The branch, v4-15-stable has been updated via 16fb5c685a5 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc2 release. via d872e7f0cd7 WHATSNEW: Add release notes for Samba 4.15.0rc2. via 4467a0ba7f0 smbd: only open full fd for directories if needed via 4f3b6f6b311 smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS via 9b8e795df6f s3: smbd: Don't leak meta-data about the containing directory of the share root. via 3acccfc764d s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage. via fccedb4d94a configure: Do not put arguments into double quotes via c933b88dbe1 samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry" via c33b18ec92e lib:cmdline: Use lp_load_global() for servers via 2a21ecf1f91 s3:smbd: really support AES-256* in the server via 13839721f06 s4:torture/smb2: add tests to check all signing and encryption algorithms via e606987911e gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15 via 047cbaad5d9 gitlab: Use shorter names for Samba AD DC env with MIT KRB5 via f2b2ecec7fc s3:winbindd: Add a check for the path length of 'winbindd socket directory' via 68bd2229bd4 WHATSNEW: mention the offline domain join feature via 8380f21aadd libcli/smb: allow unexpected padding in SMB2 READ responses via 170b8195507 libcli/smb: make smb2cli_ioctl_parse_buffer() available as smb2cli_parse_dyn_buffer() via b644b297bf8 s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8 via 0be68189ffc s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done via 570b3ced84a s4:torture/smb2: add smb2.read.bug14607 test via 81eeb1c6708 VERSION: Bump version up to 4.15.0rc2... from 6a6f6044771 VERSION: Disable GIT_SNAPSHOT for the Samba 4.15.0rc1 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: .gitlab-ci-main.yml | 12 +- VERSION | 2 +- WHATSNEW.txt | 35 +++- configure | 2 +- lib/cmdline/cmdline.h | 9 + lib/cmdline/cmdline_s3.c | 2 +- libcli/smb/smb2_signing.c | 54 +++-- libcli/smb/smb2cli_ioctl.c | 123 ++---------- libcli/smb/smb2cli_read.c | 22 +- libcli/smb/smbXcli_base.c | 91 +++++++++ libcli/smb/smbXcli_base.h | 9 + libcli/smb/smb_constants.h | 2 + script/autobuild.py | 6 +- selftest/target/Samba3.pm | 1 + source3/printing/samba-bgqd.c | 58 +++++- source3/smbd/dir.c | 25 +++ source3/smbd/dosmode.c | 23 ++- source3/smbd/globals.h | 4 + source3/smbd/open.c | 31 ++- source3/smbd/smb2_ioctl.c | 10 + source3/smbd/smb2_read.c | 14 +- source3/smbd/smb2_sesssetup.c | 6 + source3/winbindd/winbindd.c | 25 +++ source4/torture/smb2/read.c | 136 +++++++++++++ source4/torture/smb2/session.c | 436 ++++++++++++++++++++++++++++++++++++++++ wscript_configure_system_gnutls | 10 +- 26 files changed, 976 insertions(+), 172 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 1aee591b068..0979c007dc6 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -331,10 +331,10 @@ samba-ad-dc-ntvfs: samba-admem-mit: extends: .needs_samba-mit-build -samba-ad-dc-4a-mitkrb5: +samba-addc-mit-4a: extends: .needs_samba-mit-build -samba-ad-dc-4b-mitkrb5: +samba-addc-mit-4b: extends: .needs_samba-mit-build # This task is run first to ensure we compile before we start the @@ -389,7 +389,7 @@ samba-ad-dc-1: samba-nt4: extends: .needs_samba-nt4-build-private -samba-ad-dc-1-mitkrb5: +samba-addc-mit-1: extends: .needs_samba-mit-build-private samba-no-opath1: @@ -421,15 +421,15 @@ pages: - samba-ctdb - samba-ad-dc-ntvfs - samba-admem-mit - - samba-ad-dc-4a-mitkrb5 - - samba-ad-dc-4b-mitkrb5 + - samba-addc-mit-4a + - samba-addc-mit-4b - samba-ad-back1 - samba-ad-back2 - samba-fileserver - samba-ad-dc-1 - samba-nt4 - samba-schemaupgrade - - samba-ad-dc-1-mitkrb5 + - samba-addc-mit-1 - samba-fips - samba-no-opath1 - samba-no-opath2 diff --git a/VERSION b/VERSION index 787b2dd26b0..ba0f12ea840 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # ######################################################## -SAMBA_VERSION_RC_RELEASE=1 +SAMBA_VERSION_RC_RELEASE=2 ######################################################## # To mark SVN snapshots this should be set to 'yes' # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index a5190766e5e..074767e3251 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements ===================== -This is the first release candidate of Samba 4.15. This is *not* +This is the second release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -154,6 +154,18 @@ to redirect ticket requests to the right DC. This is e.g. needed for one way trusts. The options `winbind use krb5 enterprise principals` and `winbind scan trusted domains` will be deprecated in one of the next releases. +Support for Offline Domain Join (ODJ) +------------------------------------- + +The net utility is now able to support the offline domain join feature +as known from the Windows djoin.exe command for many years. Samba's +implementation is accessible via the "net offlinejoin" subcommand. It +can provision computers and request offline joining for both Windows +and Unix machines. It is also possible to provision computers from +Windows (using djoin.exe) and use the generated data in Samba's net +utility. The existing options for the provisioning and joining steps +are documented in the net(8) manpage. + REMOVED FEATURES ================ @@ -196,6 +208,27 @@ smb.conf changes winbind scan trusted domains Changed No +CHANGES SINCE 4.15.0rc1 +======================= + +o Andreas Schneider <a...@samba.org> + * BUG 14768: smbd/winbind should load the registry if configured + * BUG 14777: do not quote passed argument of configure script + * BUG 14779: Winbind should not start if the socket path is too long + +o Stefan Metzmacher <me...@samba.org> + * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER + * BUG 14764: aes-256-gcm and aes-256-ccm doesn't work in the server + +o Ralph Boehme <s...@samba.org> + * BUG 14700: file owner not available when file unredable + +o Jeremy Allison <j...@samba.org> + * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER + * BUG 14759: 4.15rc can leak meta-data about the directory containing the + share path + + KNOWN ISSUES ============ diff --git a/configure b/configure index a6ca50feb47..2b0ffb0dae1 100755 --- a/configure +++ b/configure @@ -13,5 +13,5 @@ export JOBS unset LD_PRELOAD cd . || exit 1 -$PYTHON $WAF configure "$@" || exit 1 +$PYTHON $WAF configure $@ || exit 1 cd $PREVPATH diff --git a/lib/cmdline/cmdline.h b/lib/cmdline/cmdline.h index 8c816c5bce3..3c0c9e8c18d 100644 --- a/lib/cmdline/cmdline.h +++ b/lib/cmdline/cmdline.h @@ -59,6 +59,15 @@ enum smb_cmdline_popt_options { * The function will also setup fault handler, set logging to STDERR by * default, setup talloc logging and the panic handler. * + * The function also setups a callback for loading the smb.conf file, the + * config file will be parsed after the commandline options have been parsed + * by popt. This is done by one of the following options parser: + * + * POPT_COMMON_DEBUG_ONLY + * POPT_COMMON_OPTION_ONLY + * POPT_COMMON_CONFIG_ONLY + * POPT_COMMON_SAMBA + * * @param[in] mem_ctx The talloc memory context to use for allocating memory. * This should be a long living context till the client * exits. diff --git a/lib/cmdline/cmdline_s3.c b/lib/cmdline/cmdline_s3.c index 31250b1996e..70fd768a648 100644 --- a/lib/cmdline/cmdline_s3.c +++ b/lib/cmdline/cmdline_s3.c @@ -56,7 +56,7 @@ static bool _samba_cmdline_load_config_s3(void) ok = lp_load_client(config_file); break; case SAMBA_CMDLINE_CONFIG_SERVER: - ok = lp_load_initial_only(config_file); + ok = lp_load_global(config_file); break; } diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c index 830f3bf1570..fdb69e90a07 100644 --- a/libcli/smb/smb2_signing.c +++ b/libcli/smb/smb2_signing.c @@ -324,7 +324,7 @@ static NTSTATUS smb2_signing_gmac(gnutls_aead_cipher_hd_t cipher_hnd, { size_t tag_size = _tag_size; int rc; -#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2) +#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM rc = gnutls_aead_cipher_encryptv2(cipher_hnd, iv, iv_size, @@ -336,7 +336,7 @@ static NTSTATUS smb2_signing_gmac(gnutls_aead_cipher_hd_t cipher_hnd, } return NT_STATUS_OK; -#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ +#else /* ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM */ TALLOC_CTX *tmp_ctx = NULL; size_t atext_size = 0; uint8_t *atext = NULL; @@ -387,7 +387,7 @@ static NTSTATUS smb2_signing_gmac(gnutls_aead_cipher_hd_t cipher_hnd, } return NT_STATUS_OK; -#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ +#endif /* ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM */ } static NTSTATUS smb2_signing_calc_signature(struct smb2_signing_key *signing_key, @@ -808,6 +808,9 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, struct iovec *vector, int count) { +#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 + bool use_encryptv2 = false; +#endif uint16_t cipher_id; uint8_t *tf; size_t a_total; @@ -851,18 +854,30 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, case SMB2_ENCRYPTION_AES128_CCM: algo = GNUTLS_CIPHER_AES_128_CCM; iv_size = SMB2_AES_128_CCM_NONCE_SIZE; +#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM + use_encryptv2 = true; +#endif break; case SMB2_ENCRYPTION_AES128_GCM: algo = GNUTLS_CIPHER_AES_128_GCM; iv_size = gnutls_cipher_get_iv_size(algo); +#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM + use_encryptv2 = true; +#endif break; case SMB2_ENCRYPTION_AES256_CCM: algo = GNUTLS_CIPHER_AES_256_CCM; iv_size = SMB2_AES_128_CCM_NONCE_SIZE; +#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM + use_encryptv2 = true; +#endif break; case SMB2_ENCRYPTION_AES256_GCM: algo = GNUTLS_CIPHER_AES_256_GCM; iv_size = gnutls_cipher_get_iv_size(algo); +#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM + use_encryptv2 = true; +#endif break; default: return NT_STATUS_INVALID_PARAMETER; @@ -903,8 +918,8 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, 0, 16 - iv_size); -#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2) - { +#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 + if (use_encryptv2) { uint8_t tag[tag_size]; giovec_t auth_iov[1]; @@ -928,8 +943,8 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, } memcpy(tf + SMB2_TF_SIGNATURE, tag, tag_size); - } -#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ + } else +#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ { size_t ptext_size = m_total; uint8_t *ptext = NULL; @@ -1007,7 +1022,6 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, TALLOC_FREE(ptext); TALLOC_FREE(ctext); } -#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ DBG_INFO("Encrypted SMB2 message\n"); @@ -1020,6 +1034,9 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, struct iovec *vector, int count) { +#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 + bool use_encryptv2 = false; +#endif uint16_t cipher_id; uint8_t *tf; uint16_t flags; @@ -1073,18 +1090,30 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, case SMB2_ENCRYPTION_AES128_CCM: algo = GNUTLS_CIPHER_AES_128_CCM; iv_size = SMB2_AES_128_CCM_NONCE_SIZE; +#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM + use_encryptv2 = true; +#endif break; case SMB2_ENCRYPTION_AES128_GCM: algo = GNUTLS_CIPHER_AES_128_GCM; iv_size = gnutls_cipher_get_iv_size(algo); +#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM + use_encryptv2 = true; +#endif break; case SMB2_ENCRYPTION_AES256_CCM: algo = GNUTLS_CIPHER_AES_256_CCM; iv_size = SMB2_AES_128_CCM_NONCE_SIZE; +#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM + use_encryptv2 = true; +#endif break; case SMB2_ENCRYPTION_AES256_GCM: algo = GNUTLS_CIPHER_AES_256_GCM; iv_size = gnutls_cipher_get_iv_size(algo); +#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM + use_encryptv2 = true; +#endif break; default: return NT_STATUS_INVALID_PARAMETER; @@ -1122,8 +1151,8 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, } /* gnutls_aead_cipher_encryptv2() has a bug in version 3.6.10 */ -#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2) - { +#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 + if (use_encryptv2) { giovec_t auth_iov[1]; auth_iov[0] = (giovec_t) { @@ -1144,8 +1173,8 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); goto out; } - } -#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ + } else +#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ { size_t ctext_size = m_total + tag_size; uint8_t *ctext = NULL; @@ -1229,7 +1258,6 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, TALLOC_FREE(ptext); TALLOC_FREE(ctext); } -#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ DBG_INFO("Decrypted SMB2 message\n"); diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c index f9abcc57bab..d638b281678 100644 --- a/libcli/smb/smb2cli_ioctl.c +++ b/libcli/smb/smb2cli_ioctl.c @@ -160,97 +160,6 @@ struct tevent_req *smb2cli_ioctl_send(TALLOC_CTX *mem_ctx, return req; } -static NTSTATUS smb2cli_ioctl_parse_buffer(uint32_t dyn_offset, - const DATA_BLOB dyn_buffer, - uint32_t min_offset, - uint32_t buffer_offset, - uint32_t buffer_length, - uint32_t max_length, - uint32_t *next_offset, - DATA_BLOB *buffer) -{ - uint32_t offset; - bool oob; - - *buffer = data_blob_null; - *next_offset = dyn_offset; - - if (buffer_offset == 0) { - /* - * If the offset is 0, we better ignore - * the buffer_length field. - */ - return NT_STATUS_OK; - } - - if (buffer_length == 0) { - /* - * If the length is 0, we better ignore - * the buffer_offset field. - */ - return NT_STATUS_OK; - } - - if ((buffer_offset % 8) != 0) { - /* - * The offset needs to be 8 byte aligned. - */ - return NT_STATUS_INVALID_NETWORK_RESPONSE; - } - - /* - * We used to enforce buffer_offset to be - * an exact match of the expected minimum, - * but the NetApp Ontap 7.3.7 SMB server - * gets the padding wrong and aligns the - * input_buffer_offset by a value of 8. - * - * So we just enforce that the offset is - * not lower than the expected value. - */ - SMB_ASSERT(min_offset >= dyn_offset); - if (buffer_offset < min_offset) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; - } - - /* - * Make [input|output]_buffer_offset relative to "dyn_buffer" - */ - offset = buffer_offset - dyn_offset; - oob = smb_buffer_oob(dyn_buffer.length, offset, buffer_length); - if (oob) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; - } - - /* - * Give the caller a hint what we consumed, - * the caller may need to add possible padding. - */ - *next_offset = buffer_offset + buffer_length; - - if (max_length == 0) { - /* - * If max_input_length is 0 we ignore the - * input_buffer_length, because Windows 2008 echos the - * DCERPC request from the requested input_buffer to - * the response input_buffer. - * - * We just use the same logic also for max_output_length... - */ - buffer_length = 0; - } - - if (buffer_length > max_length) { - return NT_STATUS_INVALID_NETWORK_RESPONSE; - } - - *buffer = (DATA_BLOB) { - .data = dyn_buffer.data + offset, - .length = buffer_length, - }; - return NT_STATUS_OK; -} - static void smb2cli_ioctl_done(struct tevent_req *subreq) { struct tevent_req *req = @@ -352,14 +261,14 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq) input_min_offset = dyn_ofs; input_next_offset = dyn_ofs; - error = smb2cli_ioctl_parse_buffer(dyn_ofs, - dyn_buffer, - input_min_offset, - input_buffer_offset, - input_buffer_length, - state->max_input_length, - &input_next_offset, - &state->out_input_buffer); + error = smb2cli_parse_dyn_buffer(dyn_ofs, + dyn_buffer, + input_min_offset, + input_buffer_offset, + input_buffer_length, + state->max_input_length, + &input_next_offset, + &state->out_input_buffer); if (tevent_req_nterror(req, error)) { return; } @@ -370,14 +279,14 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq) */ output_min_offset = NDR_ROUND(input_next_offset, 8); output_next_offset = 0; /* this variable is completely ignored */ - error = smb2cli_ioctl_parse_buffer(dyn_ofs, - dyn_buffer, - output_min_offset, - output_buffer_offset, - output_buffer_length, - state->max_output_length, - &output_next_offset, - &state->out_output_buffer); + error = smb2cli_parse_dyn_buffer(dyn_ofs, + dyn_buffer, + output_min_offset, + output_buffer_offset, + output_buffer_length, + state->max_output_length, + &output_next_offset, + &state->out_output_buffer); if (tevent_req_nterror(req, error)) { return; } diff --git a/libcli/smb/smb2cli_read.c b/libcli/smb/smb2cli_read.c index 8110b65d432..c7f48741b87 100644 --- a/libcli/smb/smb2cli_read.c +++ b/libcli/smb/smb2cli_read.c @@ -90,8 +90,13 @@ static void smb2cli_read_done(struct tevent_req *subreq) tevent_req_data(req, struct smb2cli_read_state); NTSTATUS status; + NTSTATUS error; struct iovec *iov; + const uint8_t dyn_ofs = SMB2_HDR_BODY + 0x10; + DATA_BLOB dyn_buffer = data_blob_null; uint8_t data_offset; + DATA_BLOB data_buffer = data_blob_null; + uint32_t next_offset = 0; /* this variable is completely ignored */ static const struct smb2cli_req_expected_response expected[] = { { -- Samba Shared Repository