The branch, v4-7-stable has been updated
via 9a8a725 VERSION: Disable GIT_SNAPSHOT for the 4.7.11 release.
via db25438 WHATSNEW: Add release notes for Samba 4.7.11.
via 145b2ee s3:winbind: Fix regression introduced with bso #12851
via 9885da4 smb2_server: set req->do_encryption = true earlier
via fcdce95 s4:torture: split smb2.session.expire{1,2} to run with
signing and encryptpion
via 1f634f3 s3: smbd: Prevent valgrind errors in smbtorture3 POSIX test.
via 629466e lib: Hold at most 10 outstanding paged result cookies
via 5968278 lib: Put "results_store" into a doubly linked list
via dccaea5 krb5-samba: interdomain trust uses different salt principal
via b31ba49 testprogs/blackbox: let test_trust_user_account.sh check
the correct kerberos salt
via 5f89783 testprogs/blackbox: add testit[_expect_failure]_grep() to
subunit.sh
via fab6d42 samba-tool: add virtualKerberosSalt attribute to 'user
getpassword/syncpasswords'
via f7b9267 s4:selftest: test kinit with the interdomain trust user
account
via 38d7e58 libds: rename UF_MACHINE_ACCOUNT_MASK to
UF_TRUST_ACCOUNT_MASK
via 17ed5e0 vfs_fruit: Don't unlink the main file
via 3d8fdc3 torture: Make sure that fruit_ftruncate only unlinks streams
via 0e8298e s3:smbd: add a comment stating that file_close_user() is
redundant for SMB2
via b7c659a s3:smbd: let session logoff close files and tcons before
deleting the session
via 5125304 s3:smbd: reorder tcon global record deletion and closing
files of a tcon
via 6a179a5 selftest: add a durable handle test with delayed disconnect
via 34b4b5b s4:selftest: reformat smb2_s3only list
via ada2165 vfs_delay_inject: adding delay to VFS calls
via fc3d25b s4:rpc_server/netlogon: don't treet trusted domains as
primary in LogonGetDomainInfo()
via f77ea35 s4:rpc_server/netlogon: make use of talloc_zero_array() for
the netr_OneDomainInfo array
via f73ef35 s4:rpc_server/netlogon: use
samdb_domain_guid()/dsdb_trust_local_tdo_info() to build our netr_OneDomainInfo
values
via ecffd79 s4:dsdb/common: add samdb_domain_guid() helper function
via 14a2695 dsdb:util_trusts: add dsdb_trust_local_tdo_info() helper
function
via 467e6ae dsdb/util_trusts: domain_dn is an input parameter of
dsdb_trust_crossref_tdo_info()
via 8e81aa4 s4:torture/rpc/netlogon: verify the trusted domains output
of LogonGetDomainInfo()
via 435e096a s4:torture/rpc/netlogon: assert that
cli_credentials_get_{workstation,password} don't return NULL
via 592bdff smbd: Fix a memleak in async search ask sharemode
via 8f1183d s3: util: Do not take over stderr when there is no log file
via 1cdf976 s3: smbd: Ensure get_real_filename() copes with empty
pathnames.
via b9b4e96 VERSION: Bump version up to 4.7.9...
from 2ec3c4d VERSION: Disable GIT_SNAPSHOT for the 4.7.10 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 69 +++++-
auth/credentials/credentials_krb5.c | 16 +-
lib/krb5_wrap/krb5_samba.c | 61 ++++--
lib/krb5_wrap/krb5_samba.h | 2 +-
lib/ldb/modules/paged_results.c | 43 ++--
lib/util/debug.c | 7 +-
libds/common/flags.h | 2 +-
python/samba/netcmd/user.py | 24 +++
selftest/target/Samba3.pm | 8 +
source3/locking/share_mode_lock.c | 13 +-
source3/modules/vfs_delay_inject.c | 58 +++++
source3/modules/vfs_fruit.c | 6 +-
source3/modules/wscript_build | 7 +
source3/passdb/machine_account_secrets.c | 3 +-
.../script/tests/test_durable_handle_reconnect.sh | 21 ++
source3/selftest/tests.py | 5 +-
source3/smbd/close.c | 4 +
source3/smbd/filename.c | 5 +
source3/smbd/smb2_server.c | 15 +-
source3/smbd/smbXsrv_session.c | 52 +++--
source3/smbd/smbXsrv_tcon.c | 38 ++--
source3/winbindd/wb_getpwsid.c | 28 +--
source3/wscript | 1 +
source4/dsdb/common/util.c | 55 +++++
source4/dsdb/common/util_trusts.c | 22 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 6 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 234 +++++++++++++++------
source4/selftest/tests.py | 9 +-
source4/torture/rpc/netlogon.c | 146 ++++++++++++-
source4/torture/smb2/durable_v2_open.c | 95 +++++++++
source4/torture/smb2/session.c | 50 ++++-
source4/torture/smb2/smb2.c | 2 +
source4/torture/vfs/fruit.c | 45 ++++
testprogs/blackbox/subunit.sh | 50 +++++
testprogs/blackbox/test_trust_user_account.sh | 58 +++++
36 files changed, 1058 insertions(+), 204 deletions(-)
create mode 100644 source3/modules/vfs_delay_inject.c
create mode 100755 source3/script/tests/test_durable_handle_reconnect.sh
create mode 100755 testprogs/blackbox/test_trust_user_account.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 0f3c07e..2b8b626 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=7
-SAMBA_VERSION_RELEASE=10
+SAMBA_VERSION_RELEASE=11
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 98fcfe5..e3da5bf 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,69 @@
==============================
+ Release Notes for Samba 4.7.11
+ October 23, 2018
+ ==============================
+
+
+Please note that this will very likely be the last bugfix release of the Samba
+4.7 release series. There will be security fixes only beyond this point.
+
+
+Changes since 4.7.10:
+--------------------
+
+o Paulo Alcantara <[email protected]>
+ * BUG 13578: s3: util: Do not take over stderr when there is no log file.
+
+o Jeremy Allison <[email protected]>
+ * BUG 13585: s3: smbd: Ensure get_real_filename() copes with empty
pathnames.
+ * BUG 13633: s3: smbd: Prevent valgrind errors in smbtorture3 POSIX test.
+
+o Ralph Boehme <[email protected]>
+ * BUG 13549: Durable Reconnect fails because cookie.allow_reconnect is not
+ set redundant for SMB2.
+
+o Alexander Bokovoy <[email protected]>
+ * BUG 13539: krb5-samba: Interdomain trust uses different salt principal.
+
+o Volker Lendecke <[email protected]>
+ * BUG 13362: Fix possible memory leak in the Samba process.
+ * BUG 13441: vfs_fruit: Don't unlink the main file.
+ * BUG 13602: smbd: Fix a memleak in async search ask sharemode.
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 11517: Fix Samba GPO issue when Trust is enabled.
+ * BUG 13539: samba-tool: Add virtualKerberosSalt attribute to 'user
+ getpassword/syncpasswords'.
+ * BUG 13624: smb2_server: Set req->do_encryption = true earlier.
+
+o Andreas Schneider <[email protected]>
+ * BUG 12851: s3:winbind: Fix regression.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
Release Notes for Samba 4.7.10
August 27, 2018
==============================
@@ -100,8 +165,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.7.9
diff --git a/auth/credentials/credentials_krb5.c
b/auth/credentials/credentials_krb5.c
index b88497d..fb46797 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -34,6 +34,7 @@
#include "auth/kerberos/kerberos_util.h"
#include "auth/kerberos/pac_utils.h"
#include "param/param.h"
+#include "../libds/common/flags.h"
static void cli_credentials_invalidate_client_gss_creds(
struct cli_credentials *cred,
@@ -971,7 +972,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct
cli_credentials *cred,
const char *upn = NULL;
const char *realm = cli_credentials_get_realm(cred);
char *salt_principal = NULL;
- bool is_computer = false;
+ uint32_t uac_flags = 0;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
cred->username_obtained))) {
@@ -996,9 +997,15 @@ _PUBLIC_ int cli_credentials_get_keytab(struct
cli_credentials *cred,
switch (cred->secure_channel_type) {
case SEC_CHAN_WKSTA:
- case SEC_CHAN_BDC:
case SEC_CHAN_RODC:
- is_computer = true;
+ uac_flags = UF_WORKSTATION_TRUST_ACCOUNT;
+ break;
+ case SEC_CHAN_BDC:
+ uac_flags = UF_SERVER_TRUST_ACCOUNT;
+ break;
+ case SEC_CHAN_DOMAIN:
+ case SEC_CHAN_DNS_DOMAIN:
+ uac_flags = UF_INTERDOMAIN_TRUST_ACCOUNT;
break;
default:
upn = cli_credentials_get_principal(cred, mem_ctx);
@@ -1006,13 +1013,14 @@ _PUBLIC_ int cli_credentials_get_keytab(struct
cli_credentials *cred,
TALLOC_FREE(mem_ctx);
return ENOMEM;
}
+ uac_flags = UF_NORMAL_ACCOUNT;
break;
}
ret = smb_krb5_salt_principal(realm,
username, /* sAMAccountName */
upn, /* userPrincipalName */
- is_computer,
+ uac_flags,
mem_ctx,
&salt_principal);
if (ret) {
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 0ba8aae..73e89ea 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -24,6 +24,7 @@
#include "system/filesys.h"
#include "krb5_samba.h"
#include "lib/crypto/crypto.h"
+#include "../libds/common/flags.h"
#ifdef HAVE_COM_ERR_H
#include <com_err.h>
@@ -445,8 +446,7 @@ int smb_krb5_get_pw_salt(krb5_context context,
* @param[in] userPrincipalName The userPrincipalName attribute of the object
* or NULL is not available.
*
- * @param[in] is_computer The indication of the object includes
- * objectClass=computer.
+ * @param[in] uac_flags UF_ACCOUNT_TYPE_MASKed userAccountControl
field
*
* @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
*
@@ -459,7 +459,7 @@ int smb_krb5_get_pw_salt(krb5_context context,
int smb_krb5_salt_principal(const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
- bool is_computer,
+ uint32_t uac_flags,
TALLOC_CTX *mem_ctx,
char **_salt_principal)
{
@@ -480,6 +480,23 @@ int smb_krb5_salt_principal(const char *realm,
return EINVAL;
}
+ if (uac_flags & ~UF_ACCOUNT_TYPE_MASK) {
+ /*
+ * catch callers which still
+ * pass 'true'.
+ */
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+ if (uac_flags == 0) {
+ /*
+ * catch callers which still
+ * pass 'false'.
+ */
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
upper_realm = strupper_talloc(frame, realm);
if (upper_realm == NULL) {
TALLOC_FREE(frame);
@@ -493,7 +510,7 @@ int smb_krb5_salt_principal(const char *realm,
/*
* Determine a salting principal
*/
- if (is_computer) {
+ if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
int computer_len = 0;
char *tmp = NULL;
@@ -502,20 +519,32 @@ int smb_krb5_salt_principal(const char *realm,
computer_len -= 1;
}
- tmp = talloc_asprintf(frame, "host/%*.*s.%s",
- computer_len, computer_len,
- sAMAccountName, realm);
- if (tmp == NULL) {
- TALLOC_FREE(frame);
- return ENOMEM;
- }
+ if (uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT) {
+ principal = talloc_asprintf(frame, "krbtgt/%*.*s",
+ computer_len, computer_len,
+ sAMAccountName);
+ if (principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+ } else {
- principal = strlower_talloc(frame, tmp);
- TALLOC_FREE(tmp);
- if (principal == NULL) {
- TALLOC_FREE(frame);
- return ENOMEM;
+ tmp = talloc_asprintf(frame, "host/%*.*s.%s",
+ computer_len, computer_len,
+ sAMAccountName, realm);
+ if (tmp == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ principal = strlower_talloc(frame, tmp);
+ TALLOC_FREE(tmp);
+ if (principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
}
+
principal_len = strlen(principal);
} else if (userPrincipalName != NULL) {
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 315d3c3..8305c1f 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -353,7 +353,7 @@ int smb_krb5_get_pw_salt(krb5_context context,
int smb_krb5_salt_principal(const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
- bool is_computer,
+ uint32_t uac_flags,
TALLOC_CTX *mem_ctx,
char **_salt_principal);
int smb_krb5_salt_principal2data(krb5_context context,
diff --git a/lib/ldb/modules/paged_results.c b/lib/ldb/modules/paged_results.c
index de014a3..ecb2227 100644
--- a/lib/ldb/modules/paged_results.c
+++ b/lib/ldb/modules/paged_results.c
@@ -35,6 +35,8 @@
#include "replace.h"
#include "system/filesys.h"
#include "system/time.h"
+#include "dlinklist.h"
+#include <assert.h>
#include "ldb_module.h"
struct message_store {
@@ -48,14 +50,13 @@ struct message_store {
struct private_data;
struct results_store {
+ struct results_store *prev, *next;
struct private_data *priv;
char *cookie;
time_t timestamp;
- struct results_store *next;
-
struct message_store *first;
struct message_store *last;
int num_entries;
@@ -68,6 +69,7 @@ struct results_store {
struct private_data {
uint32_t next_free_id;
+ size_t num_stores;
struct results_store *store;
};
@@ -75,22 +77,12 @@ struct private_data {
static int store_destructor(struct results_store *del)
{
struct private_data *priv = del->priv;
- struct results_store *loop;
-
- if (priv->store == del) {
- priv->store = del->next;
- return 0;
- }
+ DLIST_REMOVE(priv->store, del);
- for (loop = priv->store; loop; loop = loop->next) {
- if (loop->next == del) {
- loop->next = del->next;
- return 0;
- }
- }
+ assert(priv->num_stores > 0);
+ priv->num_stores -= 1;
- /* is not in list ? */
- return -1;
+ return 0;
}
static struct results_store *new_store(struct private_data *priv)
@@ -120,11 +112,23 @@ static struct results_store *new_store(struct
private_data *priv)
newr->first_ref = NULL;
newr->controls = NULL;
- newr->next = priv->store;
- priv->store = newr;
+ DLIST_ADD(priv->store, newr);
+
+ assert(priv->num_stores < SIZE_MAX);
+ priv->num_stores += 1;
talloc_set_destructor(newr, store_destructor);
+ if (priv->num_stores > 10) {
+ struct results_store *last;
+ /*
+ * 10 is the default for MaxResultSetsPerConn --
+ * possibly need to parameterize it.
+ */
+ last = DLIST_TAIL(priv->store);
+ TALLOC_FREE(last);
+ }
+
return newr;
}
@@ -381,6 +385,8 @@ static int paged_search(struct ldb_module *module, struct
ldb_request *req)
return LDB_ERR_UNWILLING_TO_PERFORM;
}
+ DLIST_PROMOTE(private_data->store, current);
+
ac->store = current;
/* check if it is an abandon */
@@ -412,6 +418,7 @@ static int paged_request_init(struct ldb_module *module)
}
data->next_free_id = 1;
+ data->num_stores = 0;
data->store = NULL;
ldb_module_set_private(module, data);
diff --git a/lib/util/debug.c b/lib/util/debug.c
index 135cdb6..8033c80 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -1069,8 +1069,11 @@ bool reopen_logs_internal(void)
force_check_log_size();
(void)umask(oldumask);
- /* Take over stderr to catch output into logs */
- if (state.fd > 0) {
+ /*
+ * If log file was opened or created successfully, take over stderr to
+ * catch output into logs.
+ */
+ if (new_fd != -1) {
if (dup2(state.fd, 2) == -1) {
/* Close stderr too, if dup2 can't point it -
at the logfile. There really isn't much
diff --git a/libds/common/flags.h b/libds/common/flags.h
index 88b93cb..11242e1 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -53,7 +53,7 @@
#define UF_PARTIAL_SECRETS_ACCOUNT 0x04000000
#define UF_USE_AES_KEYS 0x08000000
-#define UF_MACHINE_ACCOUNT_MASK (\
+#define UF_TRUST_ACCOUNT_MASK (\
UF_INTERDOMAIN_TRUST_ACCOUNT |\
UF_WORKSTATION_TRUST_ACCOUNT |\
UF_SERVER_TRUST_ACCOUNT \
diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index 3b744a3..a82ac76 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -199,6 +199,9 @@ for (alg, attr) in [("5", "virtualCryptSHA256"), ("6",
"virtualCryptSHA512")]:
for x in range(1, 30):
virtual_attributes["virtualWDigest%02d" % x] = {}
+# Add Kerberos virtual attributes
+virtual_attributes["virtualKerberosSalt"] = {}
+
virtual_attributes_help = "The attributes to display (comma separated). "
virtual_attributes_help += "Possible supported virtual attributes: %s" % ",
".join(sorted(virtual_attributes.keys()))
if len(disabled_virtual_attributes) != 0:
@@ -1217,6 +1220,16 @@ class GetPasswordCommand(Command):
# first matching scheme
return (None, scheme_match)
+ def get_kerberos_ctr():
+ primary_krb5 = get_package("Primary:Kerberos-Newer-Keys")
+ if primary_krb5 is None:
+ primary_krb5 = get_package("Primary:Kerberos")
+ if primary_krb5 is None:
+ return (0, None)
+ krb5_blob = ndr_unpack(drsblobs.package_PrimaryKerberosBlob,
+ primary_krb5)
+ return (krb5_blob.version, krb5_blob.ctr)
+
# We use sort here in order to have a predictable processing order
for a in sorted(virtual_attributes.keys()):
if not a.lower() in lower_attrs:
@@ -1268,6 +1281,11 @@ class GetPasswordCommand(Command):
v = get_package("Primary:SambaGPG", min_idx=-1)
if v is None:
continue
+ elif a == "virtualKerberosSalt":
+ (krb5_v, krb5_ctr) = get_kerberos_ctr()
+ if krb5_v not in [3, 4]:
+ continue
+ v = krb5_ctr.salt.string
elif a.startswith("virtualWDigest"):
primary_wdigest = get_package("Primary:WDigest")
if primary_wdigest is None:
@@ -1384,6 +1402,9 @@ for which virtual attributes are supported in your
environment):
https://msdn.microsoft.com/en-us/library/cc245680.aspx
is incorrect
+ virtualKerberosSalt: This results the salt string that is used to compute
+ Kerberos keys from a UTF-8 cleartext password.
+
virtualSambaGPG: The raw cleartext as stored in the
'Primary:SambaGPG' buffer inside of the
supplementalCredentials attribute.
@@ -1551,6 +1572,9 @@ for supported virtual attributes in your environment):
https://msdn.microsoft.com/en-us/library/cc245680.aspx
is incorrect.
+ virtualKerberosSalt: This results the salt string that is used to compute
+ Kerberos keys from a UTF-8 cleartext password.
+
virtualSambaGPG: The raw cleartext as stored in the
'Primary:SambaGPG' buffer inside of the
supplementalCredentials attribute.
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 9c41b8c..25c134e 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -2057,6 +2057,14 @@ sub provision($$$$$$$$$)
copy = tmp
vfs objects = error_inject
include = $libdir/error_inject.conf
+
+[delay_inject]
+ copy = tmp
+ vfs objects = delay_inject
+ kernel share modes = no
+ kernel oplocks = no
+ posix locking = no
+ include = $libdir/delay_inject.conf
";
close(CONF);
diff --git a/source3/locking/share_mode_lock.c
b/source3/locking/share_mode_lock.c
index cee0045..ec17bca 100644
--- a/source3/locking/share_mode_lock.c
+++ b/source3/locking/share_mode_lock.c
@@ -673,7 +673,7 @@ static void fetch_share_mode_done(struct tevent_req
*subreq);
--
Samba Shared Repository
