The branch, v4-17-stable has been updated
       via  28b356ae82a VERSION: Disable GIT_SNAPSHOT for the 4.17.0rc5 release.
       via  f83fb43ff93 WHATSNEW: Add release notes for Samba 4.17.0rc5.
       via  71c94a076ba smbXsrv_client: notify a different node to drop a connection by client guid.
       via  095ee4ce189 smbXsrv_client: correctly check in negotiate_request.length smbXsrv_client_connection_pass[ed]_*
       via  64daf27dc73 s3:tests: add test_smbXsrv_client_cross_node.sh
       via  fc52fe99d79 s3:tests: let test_smbXsrv_client_dead_rec.sh cleanup the correct files
       via  ed1d0112616 smbd: Catch streams on non-stream shares
       via  930380d4746 smbd: return NT_STATUS_OBJECT_NAME_INVALID if a share doesn't support streams
       via  3139a1063a0 smbtorture: add a test trying to create a stream on share without streams support
       via  f3886349ec3 smbd: implement access checks for SMB2-GETINFO as per MS-SMB2 3.3.5.20.1
       via  5fff2048a47 smbtorture: check required access for SMB2-GETINFO
       via  771aad3baa0 s4/libcli/smb2: avoid using smb2_composite_setpathinfo() in smb2_util_setatr()
       via  229d55eff3a WHATSNEW: Document new Protected Users group
       via  8a7551c4ac6 WHATSNEW: add more added/updated parameters
       via  b3e04327601 WHATSNEW: Make MIT Kerberos 1.20 updates clearer
       via  e9c554c0a6a s3/winbindd: Fix bad access to sid array (with debug level >= info)
       via  3ba0c89f248 VERSION: Bump version up to Samba 4.17.0rc4...
      from  e6294461ad1 VERSION: Disable GIT_SNAPSHOT for the 4.17.0rc4 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 88 ++++++- librpc/idl/messaging.idl | 1 + selftest/knownfail | 3 +- source3/librpc/idl/smbXsrv.idl | 28 +++ .../script/tests/test_smbXsrv_client_cross_node.sh | 95 ++++++++ .../script/tests/test_smbXsrv_client_dead_rec.sh | 2 +- source3/selftest/tests.py | 9 + source3/smbd/filename.c | 6 + source3/smbd/files.c | 10 +- source3/smbd/open.c | 2 +- source3/smbd/smb2_getinfo.c | 28 +++ source3/smbd/smbXsrv_client.c | 266 +++++++++++++++++++-- source3/winbindd/wb_lookupusergroups.c | 2 +- source4/libcli/smb2/util.c | 37 ++- source4/selftest/tests.py | 1 + source4/torture/smb2/create.c | 48 ++++ source4/torture/smb2/getinfo.c | 147 ++++++++++++ source4/torture/smb2/oplock.c | 10 +- source4/torture/smb2/smb2.c | 1 + 20 files changed, 734 insertions(+), 52 deletions(-) create mode 100755 source3/script/tests/test_smbXsrv_client_cross_node.sh Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 6dd9eb383e4..50344235004 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # ######################################################## -SAMBA_VERSION_RC_RELEASE=4 +SAMBA_VERSION_RC_RELEASE=5 ######################################################## # To mark SVN snapshots this should be set to 'yes' # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 3591b8a4306..b060f2e5d09 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,7 +1,7 @@ Release Announcements ===================== -This is the fourth release candidate of Samba 4.17. This is *not* +This is the fifth release candidate of Samba 4.17. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -68,8 +68,8 @@ even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. -Bronze bit and S4U support with MIT Kerberos 1.20 -------------------------------------------------- +Bronze bit and S4U support now also with MIT Kerberos 1.20 +---------------------------------------------------------- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, 
@@ -87,17 +87,24 @@ but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20. In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions. +Note the default (Heimdal-based) KDC was already fixed in 2021, +see https://bugzilla.samba.org/show_bug.cgi?id=14642 + Resource Based Constrained Delegation (RBCD) support ---------------------------------------------------- Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite. -Note that samba-tool lacks support for setting this up yet! + +samba-tool delegation got the 'add-principal' and 'del-principal' subcommands +in order to manage RBCD. To complete RBCD support and make it useful to Administrators we added the Asserted Identity [1] SID into the PAC for constrained delegation. This is available for Samba AD compiled with MIT Kerberos 1.20. +Note the default (Heimdal-based) KDC does not support RBCD yet. + [1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview Customizable DNS listening port 
@@ -187,6 +194,45 @@ covers all the existing text output including sessions, connections, open files, byte-range locks, notifies and profile data with all low-level information maintained by Samba in the respective databases. +Protected Users security group +------------------------------ + +Samba AD DC now includes support for the Protected Users security +group introduced in Windows Server 2012 R2. The feature reduces the +attack surface of user accounts by preventing the use of weak +encryption types. It also mitigates the effects of credential theft by +limiting credential lifetime and scope. + +The protections are intended for user accounts only, and service or +computer accounts should not be added to the Protected Users +group. User accounts added to the group are granted the following +security protections: + + * NTLM authentication is disabled. + * Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are + not issued to or accepted from affected principals. Tickets + encrypted with AES, and service tickets encrypted with RC4, are + not affected by this restriction. + * The lifetime of Kerberos TGTs is restricted to a maximum of four + hours. + * Kerberos constrained and unconstrained delegation is disabled. + +If the Protected Users group is not already present in the domain, it +can be created with 'samba-tool group add'. The new '--special' +parameter must be specified, with 'Protected Users' as the name of the +group. An example command invocation is: + +samba-tool group add 'Protected Users' --special + +or against a remote server: + +samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator + +The Protected Users group is identified in the domain by its having a +RID of 525. Thus, it should only be created with samba-tool and the +'--special' parameter, as above, so that it has the required RID +to function correctly. + REMOVED FEATURES ================ 
@@ -197,14 +243,44 @@ LanMan Authentication and password storage removed from the AD DC The storage and authentication with LanMan passwords has been entirely removed from the Samba AD DC, even when "lanman auth = yes" is set. + smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- dns port New default 53 - nt hash store New parameter always - volume serial number New parameter -1 + fruit:zero_file_id New default yes + nt hash store New parameter always + smb1 unix extensions Replaces "unix extensions" + volume serial number New parameter -1 + winbind debug traceid New parameter no + + +CHANGES SINCE 4.17.0rc4 +======================= + +o Ralph Boehme <s...@samba.org> + * BUG 15126: acl_xattr VFS module may unintentionally use filesystem + permissions instead of ACL from xattr. + * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1. + * BUG 15161: assert failed: !is_named_stream(smb_fname)") at + ../../lib/util/fault.c:197. + +o Volker Lendecke <v...@samba.org> + * BUG 15126: acl_xattr VFS module may unintentionally use filesystem + permissions instead of ACL from xattr. + * BUG 15161: assert failed: !is_named_stream(smb_fname)") at + ../../lib/util/fault.c:197. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15159: Cross-node multi-channel reconnects result in SMB2 Negotiate + returning NT_STATUS_NOT_SUPPORTED. + +o Noel Power <noel.po...@suse.com> + * BUG 15160: winbind at info level debug can coredump when processing + wb_lookupusergroups. + CHANGES SINCE 4.17.0rc3 ======================= diff --git a/librpc/idl/messaging.idl b/librpc/idl/messaging.idl index d6929c799ad..5d217c03f5b 100644 --- a/librpc/idl/messaging.idl +++ b/librpc/idl/messaging.idl 
@@ -138,6 +138,7 @@ interface messaging MSG_SMBXSRV_SESSION_CLOSE = 0x0600, MSG_SMBXSRV_CONNECTION_PASS = 0x0601, MSG_SMBXSRV_CONNECTION_PASSED = 0x0602, + MSG_SMBXSRV_CONNECTION_DROP = 0x0603, /* source4 and NTVFS smb server messages */ MSG_BRL_RETRY = 0x0700, diff --git a/selftest/knownfail b/selftest/knownfail index 0b4c5a44a7f..82dd7e1e8b4 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -176,6 +176,7 @@ ^samba4.smb2.oplock.stream1 # samba 4 oplocks are a mess ^samba4.smb2.oplock.statopen1\(ad_dc_ntvfs\)$ # fails with ACCESS_DENIED on a SYNCHRONIZE_ACCESS open ^samba4.smb2.getinfo.complex # streams on directories does not work +^samba4.smb2.getinfo.getinfo_access\(ad_dc_ntvfs\) # Access checks not implemented ^samba4.smb2.getinfo.qfs_buffercheck # S4 does not do the INFO_LENGTH_MISMATCH/BUFFER_OVERFLOW thingy ^samba4.smb2.getinfo.qfile_buffercheck # S4 does not do the INFO_LENGTH_MISMATCH/BUFFER_OVERFLOW thingy ^samba4.smb2.getinfo.qsec_buffercheck # S4 does not do the BUFFER_TOO_SMALL thingy @@ -207,10 +208,8 @@ ^samba3.smb2.oplock.stream1 ^samba3.smb2.streams.rename ^samba3.smb2.streams.rename2 -^samba3.smb2.streams.attributes1\(.*\) ^samba3.smb2.streams streams_xattr.rename\(nt4_dc\) ^samba3.smb2.streams streams_xattr.rename2\(nt4_dc\) -^samba3.smb2.streams streams_xattr.attributes1\(nt4_dc\) ^samba3.smb2.getinfo.complex ^samba3.smb2.getinfo.fsinfo # quotas don't work yet ^samba3.smb2.setinfo.setinfo diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl index fc502009b3b..ec65a5c1a61 100644 --- a/source3/librpc/idl/smbXsrv.idl +++ b/source3/librpc/idl/smbXsrv.idl @@ -143,6 +143,7 @@ interface smbXsrv boolean8 server_multi_channel_enabled; hyper next_channel_id; [ignore] struct tevent_req *connection_pass_subreq; + [ignore] struct tevent_req *connection_drop_subreq; /* * A List of pending breaks. 
@@ -194,6 +195,33 @@ interface smbXsrv [in] smbXsrv_connection_passB blob ); + /* + * smbXsrv_connection_drop is used in the MSG_SMBXSRV_CONNECTION_DROP + * message as reaction the record is deleted. + */ + typedef struct { + GUID client_guid; + server_id src_server_id; + NTTIME xconn_connect_time; + server_id dst_server_id; + NTTIME client_connect_time; + } smbXsrv_connection_drop0; + + typedef union { + [case(0)] smbXsrv_connection_drop0 *info0; + [default] hyper *dummy; + } smbXsrv_connection_dropU; + + typedef [public] struct { + smbXsrv_version_values version; + [value(0)] uint32 reserved; + [switch_is(version)] smbXsrv_connection_dropU info; + } smbXsrv_connection_dropB; + + void smbXsrv_connection_drop_decode( + [in] smbXsrv_connection_dropB blob + ); + /* sessions */ typedef [public,bitmap8bit] bitmap { diff --git a/source3/script/tests/test_smbXsrv_client_cross_node.sh b/source3/script/tests/test_smbXsrv_client_cross_node.sh new file mode 100755 index 00000000000..ff826924b49 --- /dev/null +++ b/source3/script/tests/test_smbXsrv_client_cross_node.sh 
@@ -0,0 +1,95 @@ +#!/bin/bash +# +# Test smbd let cluster node 0 destroy the connection, +# if the client with a specific client-guid connections to node 1 +# + +if [ $# -lt 4 ]; then + echo Usage: test_smbXsrv_client_cross_node.sh SERVERCONFFILE NODE0 NODE1 SHARENAME + exit 1 +fi + +CONF=$1 +NODE0=$2 +NODE1=$3 +SHARE=$4 + +SMBCLIENT="$BINDIR/smbclient" +SMBSTATUS="$BINDIR/smbstatus" + +incdir=$(dirname "$0")/../../../testprogs/blackbox +. "$incdir"/subunit.sh + +failed=0 + +test_smbclient() +{ + name="$1" + server="$2" + share="$3" + cmd="$4" + shift + shift + subunit_start_test "$name" + output=$($VALGRIND $SMBCLIENT //$server/$share -c "$cmd" "$@" 2>&1) + status=$? + if [ x$status = x0 ]; then + subunit_pass_test "$name" + else + echo "$output" | subunit_fail_test "$name" + fi + return $status +} + +cd "$SELFTEST_TMPDIR" || exit 1 + +# Create the smbclient communication pipes. +rm -f smbclient-stdin smbclient-stdout smbclient-stderr +mkfifo smbclient-stdin smbclient-stdout smbclient-stderr + +UID_WRAPPER_ROOT=1 +export UID_WRAPPER_ROOT + +smbstatus_num_sessions() +{ + UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 "$SMBSTATUS" "$CONF" --json | jq -M '.sessions | length' +} + +testit_grep "step1: smbstatus 0 sessions" '^0$' smbstatus_num_sessions || failed=$(expr $failed + 1) + +test_smbclient "smbclient against node0[${NODE0}]" "${NODE0}" "${SHARE}" "ls" -U"${DC_USERNAME}"%"${DC_PASSWORD}" \ + --option="libsmb:client_guid=6112f7d3-9528-4a2a-8861-0ca129aae6c4" \ + || failed=$(expr $failed + 1) + +testit_grep "step2: smbstatus 0 sessions" '^0$' smbstatus_num_sessions || failed=$(expr $failed + 1) + +CLI_FORCE_INTERACTIVE=1 +export CLI_FORCE_INTERACTIVE + +testit "start backgroup smbclient against node0[${NODE0}]" true || failed=$(expr $failed + 1) + +# Connect a first time +${SMBCLIENT} //"${NODE0}"/"${SHARE}" -U"${DC_USERNAME}"%"${DC_PASSWORD}" \ + --option="libsmb:client_guid=6112f7d3-9528-4a2a-8861-0ca129aae6c4" \ + <smbclient-stdin >smbclient-stdout 
2>smbclient-stderr & +CLIENT_PID=$! + +exec 100>smbclient-stdin 101<smbclient-stdout 102<smbclient-stderr + +testit "sleep 1 second" true || failed=$(expr $failed + 1) +sleep 1 + +testit_grep "step3: smbstatus 1 session" '^1$' smbstatus_num_sessions || failed=$(expr $failed + 1) + +# Connect a second time +unset CLI_FORCE_INTERACTIVE +test_smbclient "smbclient against node1[${NODE1}]" "${NODE1}" "${SHARE}" "ls" -U"${DC_USERNAME}"%"${DC_PASSWORD}" \ + --option="libsmb:client_guid=6112f7d3-9528-4a2a-8861-0ca129aae6c4" \ + || failed=$(expr $failed + 1) + +kill $CLIENT_PID +rm -f smbclient-stdin smbclient-stdout smbclient-stderr + +testit_grep "step24: smbstatus 0 sessions" '^0$' smbstatus_num_sessions || failed=$(expr $failed + 1) + +testok "$0" "$failed" diff --git a/source3/script/tests/test_smbXsrv_client_dead_rec.sh b/source3/script/tests/test_smbXsrv_client_dead_rec.sh index a29350878bd..0a287370944 100755 --- a/source3/script/tests/test_smbXsrv_client_dead_rec.sh +++ b/source3/script/tests/test_smbXsrv_client_dead_rec.sh @@ -62,7 +62,7 @@ ${SMBCLIENT} //"${SERVER}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" \ --option="libsmb:client_guid=6112f7d3-9528-4a2a-8861-0ca129aae6c4" \ -c exit -rm -f smbclient-stdin smbclient-stdout aio_outstanding_testfile +rm -f smbclient-stdin smbclient-stdout smbclient-stderr # # Ensure the panic count didn't change. diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index afb326029dc..01ec90e9878 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -1080,6 +1080,8 @@ for t in tests: elif t == "smb2.twrp": # This is being driven by samba3.blackbox.shadow_copy_torture pass + elif t == "smb2.create_no_streams": + plansmbtorture4testsuite(t, "fileserver", '//$SERVER_IP/nfs4acl_simple_40 -U$USERNAME%$PASSWORD') elif t == "rpc.wkssvc": plansmbtorture4testsuite(t, "ad_member", '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD') elif t == "rpc.srvsvc": 
@@ -1368,6 +1370,13 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local", '$SERVER_IP', "tmp"]) +plantestsuite("samba3.blackbox.smbXsrv_client_cross_node", "clusteredmember:local", + [os.path.join(samba3srcdir, + "script/tests/test_smbXsrv_client_cross_node.sh"), + configuration, + 'ctdb0', 'ctdb1', + "tmp"]) + env = 'fileserver' plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env), [os.path.join(samba3srcdir, diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c index ca94b7ec7f9..0be8e320ffa 100644 --- a/source3/smbd/filename.c +++ b/source3/smbd/filename.c @@ -1120,6 +1120,12 @@ static NTSTATUS filename_convert_dirfsp_nosymlink( goto fail; } + if ((streamname != NULL) && + ((conn->fs_capabilities & FILE_NAMED_STREAMS) == 0)) { + status = NT_STATUS_OBJECT_NAME_INVALID; + goto fail; + } + if (!posix) { bool name_has_wild = ms_has_wild(dirname); name_has_wild |= ms_has_wild(fname_rel); diff --git a/source3/smbd/files.c b/source3/smbd/files.c index b494a8b789a..179c3e11a76 100644 --- a/source3/smbd/files.c +++ b/source3/smbd/files.c @@ -565,8 +565,14 @@ NTSTATUS openat_pathref_fsp(const struct files_struct *dirfsp, return NT_STATUS_OK; } - if (!(conn->fs_capabilities & FILE_NAMED_STREAMS) || - !is_named_stream(smb_fname)) { + if (is_named_stream(smb_fname) && + ((conn->fs_capabilities & FILE_NAMED_STREAMS) == 0)) { + DBG_DEBUG("stream open [%s] on non-stream share\n", + smb_fname_str_dbg(smb_fname)); + return NT_STATUS_OBJECT_NAME_INVALID; + } + + if (!is_named_stream(smb_fname)) { /* * openat_pathref_fullname() will make "full_fname" a * talloc child of the smb_fname->fsp. Don't use diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 3dd9f69b8cc..c24c55d6a76 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c 
@@ -6310,7 +6310,7 @@ NTSTATUS create_file_default(connection_struct *conn, } if (!(conn->fs_capabilities & FILE_NAMED_STREAMS)) { - status = NT_STATUS_OBJECT_NAME_NOT_FOUND; + status = NT_STATUS_OBJECT_NAME_INVALID; goto fail; } } diff --git a/source3/smbd/smb2_getinfo.c b/source3/smbd/smb2_getinfo.c index 0320dcc5fde..23322e7b85f 100644 --- a/source3/smbd/smb2_getinfo.c +++ b/source3/smbd/smb2_getinfo.c @@ -303,6 +303,34 @@ static struct tevent_req *smbd_smb2_getinfo_send(TALLOC_CTX *mem_ctx, ZERO_STRUCT(write_time_ts); + /* + * MS-SMB2 3.3.5.20.1 "Handling SMB2_0_INFO_FILE" + * + * FileBasicInformation, FileAllInformation, + * FileNetworkOpenInformation, FileAttributeTagInformation + * require FILE_READ_ATTRIBUTES. + * + * FileFullEaInformation requires FILE_READ_EA. + */ + switch (in_file_info_class) { + case FSCC_FILE_BASIC_INFORMATION: + case FSCC_FILE_ALL_INFORMATION: + case FSCC_FILE_NETWORK_OPEN_INFORMATION: + case FSCC_FILE_ATTRIBUTE_TAG_INFORMATION: + if (!(fsp->access_mask & SEC_FILE_READ_ATTRIBUTE)) { + tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED); + return tevent_req_post(req, ev); + } + break; + + case FSCC_FILE_FULL_EA_INFORMATION: + if (!(fsp->access_mask & SEC_FILE_READ_EA)) { + tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED); + return tevent_req_post(req, ev); + } + break; + } + switch (in_file_info_class) { case FSCC_FILE_FULL_EA_INFORMATION: file_info_level = SMB2_FILE_FULL_EA_INFORMATION; diff --git a/source3/smbd/smbXsrv_client.c b/source3/smbd/smbXsrv_client.c index 079ca80ad12..d7a6fa35bf0 100644 --- a/source3/smbd/smbXsrv_client.c +++ b/source3/smbd/smbXsrv_client.c 
@@ -346,6 +346,55 @@ static NTSTATUS smb2srv_client_connection_pass(struct smbd_smb2_request *smb2req return NT_STATUS_OK; } +static NTSTATUS smb2srv_client_connection_drop(struct smbd_smb2_request *smb2req, + struct smbXsrv_client_global0 *global) +{ + DATA_BLOB blob; + enum ndr_err_code ndr_err; + NTSTATUS status; + struct smbXsrv_connection_drop0 drop_info0; + struct smbXsrv_connection_dropB drop_blob; + struct iovec iov; + + drop_info0 = (struct smbXsrv_connection_drop0) { + .client_guid = global->client_guid, + .src_server_id = smb2req->xconn->client->global->server_id, + .xconn_connect_time = smb2req->xconn->client->global->initial_connect_time, + .dst_server_id = global->server_id, + .client_connect_time = global->initial_connect_time, + }; + + ZERO_STRUCT(drop_blob); + drop_blob.version = smbXsrv_version_global_current(); + drop_blob.info.info0 = &drop_info0; + + if (DEBUGLVL(DBGLVL_DEBUG)) { + NDR_PRINT_DEBUG(smbXsrv_connection_dropB, &drop_blob); -- Samba Shared Repository
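Review bot: in the WHATSNEW.txt hunk @@ -197,14 +243,44 @@ the two BUG 15161 entries carry a stray `")` after `!is_named_stream(smb_fname)`; the title should read `assert failed: !is_named_stream(smb_fname) at ../../lib/util/fault.c:197`. In the same hunk the new `smb1 unix extensions` row of the smb.conf changes table is the only row with an empty Default column; if the default is unchanged from the replaced "unix extensions" parameter, state it there instead of leaving the cell blank.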
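Review bot: the selftest/knownfail hunk @@ -207,10 +208,8 @@ drops the two `streams.attributes1` knownfail lines (`samba3.smb2.streams` and `streams_xattr` on nt4_dc) without any visible explanation; the commit message for the stream change should say that these tests now pass because a stream name on a share without FILE_NAMED_STREAMS is rejected with NT_STATUS_OBJECT_NAME_INVALID, so a later reader does not read the deletion as a dropped regression test.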
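Review bot: in the source3/librpc/idl/smbXsrv.idl hunk the comment on `smbXsrv_connection_drop` ("used in the MSG_SMBXSRV_CONNECTION_DROP message as reaction the record is deleted") does not parse; suggest "sent as the MSG_SMBXSRV_CONNECTION_DROP message; the receiving node deletes its client record in reaction". The struct also needs one line saying which side `src_server_id`/`xconn_connect_time` and `dst_server_id`/`client_connect_time` describe (the node that just accepted the new connection versus the node holding the stale record), because smbXsrv_client.c fills them from `smb2req->xconn->client->global` and from `global` respectively and that is not recoverable from the IDL alone.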
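Review bot: in source3/script/tests/test_smbXsrv_client_cross_node.sh the `test_smbclient()` helper assigns four positional parameters but only shifts twice, so `"$@"` still begins with `"$share" "$cmd"` and smbclient gets those two values as extra positional arguments after the service and `-c`; either shift four times or add a comment saying why that is intended. Smaller points in the same hunk: the header comment "if the client with a specific client-guid connections to node 1" should read "connects", the testit label "start backgroup smbclient" should be "background", and the last label "step24" should be "step4". After `kill $CLIENT_PID` the script immediately expects 0 sessions with no `wait $CLIENT_PID` or delay, unlike the explicit "sleep 1 second" before step3; a `wait` there avoids a race with smbd still tearing the session down.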
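Review bot: in the source3/selftest/tests.py hunk @@ -1080,6 +1080,8 @@ the new `smb2.create_no_streams` suite is planned against `//$SERVER_IP/nfs4acl_simple_40` without saying why; a one-line comment that this share is used because it has no streams support, which is the property the test depends on, keeps the share name from being "normalised" to tmp later.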
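Review bot: the new check in `filename_convert_dirfsp_nosymlink()` (source3/smbd/filename.c) is placed before the `if (!posix)` block, and for a POSIX (SMB1 unix extensions) path a colon is an ordinary filename character; please confirm that `streamname` is only non-NULL when the name was really split as a stream and never for a POSIX name containing ':', otherwise such opens would now fail with NT_STATUS_OBJECT_NAME_INVALID. A comment at the check saying that this is guaranteed by the earlier split would settle it.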
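Review bot: the new access-check `switch` in `smbd_smb2_getinfo_send()` (source3/smbd/smb2_getinfo.c) returns NT_STATUS_ACCESS_DENIED silently; a DBG_DEBUG line naming `in_file_info_class` and `fsp->access_mask` next to each `tevent_req_nterror()` would make it much easier to explain a client that worked before 4.17 and now fails GETINFO. The switch also has no `default:` case; an explicit `default: break;` documents that every other class is intentionally left unchecked rather than forgotten.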
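Review bot: the source3/smbd/smbXsrv_client.c hunk @@ -346,6 +346,55 @@ is cut off by the 500-line truncation right after `NDR_PRINT_DEBUG(smbXsrv_connection_dropB, &drop_blob)`, so the NDR push into `blob`/`iov`, the send of MSG_SMBXSRV_CONNECTION_DROP to `global->server_id` and the receiving handler that deletes the record cannot be reviewed from this mail; the declared `ndr_err`, `status` and `iov` are unused in the visible part. Please review the remainder against the full commit 71c94a076ba, in particular what happens when `dst_server_id` belongs to a node that no longer answers.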