The branch, v4-14-test has been updated via 0ce7c5e7a62 s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success. via 1c4e89f0e32 s3:winbind: For 'security = ADS' require realm/workgroup to be set via edf1b31ea82 s3:utils: Tell users that workgroup/realm is required for ADS mode via 7db0a50a8f8 docs: Expand the "log level" docs on audit logging via cc4e8ec610b docs: underline special words in the audit logging part of "log level" in man smb.conf via ecfca707d5f docs: Further discourage the use of the "event notification" options via 54ef0e6d6bb docs: Add proper explination on why transactions need to be audited. via 990997cae28 docs: Add missing documentation on dsdb_group_audit and dsdb_group_audit_json via 60527b07cbd debug: Synchronise "log level" in smb.conf with the code from c650f7738bf VERSION: Bump version up to 4.14.5.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test - Log ----------------------------------------------------------------- commit 0ce7c5e7a6298f0f97129ec4e0889b1889d4bdcd Author: Jeremy Allison <j...@samba.org> Date: Thu Apr 29 09:50:30 2021 -0700 s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success. Missing call to set up req->outbuf means no reply is sent. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14696 Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Thu Apr 29 21:27:58 UTC 2021 on sn-devel-184 (cherry picked from commit 47d79d7e7e406f7dd204ded7c72cfed3e0761ad5) Autobuild-User(v4-14-test): Karolin Seeger <ksee...@samba.org> Autobuild-Date(v4-14-test): Mon May 3 08:16:14 UTC 2021 on sn-devel-184 commit 1c4e89f0e326fb2e040a8ed3c9115ab652d84313 Author: Andreas Schneider <a...@samba.org> Date: Wed Apr 28 12:25:42 2021 +0200 s3:winbind: For 'security = ADS' require realm/workgroup to be set BUG: https://bugzilla.samba.org/show_bug.cgi?id=14695 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> (cherry picked from commit 757c49f6dc52afd6ee39c0b282e9a787b6df7a12) commit edf1b31ea822172a996eed3bed2eee55d84af6a0 Author: Andreas Schneider <a...@samba.org> Date: Wed Apr 28 12:09:21 2021 +0200 s3:utils: Tell users that workgroup/realm is required for ADS mode BUG: https://bugzilla.samba.org/show_bug.cgi?id=14695 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> (cherry picked from commit 328682860940679553831b6ff23acff4ce80a22f) commit 7db0a50a8f8911d89af40bba8a6d3db9a70c827d Author: Andrew Bartlett <abart...@samba.org> Date: Fri Apr 16 10:43:07 2021 +1200 docs: Expand the "log level" docs on audit logging BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 38fe888f95f8d22736080ed521939be932e7bca0) commit cc4e8ec610b4db3743ba9823b1abdd7abd15091f Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 15 14:40:30 2021 +1200 docs: underline special words in the audit logging part of "log level" in man smb.conf BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit d03e7ffcff32452bb92f2ced9f06cbeab9843e04) commit ecfca707d5ff2d0cc88e6350f8023d7a1a7dce67 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 15 14:45:07 2021 +1200 docs: Further discourage the use of the "event notification" options BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 364b8be9816b34b2a1b07c6259345c406d68c9f2) commit 54ef0e6d6bb99303562c67c23de50067b8a5a6b2 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 15 14:44:22 2021 +1200 docs: Add proper explination on why transactions need to be audited. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit a778a3a6420f094a953563b87f84457fdebd20a3) commit 990997cae28dc427eeb4d5235ba6b093a4015de0 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 15 14:39:49 2021 +1200 docs: Add missing documentation on dsdb_group_audit and dsdb_group_audit_json BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 2e533664e756ccde8fc1b3e41e70437c9e7bafcd) commit 60527b07cbd7fdec13fdb8ca812abd629ce76114 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 15 13:52:38 2021 +1200 debug: Synchronise "log level" in smb.conf with the code This is done by pasting in the contents of default_classname_table[] in lib/util/debug.c into cut -f 2 -d \"| xargs -i sh -c 'echo "\t<listitem><para><parameter moreinfo=\"none\">{}</parameter></para></listitem>"' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 0d30d74e89829cc7b4faa6ba835e3d90c1c410aa) ----------------------------------------------------------------------- Summary of changes: docs-xml/smbdotconf/logging/loglevel.xml | 108 +++++++++++++++------ .../smbdotconf/logon/autheventnotification.xml | 17 ++-- docs-xml/smbdotconf/misc/dsdbeventnotification.xml | 14 ++- .../misc/dsdbgroupchangenotification.xml | 16 +-- .../misc/dsdbpasswordeventnotification.xml | 16 +-- source3/smbd/reply.c | 2 + source3/utils/testparm.c | 22 +++++ source3/winbindd/winbindd.c | 17 ++++ 8 files changed, 160 insertions(+), 52 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml index 273765c6fbe..4c6bb5e7e73 100644 --- a/docs-xml/smbdotconf/logging/loglevel.xml +++ b/docs-xml/smbdotconf/logging/loglevel.xml @@ -24,8 +24,6 @@ <listitem><para><parameter moreinfo="none">printdrivers</parameter></para></listitem> <listitem><para><parameter moreinfo="none">lanman</parameter></para></listitem> <listitem><para><parameter moreinfo="none">smb</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">smb2</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">smb2_credits</parameter></para></listitem> <listitem><para><parameter moreinfo="none">rpc_parse</parameter></para></listitem> <listitem><para><parameter moreinfo="none">rpc_srv</parameter></para></listitem> <listitem><para><parameter moreinfo="none">rpc_cli</parameter></para></listitem> @@ -41,19 +39,24 @@ <listitem><para><parameter moreinfo="none">msdfs</parameter></para></listitem> <listitem><para><parameter moreinfo="none">dmapi</parameter></para></listitem> <listitem><para><parameter moreinfo="none">registry</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">scavenger</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">dns</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">ldb</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">tevent</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">auth_audit</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">auth_json_audit</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">kerberos</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">dsdb_audit</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">dsdb_json_audit</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">dsdb_password_audit</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">dsdb_password_json_audit</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">dsdb_transaction_audit</parameter></para></listitem> - <listitem><para><parameter moreinfo="none">dsdb_transaction_json_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">scavenger</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dns</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">ldb</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">tevent</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">auth_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">auth_json_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">kerberos</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">drs_repl</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">smb2</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">smb2_credits</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_json_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_password_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_password_json_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_transaction_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_transaction_json_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_group_audit</parameter></para></listitem> + <listitem><para><parameter moreinfo="none">dsdb_group_json_audit</parameter></para></listitem> </itemizedlist> <para>To configure the logging for specific classes to go into a different @@ -62,9 +65,9 @@ full_audit:1@/var/log/audit.log</parameter>.</para> <para>Authentication and authorization audit information is logged - under the auth_audit, and if Samba was not compiled with + under the <parameter>auth_audit</parameter>, and if Samba was not compiled with --without-json, a JSON representation is logged under - auth_json_audit.</para> + <parameter>auth_json_audit</parameter>.</para> <para>Support is comprehensive for all authentication and authorisation of user accounts in the Samba Active Directory Domain Controller, @@ -72,7 +75,8 @@ the file server, NTLM authentication, SMB and RPC authorization is covered.</para> - <para>Log levels for auth_audit and auth_audit_json are:</para> + <para>Log levels for <parameter>auth_audit</parameter> and + <parameter>auth_audit_json</parameter> are:</para> <itemizedlist> <listitem><para>2: Authentication Failure</para></listitem> <listitem><para>3: Authentication Success</para></listitem> @@ -80,21 +84,69 @@ <listitem><para>5: Anonymous Authentication and Authorization Success</para></listitem> </itemizedlist> - <para>Changes to the sam.ldb database are logged - under the dsdb_audit and a JSON representation is logged under - dsdb_json_audit.</para> + <para>Changes to the AD DC <command moreinfo="none">sam.ldb</command> + database are logged under the <parameter>dsdb_audit</parameter> + and a JSON representation is logged under + <parameter>dsdb_json_audit</parameter>.</para> + + <para>Group membership changes to the AD DC <command + moreinfo="none">sam.ldb</command> database are logged under the + <parameter>dsdb_group_audit</parameter> and a JSON representation + is logged under + <parameter>dsdb_group_json_audit</parameter>.</para> + + <para>Log levels for <parameter>dsdb_audit</parameter>, + <parameter>dsdb_json_audit</parameter>, + <parameter>dsdb_group_audit</parameter>, + <parameter>dsdb_group_json_audit</parameter> and + <parameter>dsdb_json_audit</parameter> are:</para> + <itemizedlist> + <listitem><para>5: Database modifications</para></listitem> + <listitem><para>5: Replicated updates from another DC</para></listitem> + </itemizedlist> - <para>Password changes and Password resets are logged under - dsdb_password_audit and a JSON representation is logged under the - dsdb_password_json_audit.</para> + <para>Password changes and Password resets in the AD DC are logged + under <parameter>dsdb_password_audit</parameter> and a JSON + representation is logged under the + <parameter>dsdb_password_json_audit</parameter>. Password changes + will also appears as authentication events via + <parameter>auth_audit</parameter> and + <parameter>auth_audit_json</parameter>.</para> + + <para>Log levels for <parameter>dsdb_password_audit</parameter> and + <parameter>dsdb_password_json_audit</parameter> are:</para> + <itemizedlist> + <listitem><para>5: Successful password changes and resets</para></listitem> + </itemizedlist> <para>Transaction rollbacks and prepare commit failures are logged under - the dsdb_transaction_audit and a JSON representation is logged under the - password_json_audit. Logging the transaction details allows the - identification of password and sam.ldb operations that have been rolled - back.</para> + the <parameter>dsdb_transaction_audit</parameter> and a JSON representation is logged under the + <parameter>dsdb_transaction_json_audit</parameter>. </para> + + <para>Log levels for <parameter>dsdb_transaction_audit</parameter> and + <parameter>dsdb_transaction_json</parameter> are:</para> + + <itemizedlist> + <listitem><para>5: Transaction failure (rollback)</para></listitem> + <listitem><para>10: Transaction success (commit)</para></listitem> + </itemizedlist> + <para>Transaction roll-backs are possible in Samba, and whilst + they rarely reflect anything more than the failure of an + individual operation (say due to the add of a conflicting record), + they are possible. Audit logs are already generated and sent to + the system logs before the transaction is complete. Logging the + transaction details allows the identification of password and + <command moreinfo="none">sam.ldb</command> operations that have + been rolled back, and so have not actually persisted.</para> + <warning><para> Changes to <command + moreinfo="none">sam.ldb</command> made locally by the <command + moreinfo="none">root</command> user with direct access to the + database are not logged to the system logs, but to the + administrator's own console. While less than ideal, any user able + to make such modifications could disable the audit logging in any + case. </para></warning> </description> <value type="default">0</value> <value type="example">3 passdb:5 auth:10 winbind:2</value> diff --git a/docs-xml/smbdotconf/logon/autheventnotification.xml b/docs-xml/smbdotconf/logon/autheventnotification.xml index 1ae2dbfb61a..87ccf02a8f4 100644 --- a/docs-xml/smbdotconf/logon/autheventnotification.xml +++ b/docs-xml/smbdotconf/logon/autheventnotification.xml @@ -10,16 +10,19 @@ registering as the service <filename moreinfo="none">auth_event</filename>.</para> - <para>This should be considered a developer option (it assists - in the Samba testsuite) rather than a facility for external - auditing, as message delivery is not guaranteed (a feature - that the testsuite works around). Additionally Samba must be - compiled with the jansson support for this option to be - effective.</para> + <para>This is <emphasis>not</emphasis> needed for the audit + logging described in <smbconfoption name="log level"/>.</para> + + <para>Instead, this should instead be considered a developer + option (it assists in the Samba testsuite) rather than a + facility for external auditing, as message delivery is not + guaranteed (a feature that the testsuite works around).</para> <para>The authentication events are also logged via the normal logging methods when the <smbconfoption name="log level"/> is - set appropriately.</para> + set appropriately, say to + <command moreinfo="none">auth_json_audit:3</command>.</para> + </description> <value type="default">no</value> diff --git a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml index 7df46e1d68c..279ac3d29ef 100644 --- a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml +++ b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml @@ -10,14 +10,18 @@ registering as the service <filename moreinfo="none">dsdb_event</filename>.</para> - <para>This should be considered a developer option (it assists - in the Samba testsuite) rather than a facility for external - auditing, as message delivery is not guaranteed (a feature - that the testsuite works around).</para> + <para>This is <emphasis>not</emphasis> needed for the audit + logging described in <smbconfoption name="log level"/>.</para> + + <para>Instead, this should instead be considered a developer + option (it assists in the Samba testsuite) rather than a + facility for external auditing, as message delivery is not + guaranteed (a feature that the testsuite works around).</para> <para>The Samba database events are also logged via the normal logging methods when the <smbconfoption name="log level"/> is - set appropriately.</para> + set appropriately, say to + <command moreinfo="none">dsdb_json_audit:5</command>.</para> </description> diff --git a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml index 6354979538b..3972e72b60f 100644 --- a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml +++ b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml @@ -10,14 +10,18 @@ registering as the service <filename moreinfo="none">dsdb_group_event</filename>.</para> - <para>This should be considered a developer option (it assists - in the Samba testsuite) rather than a facility for external - auditing, as message delivery is not guaranteed (a feature - that the testsuite works around).</para> + <para>This is <emphasis>not</emphasis> needed for the audit + logging described in <smbconfoption name="log level"/>.</para> - <para>The group events are also logged via the normal + <para>Instead, this should instead be considered a developer + option (it assists in the Samba testsuite) rather than a + facility for external auditing, as message delivery is not + guaranteed (a feature that the testsuite works around).</para> + + <para>The Samba database events are also logged via the normal logging methods when the <smbconfoption name="log level"/> is - set appropriately.</para> + set appropriately, say to + <command moreinfo="none">dsdb_group_json_audit:5</command>.</para> </description> diff --git a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml index 984321b98fc..cd2cc98ff42 100644 --- a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml +++ b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml @@ -10,14 +10,18 @@ events by registering as the service <filename moreinfo="none">password_event</filename>.</para> - <para>This should be considered a developer option (it assists - in the Samba testsuite) rather than a facility for external - auditing, as message delivery is not guaranteed (a feature - that the testsuite works around).</para> + <para>This is <emphasis>not</emphasis> needed for the audit + logging described in <smbconfoption name="log level"/>.</para> - <para>The password events are also logged via the normal + <para>Instead, this should instead be considered a developer + option (it assists in the Samba testsuite) rather than a + facility for external auditing, as message delivery is not + guaranteed (a feature that the testsuite works around).</para> + + <para>The Samba database events are also logged via the normal logging methods when the <smbconfoption name="log level"/> is - set appropriately.</para> + set appropriately, say to + <command moreinfo="none">dsdb_password_json_audit:5</command>.</para> </description> diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 8bfe15510c4..834fd484192 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -7052,6 +7052,8 @@ void reply_printwrite(struct smb_request *req) DEBUG(3, ("printwrite %s num=%d\n", fsp_fnum_dbg(fsp), numtowrite)); + reply_outbuf(req, 0, 0); + END_PROFILE(SMBsplwr); return; } diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c index 2d717f19756..83ea71e0791 100644 --- a/source3/utils/testparm.c +++ b/source3/utils/testparm.c @@ -215,6 +215,8 @@ static int do_global_checks(void) const struct loadparm_substitution *lp_sub = loadparm_s3_global_substitution(); + fprintf(stderr, "\n"); + if (lp_security() >= SEC_DOMAIN && !lp_encrypt_passwords()) { fprintf(stderr, "ERROR: in 'security=domain' mode the " "'encrypt passwords' parameter must always be " @@ -222,6 +224,26 @@ static int do_global_checks(void) ret = 1; } + if (lp_security() == SEC_ADS) { + const char *workgroup = lp_workgroup(); + const char *realm = lp_realm(); + + if (workgroup == NULL || strlen(workgroup) == 0) { + fprintf(stderr, + "ERROR: The 'security=ADS' mode requires " + "'workgroup' parameter to be set!\n\n "); + ret = 1; + } + + if (realm == NULL || strlen(realm) == 0) { + fprintf(stderr, + "ERROR: The 'security=ADS' mode requires " + "'realm' parameter to be set!\n\n "); + ret = 1; + } + } + + if (lp_we_are_a_wins_server() && lp_wins_server_list()) { fprintf(stderr, "ERROR: both 'wins support = true' and " "'wins server = <server list>' cannot be set in " diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index 3049faa3237..18cc539f250 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -1791,6 +1791,23 @@ int main(int argc, const char **argv) exit(1); } + if (lp_security() == SEC_ADS) { + const char *realm = lp_realm(); + const char *workgroup = lp_workgroup(); + + if (workgroup == NULL || strlen(workgroup) == 0) { + DBG_ERR("For 'secuirity = ADS' mode, the 'workgroup' " + "parameter is required to be set!\n"); + exit(1); + } + + if (realm == NULL || strlen(realm) == 0) { + DBG_ERR("For 'secuirity = ADS' mode, the 'realm' " + "parameter is required to be set!\n"); + exit(1); + } + } + if (!cluster_probe_ok()) { exit(1); } -- Samba Shared Repository