The branch, v4-9-stable has been updated
       via  214ec9cf8f4 VERSION: Disable GIT_SNAPSHOT for the 4.9.5 release.
       via  2bbbc1aae27 WHATSNEW: Add release notes for Samba 4.9.5.
       via  43957ab96e7 libcli/security: fix handling of deny type ACEs in 
access_check_max_allowed()
       via  4fe9eff4dd6 s4:torture: Add test_deny1().
       via  824a058aa92 s4:torture: Add test_owner_rights_deny1().
       via  b4289aa34ae libcli/security: correct access check and maximum 
access calculation for Owner Rights ACEs
       via  f801b824815 s4:torture: Add test_owner_rights_deny().
       via  b1ce4d436a1 s4:torture: Fix the test_owner_rights() test to show 
permissions are additive.
       via  8f9858671fd libcli/security: add "Owner Rights" calculation to 
access_check_max_allowed()
       via  2a7e1bb9c03 s4:torture: add a Maximum Access check with an Owner 
Rights ACE
       via  953039c7a78 s4:libcli: remember return code from maximum access
       via  9dc374fee03 sambaundoguididx: use the right escaped oder unescaped 
sam ldb files
       via  f8748b8bfc2 s4-server: Open and close a transaction on sam.ldb at 
startup
       via  47fb4ba84f3 vfs_ceph: remove ceph_fallocate/ceph_ftruncate fallback
       via  ba75d5f4839 vfs_ceph: fix strict_allocate_ftruncate()
       via  15ef70cb53a vfs_ceph: add missing fallocate hook
       via  13bf811858f s3: smbd: filenames - ensure we replace the missing '/' 
if we error in an intermediate POSIX path.
       via  ffb706ddbce s3: torture: Add additional POSIX mkdir tests.
       via  4b58042f3fa smbd: unix_convert: Ensure we don't call 
get_real_filename on POSIX paths.
       via  fe4254ef4e1 smbd: SMB1-POSIX: Add missing info-level 
SMB_POSIX_PATH_OPEN for UCF_UNIX_NAME_LOOKUP flag.
       via  f59064f8a96 s3: smbtorture3: Add POSIX-MKDIR test for posix_mkdir 
case sensitive bug.
       via  53dfd92b82e winbindd: set idmap cache entries as the last step in 
async wb_xids2sids
       via  9c36a6dd16a winbindd: track whether a result from xid2sid was 
coming from the cache
       via  b6587172d0c winbindd: switch send-next/done order
       via  06862c77d5c winbindd: update xid in wb_xids2sids_state->xids with 
what we got
       via  4cf7bddc645 winbindd: convert id to a pointer in 
wb_xids2sids_dom_done()
       via  577ac999fbd winbindd: make xids a const argument to 
wb_xids2sids_send()
       via  915aff6fe7c winbindd: make a copy of xid's in wb_xids2sids_send()
       via  eb16d3b7bc1 ctdb-cluster-mutex: Separate out command and file 
handling
       via  65c3c5801ff ctdb-recoverd: Time out attempt to take recovery lock 
after 120s
       via  4c059e03ef7 ctdb-recoverd: Ban node on unknown error when taking 
recovery lock
       via  fd9a02c0bb2 ctdb-recoverd: Make recoverd context available in 
recovery lock handle
       via  f63f2a0ee39 ctdb-recoverd: Clean up logging on failure to take 
recovery lock
       via  fb8c3bd8995 ctdb-recoverd: Free cluster mutex handler on failure to 
take lock
       via  592f02112bb ctdb-config: Change example recovery lock setting to 
one that fails
       via  ad3751b5a51 messages_dgm: Properly handle receiver re-initialization
       via  9dd1b416654 torture3: Extend read3 for the "messaging target 
re-inits" failure
       via  6bea9304998 messages_dgm: Use saved errno value
       via  6a38b9917b2 man pages: document prefork process model
       via  ab66f70056c notifyd: Fix SIGBUS on sparc
       via  2bbd2dcf282 CVE-2019-3824 ldb: Release ldb 1.4.6
       via  47b2344bdb1 CVE-2019-3824 ldb: Add tests for ldb_wildcard_match
       via  2a88a47b9f8 CVE-2019-3824 ldb: wildcard_match end of data check
       via  73187de7138 CVE-2019-3824 ldb: wildcard_match check tree operation
       via  754bc1a76e9 CVE-2019-3824 ldb: ldb_parse_tree use talloc_zero
       via  33fa01b4be0 CVE-2019-3824 ldb: Improve code style and layout in 
wildcard processing
       via  cedc4e89625 CVE-2019-3824 ldb: Extra comments to clarify no pointer 
wrap in wildcard processing
       via  fd8e90b9a51 CVE-2019-3824 ldb: Out of bound read in 
ldb_wildcard_compare
       via  2f5823c5015 waf: Check for libnscd
       via  d85f9fdc8ac tldap: avoid more use after free errors
       via  5995d5b91bf tldap: avoid a use after free crash
       via  c0858bc990c s3:vfs: Correctly check if OFD locks should be enabled 
or not
       via  53d2623b2fd s3:vfs: Initialize pid to 0 in test_netatalk_lock()
       via  eb425d50447 s4: torture: vfs_fruit. Change 
test_fruit_locking_conflict() to match the vfs_fruit working server code.
       via  b650db4d06a s3: VFS: vfs_fruit. Fix the NetAtalk deny mode 
compatibility code.
       via  6f697b9c68a netcmd/user: python[3]-gpgme unsupported and replaced 
by python[3]-gpg
       via  7644bb26be0 smbd: uid: Don't crash if 'force group' is added to an 
existing share connection.
       via  eac00de2a09 s3: tests: Add regression test for smbd crash on share 
force group change with existing connection.
       via  44f49283cb8 printing: check lp_load_printers() prior to pcap cache 
update
       via  3ec3f9dcb3f printing: drop pcap_cache_loaded() guard around 
load_printers()
       via  455099bd9dd s3-smbd: use fruit:model string for mDNS registration
       via  c7b04443226 ldb: Bump ldb version to 1.4.5
       via  befb3527bc2 ldb: Avoid inefficient one-level searches
       via  9b21b518d72 s3-vfs: Use ENOATTR in errno comparison for getxattr
       via  676b43893d7 s3-vfs: add glusterfs_fuse vfs module.
       via  d94e82305e6 selftest:Samba4: use 'smbcontrol samba shutdown'
       via  aced074c363 s4:server: add support for 'smbcontrol samba shutdown'
       via  e896ca8f9c5 s4:server: avoid using pid=0 for the parent 'samba' 
process
       via  562ceb1f43d s4:messaging: add support 'smbcontrol <pid> 
debug/debuglevel'
       via  f6ebd9d2a9e manpages/samba.7.xml: smbcontrol can also work with 
'samba'
       via  56b401ebd38 join: Throw CommandError instead of Exception for 
simple errors
       via  e51de1d48a4 join: Fix TypeError when handling exception
       via  3477e19d742 vfs_glusterfs: Adapt to changes in libgfapi signatures
       via  6ddc44fbb7a vfs_fileid: fix fsname_norootdir algorithm
       via  d1428435b52 ctdb: Print locks latency in machinereadable stats
       via  bb3e0c5c829 vfs_fileid: fix get_connectpath_ino
       via  4588c1c704a lib/audit_logging: actually create talloc
       via  3b19257a7d3 s3:libsmb: cli_smb2_list() can sometimes fail initially 
on a connection
       via  5cbce550a76 libcli: Add error log if insufficient SMB2 credits
       via  833505239e3 s3: libsmb: use smb2cli_conn_max_trans_size() in 
cli_smb2_list()
       via  0493165a22b s3:libsmb: Honor disable_netbios option in 
smbsock_connect_send
       via  8e2514a1b1c s3:utils:net: Print debug message about Netbios
       via  c824d35f36c s3:smbpasswd: Print debug message about Netbios
       via  fc3f516a41d s3:libsmb: Print debug message about Netbios
       via  f13c5a9c1fd s3:libsmb: Check disable_netbios in socket connect
       via  3145dae212c audit_logging: Remove debug log header and JSON 
Authentication: prefix
       via  2cebe0b84f5 json: Modify API to use return codes
       via  76bcdecae23 ldb: Bump ldb version to 1.4.4
       via  8738db2afad lib/ldb: Use new PYARG_ES format for parseTuple
       via  869ae9a17b2 lib/ldb/tests/python: Add test to pass utf8 encoded 
bytes to ldb.Dn
       via  043e6e8b7d4 s4/libnet: use 'et' as format for ParseTuple with 
python2
       via  d253c470ae4 python: Add new compat PYARG_STR_UNI format
       via  38c459223d2 s3: lib: nmbname: Ensure we limit the NetBIOS name 
correctly. CID: 1433607
       via  0a3a26179f8 s3: net: Do not set NET_FLAGS_ANONYMOUS with -k
       via  d94403d1dc7 s3-vfs-fruit: add close call
       via  16bd1112e2a s3-vfs-streams_xattr: add close call
       via  f6ff49b3da8 audit_logging: auth_json_audit required auth_json
       via  d1027b4b8e6 dns: changing onelevel search for wildcard to subtree
       via  1d927b23f63 samba-tool: don't print backtrace on simple DNS errors
       via  d4b8049d781 s3:auth_winbind: ignore a missing winbindd as NT4 
PDC/BDC without trusts
       via  cb7dabb89d3 s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if 
winbindd is not available
       via  887030b71c9 s3:auth_winbind: remove fallback to optional backend
       via  48af1338396 s3-smbd: avoid assuming fsp is always intact after 
close_file call.
       via  e7b344747eb lib/util: Count a trailing line that doesn't end in a 
newline
       via  55e8277a975 samba-tool drs showrepl: do not crash if no dnsHostName 
found
       via  a1486390762 s3:auth: ignore create_builtin_guests() failing without 
a valid idmap configuration
       via  41889196769 s3:utils/smbget fix recursive download with empty 
source directories
       via  b9a1a179e62 s3:utils/smbget add error handling for mkdir() calls
       via  a5c8e943d34 s3:script/tests reduce code duplication
       via  2c51c8f8ac1 VERISON: Bump version up to 4.9.5...
      from  f1a0c8355e6 VERSION: Disable GIT_SNAPSHOT for the 4.9.4 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       | 145 +++++-
 auth/auth_log.c                                    | 324 ++++++++----
 ctdb/config/ctdb.conf                              |  13 +-
 ctdb/server/ctdb_cluster_mutex.c                   | 113 +++--
 ctdb/server/ctdb_recoverd.c                        |  36 +-
 ctdb/tools/ctdb.c                                  |   5 +
 docs-xml/manpages/samba.7.xml                      |   2 +-
 docs-xml/manpages/samba.8.xml                      |  35 +-
 docs-xml/manpages/vfs_glusterfs_fuse.8.xml         | 103 ++++
 docs-xml/smbdotconf/base/preforkchildren.xml       |   4 +-
 docs-xml/wscript_build                             |   1 +
 lib/audit_logging/audit_logging.c                  | 546 +++++++++++++-------
 lib/audit_logging/audit_logging.h                  |  64 +--
 lib/audit_logging/tests/audit_logging_test.c       | 252 ++++++++--
 lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.4.4.sigs}     |   0
 lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.4.5.sigs}     |   0
 lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.4.6.sigs}     |   0
 ...yldb-util-1.1.10.sigs => pyldb-util-1.4.4.sigs} |   0
 ...yldb-util-1.1.10.sigs => pyldb-util-1.4.5.sigs} |   0
 ...yldb-util-1.1.10.sigs => pyldb-util-1.4.6.sigs} |   0
 ...-util-1.1.10.sigs => pyldb-util.py3-1.4.4.sigs} |   0
 ...-util-1.1.10.sigs => pyldb-util.py3-1.4.5.sigs} |   0
 ...-util-1.1.10.sigs => pyldb-util.py3-1.4.6.sigs} |   0
 lib/ldb/common/ldb_match.c                         |  41 +-
 lib/ldb/common/ldb_parse.c                         |   2 +-
 lib/ldb/ldb_tdb/ldb_index.c                        |  18 +-
 lib/ldb/pyldb.c                                    |   7 +-
 lib/ldb/tests/ldb_match_test.c                     | 191 +++++++
 lib/ldb/tests/ldb_match_test.valgrind              |  16 +
 lib/ldb/tests/python/api.py                        |  15 +
 lib/ldb/wscript                                    |  10 +-
 lib/util/tests/file.c                              | 152 ++++++
 lib/util/util_file.c                               |   6 +-
 libcli/security/access_check.c                     | 127 +++--
 libcli/smb/smbXcli_base.c                          |   3 +
 python/py3compat.h                                 |  10 +
 python/samba/join.py                               |   7 +-
 python/samba/netcmd/dns.py                         |  10 +-
 python/samba/netcmd/domain.py                      |   2 +-
 python/samba/netcmd/drs.py                         |   4 +-
 python/samba/netcmd/user.py                        |  86 +++-
 selftest/selftesthelpers.py                        |   1 +
 selftest/skip                                      |   1 +
 selftest/target/Samba3.pm                          |   6 +
 selftest/target/Samba4.pm                          |   9 +
 source3/auth/auth.c                                |   2 +-
 source3/auth/auth_winbind.c                        |  47 +-
 source3/auth/token_util.c                          |  18 +-
 source3/include/proto.h                            |   2 +-
 source3/lib/messages_dgm.c                         |  18 +-
 source3/lib/tldap.c                                |   1 -
 source3/lib/tldap_util.c                           |   2 -
 source3/lib/util.c                                 |   7 +-
 source3/libsmb/cli_smb2_fnum.c                     |  15 +-
 source3/libsmb/clidfs.c                            |  10 +-
 source3/libsmb/libsmb_server.c                     |   4 +
 source3/libsmb/nmblib.c                            |  34 +-
 source3/libsmb/passchange.c                        |  16 +-
 source3/libsmb/smbsock_connect.c                   |  12 +
 source3/modules/posixacl_xattr.c                   |   4 +-
 source3/modules/vfs_ceph.c                         | 112 +----
 source3/modules/vfs_default.c                      |  14 +-
 source3/modules/vfs_fileid.c                       |   7 +-
 source3/modules/vfs_fruit.c                        | 286 +++++++----
 source3/modules/vfs_glusterfs.c                    |  21 +-
 source3/modules/vfs_glusterfs_fuse.c               |  71 +++
 source3/modules/vfs_streams_xattr.c                |  26 +
 source3/modules/wscript_build                      |   8 +
 source3/printing/load.c                            |   4 +-
 source3/printing/pcap.c                            |   5 +
 source3/printing/queue_process.c                   |   6 +-
 source3/printing/spoolssd.c                        |   8 +-
 source3/script/tests/test_force_group_change.sh    |  73 +++
 source3/script/tests/test_smbget.sh                |  86 +++-
 source3/selftest/tests.py                          |   5 +-
 source3/smbd/avahi_register.c                      |  27 +
 source3/smbd/filename.c                            |  43 ++
 source3/smbd/files.c                               |   9 +
 source3/smbd/notifyd/notifyd.c                     |  11 +-
 source3/smbd/smb2_close.c                          |   2 +-
 source3/smbd/trans2.c                              |   1 +
 source3/smbd/uid.c                                 |  35 +-
 source3/torture/test_messaging_read.c              |  44 +-
 source3/torture/torture.c                          | 202 ++++++++
 source3/utils/net_rpc.c                            |  13 +-
 source3/utils/net_time.c                           |   9 +-
 source3/utils/smbget.c                             |  11 +-
 source3/winbindd/wb_xids2sids.c                    |  74 ++-
 source3/winbindd/winbindd_proto.h                  |   2 +-
 source3/wscript                                    |   7 +
 source3/wscript_build                              |   1 +
 source4/dns_server/dnsserver_common.c              |   2 +-
 source4/dsdb/samdb/ldb_modules/audit_log.c         | 441 ++++++++++++----
 source4/dsdb/samdb/ldb_modules/audit_util.c        | 148 +++++-
 source4/dsdb/samdb/ldb_modules/group_audit.c       |  93 +++-
 .../samdb/ldb_modules/tests/test_group_audit.c     |   5 +-
 source4/lib/messaging/messaging.c                  |  72 +++
 source4/libcli/raw/interfaces.h                    |   1 +
 source4/libcli/smb2/create.c                       |   4 +-
 source4/libnet/py_net.c                            |   3 +-
 source4/scripting/bin/sambaundoguididx             |   3 +-
 source4/smbd/server.c                              |  81 ++-
 source4/torture/smb2/acls.c                        | 558 +++++++++++++++++++++
 source4/torture/vfs/fruit.c                        |  26 +-
 105 files changed, 4209 insertions(+), 1012 deletions(-)
 create mode 100644 docs-xml/manpages/vfs_glusterfs_fuse.8.xml
 copy lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.4.4.sigs} (100%)
 copy lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.4.5.sigs} (100%)
 copy lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.4.6.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.4.4.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.4.5.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.4.6.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.4.4.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.4.5.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.4.6.sigs} (100%)
 create mode 100644 lib/ldb/tests/ldb_match_test.c
 create mode 100644 lib/ldb/tests/ldb_match_test.valgrind
 create mode 100644 source3/modules/vfs_glusterfs_fuse.c
 create mode 100755 source3/script/tests/test_force_group_change.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 7efe718ebbf..683f87b6c68 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=9
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b3a39d3291a..22eeec2ddcc 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,144 @@
+                   =============================
+                   Release Notes for Samba 4.9.5
+                           March 12, 2019
+                   =============================
+
+
+Changes since 4.9.4:
+--------------------
+
+o  Andrew Bartlett <[email protected]>
+   * BUG 13714: audit_logging: Remove debug log header and JSON Authentication:
+     prefix.
+   * BUG 13760: Fix upgrade from 4.7 (or earlier) to 4.9.
+
+o  Jeremy Allison <[email protected]>
+   * BUG 11495: s3: lib: nmbname: Ensure we limit the NetBIOS name correctly.
+     CID: 1433607.
+   * BUG 13690: smbd: uid: Don't crash if 'force group' is added to an existing
+     share connection.
+   * BUG 13770: s3: VFS: vfs_fruit. Fix the NetAtalk deny mode compatibility
+     code.
+   * BUG 13803: s3: SMB1 POSIX mkdir does case insensitive name lookup.
+
+o  Christian Ambach <[email protected]>
+   * BUG 13199: s3:utils/smbget fix recursive download with empty source
+     directories.
+
+o  Douglas Bagnall <[email protected]>
+   * BUG 13716: samba-tool drs showrepl: Do not crash if no dnsHostName found.
+
+o  Tim Beale <[email protected]>
+   * BUG 13736: s3:libsmb: cli_smb2_list() can sometimes fail initially on a
+     connection.
+   * BUG 13747: join: Throw CommandError instead of Exception for simple 
errors.
+   * BUG 13762: ldb: Avoid inefficient one-level searches.
+
+o  Ralph Boehme <[email protected]>
+   * BUG 13736: s3: libsmb: use smb2cli_conn_max_trans_size() in
+     cli_smb2_list().
+   * BUG 13776: tldap: Avoid use after free errors.
+   * BUG 13802: Fix idmap xid2sid cache churn.
+   * BUG 13812: access_check_max_allowed() doesn't process "Owner Rights" ACEs.
+
+o  Günther Deschner <[email protected]>
+   * BUG 13720: s3-smbd: Avoid assuming fsp is always intact after close_file
+     call.
+   * BUG 13725: s3-vfs-fruit: Add close call.
+   * BUG 13746: s3-smbd: Use fruit:model string for mDNS registration.
+   * BUG 13774: s3-vfs: add glusterfs_fuse vfs module.
+
+o  David Disseldorp <[email protected]>
+   * BUG 13766: printing: Check lp_load_printers() prior to pcap cache update.
+   * BUG 13807: vfs_ceph: vfs_ceph strict_allocate_ftruncate calls (local FS)
+     ftruncate and fallocate.
+
+o  Philipp Gesang <[email protected]>
+   * BUG 13737: lib/audit_logging: Actually create talloc.
+
+o  Joe Guo <[email protected]>
+   * BUG 13728: netcmd/user: python[3]-gpgme unsupported and replaced by
+     python[3]-gpg.
+
+o  Aaron Haslett <[email protected]>
+   * BUG 13738: dns: Changing onelevel search for wildcard to subtree.
+
+o  Björn Jacke <[email protected]>
+   * BUG 13721: samba-tool: Don't print backtrace on simple DNS errors.
+   * BUG 13759: sambaundoguididx: Use the right escaped oder unescaped sam ldb
+     files.
+
+o  Volker Lendecke <[email protected]>
+   * BUG 13742: ctdb: Print locks latency in machinereadable stats.
+   * BUG 13786: messages_dgm: Messaging gets stuck when pids are recycled.
+
+o  Gary Lockyer <[email protected]>
+   * BUG 13715: audit_logging: auth_json_audit required auth_json.
+   * BUG 13765: man pages: Document prefork process model.
+   * BUG 13773: CVE-2019-3824 ldb: Release ldb 1.4.6.
+
+o  Stefan Metzmacher <[email protected]>
+   * BUG 13697: s3:auth: ignore create_builtin_guests() failing without a valid
+     idmap configuration.
+   * BUG 13722: s3:auth_winbind: Ignore a missing winbindd as NT4 PDC/BDC
+     without trusts.
+   * BUG 13723: s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd
+     is not available.
+   * BUG 13752: s4:server: Add support for 'smbcontrol samba shutdown' and
+     'smbcontrol <pid> debug/debuglevel'.
+
+o  Noel Power <[email protected]>
+   * BUG 13616: Python: Ensure ldb.Dn can doesn't rencoded str with py2.
+
+o  Anoop C S <[email protected]>
+   * BUG 13330: vfs_glusterfs: Adapt to changes in libgfapi signatures.
+   * BUG 13774: s3-vfs: Use ENOATTR in errno comparison for getxattr.
+
+o  Jiří Šašek <[email protected]>
+   * BUG 13704: notifyd: Fix SIGBUS on sparc.
+
+o  Christof Schmitt <[email protected]>
+   * BUG 13787: waf: Check for libnscd.
+
+o  Andreas Schneider <[email protected]>
+   * BUG 13770: s3:vfs: Correctly check if OFD locks should be enabled or not.
+
+o  Martin Schwenke <[email protected]>
+   * BUG 13717: lib/util: Count a trailing line that doesn't end in a newline.
+   * BUG 13800: Recovery lock bug fixes.
+
+o  Justin Stephenson <[email protected]>
+   * BUG 13726: s3: net: Do not set NET_FLAGS_ANONYMOUS with -k.
+   * BUG 13727: s3:libsmb: Honor disable_netbios option in 
smbsock_connect_send.
+
+o  Ralph Wuerthner <[email protected]>
+   * BUG 13741: vfs_fileid: Fix get_connectpath_ino.
+   * BUG 13744: vfs_fileid: Fix fsname_norootdir algorithm.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    =============================
                    Release Notes for Samba 4.9.4
                           December 20, 2018
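Review bot: The CVE-2019-3824 entry under Gary Lockyer says only "Release ldb 1.4.6", so someone reading the release notes cannot tell that 4.9.5 carries a security fix in ldb wildcard matching. I would name the issue in the entry (the commit list calls it an out of bound read in ldb_wildcard_compare) or add a short security section at the top of the notes. Two entries also need their wording fixed: BUG 13616 reads "Ensure ldb.Dn can doesn't rencoded str with py2", which does not parse, and BUG 13759 has "escaped oder unescaped" where "or" is meant.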
@@ -74,8 +215,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.9.3
diff --git a/auth/auth_log.c b/auth/auth_log.c
index 67d23c12a1b..1df112d9a8b 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -78,11 +78,10 @@ static const char* get_password_type(const struct 
auth_usersupplied_info *ui);
 static void log_json(struct imessaging_context *msg_ctx,
                     struct loadparm_context *lp_ctx,
                     struct json_object *object,
-                    const char *type,
                     int debug_class,
                     int debug_level)
 {
-       audit_log_json(type, object, debug_class, debug_level);
+       audit_log_json(object, debug_class, debug_level);
        if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
                audit_message_send(msg_ctx,
                                   AUTH_EVENT_NAME,
@@ -102,9 +101,8 @@ static void log_json(struct imessaging_context *msg_ctx,
  *  To process the resulting log lines from the commend line use jq to
  *  parse the json.
  *
- *  grep "JSON Authentication" log file |
- *  sed 's;^[^{]*;;' |
- * jq -rc  '"\(.timestamp)\t\(.Authentication.status)\t
+ *  grep "^  {" log file |
+ *  jq -rc '"\(.timestamp)\t\(.Authentication.status)\t
  *           \(.Authentication.clientDomain)\t
  *           \(.Authentication.clientAccount)
  *           \t\(.Authentication.workstation)
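Review bot: The replacement filter `grep "^  {"` in this comment only works if every JSON line starts with exactly two spaces followed by `{`, which is a property of the debug output layout that the comment never states. If that indentation changes, anyone following this recipe gets an empty result with no error. State the assumption in the comment, or show a pattern that tolerates any leading whitespace. While the comment is being touched, "commend line" in the context line above should be "command line", and the file argument is written `log file` here but `log_file` in the matching comment for the authorization event.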
@@ -123,63 +121,134 @@ static void log_authentication_event_json(
        struct dom_sid *sid,
        int debug_level)
 {
-       struct json_object wrapper = json_new_object();
-       struct json_object authentication;
+       struct json_object wrapper = json_empty_object;
+       struct json_object authentication = json_empty_object;
        char negotiate_flags[11];
-
-       json_add_timestamp(&wrapper);
-       json_add_string(&wrapper, "type", AUTH_JSON_TYPE);
+       int rc = 0;
 
        authentication = json_new_object();
-       json_add_version(&authentication, AUTH_MAJOR, AUTH_MINOR);
-       json_add_string(&authentication, "status", nt_errstr(status));
-       json_add_address(&authentication, "localAddress", ui->local_host);
-       json_add_address(&authentication, "remoteAddress", ui->remote_host);
-       json_add_string(&authentication,
-                       "serviceDescription",
-                       ui->service_description);
-       json_add_string(&authentication,
-                       "authDescription",
-                       ui->auth_description);
-       json_add_string(&authentication,
-                       "clientDomain",
-                       ui->client.domain_name);
-       json_add_string(&authentication,
-                       "clientAccount",
-                       ui->client.account_name);
-       json_add_string(&authentication,
-                       "workstation",
-                       ui->workstation_name);
-       json_add_string(&authentication, "becameAccount", account_name);
-       json_add_string(&authentication, "becameDomain", domain_name);
-       json_add_sid(&authentication, "becameSid", sid);
-       json_add_string(&authentication,
-                       "mappedAccount",
-                       ui->mapped.account_name);
-       json_add_string(&authentication,
-                       "mappedDomain",
-                       ui->mapped.domain_name);
-       json_add_string(&authentication,
-                       "netlogonComputer",
-                       ui->netlogon_trust_account.computer_name);
-       json_add_string(&authentication,
-                       "netlogonTrustAccount",
-                       ui->netlogon_trust_account.account_name);
+       if (json_is_invalid(&authentication)) {
+               goto failure;
+       }
+       rc = json_add_version(&authentication, AUTH_MAJOR, AUTH_MINOR);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(&authentication, "status", nt_errstr(status));
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_address(&authentication, "localAddress", ui->local_host);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc =
+           json_add_address(&authentication, "remoteAddress", ui->remote_host);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(
+           &authentication, "serviceDescription", ui->service_description);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(
+           &authentication, "authDescription", ui->auth_description);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(
+           &authentication, "clientDomain", ui->client.domain_name);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(
+           &authentication, "clientAccount", ui->client.account_name);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(
+           &authentication, "workstation", ui->workstation_name);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(&authentication, "becameAccount", account_name);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(&authentication, "becameDomain", domain_name);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_sid(&authentication, "becameSid", sid);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(
+           &authentication, "mappedAccount", ui->mapped.account_name);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(
+           &authentication, "mappedDomain", ui->mapped.domain_name);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(&authentication,
+                            "netlogonComputer",
+                            ui->netlogon_trust_account.computer_name);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(&authentication,
+                            "netlogonTrustAccount",
+                            ui->netlogon_trust_account.account_name);
+       if (rc != 0) {
+               goto failure;
+       }
        snprintf(negotiate_flags,
                 sizeof( negotiate_flags),
                 "0x%08X",
                 ui->netlogon_trust_account.negotiate_flags);
-       json_add_string(&authentication,
-                       "netlogonNegotiateFlags",
-                       negotiate_flags);
-       json_add_int(&authentication,
-                    "netlogonSecureChannelType",
-                    ui->netlogon_trust_account.secure_channel_type);
-       json_add_sid(&authentication,
-                    "netlogonTrustAccountSid",
-                    ui->netlogon_trust_account.sid);
-       json_add_string(&authentication, "passwordType", get_password_type(ui));
-       json_add_object(&wrapper, AUTH_JSON_TYPE, &authentication);
+       rc = json_add_string(
+           &authentication, "netlogonNegotiateFlags", negotiate_flags);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_int(&authentication,
+                         "netlogonSecureChannelType",
+                         ui->netlogon_trust_account.secure_channel_type);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_sid(&authentication,
+                         "netlogonTrustAccountSid",
+                         ui->netlogon_trust_account.sid);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(
+           &authentication, "passwordType", get_password_type(ui));
+       if (rc != 0) {
+               goto failure;
+       }
+
+       wrapper = json_new_object();
+       if (json_is_invalid(&wrapper)) {
+               goto failure;
+       }
+       rc = json_add_timestamp(&wrapper);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(&wrapper, "type", AUTH_JSON_TYPE);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_object(&wrapper, AUTH_JSON_TYPE, &authentication);
+       if (rc != 0) {
+               goto failure;
+       }
 
        /*
         * While not a general-purpose profiling solution this will
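Review bot: Every field addition in log_authentication_event_json() now jumps to failure on a non-zero return, so a single failed json_add_string() for one field such as "workstation" discards the whole authentication audit event. For an audit trail it is worth deciding explicitly whether a record with one field missing is better than no record, and saying so in the function comment. On style, the long run of `rc = ...; if (rc != 0) { goto failure; }` buries the field list, and the `rc =` / `json_add_address(...)` split for "remoteAddress" is laid out differently from its neighbours; a small helper or macro would keep the list readable.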
@@ -192,18 +261,28 @@ static void log_authentication_event_json(
                struct timeval current_time = timeval_current();
                uint64_t duration =  usec_time_diff(&current_time,
                                                    start_time);
-               json_add_int(&authentication,
-                            "duration",
-                            duration);
+               rc = json_add_int(&authentication, "duration", duration);
+               if (rc != 0) {
+                       goto failure;
+               }
        }
 
        log_json(msg_ctx,
                 lp_ctx,
                 &wrapper,
-                AUTH_JSON_TYPE,
-                DBGC_AUTH_AUDIT,
+                DBGC_AUTH_AUDIT_JSON,
                 debug_level);
        json_free(&wrapper);
+       return;
+failure:
+       /*
+        * On a failure authentication will not have been added to wrapper so it
+        * needs to be freed to avoid a leak.
+        *
+        */
+       json_free(&authentication);
+       json_free(&wrapper);
+       DBG_ERR("Failed to write authentication event JSON log message\n");
 }
 
 /*
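Review bot: the `duration` add runs after `json_add_object(&wrapper, AUTH_JSON_TYPE, &authentication)` has already succeeded, but its `goto failure` lands in a block whose own comment says authentication "will not have been added to wrapper". On that one path `json_free(&authentication)` followed by `json_free(&wrapper)` releases the same object twice if `wrapper` took ownership of it. Either move the `start_time` block above the `json_add_object()` call so every `goto failure` really does precede the hand-over, or have this path free only `wrapper`. The comment on the `failure:` label should then state which of the two holds.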
@@ -218,8 +297,7 @@ static void log_authentication_event_json(
  *  To process the resulting log lines from the commend line use jq to
  *  parse the json.
  *
- *  grep "JSON Authentication" log_file |\
- *  sed "s;^[^{]*;;" |\
+ *  grep "^  {" log_file |\
  *  jq -rc '"\(.timestamp)\t
  *           \(.Authorization.domain)\t
  *           \(.Authorization.account)\t
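Review bot: with the "JSON Authentication" match and the `sed` strip gone, `grep "^  {"` selects every JSON line in the log whatever its event type, while the jq expression under it reads only `.Authorization.*` fields, so authentication records passing through the pipeline come out as rows of nulls. The wrapper now carries a `type` string, so the documented pipeline could filter on `.type` inside jq before formatting. The pattern also relies on each JSON line starting with exactly two spaces and a brace; the comment should state that assumption so the example does not silently stop matching if the log prefix changes. Minor: "commend line" in the unchanged line above should read "command line".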
@@ -237,53 +315,109 @@ static void log_successful_authz_event_json(
        struct auth_session_info *session_info,
        int debug_level)
 {
-       struct json_object wrapper = json_new_object();
-       struct json_object authorization;
+       struct json_object wrapper = json_empty_object;
+       struct json_object authorization = json_empty_object;
        char account_flags[11];
+       int rc = 0;
 
-       json_add_timestamp(&wrapper);
-       json_add_string(&wrapper, "type", AUTHZ_JSON_TYPE);
        authorization = json_new_object();
-       json_add_version(&authorization, AUTHZ_MAJOR, AUTHZ_MINOR);
-       json_add_address(&authorization, "localAddress", local);
-       json_add_address(&authorization, "remoteAddress", remote);
-       json_add_string(&authorization,
-                       "serviceDescription",
-                       service_description);
-       json_add_string(&authorization, "authType", auth_type);
-       json_add_string(&authorization,
-                       "domain",
-                       session_info->info->domain_name);
-       json_add_string(&authorization,
-                       "account",
-                       session_info->info->account_name);
-       json_add_sid(&authorization,
-                    "sid",
-                    &session_info->security_token->sids[0]);
-       json_add_guid(&authorization,
-                     "sessionId",
-                     &session_info->unique_session_token);
-       json_add_string(&authorization,
-                       "logonServer",
-                       session_info->info->logon_server);
-       json_add_string(&authorization,
-                       "transportProtection",
-                       transport_protection);
+       if (json_is_invalid(&authorization)) {
+               goto failure;
+       }
+       rc = json_add_version(&authorization, AUTHZ_MAJOR, AUTHZ_MINOR);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_address(&authorization, "localAddress", local);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_address(&authorization, "remoteAddress", remote);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(
+           &authorization, "serviceDescription", service_description);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(&authorization, "authType", auth_type);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(
+           &authorization, "domain", session_info->info->domain_name);
+       if (rc != 0) {
+               goto failure;
+       }
+       rc = json_add_string(
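Review bot: the wrapped `json_add_string(` calls for `serviceDescription` and `domain` put all three arguments on a four-space continuation line, which differs from the one-argument-per-line aligned layout of the removed lines and of the `json_add_int()` and `json_add_sid()` calls earlier in this same patch. Pick one layout for the whole file so the long run of `rc` checks stays easy to scan. With this many identical `if (rc != 0) { goto failure; }` blocks, a check is easy to drop in a later edit, so it is worth verifying that every `json_add_*` call in the function has one.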


-- 
Samba Shared Repository
