The branch, v4-5-test has been updated
via 0996b58 s3:librpc/gse: make use of gss_krb5_import_cred() instead
of gss_acquire_cred()
via 53864b1 s3:librpc/gse: remove unused #ifdef
HAVE_GSS_KRB5_IMPORT_CRED
via 05534e0 s3:librpc/gse: include ccache_name in DEBUG message if
krb5_cc_resolve() fails
via d60e583 ctdb-tests: Do not attempt to unregister the join handler
multiple times
via ceaafa7 smbd/ioctl: match WS2016 ReFS set compression behaviour
via e0bb628 torture/ioctl: test set_compression(format_none)
via 9f196e9 pam: map more NT password errors to PAM errors
from 4d37a14 s3: torture: Add test for cli_ftruncate calling
cli_smb2_ftruncate.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test
- Log -----------------------------------------------------------------
commit 0996b58e7f5133a093c13a73a6255b33e26e873a
Author: Stefan Metzmacher <[email protected]>
Date: Thu Dec 22 08:49:38 2016 +0100
s3:librpc/gse: make use of gss_krb5_import_cred() instead of
gss_acquire_cred()
This avoids the usage of the ccselect_realm logic in MIT krb5,
which leads to unpredictable results.
The problem is the usage of gss_acquire_cred(), that just creates
a credential handle without ccache.
As result gss_init_sec_context() will trigger a code path
where it use "ccselect" plugins. And the ccselect_realm
module just chooses a random ccache from a global list
where the realm of the provides target principal matches
the realm of the ccache user principal.
In the winbindd case we're using MEMORY:cliconnect to setup
the smb connection to the DC. For ldap connections we use
MEMORY:winbind_ccache.
The typical case is that we do the smb connection first.
If we try to create a new ldap connection, while the
credentials in MEMORY:cliconnect are expired,
we'll do the required kinit into MEMORY:winbind_ccache,
but the ccselect_realm module will select MEMORY:cliconnect
and tries to get a service ticket for the ldap server
using the already expired TGT from MEMORY:cliconnect.
The solution will be to use gss_krb5_import_cred() and explicitly
pass the desired ccache, which avoids the ccselect logic.
We could also use gss_acquire_cred_from(), but that's only available
in modern MIT krb5 versions, while gss_krb5_import_cred() is available
in heimdal and all supported MIT versions (>=1.9).
As far as I can see both call the same internal function in MIT
(at least for the ccache case).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 7c3ea9fe96336483752adb821f8062a883d52998)
Autobuild-User(v4-5-test): Stefan Metzmacher <[email protected]>
Autobuild-Date(v4-5-test): Wed Jan 11 21:46:58 CET 2017 on sn-devel-144
commit 53864b1fc568b23ce199cb1ae8be7a18bf2b0f13
Author: Stefan Metzmacher <[email protected]>
Date: Thu Dec 22 08:47:32 2016 +0100
s3:librpc/gse: remove unused #ifdef HAVE_GSS_KRB5_IMPORT_CRED
We always have gss_krb5_import_cred(), it available in heimdal
and also the oldest version (1.9) of MIT krb5 that we support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit b61a93755ca59a58775c1c8c21baee49fef42fbf)
commit 05534e089f58c2c5cbe1a0f23ff66608c997d961
Author: Stefan Metzmacher <[email protected]>
Date: Thu Dec 22 08:46:21 2016 +0100
s3:librpc/gse: include ccache_name in DEBUG message if krb5_cc_resolve()
fails
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 6f029d58703f657e46fee35fc663128157db4d9f)
commit d60e583fa2ad03fd98618a9a51ed1fbc6325365f
Author: Amitay Isaacs <[email protected]>
Date: Thu Jan 5 15:05:56 2017 +1100
ctdb-tests: Do not attempt to unregister the join handler multiple times
MSG_ID_SYNC is broadcast to each node when a MSG_ID_JOIN has been
received from all nodes. After MSG_ID_SYNC is successfully broadcast,
the join handler is unregistered. However, if another MSG_ID_JOIN is
received before the join handler is unregistered then MSG_ID_SYNC is
re-broadcast. This results in multiple attempts to unregister the
join handler.
Once all MSG_ID_JOIN messages are received, unregister the join handler
to ignore any extra MSG_ID_JOIN messages. Also, make sure that while
join handler is being unregistered, MSG_ID_JOIN messages are ignored.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12500
Identified-by: Martin Schwenke <[email protected]>
Signed-off-by: Amitay Isaacs <[email protected]>
Reviewed-by: Martin Schwenke <[email protected]>
Autobuild-User(master): Martin Schwenke <[email protected]>
Autobuild-Date(master): Fri Jan 6 12:27:23 CET 2017 on sn-devel-144
(cherry picked from commit 4635c22411a7864dd70703f854ec9844816e0294)
commit ceaafa7cdb187da5db4c6e63af64a17e6c0b88ae
Author: David Disseldorp <[email protected]>
Date: Thu Jan 5 17:36:02 2017 +0100
smbd/ioctl: match WS2016 ReFS set compression behaviour
ReFS doesn't support compression, but responds to set-compression FSCTLs
with NT_STATUS_OK if (and only if) the requested compression format is
COMPRESSION_FORMAT_NONE.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12144
Reported-by: Nick Barrett <[email protected]>
Signed-off-by: David Disseldorp <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
Autobuild-User(master): Jeremy Allison <[email protected]>
Autobuild-Date(master): Mon Jan 9 23:14:28 CET 2017 on sn-devel-144
(cherry picked from commit 28cc347876b97b7409d6efd377f031fc6df0c5f3)
commit e0bb6287e0b8421ea7a3072f014ddff3e790a86e
Author: David Disseldorp <[email protected]>
Date: Thu Jan 5 17:10:42 2017 +0100
torture/ioctl: test set_compression(format_none)
This test case was overlooked in the previous bso#12144 update -
set compression requests with format=COMPRESSION_FORMAT_NONE should
succeed if the server / backing storage doesn't offer compression
support.
Confirm that Samba matches Windows Server 2016 ReFS behaviour here.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12144
Reported-by: Nick Barrett <[email protected]>
Signed-off-by: David Disseldorp <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
(cherry picked from commit 6fde123176409e261d955e24b3d28e5124f33bed)
commit 9f196e92755d70c2249f832dfbbddcfc787bca5e
Author: Björn Jacke <[email protected]>
Date: Wed Nov 25 14:04:24 2015 +0100
pam: map more NT password errors to PAM errors
NT_STATUS_ACCOUNT_DISABLED,
NT_STATUS_PASSWORD_RESTRICTION,
NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT,
NT_STATUS_PWD_TOO_SHORT
now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which
is
the closest match.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210
Signed-off-by: Bjoern Jacke <[email protected]>
Reviewed by: Jeremy Allison <[email protected]>
(cherry picked from commit 69f10080c3765a9b139fbad7f3dc633066fdded2)
-----------------------------------------------------------------------
Summary of changes:
ctdb/tests/src/cluster_wait.c | 40 +++++++++++++++++++++++----------------
libcli/auth/pam_errors.c | 6 +++++-
nsswitch/pam_winbind.c | 5 +++++
source3/librpc/crypto/gse.c | 38 +++++++++++++++++++------------------
source3/smbd/smb2_ioctl_filesys.c | 26 +++++++++++++------------
source4/torture/smb2/ioctl.c | 11 ++++++++++-
6 files changed, 78 insertions(+), 48 deletions(-)
Changeset truncated at 500 lines:
diff --git a/ctdb/tests/src/cluster_wait.c b/ctdb/tests/src/cluster_wait.c
index ddc3e02..1405738 100644
--- a/ctdb/tests/src/cluster_wait.c
+++ b/ctdb/tests/src/cluster_wait.c
@@ -36,6 +36,7 @@ struct cluster_wait_state {
struct ctdb_client_context *client;
int num_nodes;
bool *ready;
+ bool join_done;
};
static void cluster_wait_join_registered(struct tevent_req *subreq);
@@ -44,8 +45,8 @@ static void cluster_wait_join(struct tevent_req *subreq);
static void cluster_wait_join_sent(struct tevent_req *subreq);
static void cluster_wait_join_handler(uint64_t srvid, TDB_DATA data,
void *private_data);
-static void cluster_wait_sync_sent(struct tevent_req *subreq);
static void cluster_wait_join_unregistered(struct tevent_req *subreq);
+static void cluster_wait_sync_sent(struct tevent_req *subreq);
static void cluster_wait_sync_handler(uint64_t srvid, TDB_DATA data,
void *private_data);
static void cluster_wait_sync_unregistered(struct tevent_req *subreq);
@@ -67,6 +68,8 @@ struct tevent_req *cluster_wait_send(TALLOC_CTX *mem_ctx,
state->client = client;
state->num_nodes = num_nodes;
+ state->join_done = false;
+
if (ctdb_client_pnn(client) == 0) {
state->ready = talloc_zero_array(state, bool, num_nodes);
if (tevent_req_nomem(state->ready, req)) {
@@ -201,7 +204,6 @@ static void cluster_wait_join_handler(uint64_t srvid,
TDB_DATA data,
private_data, struct tevent_req);
struct cluster_wait_state *state = tevent_req_data(
req, struct cluster_wait_state);
- struct ctdb_req_message msg;
struct tevent_req *subreq;
uint32_t pnn;
int i;
@@ -228,50 +230,56 @@ static void cluster_wait_join_handler(uint64_t srvid,
TDB_DATA data,
}
}
- msg.srvid = MSG_ID_SYNC;
- msg.data.data = tdb_null;
+ if (state->join_done) {
+ return;
+ }
- subreq = ctdb_client_message_send(state, state->ev, state->client,
- CTDB_BROADCAST_ALL, &msg);
+ state->join_done = true;
+ subreq = ctdb_client_remove_message_handler_send(
+ state, state->ev, state->client,
+ MSG_ID_JOIN, req);
if (tevent_req_nomem(subreq, req)) {
return;
}
- tevent_req_set_callback(subreq, cluster_wait_sync_sent, req);
+ tevent_req_set_callback(subreq, cluster_wait_join_unregistered, req);
}
-static void cluster_wait_sync_sent(struct tevent_req *subreq)
+static void cluster_wait_join_unregistered(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(
subreq, struct tevent_req);
struct cluster_wait_state *state = tevent_req_data(
req, struct cluster_wait_state);
+ struct ctdb_req_message msg;
bool status;
int ret;
- status = ctdb_client_message_recv(subreq, &ret);
- TALLOC_FREE(subreq);
+ status = ctdb_client_remove_message_handler_recv(subreq, &ret);
if (! status) {
tevent_req_error(req, ret);
return;
}
- subreq = ctdb_client_remove_message_handler_send(
- state, state->ev, state->client,
- MSG_ID_JOIN, req);
+ msg.srvid = MSG_ID_SYNC;
+ msg.data.data = tdb_null;
+
+ subreq = ctdb_client_message_send(state, state->ev, state->client,
+ CTDB_BROADCAST_ALL, &msg);
if (tevent_req_nomem(subreq, req)) {
return;
}
- tevent_req_set_callback(subreq, cluster_wait_join_unregistered, req);
+ tevent_req_set_callback(subreq, cluster_wait_sync_sent, req);
}
-static void cluster_wait_join_unregistered(struct tevent_req *subreq)
+static void cluster_wait_sync_sent(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(
subreq, struct tevent_req);
bool status;
int ret;
- status = ctdb_client_remove_message_handler_recv(subreq, &ret);
+ status = ctdb_client_message_recv(subreq, &ret);
+ TALLOC_FREE(subreq);
if (! status) {
tevent_req_error(req, ret);
return;
diff --git a/libcli/auth/pam_errors.c b/libcli/auth/pam_errors.c
index 978f8ff..5592d39 100644
--- a/libcli/auth/pam_errors.c
+++ b/libcli/auth/pam_errors.c
@@ -71,11 +71,15 @@ static const struct {
{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+ {NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},
{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
{NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
{NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
- {NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
+ {NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR},
{NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 42c4f8e..4ae78b3 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -775,6 +775,11 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
return PAM_IGNORE;
}
return retval;
+ case PAM_AUTHTOK_ERR:
+ /* Authentication token manipulation error */
+ _pam_log(ctx, LOG_WARNING, "user `%s' authentication token
change failed "
+ "(pwd complexity/history/min_age not met?)", user);
+ return retval;
case PAM_SUCCESS:
/* Otherwise, the authentication looked good */
if (strcmp(fn, "wbcLogonUser") == 0) {
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index c4c4bbc..1b9ec24 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -172,8 +172,8 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name,
&gse_ctx->ccache);
if (k5ret) {
- DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
- error_message(k5ret)));
+ DEBUG(1, ("Failed to resolve credential cache '%s'! (%s)\n",
+ ccache_name, error_message(k5ret)));
status = NT_STATUS_INTERNAL_ERROR;
goto err_out;
}
@@ -203,7 +203,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
struct gse_context *gse_ctx;
OM_uint32 gss_maj, gss_min;
gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER;
- gss_OID_set_desc mech_set;
#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
#endif
@@ -248,20 +247,26 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
/* TODO: get krb5 ticket using username/password, if no valid
* one already available in ccache */
- mech_set.count = 1;
- mech_set.elements = &gse_ctx->gss_mech;
-
- gss_maj = gss_acquire_cred(&gss_min,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- &mech_set,
- GSS_C_INITIATE,
- &gse_ctx->creds,
- NULL, NULL);
+ gss_maj = gss_krb5_import_cred(&gss_min,
+ gse_ctx->ccache,
+ NULL, /* keytab_principal */
+ NULL, /* keytab */
+ &gse_ctx->creds);
if (gss_maj) {
- DEBUG(5, ("gss_acquire_creds failed for GSS_C_NO_NAME with [%s]
-"
+ char *ccache = NULL;
+ int kret;
+
+ kret = krb5_cc_get_full_name(gse_ctx->k5ctx,
+ gse_ctx->ccache,
+ &ccache);
+ if (kret != 0) {
+ ccache = NULL;
+ }
+
+ DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
"the caller may retry after a kinit.\n",
- gse_errstr(gse_ctx, gss_maj, gss_min)));
+ ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
+ SAFE_FREE(ccache);
status = NT_STATUS_INTERNAL_ERROR;
goto err_out;
}
@@ -380,8 +385,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
goto done;
}
-#ifdef HAVE_GSS_KRB5_IMPORT_CRED
-
/* This creates a GSSAPI cred_id_t with the keytab set */
gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
&gse_ctx->creds);
@@ -400,7 +403,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
* principal in request'. Work around the issue by
* falling back to the alternate approach below. */
} else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
-#endif
/* FIXME!!!
* This call sets the default keytab for the whole server, not
* just for this context. Need to find a way that does not alter
diff --git a/source3/smbd/smb2_ioctl_filesys.c
b/source3/smbd/smb2_ioctl_filesys.c
index 55ce3f2..34331b4 100644
--- a/source3/smbd/smb2_ioctl_filesys.c
+++ b/source3/smbd/smb2_ioctl_filesys.c
@@ -104,11 +104,6 @@ static NTSTATUS fsctl_set_cmprn(TALLOC_CTX *mem_ctx,
return status;
}
- if ((fsp->conn->fs_capabilities & FILE_FILE_COMPRESSION) == 0) {
- DEBUG(4, ("FS does not advertise compression support\n"));
- return NT_STATUS_NOT_SUPPORTED;
- }
-
ndr_ret = ndr_pull_struct_blob(in_input, mem_ctx, &cmpr_state,
(ndr_pull_flags_fn_t)ndr_pull_compression_state);
if (ndr_ret != NDR_ERR_SUCCESS) {
@@ -116,15 +111,22 @@ static NTSTATUS fsctl_set_cmprn(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
- status = SMB_VFS_SET_COMPRESSION(fsp->conn,
- mem_ctx,
- fsp,
- cmpr_state.format);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ status = NT_STATUS_NOT_SUPPORTED;
+ if (fsp->conn->fs_capabilities & FILE_FILE_COMPRESSION) {
+ status = SMB_VFS_SET_COMPRESSION(fsp->conn,
+ mem_ctx,
+ fsp,
+ cmpr_state.format);
+ } else if (cmpr_state.format == COMPRESSION_FORMAT_NONE) {
+ /*
+ * bso#12144: The underlying filesystem doesn't support
+ * compression. We should still accept set(FORMAT_NONE) requests
+ * (like WS2016 ReFS).
+ */
+ status = NT_STATUS_OK;
}
- return NT_STATUS_OK;
+ return status;
}
static NTSTATUS fsctl_zero_data(TALLOC_CTX *mem_ctx,
diff --git a/source4/torture/smb2/ioctl.c b/source4/torture/smb2/ioctl.c
index 5fc03bc..4348862 100644
--- a/source4/torture/smb2/ioctl.c
+++ b/source4/torture/smb2/ioctl.c
@@ -2608,7 +2608,16 @@ static bool test_ioctl_compress_notsup_set(struct
torture_context *torture,
COMPRESSION_FORMAT_DEFAULT);
torture_assert_ntstatus_equal(torture, status,
NT_STATUS_NOT_SUPPORTED,
- "FSCTL_GET_COMPRESSION");
+ "FSCTL_SET_COMPRESSION default");
+
+ /*
+ * Despite not supporting compression, we should get a successful
+ * response for set(COMPRESSION_FORMAT_NONE) - like WS2016 ReFS.
+ */
+ status = test_ioctl_compress_set(torture, tmp_ctx, tree, fh,
+ COMPRESSION_FORMAT_NONE);
+ torture_assert_ntstatus_ok(torture, status,
+ "FSCTL_SET_COMPRESSION none");
smb2_util_close(tree, fh);
talloc_free(tmp_ctx);
--
Samba Shared Repository
