user veto and hide file syntax is to complex KNOWN ISSUES ============ https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.? All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ================ Download Details ================ The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).? The source code can be downloaded from: ??????? https://download.samba.org/pub/samba/rc/ The release notes are available online at: https://download.samba.org/pub/samba/rc/samba-4.21.0rc4.WHATSNEW.txt Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) ??????????????????????? --Enjoy ??????????????????????? The Samba Team From janger at samba.org Tue Aug 27 13:27:00 2024 From: janger at samba.org (Jule Anger) Date: Tue, 27 Aug 2024 15:27:00 +0200 Subject: [Release Planning 4.21] Samba 4.21.0 Message-ID: <2c05c429-acc3-4063-8874-11a27a1fe27d@samba.org> Hi, Samba 4.21.0 is scheduled for Monday, September 2 2024. https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21 has been updated accordingly. Jule -- Jule Anger Release Manager Samba Team samba.org SerNet Samba Team sernet.de From dhowells at redhat.com Wed Aug 28 10:25:40 2024 From: dhowells at redhat.com (David Howells) Date: Wed, 28 Aug 2024 11:25:40 +0100 Subject: Bug in Samba's implementation of FSCTL_QUERY_ALLOCATED_RANGES? In-Reply-To: <20240823132052.3f591f2f.ddiss@samba.org> References: <20240823132052.3f591f2f.ddiss@samba.org> <20240522185305.69e04dab@echidna> <349671.1716335639@warthog.procyon.org.uk> <370800.1716374185@warthog.procyon.org.uk> <20240523145420.5bf49110@echidna> <476489.1716445261@warthog.procyon.org.uk> <477167.1716446208@warthog.procyon.org.uk> <6ea739f6-640a-4f13-a9a9-d41538be9111@talpey.com> <319947.1724365560@warthog.procyon.org.uk> Message-ID: <951877.1724840740@warthog.procyon.org.uk> Hi David, I tried to apply the patch to the Fedora samba rpm, but I get: mold: error: undefined symbol: torture_assert_size_equal >>> referenced by >>> /tmp/ccVA4FUD.ltrans35.ltrans.o:(test_ioctl_sparse_qar_truncated.lto_priv.0) >>> referenced by >>> /tmp/ccVA4FUD.ltrans35.ltrans.o:(test_ioctl_sparse_qar_truncated.lto_priv.0) >>> referenced by >>> /tmp/ccVA4FUD.ltrans35.ltrans.o:(test_ioctl_sparse_qar_truncated.lto_priv.0) collect2: error: ld returned 1 exit status Do I actually need the torture test patch? David From ddiss at samba.org Wed Aug 28 10:55:36 2024 From: ddiss at samba.org (David Disseldorp) Date: Wed, 28 Aug 2024 10:55:36 +0000 Subject: Bug in Samba's implementation of FSCTL_QUERY_ALLOCATED_RANGES? In-Reply-To: <951877.1724840740@warthog.procyon.org.uk> References: <20240823132052.3f591f2f.ddiss@samba.org> <20240522185305.69e04dab@echidna> <349671.1716335639@warthog.procyon.org.uk> <370800.1716374185@warthog.procyon.org.uk> <20240523145420.5bf49110@echidna> <476489.1716445261@warthog.procyon.org.uk> <477167.1716446208@warthog.procyon.org.uk> <6ea739f6-640a-4f13-a9a9-d41538be9111@talpey.com> <319947.1724365560@warthog.procyon.org.uk> <951877.1724840740@warthog.procyon.org.uk> Message-ID: <20240828105536.1e6226df.ddiss@samba.org> Hi David, On Wed, 28 Aug 2024 11:25:40 +0100, David Howells wrote: > Hi David, > > I tried to apply the patch to the Fedora samba rpm, but I get: > > mold: error: undefined symbol: torture_assert_size_equal > >>> referenced by > >>> /tmp/ccVA4FUD.ltrans35.ltrans.o:(test_ioctl_sparse_qar_truncated.lto_priv.0) > >>> referenced by > >>> /tmp/ccVA4FUD.ltrans35.ltrans.o:(test_ioctl_sparse_qar_truncated.lto_priv.0) > >>> referenced by > >>> /tmp/ccVA4FUD.ltrans35.ltrans.o:(test_ioctl_sparse_qar_truncated.lto_priv.0) > collect2: error: ld returned 1 exit status I've no idea which Samba version Fedora ships. torture_assert_size_equal() was added to lib/torture/torture.h via 46f0c2696582 (samba >= 4.20.0). > Do I actually need the torture test patch? No, not if you can use your xfstests reproducer. The server fix is now in Samba's master branch as commit 5e278a52646 ("smb2_ioctl: fix truncated FSCTL_QUERY_ALLOCATED_RANGES responses"). From dhowells at redhat.com Wed Aug 28 11:52:25 2024 From: dhowells at redhat.com (David Howells) Date: Wed, 28 Aug 2024 12:52:25 +0100 Subject: Bug in Samba's implementation of FSCTL_QUERY_ALLOCATED_RANGES? In-Reply-To: <20240828105536.1e6226df.ddiss@samba.org> References: <20240828105536.1e6226df.ddiss@samba.org> <20240823132052.3f591f2f.ddiss@samba.org> <20240522185305.69e04dab@echidna> <349671.1716335639@warthog.procyon.org.uk> <370800.1716374185@warthog.procyon.org.uk> <20240523145420.5bf49110@echidna> <476489.1716445261@warthog.procyon.org.uk> <477167.1716446208@warthog.procyon.org.uk> <6ea739f6-640a-4f13-a9a9-d41538be9111@talpey.com> <319947.1724365560@warthog.procyon.org.uk> <951877.1724840740@warthog.procyon.org.uk> Message-ID: <965293.1724845945@warthog.procyon.org.uk> Okay, that fixes the problem. For reference, the file can be prepared thusly: xfs_io -c "pwrite 0 16M" -c "fpunch 0 1M" -c "fpunch 2M 1M" -c "fpunch 4M 1M" -c "fpunch 6M 1M" -c "fpunch 8M 1M" /xfstest.test/foo and then the test run: xfs_io -c "seek -h 1" /xfstest.test/foo Something like punch-hole is needed to set the sparse flag - otherwise QAR isn't used by llseek(). So: Tested-by: David Howells if you need it. The Fedora samba version I applied this to was: samba-4.19.7-1.fc39.x86_64 though I had to drop the testing bits as they didn't build. David From ddiss at samba.org Wed Aug 28 12:57:38 2024 From: ddiss at samba.org (David Disseldorp) Date: Wed, 28 Aug 2024 12:57:38 +0000 Subject: Bug in Samba's implementation of FSCTL_QUERY_ALLOCATED_RANGES? In-Reply-To: <965293.1724845945@warthog.procyon.org.uk> References: <20240828105536.1e6226df.ddiss@samba.org> <20240823132052.3f591f2f.ddiss@samba.org> <20240522185305.69e04dab@echidna> <349671.1716335639@warthog.procyon.org.uk> <370800.1716374185@warthog.procyon.org.uk> <20240523145420.5bf49110@echidna> <476489.1716445261@warthog.procyon.org.uk> <477167.1716446208@warthog.procyon.org.uk> <6ea739f6-640a-4f13-a9a9-d41538be9111@talpey.com> <319947.1724365560@warthog.procyon.org.uk> <951877.1724840740@warthog.procyon.org.uk> <965293.1724845945@warthog.procyon.org.uk> Message-ID: <20240828125738.0e409cff.ddiss@samba.org> On Wed, 28 Aug 2024 12:52:25 +0100, David Howells via samba-technical wrote: > Okay, that fixes the problem. > > For reference, the file can be prepared thusly: > > xfs_io -c "pwrite 0 16M" -c "fpunch 0 1M" -c "fpunch 2M 1M" -c "fpunch 4M 1M" -c "fpunch 6M 1M" -c "fpunch 8M 1M" /xfstest.test/foo > > and then the test run: > > xfs_io -c "seek -h 1" /xfstest.test/foo > > Something like punch-hole is needed to set the sparse flag - otherwise QAR > isn't used by llseek(). > > So: > > Tested-by: David Howells > > if you need it. I appreciate the test feedback. The change has already been committed (with you referenced in Reported-by). > The Fedora samba version I applied this to was: > > samba-4.19.7-1.fc39.x86_64 > > though I had to drop the testing bits as they didn't build. Yes, as mentioned, samba >= 4.20 is needed for the test's torture_assert_size_equal() calls. Cheers, David From cs at samba.org Wed Aug 28 23:32:08 2024 From: cs at samba.org (Christof Schmitt) Date: Wed, 28 Aug 2024 16:32:08 -0700 Subject: become_root() Necessary for Group Quota in quotas.c? In-Reply-To: <71f45191-4cc4-4d8c-ac8f-520c10739169@et.byu.edu> References: <65ad7c9a-38a3-4224-b40e-b7c991c8e0b2@et.byu.edu> <47bef7c7-50c7-4185-8268-89c0f5664703@et.byu.edu> <71f45191-4cc4-4d8c-ac8f-520c10739169@et.byu.edu> Message-ID: On Mon, Aug 26, 2024 at 03:40:18PM -0600, Orion via samba-technical wrote: > On 8/12/24 17:41, Christof Schmitt via samba-technical wrote: > > This sounds confusing. Why would the root not have access to the > > directory? > The server is making the request over NFS and root squashing is enabled on > the machine which causes the permission issue. This is at least unusual. I am not sure if that might also expose other problems. > I do not believe that it is necessary for the quota to be requested as root > because this will allow any user to get the quota of any group whether or > not they have permission to do so. For example, Linux quota-tools does not > allow users to request quota for groups that they do not have access to. > Instead it returns a permission denied error. FreeBSD (and presumably the > other BSDs) also follow this pattern: > > "Non-super-users can use the -g flag and optional group argument to view > only the limits of groups of which they are members." - > man.freebsd.org/cgi/man.cgi?query=quota > > Since the systems should not make a call for a quota outside of which they > have permissions, I believe we can move forward with just removing the > become_root() and unbecome_root() parts. What exactly failed for you? Did you query quotas, or did that happen while creating a new file underneath a sgid directory? The interesting codepath is when attempting to create a new file underneath a sgid directory where the directory group has a quota assigned, and the current user is not a member of this group. With "strict allocate = yes" in the Samba config, then in samba/source3/smbd/vfs.c int vfs_allocate_file_space(files_struct *fsp, uint64_t len) is called that first tries to allocate space for the file through ret = SMB_VFS_FALLOCATE(fsp, VFS_FALLOCATE_FL_KEEP_SIZE, 0, len); If that system call is not available in the underlying file system (here, the NFS client, and specifically FL_KEEP_SIZE flag might not be supported), then there is a fallback codepath to query the quota instead. space_avail = get_dfree_info(conn, fsp->fsp_name, &bsize, &dfree, &dsize); and that ends up calling the quota queries you observed. In this specific case, we need to override the quota query permissions, to at least know about the quota. The way this check is done is not great (first check for available space and create the actual file later; somethign could happen in between), but without FL_KEEP_SIZE available, there is not much else we could do. If that is your scenario, you could try configuring Samba with "strict allocate = no", to avoid this codepath. I don't think simply removing the become_root is the correct approach here. Christof From sergey.gortinsc17 at gmail.com Fri Aug 30 07:11:03 2024 From: sergey.gortinsc17 at gmail.com (Omnis ludis - games) Date: Fri, 30 Aug 2024 10:11:03 +0300 Subject: outgoing neighbors do not appear in drs showrepl when samba is located in a separate site Message-ID: Hello, if you enter samba into the windows domain in a separate site where there is no one, then outgoing neighbors do not appear, maybe someone has encountered this problem? if anything, the sites are interconnected via site link and replication between them is set in the range of 15 minutes, there was also an attempt to make repadmin /kcc from windows and samba_kcc --attempt-live-connections, but none of this led to success, I also noticed that the FromTo connection is hanging on the windows side, but still not on the samba side, maybe someone else can tell me if I?m looking at the source code in the netcmd/drs.py file correctly