The branch, v4-17-stable has been updated via b8598d4b9fb VERSION: Disable GIT_SNAPSHOT for the 4.17.9 release. via 95fd96dbab9 WHATSNEW: Add release notes for Samba 4.17.9. via 65f35a5bf32 s3:winbindd: let winbind_samlogon_retry_loop() fallback to NT_STATUS_NO_LOGON_SERVERS via b5b4fd3ee23 s3:winbindd: make use of reset_cm_connection_on_error() in winbind_samlogon_retry_loop() via 38a9e17d02f s3:winbindd: let winbind_samlogon_retry_loop() always start with authoritative = 1 via 0afed23bcd2 s3:winbindd: make use of reset_cm_connection_on_error() for winbindd_lookup_{names,sids}() via 62507b112e6 s3:winbindd: call reset_cm_connection_on_error() in wb_cache_query_user_list() via 426b6ecca6d smbd: call exit_server_cleanly() to avoid panicking via c366a064c8f pidl: avoid py compile issues with --pidl-developer via 88c24655c79 s3:utils: smbget fix a memory leak via f26b205786e smbclient: Fix fd leak with "showacls;ls" via af55bfe4e99 libsmb: Fix directory listing against old servers via 72149cd8b3b tests: Show that we 100% loop in cli_list_old_recv() via 0a27a04ec05 tests: Make timelimit available to test scripts via 25b75eccea0 s4:dnsserver: Rename dns_name_equal() to samba_dns_name_equal() via dff3946d616 vfs_fruit: add fruit:convert_adouble parameter via a2567c17294 vfs_fruit: just log failing AppleDouble conversion via 4e0850b7afc libadouble: allow FILE_SHARE_DELETE in ad_convert_xattr() via b0e8932b1cf vfs_fruit: never return AFP_Resource stream for directories via ed1979c76c6 vfs_fruit: return ENOENT instead of EISDIR when trying to open AFP_Resource for a directory via f544dc9cc06 CI: add a test for fruit AppleDouble conversion when deletion triggers conversion via e1c3f8328cd rpc_server3: Pass winbind_env_set() state through to rpcd_* via 99f28fecf9d lib: Add security_token_del_npa_flags() helper function via c21560a03c9 rpc: Remove named_pipe_auth_req_info6->need_idle_server via f5323412879 rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle" via 
270855cfdb5 named_pipe_auth: Bump info5 to info6 via 61a71886a14 rpc: Add global_sid_Samba_NPA_Flags SID via 9a3ae1d0da7 librpc: Simplify dcerpc_is_transport_encrypted() via 2d1e69dcc6e smbd: Use security_token_count_flag_sids() in open_np_file() via e8094b7913c libcli: Add security_token_count_flag_sids() via 98b8ffdb447 librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms via 01d3f58321d VERSION: Bump version up to Samba 4.17.9... from bdd1a7c5f2f VERSION: Disable GIT_SNAPSHOT for the 4.17.8 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 62 +- docs-xml/manpages/vfs_fruit.8.xml | 13 + libcli/named_pipe_auth/npa_tstream.c | 144 +++-- libcli/named_pipe_auth/npa_tstream.h | 4 +- libcli/security/dom_sid.h | 4 + libcli/security/security_token.c | 36 ++ libcli/security/security_token.h | 9 + libcli/security/util_sid.c | 7 + librpc/idl/named_pipe_auth.idl | 9 +- librpc/rpc/dcerpc_helper.c | 32 +- librpc/rpc/dcesrv_core.c | 17 + librpc/rpc/dcesrv_core.h | 1 + pidl/lib/Parse/Pidl/Samba4/Python.pm | 8 +- selftest/selftesthelpers.py | 1 + source3/client/client.c | 1 + source3/include/proto.h | 3 + source3/lib/adouble.c | 2 +- source3/lib/util_sid.c | 34 + source3/librpc/idl/rpc_host.idl | 2 +- source3/libsmb/clilist.c | 6 + source3/modules/vfs_fruit.c | 48 +- source3/rpc_client/local_np.c | 105 ++- source3/rpc_server/rpc_host.c | 115 ++-- source3/rpc_server/rpc_worker.c | 112 ++-- source3/script/tests/test_old_dirlisting.sh | 28 + source3/selftest/tests.py | 6 + source3/smbd/scavenger.c | 2 +- source3/smbd/smb2_pipes.c | 23 +- source3/utils/smbget.c | 1 + source3/winbindd/winbindd_cache.c | 1 + source3/winbindd/winbindd_msrpc.c | 10 +- source3/winbindd/winbindd_pam.c | 67 +- source4/dns_server/dns_crypto.c | 2 +- source4/dns_server/dns_update.c | 4 +- source4/dns_server/dnsserver_common.c | 21 +- source4/dns_server/dnsserver_common.h | 2 +- source4/rpc_server/dnsserver/dnsutils.c | 2 +- source4/torture/dns/dlz_bind9.c | 8 +- source4/torture/vfs/fruit.c | 954 ++++++++++++++++++++++++++++ 40 files changed, 1607 insertions(+), 301 deletions(-) create mode 100755 source3/script/tests/test_old_dirlisting.sh Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index bcfbd046e24..8778e6ebb26 100644 --- a/VERSION +++ b/VERSION 
@@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=17 -SAMBA_VERSION_RELEASE=8 +SAMBA_VERSION_RELEASE=9 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c9f39ce3912..84dbe233384 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,62 @@ + ============================== + Release Notes for Samba 4.17.9 + July 06, 2023 + ============================== + + +This is the latest stable release of the Samba 4.17 release series. + + +Changes since 4.17.8 +-------------------- + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 15404: Backport --pidl-developer fixes. + +o Ralph Boehme <s...@samba.org> + * BUG 15275: smbd_scavenger crashes when service smbd is stopped. + * BUG 15378: vfs_fruit might cause a failing open for delete. + +o Samuel Cabrero <scabr...@samba.org> + * BUG 14030: named crashes on DLZ zone update. + +o Volker Lendecke <v...@samba.org> + * BUG 15361: winbind recurses into itself via rpcd_lsad. + * BUG 15382: cli_list loops 100% CPU against pre-lanman2 servers. + * BUG 15391: smbclient leaks fds with showacls. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15374: aes256 smb3 encryption algorithms are not allowed in + smb3_sid_parse(). + * BUG 15413: winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR. + +o Jones Syue <joness...@qnap.com> + * BUG 15403: smbget memory leak if failed to download files recursively. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.17.8 May 11, 2023 @@ -75,8 +134,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.17.7 March 29, 2023 diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml index 4caf308a612..b2ebfae2e21 100644 --- a/docs-xml/manpages/vfs_fruit.8.xml +++ b/docs-xml/manpages/vfs_fruit.8.xml @@ -406,6 +406,19 @@ </listitem> </varlistentry> + <varlistentry> + <term>fruit:convert_adouble = yes | no</term> + <listitem> + <para>Whether an attempt shall be made to convert ._ AppleDouble + sidecar files to native streams (xattrs when using + vfs_streams_xattr). The main use case for this conversion is + transparent migration from a server config without streams support + where the macOS client created those AppleDouble sidecar + files.</para> + <para>The default is <emphasis>yes</emphasis>.</para> + </listitem> + </varlistentry> + </variablelist> </refsect1> diff --git a/libcli/named_pipe_auth/npa_tstream.c b/libcli/named_pipe_auth/npa_tstream.c index 506c4a35681..f84440fe755 100644 --- a/libcli/named_pipe_auth/npa_tstream.c +++ b/libcli/named_pipe_auth/npa_tstream.c @@ -73,7 +73,7 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx, int ret; enum ndr_err_code ndr_err; char *lower_case_npipe; - struct named_pipe_auth_req_info5 *info5; + struct named_pipe_auth_req_info7 *info7; req = tevent_req_create(mem_ctx, &state, struct tstream_npa_connect_state); 
@@ -119,39 +119,43 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx, goto post; } - state->auth_req.level = 5; - info5 = &state->auth_req.info.info5; + state->auth_req.level = 7; + info7 = &state->auth_req.info.info7; - info5->transport = transport; - SMB_ASSERT(info5->transport == transport); /* Assert no overflow */ + info7->transport = transport; + SMB_ASSERT(info7->transport == transport); /* Assert no overflow */ - info5->remote_client_name = remote_client_name_in; - info5->remote_client_addr = tsocket_address_inet_addr_string(remote_client_addr, - state); - if (!info5->remote_client_addr) { + info7->remote_client_name = remote_client_name_in; + info7->remote_client_addr = + tsocket_address_inet_addr_string(remote_client_addr, state); + if (!info7->remote_client_addr) { /* errno might be EINVAL */ tevent_req_error(req, errno); goto post; } - info5->remote_client_port = tsocket_address_inet_port(remote_client_addr); - if (!info5->remote_client_name) { - info5->remote_client_name = info5->remote_client_addr; + info7->remote_client_port = + tsocket_address_inet_port(remote_client_addr); + if (!info7->remote_client_name) { + info7->remote_client_name = info7->remote_client_addr; } - info5->local_server_name = local_server_name_in; - info5->local_server_addr = tsocket_address_inet_addr_string(local_server_addr, - state); - if (!info5->local_server_addr) { + info7->local_server_name = local_server_name_in; + info7->local_server_addr = + tsocket_address_inet_addr_string(local_server_addr, state); + if (!info7->local_server_addr) { /* errno might be EINVAL */ tevent_req_error(req, errno); goto post; } - info5->local_server_port = tsocket_address_inet_port(local_server_addr); - if (!info5->local_server_name) { - info5->local_server_name = info5->local_server_addr; + info7->local_server_port = + tsocket_address_inet_port(local_server_addr); + if (!info7->local_server_name) { + info7->local_server_name = info7->local_server_addr; } - info5->session_info 
= discard_const_p(struct auth_session_info_transport, session_info); + info7->session_info = + discard_const_p(struct auth_session_info_transport, + session_info); if (DEBUGLVL(10)) { NDR_PRINT_DEBUG(named_pipe_auth_req, &state->auth_req); @@ -348,10 +352,10 @@ int _tstream_npa_connect_recv(struct tevent_req *req, npas->unix_stream = talloc_move(stream, &state->unix_stream); switch (state->auth_rep.level) { - case 5: - npas->file_type = state->auth_rep.info.info5.file_type; - device_state = state->auth_rep.info.info5.device_state; - allocation_size = state->auth_rep.info.info5.allocation_size; + case 7: + npas->file_type = state->auth_rep.info.info7.file_type; + device_state = state->auth_rep.info.info7.device_state; + allocation_size = state->auth_rep.info.info7.allocation_size; break; } @@ -1084,7 +1088,7 @@ static void tstream_npa_accept_existing_reply(struct tevent_req *subreq) tevent_req_data(req, struct tstream_npa_accept_state); struct named_pipe_auth_req *pipe_request; struct named_pipe_auth_rep pipe_reply; - struct named_pipe_auth_req_info5 i5; + struct named_pipe_auth_req_info7 i7; enum ndr_err_code ndr_err; DATA_BLOB in, out; int err; 
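Review bot: The request level jumps straight from 5 to 7 at `state->auth_req.level = 7;` with nothing in the code saying why 6 is skipped, while the shortlog entry for this change reads "Bump info5 to info6"; a reader of this stable branch cannot tell whether level 6 exists somewhere else or was simply never used here. Presumably 6 is reserved for a different layout in a later branch, but that should be confirmed and recorded. A one-line comment above the assignment would settle it, e.g. `/* Level 7 is the only request level this build accepts; see the level check in tstream_npa_accept_existing_reply(). */` with the reason 6 is skipped appended once known. tstream_npa_connect_send() begins before this hunk and continues after it.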
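Review bot: The `switch (state->auth_rep.level)` has no `default:` branch, so a reply carrying any level other than 7 leaves npas->file_type, device_state and allocation_size at whatever they held before the switch, silently. Whether an earlier check of auth_rep.status in this function already makes that unreachable is outside the hunk and cannot be confirmed here. If the function follows the same error convention as `_tstream_npa_accept_existing_recv` further down, the guard is three lines: `default: *perrno = EPROTO; tevent_req_received(req); return -1;`; if the case really is unreachable, a `default:` with a comment saying why is still worth having. _tstream_npa_connect_recv() starts and ends outside this hunk.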
@@ -1147,53 +1151,59 @@ static void tstream_npa_accept_existing_reply(struct tevent_req *subreq) NDR_PRINT_DEBUG(named_pipe_auth_req, pipe_request); } - ZERO_STRUCT(i5); + ZERO_STRUCT(i7); - if (pipe_request->level != 5) { + if (pipe_request->level != 7) { DEBUG(0, ("Unknown level %u\n", pipe_request->level)); pipe_reply.level = 0; pipe_reply.status = NT_STATUS_INVALID_LEVEL; goto reply; } - pipe_reply.level = 5; + pipe_reply.level = 7; pipe_reply.status = NT_STATUS_OK; - pipe_reply.info.info5.file_type = state->file_type; - pipe_reply.info.info5.device_state = state->device_state; - pipe_reply.info.info5.allocation_size = state->alloc_size; + pipe_reply.info.info7.file_type = state->file_type; + pipe_reply.info.info7.device_state = state->device_state; + pipe_reply.info.info7.allocation_size = state->alloc_size; - i5 = pipe_request->info.info5; - if (i5.local_server_addr == NULL) { + i7 = pipe_request->info.info7; + if (i7.local_server_addr == NULL) { pipe_reply.status = NT_STATUS_INVALID_ADDRESS; DEBUG(2, ("Missing local server address\n")); goto reply; } - if (i5.remote_client_addr == NULL) { + if (i7.remote_client_addr == NULL) { pipe_reply.status = NT_STATUS_INVALID_ADDRESS; DEBUG(2, ("Missing remote client address\n")); goto reply; } - ret = tsocket_address_inet_from_strings(state, "ip", - i5.local_server_addr, - i5.local_server_port, + ret = tsocket_address_inet_from_strings(state, + "ip", + i7.local_server_addr, + i7.local_server_port, &state->local_server_addr); if (ret != 0) { - DEBUG(2, ("Invalid local server address[%s:%u] - %s\n", - i5.local_server_addr, i5.local_server_port, - strerror(errno))); + DEBUG(2, + ("Invalid local server address[%s:%u] - %s\n", + i7.local_server_addr, + i7.local_server_port, + strerror(errno))); pipe_reply.status = NT_STATUS_INVALID_ADDRESS; goto reply; } - ret = tsocket_address_inet_from_strings(state, "ip", - i5.remote_client_addr, - i5.remote_client_port, + ret = tsocket_address_inet_from_strings(state, + "ip", + 
i7.remote_client_addr, + i7.remote_client_port, &state->remote_client_addr); if (ret != 0) { - DEBUG(2, ("Invalid remote client address[%s:%u] - %s\n", - i5.remote_client_addr, i5.remote_client_port, - strerror(errno))); + DEBUG(2, + ("Invalid remote client address[%s:%u] - %s\n", + i7.remote_client_addr, + i7.remote_client_port, + strerror(errno))); pipe_reply.status = NT_STATUS_INVALID_ADDRESS; goto reply; } @@ -1249,14 +1259,15 @@ static void tstream_npa_accept_existing_done(struct tevent_req *subreq) tevent_req_done(req); } -static struct named_pipe_auth_req_info5 *copy_npa_info5( - TALLOC_CTX *mem_ctx, const struct named_pipe_auth_req_info5 *src) +static struct named_pipe_auth_req_info7 * +copy_npa_info7(TALLOC_CTX *mem_ctx, + const struct named_pipe_auth_req_info7 *src) { - struct named_pipe_auth_req_info5 *dst = NULL; + struct named_pipe_auth_req_info7 *dst = NULL; DATA_BLOB blob; enum ndr_err_code ndr_err; - dst = talloc_zero(mem_ctx, struct named_pipe_auth_req_info5); + dst = talloc_zero(mem_ctx, struct named_pipe_auth_req_info7); if (dst == NULL) { return NULL; } @@ -1265,9 +1276,9 @@ static struct named_pipe_auth_req_info5 *copy_npa_info5( &blob, dst, src, - (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req_info5); + (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req_info7); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DBG_WARNING("ndr_push_named_pipe_auth_req_info5 failed: %s\n", + DBG_WARNING("ndr_push_named_pipe_auth_req_info7 failed: %s\n", ndr_errstr(ndr_err)); TALLOC_FREE(dst); return NULL; @@ -1277,10 +1288,10 @@ static struct named_pipe_auth_req_info5 *copy_npa_info5( &blob, dst, dst, - (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_req_info5); + (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_req_info7); TALLOC_FREE(blob.data); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DBG_WARNING("ndr_push_named_pipe_auth_req_info5 failed: %s\n", + DBG_WARNING("ndr_push_named_pipe_auth_req_info7 failed: %s\n", ndr_errstr(ndr_err)); TALLOC_FREE(dst); return NULL; 
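Review bot: `if (pipe_request->level != 7)` now rejects every other level with NT_STATUS_INVALID_LEVEL, including level 5 sent by a daemon still running the previous build, and nothing at the check records that this is deliberate. Since both ends of this socket are Samba processes on the same host, a partially restarted installation after an upgrade would, as far as can be seen here, fail every local named-pipe open with the DEBUG(0) "Unknown level" message until all daemons run the new code. A comment at the check would save the next person a debugging session: `/* Only level 7 is understood; a peer from an older build (level 5) is refused with NT_STATUS_INVALID_LEVEL, so all daemons must be restarted together. */`. tstream_npa_accept_existing_reply() begins before this hunk and continues past it.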
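Review bot: The warning emitted when `ndr_pull_named_pipe_auth_req_info7` fails still names the push function: `DBG_WARNING("ndr_push_named_pipe_auth_req_info7 failed: %s\n",`, which is byte-for-byte the message used in the push branch of the previous hunk, so a log reader cannot tell which half of the copy went wrong. The line is rewritten anyway for the 5→7 rename, so the fix is free: `DBG_WARNING("ndr_pull_named_pipe_auth_req_info7 failed: %s\n",`. copy_npa_info7() begins and ends outside this hunk.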
@@ -1294,7 +1305,7 @@ int _tstream_npa_accept_existing_recv( int *perrno, TALLOC_CTX *mem_ctx, struct tstream_context **stream, - struct named_pipe_auth_req_info5 **info5, + struct named_pipe_auth_req_info7 **info7, enum dcerpc_transport_t *transport, struct tsocket_address **remote_client_addr, char **_remote_client_name, @@ -1305,7 +1316,8 @@ int _tstream_npa_accept_existing_recv( { struct tstream_npa_accept_state *state = tevent_req_data(req, struct tstream_npa_accept_state); - struct named_pipe_auth_req_info5 *i5 = &state->pipe_request->info.info5; + struct named_pipe_auth_req_info7 *i7 = + &state->pipe_request->info.info7; struct tstream_npa *npas; int ret; @@ -1346,24 +1358,24 @@ int _tstream_npa_accept_existing_recv( npas->unix_stream = state->plain; npas->file_type = state->file_type; - if (info5 != NULL) { + if (info7 != NULL) { /* - * Make a full copy of "info5" because further down we + * Make a full copy of "info7" because further down we * talloc_move() away substructures from * state->pipe_request. */ - struct named_pipe_auth_req_info5 *dst = copy_npa_info5( - mem_ctx, i5); + struct named_pipe_auth_req_info7 *dst = + copy_npa_info7(mem_ctx, i7); if (dst == NULL) { *perrno = ENOMEM; tevent_req_received(req); return -1; } - *info5 = dst; + *info7 = dst; } if (transport != NULL) { - *transport = i5->transport; + *transport = i7->transport; } if (remote_client_addr != NULL) { *remote_client_addr = talloc_move( @@ -1371,7 +1383,8 @@ int _tstream_npa_accept_existing_recv( } if (_remote_client_name != NULL) { *_remote_client_name = discard_const_p( - char, talloc_move(mem_ctx, &i5->remote_client_name)); + char, + talloc_move(mem_ctx, &i7->remote_client_name)); } if (local_server_addr != NULL) { *local_server_addr = talloc_move( 
@@ -1379,10 +1392,11 @@ int _tstream_npa_accept_existing_recv( } if (local_server_name != NULL) { *local_server_name = discard_const_p( - char, talloc_move(mem_ctx, &i5->local_server_name)); + char, + talloc_move(mem_ctx, &i7->local_server_name)); } if (session_info != NULL) { - *session_info = talloc_move(mem_ctx, &i5->session_info); + *session_info = talloc_move(mem_ctx, &i7->session_info); } tevent_req_received(req); diff --git a/libcli/named_pipe_auth/npa_tstream.h b/libcli/named_pipe_auth/npa_tstream.h index 1d7e93dc0fa..ebb6d16e428 100644 --- a/libcli/named_pipe_auth/npa_tstream.h +++ b/libcli/named_pipe_auth/npa_tstream.h @@ -27,7 +27,7 @@ struct tevent_req; struct tevent_context; struct auth_session_info_transport; struct tsocket_address; -struct named_pipe_auth_req_info5; +struct named_pipe_auth_req_info7; struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, @@ -114,7 +114,7 @@ int _tstream_npa_accept_existing_recv( int *perrno, TALLOC_CTX *mem_ctx, struct tstream_context **stream, - struct named_pipe_auth_req_info5 **info5, + struct named_pipe_auth_req_info7 **info7, enum dcerpc_transport_t *transport, struct tsocket_address **remote_client_addr, char **_remote_client_name, diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h index 568916a159d..c362fa6fe80 100644 --- a/libcli/security/dom_sid.h +++ b/libcli/security/dom_sid.h @@ -66,6 +66,10 @@ extern const struct dom_sid global_sid_Unix_NFS_Mode; extern const struct dom_sid global_sid_Unix_NFS_Other; extern const struct dom_sid global_sid_Samba_SMB3; +extern const struct dom_sid global_sid_Samba_NPA_Flags; +#define SAMBA_NPA_FLAGS_NEED_IDLE 1 +#define SAMBA_NPA_FLAGS_WINBIND_OFF 2 + enum lsa_SidType; NTSTATUS dom_sid_lookup_predefined_name(const char *name, diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c index 03e7bb70743..f788540e98e 100644 --- a/libcli/security/security_token.c +++ b/libcli/security/security_token.c 
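Review bot: `#define SAMBA_NPA_FLAGS_NEED_IDLE 1` and `#define SAMBA_NPA_FLAGS_WINBIND_OFF 2` are added next to `global_sid_Samba_NPA_Flags` without a word on how the three relate, while security_token_count_flag_sids() in the same changeset matches SIDs whose sub-authorities extend a prefix SID — so these values appear to travel as a trailing sub-authority of that SID rather than as a plain C bitmask, and the header should say which, and whether they may be combined as `1|2`. Because a SID matched this way changes server-side behaviour (the shortlog passes "need_idle" through it), the header is also the place to state who may add such a SID to a token and that it must be stripped from any token built from external input; the `security_token_del_npa_flags()` helper in the shortlog suggests that is the intent, but it should be confirmed and written down. Proposed comment above the extern: `/* Process-local flags passed to rpcd_* as an extra SID in the token: <prefix>-<flags>. Never trust this SID in a token derived from client-supplied data. */`.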
@@ -95,6 +95,42 @@ bool security_token_has_sid(const struct security_token *token, const struct dom return false; } +size_t security_token_count_flag_sids(const struct security_token *token, + const struct dom_sid *prefix_sid, + size_t num_flags, + const struct dom_sid **_flag_sid) +{ + const size_t num_auths_expected = prefix_sid->num_auths + num_flags; + const struct dom_sid *found = NULL; + size_t num = 0; + uint32_t i; + + SMB_ASSERT(num_auths_expected <= ARRAY_SIZE(prefix_sid->sub_auths)); + + for (i = 0; i < token->num_sids; i++) { + const struct dom_sid *sid = &token->sids[i]; + int cmp; + + if ((size_t)sid->num_auths != num_auths_expected) { + continue; + } + + cmp = dom_sid_compare_domain(sid, prefix_sid); + if (cmp != 0) { + continue; + } + + num += 1; + found = sid; + } + + if ((num == 1) && (_flag_sid != NULL)) { + *_flag_sid = found; + } + + return num; +} + bool security_token_has_builtin_guests(const struct security_token *token) { return security_token_has_sid(token, &global_sid_Builtin_Guests); diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h index 15773df617f..c6898859b98 100644 -- Samba Shared Repository
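Review bot: security_token_count_flag_sids() lands without a header comment, and its out-parameter contract is easy to get wrong: `*_flag_sid` is written only when exactly one match was found (`if ((num == 1) && (_flag_sid != NULL))`), so a caller that does not initialise its pointer reads garbage whenever the count is 0 or 2 or more. The comment should state what a match is — a SID with `prefix_sid->num_auths + num_flags` sub-authorities whose leading sub-authorities equal prefix_sid, assuming dom_sid_compare_domain() compares only the shorter SID's sub-authorities as the num_auths pre-check implies — that the return value is the number of such SIDs, and that *_flag_sid is left untouched unless that number is exactly 1. It should also note that `SMB_ASSERT(num_auths_expected <= ARRAY_SIZE(prefix_sid->sub_auths))` guards a programming error in the caller's constant num_flags, not untrusted input, so num_flags must never be derived from the wire. The declaration in security_token.h is cut off at the end of this page, so the comment may belong there instead.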