The branch, v4-4-test has been updated
via 930667c messaging: Fix dead but not cleaned-up-yet destination
sockets
via e7fbca8 s3:librpc/gse: make use of gss_krb5_import_cred() instead
of gss_acquire_cred()
via 838be14 s3:librpc/gse: remove unused #ifdef
HAVE_GSS_KRB5_IMPORT_CRED
via 119ddfd s3:librpc/gse: include ccache_name in DEBUG message if
krb5_cc_resolve() fails
via f9c6dd8 smbd/ioctl: match WS2016 ReFS set compression behaviour
via b975c76 torture/ioctl: test set_compression(format_none)
via 0fba7b2 pam: map more NT password errors to PAM errors
from d6b8638 s3: torture: Add test for cli_ftruncate calling
cli_smb2_ftruncate.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test
- Log -----------------------------------------------------------------
commit 930667c3b223341118a95c46443a8737e4337226
Author: Volker Lendecke <v...@samba.org>
Date: Tue Jan 10 12:30:54 2017 +0000
messaging: Fix dead but not cleaned-up-yet destination sockets
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12509
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Tue Jan 10 17:40:58 CET 2017 on sn-devel-144
(cherry picked from commit e84e44ce923e5dc7529bb813e10a2890528a4ab0)
Autobuild-User(v4-4-test): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(v4-4-test): Sat Jan 14 13:55:25 CET 2017 on sn-devel-144
commit e7fbca8a488c2611d0be18bd81a65e8d4c66a633
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Dec 22 08:49:38 2016 +0100
s3:librpc/gse: make use of gss_krb5_import_cred() instead of
gss_acquire_cred()
This avoids the usage of the ccselect_realm logic in MIT krb5,
which leads to unpredictable results.
The problem is the usage of gss_acquire_cred(), that just creates
a credential handle without ccache.
As result gss_init_sec_context() will trigger a code path
where it use "ccselect" plugins. And the ccselect_realm
module just chooses a random ccache from a global list
where the realm of the provides target principal matches
the realm of the ccache user principal.
In the winbindd case we're using MEMORY:cliconnect to setup
the smb connection to the DC. For ldap connections we use
MEMORY:winbind_ccache.
The typical case is that we do the smb connection first.
If we try to create a new ldap connection, while the
credentials in MEMORY:cliconnect are expired,
we'll do the required kinit into MEMORY:winbind_ccache,
but the ccselect_realm module will select MEMORY:cliconnect
and tries to get a service ticket for the ldap server
using the already expired TGT from MEMORY:cliconnect.
The solution will be to use gss_krb5_import_cred() and explicitly
pass the desired ccache, which avoids the ccselect logic.
We could also use gss_acquire_cred_from(), but that's only available
in modern MIT krb5 versions, while gss_krb5_import_cred() is available
in heimdal and all supported MIT versions (>=1.9).
As far as I can see both call the same internal function in MIT
(at least for the ccache case).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit 7c3ea9fe96336483752adb821f8062a883d52998)
commit 838be147f06303f48645908e6a40907a1a36e1f3
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Dec 22 08:47:32 2016 +0100
s3:librpc/gse: remove unused #ifdef HAVE_GSS_KRB5_IMPORT_CRED
We always have gss_krb5_import_cred(), it available in heimdal
and also the oldest version (1.9) of MIT krb5 that we support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit b61a93755ca59a58775c1c8c21baee49fef42fbf)
commit 119ddfdfa7b1eb53ce399d5f10b2bb0ddffa909e
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Dec 22 08:46:21 2016 +0100
s3:librpc/gse: include ccache_name in DEBUG message if krb5_cc_resolve()
fails
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit 6f029d58703f657e46fee35fc663128157db4d9f)
commit f9c6dd80f435a3a362b6b9ee2785a034561e7caa
Author: David Disseldorp <dd...@samba.org>
Date: Thu Jan 5 17:36:02 2017 +0100
smbd/ioctl: match WS2016 ReFS set compression behaviour
ReFS doesn't support compression, but responds to set-compression FSCTLs
with NT_STATUS_OK if (and only if) the requested compression format is
COMPRESSION_FORMAT_NONE.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12144
Reported-by: Nick Barrett <n...@barrett.org.nz>
Signed-off-by: David Disseldorp <dd...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Autobuild-User(master): Jeremy Allison <j...@samba.org>
Autobuild-Date(master): Mon Jan 9 23:14:28 CET 2017 on sn-devel-144
(cherry picked from commit 28cc347876b97b7409d6efd377f031fc6df0c5f3)
commit b975c76326189552fdf0efeebc63f525fa0a848f
Author: David Disseldorp <dd...@samba.org>
Date: Thu Jan 5 17:10:42 2017 +0100
torture/ioctl: test set_compression(format_none)
This test case was overlooked in the previous bso#12144 update -
set compression requests with format=COMPRESSION_FORMAT_NONE should
succeed if the server / backing storage doesn't offer compression
support.
Confirm that Samba matches Windows Server 2016 ReFS behaviour here.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12144
Reported-by: Nick Barrett <n...@barrett.org.nz>
Signed-off-by: David Disseldorp <dd...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
(cherry picked from commit 6fde123176409e261d955e24b3d28e5124f33bed)
commit 0fba7b2b7b23b7971d5d34148292fb4eaa35617a
Author: Björn Jacke <b...@sernet.de>
Date: Wed Nov 25 14:04:24 2015 +0100
pam: map more NT password errors to PAM errors
NT_STATUS_ACCOUNT_DISABLED,
NT_STATUS_PASSWORD_RESTRICTION,
NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT,
NT_STATUS_PWD_TOO_SHORT
now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which
is
the closest match.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210
Signed-off-by: Bjoern Jacke <b...@sernet.de>
Reviewed by: Jeremy Allison <j...@samba.org>
(cherry picked from commit 69f10080c3765a9b139fbad7f3dc633066fdded2)
-----------------------------------------------------------------------
Summary of changes:
libcli/auth/pam_errors.c | 6 +++++-
nsswitch/pam_winbind.c | 5 +++++
source3/lib/messages.c | 11 +++++++++++
source3/librpc/crypto/gse.c | 38 ++++++++++++++++++++------------------
source3/smbd/smb2_ioctl_filesys.c | 26 ++++++++++++++------------
source4/torture/smb2/ioctl.c | 11 ++++++++++-
6 files changed, 65 insertions(+), 32 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/auth/pam_errors.c b/libcli/auth/pam_errors.c
index 978f8ff..5592d39 100644
--- a/libcli/auth/pam_errors.c
+++ b/libcli/auth/pam_errors.c
@@ -71,11 +71,15 @@ static const struct {
{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+ {NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},
{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
{NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
{NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
- {NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
+ {NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR},
{NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index b83a276..f5a5b99 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -765,6 +765,11 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
return PAM_IGNORE;
}
return retval;
+ case PAM_AUTHTOK_ERR:
+ /* Authentication token manipulation error */
+ _pam_log(ctx, LOG_WARNING, "user `%s' authentication token
change failed "
+ "(pwd complexity/history/min_age not met?)", user);
+ return retval;
case PAM_SUCCESS:
/* Otherwise, the authentication looked good */
if (strcmp(fn, "wbcLogonUser") == 0) {
diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index ef8e83d..908c53c 100644
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -561,6 +561,17 @@ int messaging_send_iov_from(struct messaging_context
*msg_ctx,
ret = messaging_dgm_send(dst.pid, iov2, iovlen+1, fds, num_fds);
unbecome_root();
+ if (ret == ECONNREFUSED) {
+ /*
+ * Linux returns this when a socket exists in the file
+ * system without a listening process. This is not
+ * documented in susv4 or the linux manpages, but it's
+ * easily testable. For the higher levels this is the
+ * same as "destination does not exist"
+ */
+ ret = ENOENT;
+ }
+
return ret;
}
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index c4c4bbc..1b9ec24 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -172,8 +172,8 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name,
&gse_ctx->ccache);
if (k5ret) {
- DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
- error_message(k5ret)));
+ DEBUG(1, ("Failed to resolve credential cache '%s'! (%s)\n",
+ ccache_name, error_message(k5ret)));
status = NT_STATUS_INTERNAL_ERROR;
goto err_out;
}
@@ -203,7 +203,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
struct gse_context *gse_ctx;
OM_uint32 gss_maj, gss_min;
gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER;
- gss_OID_set_desc mech_set;
#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
#endif
@@ -248,20 +247,26 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
/* TODO: get krb5 ticket using username/password, if no valid
* one already available in ccache */
- mech_set.count = 1;
- mech_set.elements = &gse_ctx->gss_mech;
-
- gss_maj = gss_acquire_cred(&gss_min,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- &mech_set,
- GSS_C_INITIATE,
- &gse_ctx->creds,
- NULL, NULL);
+ gss_maj = gss_krb5_import_cred(&gss_min,
+ gse_ctx->ccache,
+ NULL, /* keytab_principal */
+ NULL, /* keytab */
+ &gse_ctx->creds);
if (gss_maj) {
- DEBUG(5, ("gss_acquire_creds failed for GSS_C_NO_NAME with [%s]
-"
+ char *ccache = NULL;
+ int kret;
+
+ kret = krb5_cc_get_full_name(gse_ctx->k5ctx,
+ gse_ctx->ccache,
+ &ccache);
+ if (kret != 0) {
+ ccache = NULL;
+ }
+
+ DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
"the caller may retry after a kinit.\n",
- gse_errstr(gse_ctx, gss_maj, gss_min)));
+ ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
+ SAFE_FREE(ccache);
status = NT_STATUS_INTERNAL_ERROR;
goto err_out;
}
@@ -380,8 +385,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
goto done;
}
-#ifdef HAVE_GSS_KRB5_IMPORT_CRED
-
/* This creates a GSSAPI cred_id_t with the keytab set */
gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
&gse_ctx->creds);
@@ -400,7 +403,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
* principal in request'. Work around the issue by
* falling back to the alternate approach below. */
} else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
-#endif
/* FIXME!!!
* This call sets the default keytab for the whole server, not
* just for this context. Need to find a way that does not alter
diff --git a/source3/smbd/smb2_ioctl_filesys.c
b/source3/smbd/smb2_ioctl_filesys.c
index 55ce3f2..34331b4 100644
--- a/source3/smbd/smb2_ioctl_filesys.c
+++ b/source3/smbd/smb2_ioctl_filesys.c
@@ -104,11 +104,6 @@ static NTSTATUS fsctl_set_cmprn(TALLOC_CTX *mem_ctx,
return status;
}
- if ((fsp->conn->fs_capabilities & FILE_FILE_COMPRESSION) == 0) {
- DEBUG(4, ("FS does not advertise compression support\n"));
- return NT_STATUS_NOT_SUPPORTED;
- }
-
ndr_ret = ndr_pull_struct_blob(in_input, mem_ctx, &cmpr_state,
(ndr_pull_flags_fn_t)ndr_pull_compression_state);
if (ndr_ret != NDR_ERR_SUCCESS) {
@@ -116,15 +111,22 @@ static NTSTATUS fsctl_set_cmprn(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
- status = SMB_VFS_SET_COMPRESSION(fsp->conn,
- mem_ctx,
- fsp,
- cmpr_state.format);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ status = NT_STATUS_NOT_SUPPORTED;
+ if (fsp->conn->fs_capabilities & FILE_FILE_COMPRESSION) {
+ status = SMB_VFS_SET_COMPRESSION(fsp->conn,
+ mem_ctx,
+ fsp,
+ cmpr_state.format);
+ } else if (cmpr_state.format == COMPRESSION_FORMAT_NONE) {
+ /*
+ * bso#12144: The underlying filesystem doesn't support
+ * compression. We should still accept set(FORMAT_NONE) requests
+ * (like WS2016 ReFS).
+ */
+ status = NT_STATUS_OK;
}
- return NT_STATUS_OK;
+ return status;
}
static NTSTATUS fsctl_zero_data(TALLOC_CTX *mem_ctx,
diff --git a/source4/torture/smb2/ioctl.c b/source4/torture/smb2/ioctl.c
index 5fc03bc..4348862 100644
--- a/source4/torture/smb2/ioctl.c
+++ b/source4/torture/smb2/ioctl.c
@@ -2608,7 +2608,16 @@ static bool test_ioctl_compress_notsup_set(struct
torture_context *torture,
COMPRESSION_FORMAT_DEFAULT);
torture_assert_ntstatus_equal(torture, status,
NT_STATUS_NOT_SUPPORTED,
- "FSCTL_GET_COMPRESSION");
+ "FSCTL_SET_COMPRESSION default");
+
+ /*
+ * Despite not supporting compression, we should get a successful
+ * response for set(COMPRESSION_FORMAT_NONE) - like WS2016 ReFS.
+ */
+ status = test_ioctl_compress_set(torture, tmp_ctx, tree, fh,
+ COMPRESSION_FORMAT_NONE);
+ torture_assert_ntstatus_ok(torture, status,
+ "FSCTL_SET_COMPRESSION none");
smb2_util_close(tree, fh);
talloc_free(tmp_ctx);
--
Samba Shared Repository
