The branch, v4-4-test has been updated
       via  930667c messaging: Fix dead but not cleaned-up-yet destination sockets
       via  e7fbca8 s3:librpc/gse: make use of gss_krb5_import_cred() instead of gss_acquire_cred()
       via  838be14 s3:librpc/gse: remove unused #ifdef HAVE_GSS_KRB5_IMPORT_CRED
       via  119ddfd s3:librpc/gse: include ccache_name in DEBUG message if krb5_cc_resolve() fails
       via  f9c6dd8 smbd/ioctl: match WS2016 ReFS set compression behaviour
       via  b975c76 torture/ioctl: test set_compression(format_none)
       via  0fba7b2 pam: map more NT password errors to PAM errors
      from  d6b8638 s3: torture: Add test for cli_ftruncate calling cli_smb2_ftruncate.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test

- Log -----------------------------------------------------------------
commit 930667c3b223341118a95c46443a8737e4337226
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Jan 10 12:30:54 2017 +0000

    messaging: Fix dead but not cleaned-up-yet destination sockets

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12509

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Tue Jan 10 17:40:58 CET 2017 on sn-devel-144

    (cherry picked from commit e84e44ce923e5dc7529bb813e10a2890528a4ab0)

    Autobuild-User(v4-4-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-4-test): Sat Jan 14 13:55:25 CET 2017 on sn-devel-144

commit e7fbca8a488c2611d0be18bd81a65e8d4c66a633
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 22 08:49:38 2016 +0100

    s3:librpc/gse: make use of gss_krb5_import_cred() instead of gss_acquire_cred()

    This avoids the usage of the ccselect_realm logic in MIT krb5,
    which leads to unpredictable results.

    The problem is the usage of gss_acquire_cred(), that just creates
    a credential handle without ccache. As a result gss_init_sec_context()
    will trigger a code path where it uses "ccselect" plugins.
    And the ccselect_realm module just chooses a random ccache from
    a global list where the realm of the provided target principal
    matches the realm of the ccache user principal.

    In the winbindd case we're using MEMORY:cliconnect to set up the
    smb connection to the DC. For ldap connections we use
    MEMORY:winbind_ccache. The typical case is that we do the smb
    connection first. If we try to create a new ldap connection, while
    the credentials in MEMORY:cliconnect are expired, we'll do the
    required kinit into MEMORY:winbind_ccache, but the ccselect_realm
    module will select MEMORY:cliconnect and try to get a service ticket
    for the ldap server using the already expired TGT from
    MEMORY:cliconnect.

    The solution will be to use gss_krb5_import_cred() and explicitly
    pass the desired ccache, which avoids the ccselect logic.

    We could also use gss_acquire_cred_from(), but that's only available
    in modern MIT krb5 versions, while gss_krb5_import_cred() is available
    in heimdal and all supported MIT versions (>=1.9).

    As far as I can see both call the same internal function in MIT
    (at least for the ccache case).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 7c3ea9fe96336483752adb821f8062a883d52998)

commit 838be147f06303f48645908e6a40907a1a36e1f3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 22 08:47:32 2016 +0100

    s3:librpc/gse: remove unused #ifdef HAVE_GSS_KRB5_IMPORT_CRED

    We always have gss_krb5_import_cred(); it is available in heimdal and
    also in the oldest version (1.9) of MIT krb5 that we support.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit b61a93755ca59a58775c1c8c21baee49fef42fbf)

commit 119ddfdfa7b1eb53ce399d5f10b2bb0ddffa909e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 22 08:46:21 2016 +0100

    s3:librpc/gse: include ccache_name in DEBUG message if krb5_cc_resolve() fails

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 6f029d58703f657e46fee35fc663128157db4d9f)

commit f9c6dd80f435a3a362b6b9ee2785a034561e7caa
Author: David Disseldorp <dd...@samba.org>
Date:   Thu Jan 5 17:36:02 2017 +0100

    smbd/ioctl: match WS2016 ReFS set compression behaviour

    ReFS doesn't support compression, but responds to set-compression
    FSCTLs with NT_STATUS_OK if (and only if) the requested compression
    format is COMPRESSION_FORMAT_NONE.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12144
    Reported-by: Nick Barrett <n...@barrett.org.nz>

    Signed-off-by: David Disseldorp <dd...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Mon Jan 9 23:14:28 CET 2017 on sn-devel-144

    (cherry picked from commit 28cc347876b97b7409d6efd377f031fc6df0c5f3)

commit b975c76326189552fdf0efeebc63f525fa0a848f
Author: David Disseldorp <dd...@samba.org>
Date:   Thu Jan 5 17:10:42 2017 +0100

    torture/ioctl: test set_compression(format_none)

    This test case was overlooked in the previous bso#12144 update - set
    compression requests with format=COMPRESSION_FORMAT_NONE should succeed
    if the server / backing storage doesn't offer compression support.
    Confirm that Samba matches Windows Server 2016 ReFS behaviour here.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12144
    Reported-by: Nick Barrett <n...@barrett.org.nz>

    Signed-off-by: David Disseldorp <dd...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 6fde123176409e261d955e24b3d28e5124f33bed)

commit 0fba7b2b7b23b7971d5d34148292fb4eaa35617a
Author: Björn Jacke <b...@sernet.de>
Date:   Wed Nov 25 14:04:24 2015 +0100

    pam: map more NT password errors to PAM errors

    NT_STATUS_ACCOUNT_DISABLED, NT_STATUS_PASSWORD_RESTRICTION,
    NT_STATUS_PWD_HISTORY_CONFLICT, NT_STATUS_PWD_TOO_RECENT,
    NT_STATUS_PWD_TOO_SHORT now map to PAM_AUTHTOK_ERR (Authentication
    token manipulation error), which is the closest match.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210
Signed-off-by: Bjoern Jacke <b...@sernet.de> Reviewed by: Jeremy Allison <j...@samba.org> (cherry picked from commit 69f10080c3765a9b139fbad7f3dc633066fdded2) ----------------------------------------------------------------------- Summary of changes: libcli/auth/pam_errors.c | 6 +++++- nsswitch/pam_winbind.c | 5 +++++ source3/lib/messages.c | 11 +++++++++++ source3/librpc/crypto/gse.c | 38 ++++++++++++++++++++------------------ source3/smbd/smb2_ioctl_filesys.c | 26 ++++++++++++++------------ source4/torture/smb2/ioctl.c | 11 ++++++++++- 6 files changed, 65 insertions(+), 32 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/auth/pam_errors.c b/libcli/auth/pam_errors.c index 978f8ff..5592d39 100644 --- a/libcli/auth/pam_errors.c +++ b/libcli/auth/pam_errors.c @@ -71,11 +71,15 @@ static const struct { {NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR}, {NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR}, {NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED}, + {NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED}, {NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED}, {NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD}, {NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES}, {NT_STATUS_NO_MEMORY, PAM_BUF_ERR}, - {NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED}, + {NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR}, + {NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR}, + {NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR}, + {NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR}, {NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL}, {NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL}, {NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL}, diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c index b83a276..f5a5b99 100644 --- a/nsswitch/pam_winbind.c +++ b/nsswitch/pam_winbind.c 
@@ -765,6 +765,11 @@ static int pam_winbind_request_log(struct pwb_context *ctx, return PAM_IGNORE; } return retval; + case PAM_AUTHTOK_ERR: + /* Authentication token manipulation error */ + _pam_log(ctx, LOG_WARNING, "user `%s' authentication token change failed " + "(pwd complexity/history/min_age not met?)", user); + return retval; case PAM_SUCCESS: /* Otherwise, the authentication looked good */ if (strcmp(fn, "wbcLogonUser") == 0) { diff --git a/source3/lib/messages.c b/source3/lib/messages.c index ef8e83d..908c53c 100644 --- a/source3/lib/messages.c +++ b/source3/lib/messages.c @@ -561,6 +561,17 @@ int messaging_send_iov_from(struct messaging_context *msg_ctx, ret = messaging_dgm_send(dst.pid, iov2, iovlen+1, fds, num_fds); unbecome_root(); + if (ret == ECONNREFUSED) { + /* + * Linux returns this when a socket exists in the file + * system without a listening process. This is not + * documented in susv4 or the linux manpages, but it's + * easily testable. For the higher levels this is the + * same as "destination does not exist" + */ + ret = ENOENT; + } + return ret; } diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index c4c4bbc..1b9ec24 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -172,8 +172,8 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name, &gse_ctx->ccache); if (k5ret) { - DEBUG(1, ("Failed to resolve credential cache! (%s)\n", - error_message(k5ret))); + DEBUG(1, ("Failed to resolve credential cache '%s'! (%s)\n", + ccache_name, error_message(k5ret))); status = NT_STATUS_INTERNAL_ERROR; goto err_out; } @@ -203,7 +203,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx; OM_uint32 gss_maj, gss_min; gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER; - gss_OID_set_desc mech_set; #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; #endif 
@@ -248,20 +247,26 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, /* TODO: get krb5 ticket using username/password, if no valid * one already available in ccache */ - mech_set.count = 1; - mech_set.elements = &gse_ctx->gss_mech; - - gss_maj = gss_acquire_cred(&gss_min, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - &mech_set, - GSS_C_INITIATE, - &gse_ctx->creds, - NULL, NULL); + gss_maj = gss_krb5_import_cred(&gss_min, + gse_ctx->ccache, + NULL, /* keytab_principal */ + NULL, /* keytab */ + &gse_ctx->creds); if (gss_maj) { - DEBUG(5, ("gss_acquire_creds failed for GSS_C_NO_NAME with [%s] -" + char *ccache = NULL; + int kret; + + kret = krb5_cc_get_full_name(gse_ctx->k5ctx, + gse_ctx->ccache, + &ccache); + if (kret != 0) { + ccache = NULL; + } + + DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -" "the caller may retry after a kinit.\n", - gse_errstr(gse_ctx, gss_maj, gss_min))); + ccache, gse_errstr(gse_ctx, gss_maj, gss_min))); + SAFE_FREE(ccache); status = NT_STATUS_INTERNAL_ERROR; goto err_out; } @@ -380,8 +385,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, goto done; } -#ifdef HAVE_GSS_KRB5_IMPORT_CRED - /* This creates a GSSAPI cred_id_t with the keytab set */ gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, &gse_ctx->creds); @@ -400,7 +403,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, * principal in request'. Work around the issue by * falling back to the alternate approach below. */ } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) -#endif /* FIXME!!! * This call sets the default keytab for the whole server, not * just for this context. Need to find a way that does not alter diff --git a/source3/smbd/smb2_ioctl_filesys.c b/source3/smbd/smb2_ioctl_filesys.c index 55ce3f2..34331b4 100644 --- a/source3/smbd/smb2_ioctl_filesys.c +++ b/source3/smbd/smb2_ioctl_filesys.c 
@@ -104,11 +104,6 @@ static NTSTATUS fsctl_set_cmprn(TALLOC_CTX *mem_ctx, return status; } - if ((fsp->conn->fs_capabilities & FILE_FILE_COMPRESSION) == 0) { - DEBUG(4, ("FS does not advertise compression support\n")); - return NT_STATUS_NOT_SUPPORTED; - } - ndr_ret = ndr_pull_struct_blob(in_input, mem_ctx, &cmpr_state, (ndr_pull_flags_fn_t)ndr_pull_compression_state); if (ndr_ret != NDR_ERR_SUCCESS) { @@ -116,15 +111,22 @@ static NTSTATUS fsctl_set_cmprn(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - status = SMB_VFS_SET_COMPRESSION(fsp->conn, - mem_ctx, - fsp, - cmpr_state.format); - if (!NT_STATUS_IS_OK(status)) { - return status; + status = NT_STATUS_NOT_SUPPORTED; + if (fsp->conn->fs_capabilities & FILE_FILE_COMPRESSION) { + status = SMB_VFS_SET_COMPRESSION(fsp->conn, + mem_ctx, + fsp, + cmpr_state.format); + } else if (cmpr_state.format == COMPRESSION_FORMAT_NONE) { + /* + * bso#12144: The underlying filesystem doesn't support + * compression. We should still accept set(FORMAT_NONE) requests + * (like WS2016 ReFS). + */ + status = NT_STATUS_OK; } - return NT_STATUS_OK; + return status; } static NTSTATUS fsctl_zero_data(TALLOC_CTX *mem_ctx, diff --git a/source4/torture/smb2/ioctl.c b/source4/torture/smb2/ioctl.c index 5fc03bc..4348862 100644 --- a/source4/torture/smb2/ioctl.c +++ b/source4/torture/smb2/ioctl.c 
@@ -2608,7 +2608,16 @@ static bool test_ioctl_compress_notsup_set(struct torture_context *torture, COMPRESSION_FORMAT_DEFAULT); torture_assert_ntstatus_equal(torture, status, NT_STATUS_NOT_SUPPORTED, - "FSCTL_GET_COMPRESSION"); + "FSCTL_SET_COMPRESSION default"); + + /* + * Despite not supporting compression, we should get a successful + * response for set(COMPRESSION_FORMAT_NONE) - like WS2016 ReFS. + */ + status = test_ioctl_compress_set(torture, tmp_ctx, tree, fh, + COMPRESSION_FORMAT_NONE); + torture_assert_ntstatus_ok(torture, status, + "FSCTL_SET_COMPRESSION none"); smb2_util_close(tree, fh); talloc_free(tmp_ctx); -- Samba Shared Repository
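Review bot: the pam_errors.c hunk maps NT_STATUS_ACCOUNT_DISABLED to PAM_ACCT_EXPIRED (`+ {NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},`), while the message of commit 0fba7b2 lists NT_STATUS_ACCOUNT_DISABLED among the codes that "now map to PAM_AUTHTOK_ERR". The table is the better choice, since a disabled account is an account-level failure and not a token failure, so the commit message is what should be corrected; as landed, anyone reading the log to learn the mapping will be misled.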
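Review bot: the new PAM_AUTHTOK_ERR case in pam_winbind_request_log() has a `_pam_log(ctx, LOG_WARNING, "user `%s' authentication token change failed "` line that runs well past 80 columns; wrap it like the neighbouring calls. The wording also assumes a password change, yet the PAM_SUCCESS branch directly below distinguishes the caller with `strcmp(fn, "wbcLogonUser")`, so include `fn` in this warning as well; otherwise a logon that hits one of the newly mapped statuses is logged as a failed token change.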
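Review bot: the ECONNREFUSED to ENOENT translation lives only in messaging_send_iov_from(), after `unbecome_root()`, so any other caller of messaging_dgm_send() would still see the raw ECONNREFUSED; doing the mapping inside messaging_dgm_send(), or documenting in its header that ECONNREFUSED means a socket file with no listener, keeps the contract in one place. The comment should also cite bug 12509, and since it states the behaviour is "easily testable", a small regression test for the stale-socket-file case would pin it down.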
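Review bot: in the failure path of the new gss_krb5_import_cred() call in gse_init_client(), `ccache` is left NULL when krb5_cc_get_full_name() fails and is then handed to the `%s` in the DEBUG(5, ...) call; substitute a literal such as "<unknown>" rather than rely on the printf implementation to render a NULL pointer. Two smaller points in the same hunk: the format string `"gss_krb5_import_cred ccache[%s] failed with [%s] -" "the caller may retry after a kinit.\n"` has no space after the dash (carried over from the old message), and the string returned by krb5_cc_get_full_name() is released with `SAFE_FREE(ccache)` instead of krb5_free_string(). Given the commit message's claim of MIT krb5 >= 1.9 support, it is also worth confirming that krb5_cc_get_full_name() is available on that oldest supported MIT release or has a fallback.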
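Review bot: removing the early `if ((fsp->conn->fs_capabilities & FILE_FILE_COMPRESSION) == 0)` block in fsctl_set_cmprn() also dropped its `DEBUG(4, ("FS does not advertise compression support\n"))`, so the NT_STATUS_NOT_SUPPORTED result for any format other than COMPRESSION_FORMAT_NONE is now returned silently; add an explicit `else` branch that keeps a debug line. Worth a comment as well: the input blob is now NDR-pulled before the capability check, so a malformed request against a non-compressing share returns NT_STATUS_INVALID_PARAMETER where it previously returned NT_STATUS_NOT_SUPPORTED; confirm that this error precedence is the intended one.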
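Review bot: the new check in test_ioctl_compress_notsup_set() only asserts that set(COMPRESSION_FORMAT_NONE) returns NT_STATUS_OK; following it with a get-compression request that asserts the reported format is still COMPRESSION_FORMAT_NONE would also catch a server that reports success while leaving some other state behind. Correcting the assertion label to `"FSCTL_SET_COMPRESSION default"` in place of the copy-pasted `"FSCTL_GET_COMPRESSION"` is a good fix.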
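The messages.c change in 930667c rests on what sendto(2) reports when a unix(7) datagram socket file is still in the filesystem but its owning process is gone. The program below is an added example written for this page, not Samba code: it binds a datagram socket, closes it without unlink(2) so the socket file stays behind (the "dead but not cleaned-up-yet" destination), sends one datagram to that path and one to a path that never existed, and applies the same ECONNREFUSED-to-ENOENT normalisation the hunk introduces. The helper names (probe_dgram_path, leave_stale_socket, messaging_map_send_errno, probe_case) and the per-process path under /tmp are this example's own assumptions.

```c
/* Added example (not Samba code): unix(7) datagram sendto(2) against a
 * dead socket file vs. a missing path, plus the messages.c errno mapping. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Create an AF_UNIX datagram socket and fill addr for path.
 * Returns the fd, or -1 with errno set. */
static int dgram_socket(struct sockaddr_un *addr, const char *path)
{
	memset(addr, 0, sizeof(*addr));
	addr->sun_family = AF_UNIX;
	if (strlen(path) >= sizeof(addr->sun_path)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	strcpy(addr->sun_path, path);
	return socket(AF_UNIX, SOCK_DGRAM, 0);
}

/* Send one datagram to path. Returns 0 on success, otherwise the errno. */
static int probe_dgram_path(const char *path)
{
	struct sockaddr_un dst;
	int fd, err = 0;

	fd = dgram_socket(&dst, path);
	if (fd < 0) {
		return errno;
	}
	if (sendto(fd, "ping", 4, 0, (struct sockaddr *)&dst, sizeof(dst)) < 0) {
		err = errno;
	}
	close(fd);
	return err;
}

/* Bind a datagram socket at path, then close it without unlink(2): the
 * socket file survives but no process receives on it ("dead but not
 * cleaned-up-yet"). Returns 0 on success, otherwise the errno. */
static int leave_stale_socket(const char *path)
{
	struct sockaddr_un addr;
	int fd, err = 0;

	fd = dgram_socket(&addr, path);
	if (fd < 0) {
		return errno;
	}
	if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
		err = errno;
	}
	close(fd);
	return err;
}

/* The normalisation the messages.c hunk adds after messaging_dgm_send(). */
static int messaging_map_send_errno(int ret)
{
	return (ret == ECONNREFUSED) ? ENOENT : ret;
}

/* Probe one case at a per-process path under /tmp (an assumption of this
 * example). make_stale != 0 first leaves a dead socket file there;
 * make_stale == 0 sends to a path that was never created. Returns the raw
 * sendto() errno (0 = delivered), or -1 if the stale socket could not be
 * set up. */
static int probe_case(int make_stale)
{
	char path[64];
	int err;

	snprintf(path, sizeof(path), "/tmp/dgram_probe_%ld.sock", (long)getpid());
	unlink(path);
	if (make_stale && leave_stale_socket(path) != 0) {
		return -1;
	}
	err = probe_dgram_path(path);
	unlink(path);
	return err;
}

int main(void)
{
	int stale = probe_case(1), missing = probe_case(0);

	if (stale < 0) {
		fprintf(stderr, "could not set up stale socket\n");
		return 1;
	}
	printf("stale socket file: %s -> mapped to %s\n",
	       strerror(stale), strerror(messaging_map_send_errno(stale)));
	printf("missing path:      %s -> mapped to %s\n",
	       strerror(missing), strerror(messaging_map_send_errno(missing)));
	return 0;
}
```

On Linux the stale file yields ECONNREFUSED from sendto() and the missing path yields ENOENT from the path lookup; after messaging_map_send_errno() both collapse to ENOENT, which is the "destination does not exist" the hunk's comment describes. The stale socket file itself is still left behind by this program, as by any crashed process; the mapping only makes the sender stop treating it as a live peer.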