The branch, master has been updated
       via  12464bd4c22 blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test
       via  43648e95a51 librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0
       via  8da26cb6725 s4:torture/ndr: demonstrate the ndr_push_string(STR_NOTERM|REMAINING) of "" is wrong
       via  1dc385cb648 blackbox.ndrdump: adjust example files to the usage of dump_data_diff output.
       via  d1a7f392a8c ndrdump: make use of dump_data_file_diff() in order to show differences
       via  b489b7feda1 lib/util: add dump_data_diff*() helpers
       via  9110a8854a5 blackbox.ndrdump: adjust example files to changed dump_data() output.
       via  58b09e107ca lib/util: split out a dump_data_block16() helper
       via  0651fa474cd dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
       via  be1935dac8a WHATSNEW: Start release notes for Samba 4.17.0pre1.
      from  d844bc6cbdb ldb: bump version to 2.6.0 for Samba 4.17.x releases
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 12464bd4c222d996aac6d6250b7945d63f20f4bc
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 21 20:42:45 2022 +0100

    blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test

    This actually reveals that ndr_push_string() for TargetName="" was
    failing before because it resulted in 1 byte for a subcontext with
    TargetLen=0.

    This is fixed now and we no longer expect ndrdump to exit with 1.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Mon Jan 24 16:18:34 UTC 2022 on sn-devel-184

commit 43648e95a514020da4c7efa62df55d0882e3db85
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 3 13:57:50 2021 +0100

    librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0

    convert_string_talloc_handle() tries to play on the safe side
    and always returns a null terminated array.

    But for NDR we need to be correct on the wire...

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 8da26cb6725b5d853ab481a348a3a672966715b5
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 21 01:09:23 2022 +0100

    s4:torture/ndr: demonstrate the ndr_push_string(STR_NOTERM|REMAINING) of "" is wrong

    convert_string_talloc() never returns a string with len=0 and always
    implies zero termination byte(s).

    For ndr_push_string this is unexpected as we need to be compatible on
    the wire and push 0 bytes for an empty string.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 1dc385cb648f0c37b04f4ede6b1c96916e379b23
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 21 20:28:59 2022 +0100

    blackbox.ndrdump: adjust example files to the usage of dump_data_diff output.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit d1a7f392a8ceef111a5d6c3d2a3bdb9dcb90db5e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 3 13:32:48 2021 +0100

    ndrdump: make use of dump_data_file_diff() in order to show differences

    This makes it much easier to detect differences in the given and
    generated buffers.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b489b7feda19b3c0f0fe2300f2c76d416776355b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 3 11:40:13 2021 +0100

    lib/util: add dump_data_diff*() helpers

    That will make it easy to see the difference between two memory
    buffers.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 9110a8854a518befa2908c26076e17a085c5ec48
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 21 20:06:40 2022 +0100

    blackbox.ndrdump: adjust example files to changed dump_data() output.

    The cleanup using dump_data_block16() fixed the space handling.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 58b09e107cadd7fb8191822d4e7e42657b1ed4c7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 3 11:05:52 2021 +0100

    lib/util: split out a dump_data_block16() helper

    This simplifies the logic a lot for me.

    It also fixes some corner cases regarding whitespaces in the output,
    that's why we have to mark a few tests as knownfail, they will be
    fixed in the next commit.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Jan 22 01:08:26 2022 +0100

    dcesrv_core: wrap gensec_*() calls in [un]become_root() calls

    This is important for the source3/rpc_server code as it might
    be called embedded in smbd and may not run as root with access
    to our private tdb/ldb files.

    Note this is only really needed for 4.15 and older, as we
    no longer run the rpc_server embedded in smbd, but we better
    be consistent for now.

    This should be able to fix the problem that printing no longer
    works on Windows 7 with 2021-10 monthly rollup patch (KB5006743).

    Windows uses NTLMSSP with privacy at the DCERPC layer on top of
    NCACN_NP (smb).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit be1935dac8a188901ae0f13181b356b508c5be4f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 24 15:57:50 2022 +0100

    WHATSNEW: Start release notes for Samba 4.17.0pre1.

Signed-off-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 153 +---------- lib/util/util.c | 203 +++++++++----- lib/util/util.h | 28 ++ librpc/ndr/ndr_string.c | 5 +- librpc/rpc/dcesrv_auth.c | 5 + librpc/rpc/dcesrv_core.c | 18 ++ librpc/rpc/dcesrv_core.h | 2 + librpc/tools/ndrdump.c | 10 + python/samba/tests/blackbox/ndrdump.py | 19 +- source3/rpc_server/rpc_config.c | 2 + source3/rpc_server/rpc_worker.c | 2 + source3/selftest/ktest-krb5_ccache-2.txt | 4 +- source3/selftest/ktest-krb5_ccache-3.txt | 4 +- .../tests/dns-decode_dns_name_packet-hex.txt | 2 +- .../librpc/tests/fuzzed_drsuapi_DsAddEntry_1.txt | 297 ++++++++++++++++++++- .../librpc/tests/fuzzed_drsuapi_DsGetNCChanges.txt | 2 +- .../tests/fuzzed_drsuapi_DsReplicaAttribute.txt | 31 ++- .../tests/fuzzed_ntlmssp-AUTHENTICATE_MESSAGE.txt | 33 +++ .../tests/fuzzed_ntlmssp-CHALLENGE_MESSAGE.txt | 52 +++- source4/librpc/tests/krb5pac_upn_dns_info_ex.txt | 61 +++++ .../krb5pac_upn_dns_info_ex_not_supported.txt | 69 +++++ source4/rpc_server/service_rpc.c | 10 + source4/torture/ndr/string.c | 30 ++- 23 files changed, 801 insertions(+), 241 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 71a8d9a103e..6c7ab0407c8 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,12 +1,12 @@ Release Announcements ===================== -This is the first release candidate of Samba 4.16. This is *not* +This is the first pre release of Samba 4.17. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. -Samba 4.16 will be the next version of the Samba suite. +Samba 4.17 will be the next version of the Samba suite. UPGRADING 
@@ -16,167 +16,22 @@ UPGRADING NEW FEATURES/CHANGES ==================== -New samba-dcerpcd binary to provide DCERPC in the member server setup ---------------------------------------------------------------------- - -In order to make it much easier to break out the DCERPC services -from smbd, a new samba-dcerpcd binary has been created. - -samba-dcerpcd can be used in two ways. In the normal case without -startup script modification it is invoked on demand from smbd or -winbind --np-helper to serve DCERPC over named pipes. Note that -in order to run in this mode the smb.conf [global] section has -a new parameter "rpc start on demand helpers = [true|false]". -This parameter is set to "true" by default, meaning no changes to -smb.conf files are needed to run samba-dcerpcd on demand as a named -pipe helper. - -It can also be used in a standalone mode where it is started -separately from smbd or winbind but this requires changes to system -startup scripts, and in addition a change to smb.conf, setting the new -[global] parameter "rpc start on demand helpers = false". If "rpc -start on demand helpers" is not set to false, samba-dcerpcd will -refuse to start in standalone mode. - -Note that when Samba is run in the Active Directory Domain Controller -mode the samba binary that provides the AD code will still provide its -normal DCERPC services whilst allowing samba-dcerpcd to provide -services like SRVSVC in the same way that smbd used to in this -configuration. - -The parameters that allowed some smbd-hosted services to be started -externally are now gone (detailed below) as this is now the default -setting. - -samba-dcerpcd can also be useful for use outside of the Samba -framework, for example, use with the Linux kernel SMB2 server ksmbd or -possibly other SMB2 server implementations. - -Certificate Auto Enrollment ---------------------------- - -Certificate Auto Enrollment allows devices to enroll for certificates from -Active Directory Certificate Services. 
It is enabled by Group Policy. -To enable Certificate Auto Enrollment, Samba's group policy will need to be -enabled by setting the smb.conf option `apply group policies` to Yes. Samba -Certificate Auto Enrollment depends on certmonger, the cepces certmonger -plugin, and sscep. Samba uses sscep to download the CA root chain, then uses -certmonger paired with cepces to monitor the host certificate templates. -Certificates are installed in /var/lib/samba/certs and private keys are -installed in /var/lib/samba/private/certs. - -Ability to add ports to dns forwarder addresses in internal DNS backend ------------------------------------------------------------------------ - -The internal DNS server of Samba forwards queries non-AD zones to one or more -configured forwarders. Up until now it has been assumed that these forwarders -listen on port 53. Starting with this version it is possible to configure the -port using host:port notation. See smb.conf for more details. Existing setups -are not affected, as the default port is 53. - -CTDB changes ------------- - -* The "recovery master" role has been renamed "leader" - - Documentation and logs now refer to "leader". - - The following ctdb tool command names have changed: - - recmaster -> leader - setrecmasterrole -> setleaderrole - - Command output has changed for the following commands: - - status - getcapabilities - - The "[legacy] -> recmaster capability" configuration option has been - renamed and moved to the cluster section, so this is now: - - [cluster] -> leader capability - -* The "recovery lock" has been renamed "cluster lock" - - Documentation and logs now refer to "cluster lock". - - The "[cluster] -> recovery lock" configuration option has been - deprecated and will be removed in a future version. Please use - "[cluster] -> cluster lock" instead. - - If the cluster lock is enabled then traditional elections are not - done and leader elections use a race for the cluster lock. 
This - avoids various conditions where a node is elected leader but can not - take the cluster lock. Such conditions included: - - - At startup, a node elects itself leader of its own cluster before - connecting to other nodes - - - Cluster filesystem failover is slow - - The abbreviation "reclock" is still used in many places, because a - better abbreviation eludes us (i.e. "clock" is obvious bad) and - changing all instances would require a lot of churn. If the - abbreviation "reclock" for "cluster lock" is confusing, please - consider mentally prefixing it with "really excellent". - -* CTDB now uses leader broadcasts and an associated timeout to - determine if an election is required - - The leader broadcast timeout can be configured via new configuration - option - - [cluster] -> leader timeout - - This specifies the number of seconds without leader broadcasts - before a node calls an election. The default is 5. - REMOVED FEATURES ================ -SMB1 CORE and LANMAN1 protocol wildcard copy, unlink and rename removed -======================================================================= - -In preparation for the removal of the SMB1 server, the unused -SMB1 command SMB_COM_COPY (SMB1 command number 0x29) has been -removed from the Samba smbd server. In addition, the ability -to process file name wildcards in requests using the SMB1 commands -SMB_COM_COPY (SMB1 command number 0x2A), SMB_COM_RENAME (SMB1 command -number 0x7), SMB_COM_NT_RENAME (SMB1 command number 0xA5) and -SMB_COM_DELETE (SMB1 command number 0x6) have been removed. - -This only affects clients using MS-DOS based versions of -SMB1, the last release of which was Windows 98. Users requiring -support for these features will need to use older versions -of Samba. - -No longer using Linux mandatory locks for sharemodes -==================================================== - -smbd mapped sharemodes to Linux mandatory locks. 
This code in the Linux kernel -was broken for a long time, and is planned to be removed with Linux 5.15. This -Samba release removes the usage of mandatory locks for sharemodes and the -"kernel share modes" config parameter is changed to default to "no". The Samba -VFS interface is kept, so that file-system specific VFS modules can still use -private calls for enforcing sharemodes. - smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- - kernel share modes New default No - dns forwarder Changed - rpc_daemon Removed - rpc_server Removed - rpc start on demand helpers Added true + KNOWN ISSUES ============ -https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.16#Release_blocking_bugs +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.17#Release_blocking_bugs ####################################### diff --git a/lib/util/util.c b/lib/util/util.c index 7eee60b85cd..c066406d320 100644 --- a/lib/util/util.c +++ b/lib/util/util.c @@ -481,6 +481,48 @@ void print_asc(int level, const uint8_t *buf,int len) print_asc_cb(buf, len, debugadd_cb, &level); } +static void dump_data_block16(const char *prefix, size_t idx, + const uint8_t *buf, size_t len, + void (*cb)(const char *buf, void *private_data), + void *private_data) +{ + char tmp[16]; + size_t i; + + SMB_ASSERT(len >= 0 && len <= 16); + + snprintf(tmp, sizeof(tmp), "%s[%04zX]", prefix, idx); + cb(tmp, private_data); + + for (i=0; i<16; i++) { + if (i == 8) { + cb(" ", private_data); + } + if (i < len) { + snprintf(tmp, sizeof(tmp), " %02X", (int)buf[i]); + } else { + snprintf(tmp, sizeof(tmp), " "); + } + cb(tmp, private_data); + } + + cb(" ", private_data); + + if (len == 0) { + cb("EMPTY BLOCK\n", private_data); + return; + } + + for (i=0; i<len; i++) { + if (i == 8) { + cb(" ", private_data); + } + print_asc_cb(&buf[i], 1, cb, private_data); + } + + cb("\n", private_data); +} + /** * Write dump of binary data to a callback */ 
@@ -491,73 +533,30 @@ void dump_data_cb(const uint8_t *buf, int len, { int i=0; bool skipped = false; - char tmp[16]; if (len<=0) return; - for (i=0;i<len;) { - - if (i%16 == 0) { - if ((omit_zero_bytes == true) && - (i > 0) && - (len > i+16) && - all_zero(&buf[i], 16)) - { - i +=16; - continue; - } - - if (i<len) { - snprintf(tmp, sizeof(tmp), "[%04X] ", i); - cb(tmp, private_data); + for (i=0;i<len;i+=16) { + size_t remaining_len = len - i; + size_t this_len = MIN(remaining_len, 16); + const uint8_t *this_buf = &buf[i]; + + if ((omit_zero_bytes == true) && + (i > 0) && (remaining_len > 16) && + (this_len == 16) && all_zero(this_buf, 16)) + { + if (!skipped) { + cb("skipping zero buffer bytes\n", + private_data); + skipped = true; } + continue; } - snprintf(tmp, sizeof(tmp), "%02X ", (int)buf[i]); - cb(tmp, private_data); - i++; - if (i%8 == 0) { - cb(" ", private_data); - } - if (i%16 == 0) { - - print_asc_cb(&buf[i-16], 8, cb, private_data); - cb(" ", private_data); - print_asc_cb(&buf[i-8], 8, cb, private_data); - cb("\n", private_data); - - if ((omit_zero_bytes == true) && - (len > i+16) && - all_zero(&buf[i], 16)) { - if (!skipped) { - cb("skipping zero buffer bytes\n", - private_data); - skipped = true; - } - } - } + skipped = false; + dump_data_block16("", i, this_buf, this_len, + cb, private_data); } - - if (i%16) { - int n; - n = 16 - (i%16); - cb(" ", private_data); - if (n>8) { - cb(" ", private_data); - } - while (n--) { - cb(" ", private_data); - } - n = MIN(8,i%16); - print_asc_cb(&buf[i-(i%16)], n, cb, private_data); - cb(" ", private_data); - n = (i%16) - n; - if (n>0) { - print_asc_cb(&buf[i-n], n, cb, private_data); - } - cb("\n", private_data); - } - } /** 
@@ -615,6 +614,90 @@ void dump_data_file(const uint8_t *buf, int len, bool omit_zero_bytes, dump_data_cb(buf, len, omit_zero_bytes, fprintf_cb, f); } +/** + * Write dump of compared binary data to a callback + */ +void dump_data_diff_cb(const uint8_t *buf1, size_t len1, + const uint8_t *buf2, size_t len2, + bool omit_zero_bytes, + void (*cb)(const char *buf, void *private_data), + void *private_data) +{ + size_t len = MAX(len1, len2); + size_t i; + bool skipped = false; + + for (i=0; i<len; i+=16) { + size_t remaining_len = len - i; + size_t remaining_len1 = 0; + size_t this_len1 = 0; + const uint8_t *this_buf1 = NULL; + size_t remaining_len2 = 0; + size_t this_len2 = 0; + const uint8_t *this_buf2 = NULL; + + if (i < len1) { + remaining_len1 = len1 - i; + this_len1 = MIN(remaining_len1, 16); + this_buf1 = &buf1[i]; + } + if (i < len2) { + remaining_len2 = len2 - i; + this_len2 = MIN(remaining_len2, 16); + this_buf2 = &buf2[i]; + } + + if ((omit_zero_bytes == true) && + (i > 0) && (remaining_len > 16) && + (this_len1 == 16) && all_zero(this_buf1, 16) && + (this_len2 == 16) && all_zero(this_buf2, 16)) + { + if (!skipped) { + cb("skipping zero buffer bytes\n", + private_data); + skipped = true; + } + continue; + } + + skipped = false; + + if ((this_len1 == this_len2) && + (memcmp(this_buf1, this_buf2, this_len1) == 0)) + { + dump_data_block16(" ", i, this_buf1, this_len1, + cb, private_data); + continue; + } + + dump_data_block16("-", i, this_buf1, this_len1, + cb, private_data); + dump_data_block16("+", i, this_buf2, this_len2, + cb, private_data); + } +} + +_PUBLIC_ void dump_data_diff(int dbgc_class, int level, + bool omit_zero_bytes, + const uint8_t *buf1, size_t len1, + const uint8_t *buf2, size_t len2) +{ + struct debug_channel_level dcl = { dbgc_class, level }; + + if (!DEBUGLVLC(dbgc_class, level)) { + return; + } + dump_data_diff_cb(buf1, len1, buf2, len2, true, debugadd_channel_cb, &dcl); +} + +_PUBLIC_ void dump_data_file_diff(FILE *f, + bool 
omit_zero_bytes, + const uint8_t *buf1, size_t len1, + const uint8_t *buf2, size_t len2) +{ + dump_data_diff_cb(buf1, len1, buf2, len2, omit_zero_bytes, fprintf_cb, f); +} + /** malloc that aborts with smb_panic on fail or zero size. **/ diff --git a/lib/util/util.h b/lib/util/util.h index a7acad56880..072f0486234 100644 --- a/lib/util/util.h +++ b/lib/util/util.h @@ -51,4 +51,32 @@ _PUBLIC_ void dump_data(int level, const uint8_t *buf,int len); */ _PUBLIC_ void dump_data_dbgc(int dbgc_class, int level, const uint8_t *buf, int len); +/** + * Write dump of compared binary data to a callback + */ +void dump_data_diff_cb(const uint8_t *buf1, size_t len1, + const uint8_t *buf2, size_t len2, + bool omit_zero_bytes, + void (*cb)(const char *buf, void *private_data), + void *private_data); + +/** + * Write dump of compared binary data to the log file. + * + * The data is only written if the log level is at least level for + * debug class dbgc_class. + */ +_PUBLIC_ void dump_data_diff(int dbgc_class, int level, + bool omit_zero_bytes, + const uint8_t *buf1, size_t len1, + const uint8_t *buf2, size_t len2); + +/** + * Write dump of compared binary data to the given file handle + */ +_PUBLIC_ void dump_data_file_diff(FILE *f, + bool omit_zero_bytes, + const uint8_t *buf1, size_t len1, + const uint8_t *buf2, size_t len2); + #endif diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c index b5421e99ff5..95b0366b791 100644 --- a/librpc/ndr/ndr_string.c +++ b/librpc/ndr/ndr_string.c @@ -236,7 +236,10 @@ _PUBLIC_ enum ndr_err_code ndr_push_string(struct ndr_push *ndr, int ndr_flags, s_len++; } - if (!do_convert) { + if (s_len == 0) { + d_len = 0; + dest = (uint8_t *)talloc_strdup(ndr, ""); + } else if (!do_convert) { d_len = s_len; dest = (uint8_t *)talloc_strndup(ndr, s, s_len); } else if (!convert_string_talloc(ndr, CH_UNIX, chset, s, s_len, diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c index fec8df513a8..99d8e016216 100644 
--- a/librpc/rpc/dcesrv_auth.c +++ b/librpc/rpc/dcesrv_auth.c @@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call) auth->auth_level = call->in_auth_info.auth_level; auth->auth_context_id = call->in_auth_info.auth_context_id; + cb->auth.become_root(); status = cb->auth.gensec_prepare( auth, call, &auth->gensec_security, cb->auth.private_data); + cb->auth.unbecome_root(); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to call samba_server_gensec_start %s\n", nt_errstr(status))); @@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) { struct dcesrv_auth *auth = call->auth_state; + struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; -- Samba Shared Repository
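
Review bot: In the new dump_data_block16() in lib/util/util.c, the assertion 'SMB_ASSERT(len >= 0 && len <= 16);' compares a size_t against zero, so the first half is always true and only 'len <= 16' does any work; drop 'len >= 0' to avoid a type-limits warning. The same function formats the offset label into 'char tmp[16]' with the format "%s[%04zX]", and snprintf() will silently truncate it once idx needs enough hex digits that prefix, brackets and digits exceed 15 characters. Size the buffer for a full-width size_t so the label stays intact on very large buffers.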
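
Review bot: The rewritten loop in dump_data_cb() (lib/util/util.c, hunk at -491,73) now sets 'skipped = false;' before each dump_data_block16() call, so "skipping zero buffer bytes" is emitted once per run of all-zero blocks, whereas the removed code never cleared the flag and printed it at most once per dump. If that is intended, state it in the commit message next to the whitespace fix, because it changes the expected output of existing tests. Also consider making i a size_t in this loop, since it is now mixed with 'size_t remaining_len = len - i;'.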
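
Review bot: dump_data_diff() in lib/util/util.c (hunk at -615,6) ignores its omit_zero_bytes argument: the call is 'dump_data_diff_cb(buf1, len1, buf2, len2, true, debugadd_channel_cb, &dcl);' with a literal true, while dump_data_file_diff() just below passes omit_zero_bytes through. Pass the parameter, or remove it from the signature. In dump_data_diff_cb() a short comment would also help to say that this_buf1 or this_buf2 stays NULL with a length of 0 once one buffer is exhausted, and that the memcmp() is only reached when 'this_len1 == this_len2'.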
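
Review bot: The doc comments added in lib/util/util.h do not describe the output format of the diff helpers: nothing says that identical 16-byte blocks are printed once with a blank prefix while differing blocks are printed as a "-" line from buf1 followed by a "+" line from buf2, nor what omit_zero_bytes does. Callers only read the header, so document it there. dump_data_diff_cb() is also declared without _PUBLIC_ while both wrappers carry it; make that consistent if the callback variant is meant to be exported.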
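
Review bot: The new 's_len == 0' branch in ndr_push_string() (librpc/ndr/ndr_string.c) carries no comment explaining why it exists; the reason, that convert_string_talloc() always returns a terminated buffer and NDR must push 0 bytes for an empty string, is only in the commit message. Add a brief comment above 'if (s_len == 0) {'. The result of 'talloc_strdup(ndr, "")' is not checked in the visible lines, so confirm a NULL dest is handled after the if/else chain.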
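
Review bot: In dcesrv_auth_prepare_gensec() (librpc/rpc/dcesrv_auth.c, hunk at -130,11) 'cb->auth.become_root();' and 'cb->auth.unbecome_root();' are called through the callback table with no NULL check, and the changeset shown here is truncated before the dcesrv_core.c part. Confirm that every provider of struct dcesrv_context_callbacks sets both pointers, or that the core installs no-op defaults, so a caller that leaves them unset does not crash while handling a bind. The privileged section is limited to the gensec_prepare() call, which is right; keep the other gensec_*() wraps equally narrow so that no unrelated code runs as root.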