The branch, v4-21-stable has been updated
       via  d67152765b3 VERSION: Disable GIT_SNAPSHOT for the 4.21.2 release.
       via  c8e1d816979 WHATSNEW: Add release notes for Samba 4.21.2.
       via  8da34956d68 ctdb-scripts: Track connections for all ports for 
public IPs
       via  53df2b78ae5 ctdb-scripts: Get connections after tickle list
       via  f5fc8aa709c ctdb-scripts: Move connection tracking to 10.interface
       via  c6c0722cb72 ctdb-server: Drop a log message to DEBUG level
       via  7791375ccca ctdb-server: Clean up connection tracking functions
       via  84deecc5e8e ctdb-scripts: Use ss -H option to simplify
       via  5920d47149c ctdb-scripts: Remove superseded compatibility code
       via  0a571a6dbe3 ctdb-scripts: update_tickles() should use the public 
IPs cache
       via  650ce39d63c ctdb-scripts: Don't list connections when not hosting 
IPs
       via  6afa2ce5dc2 smbd: avoid a panic in close_directory()
       via  0c3379c5bd8 examples:winexe: Initialize Trustee.ptstrName at the 
right time
       via  193dc02471b libcli/auth: make use of 
netlogon_creds_cli_check_transport() in more places
       via  f444707208c libcli/auth: split out 
netlogon_creds_cli_check_transport()
       via  97c1456157a libcli/auth: let netlogon_creds_copy() copy all scalar 
elements
       via  10e8e230e7b s4:librpc/rpc: make use of 
netlogon_creds_client_verify()
       via  4fb7226f776 libcli/auth: make use of netlogon_creds_client_verify()
       via  bd5058538cc libcli/auth: split out netlogon_creds_client_verify() 
that takes auth_{type,level}
       via  1edb984810b libcli/auth: pass auth_{type,level} to 
netlogon_creds_server_step_check()
       via  15fad537ca5 libcli/auth: pass auth_{type,level} to 
schannel_check_creds_state()
       via  57b897276ca libcli/auth: return INVALID_PARAMETER for DES in 
netlogon_creds_{de,en}crypt_samlogon_logon
       via  f93fc1e65cb s4:rpc_server/netlogon: make use of 
netlogon_creds_decrypt_SendToSam
       via  9f36351814a s4:rpc_server/netlogon: make use of 
netlogon_creds_decrypt_samr_CryptPassword
       via  51dca749dd5 s4:rpc_server/netlogon: make use of 
netlogon_creds_{de,en}crypt_samr_Password()
       via  9b2c2de4bf9 s3:rpc_server/netlogon: make use of 
netlogon_creds_decrypt_samr_CryptPassword()
       via  cedcfa310b9 s3:rpc_server/netlogon: make use of 
netlogon_creds_{de,en}crypt_samr_Password
       via  fea3d0c5810 s4:torture/rpc: make use of 
netlogon_creds_{de,en}crypt_samr_Password
       via  a8e5bbb2689 s4:torture/rpc: make use of 
netlogon_creds_encrypt_samr_CryptPassword()
       via  c944d1fc372 s4:torture/rpc: make use of 
netlogon_creds_decrypt_samlogon_validation()
       via  7664466f8be s4:torture/rpc: make use of 
netlogon_creds_encrypt_samlogon_logon()
       via  423ee427b2d libcli/auth: make use of 
netlogon_creds_{de,en}crypt_samr_Password
       via  c39ab113afd libcli/auth: make use of 
netlogon_creds_encrypt_SendToSam
       via  44803568fce libcli/auth: make use of 
netlogon_creds_encrypt_samr_CryptPassword
       via  104dd940b80 libcli/auth: make 
netlogon_creds_des_{de,en}crypt_LMKey() static
       via  986e85311b1 python/tests: use encrypt_netr_PasswordInfo in 
KDCBaseTest._test_samlogon()
       via  16486fc89e9 pycredentials: add py_creds_encrypt_netr_PasswordInfo 
helper
       via  63cd352ce46 pycredentials: make use of 
netlogon_creds_encrypt_samr_CryptPassword in 
py_creds_encrypt_netr_crypt_password
       via  1942021a04b libcli/auth: add netlogon_creds_{de,en}crypt_SendToSam()
       via  a67f23403d5 libcli/auth: add 
netlogon_creds_{de,en}crypt_samr_CryptPassword()
       via  ee30900ecef libcli/auth: add 
netlogon_creds_{de,en}crypt_samr_Password()
       via  4da8ed66be9 libcli/auth: pass auth_{type,level} to 
netlogon_creds_{de,en}crypt_samlogon_logon()
       via  44109378880 libcli/auth: pass auth_{type,level} to 
netlogon_creds_{de,en}crypt_samlogon_validation()
       via  553db707b57 netlogon.idl: add netr_ServerAuthenticateKerberos() and 
related stuff
       via  2a210ec5c40 s3:rpc_server: add DCESRV_COMPAT_NOT_USED_ON_WIRE() 
helper macro
       via  c7166d2d612 dcesrv_core: add DCESRV_NOT_USED_ON_WIRE() helper macro
       via  30d744d0a6a s4:rpc_server/netlogon: split out 
dcesrv_netr_ServerAuthenticateGeneric()
       via  769588b25a7 s4:dsdb/common: dsdb_trust_get_incoming_passwords only 
needs a const ldb_message
       via  d7b7db05fd2 libcli/auth: split out netlogon_creds_alloc()
       via  57c1fb9048c libcli/auth: let netlogon_creds_cli_store_internal 
check netlogon_creds_CredentialState_legacy
       via  dcd3c2b9d2b libcli/auth: let netlogon_creds_cli_store_internal() 
use talloc_stackframe()
       via  46b7eb7737b libcli/auth: also use 
netlogon_creds_CredentialState_extra_info for the client
       via  ef69f555566 s4:torture/rpc: let test_netlogon_capabilities() fail 
on legacy servers
       via  1fecabddeb6 s4:rpc_server/netlogon: implement 
netr_LogonGetCapabilities query_level=2
       via  47e5aa1e36e s3:rpc_server/netlogon: implement 
netr_LogonGetCapabilities query_level=2
       via  c6bfa4dbb25 libcli/auth: remember client_requested_flags and 
auth_time in netlogon_creds_server_init()
       via  a0ad07e82f0 libcli/auth: remove unused creds->sid
       via  72be93b62f3 s4:rpc_server/netlogon: make use of 
creds->ex->client_sid
       via  39399a49d36 s3:rpc_server/netlogon: make use of 
creds->ex->client_sid
       via  114e369122c librpc/rpc: make use of creds->ex->client_sid in 
dcesrv_netr_check_schannel_get_state()
       via  58f657baf09 libcli/auth: split out 
netlogon_creds_CredentialState_extra_info
       via  1a6928892a9 libcli/auth: pass client_sid to 
netlogon_creds_server_init()
       via  e03e2f7639f s4:rpc_server/netlogon: add client_sid helper variables
       via  d197dd522f3 s3:rpc_server/netlogon: add client_sid helper variables
       via  f4edcf3d0ea s4:dsdb/common: samdb_confirm_rodc_allowed_to_repl_to() 
only needs a const sid
       via  b5bf7bc3810 s3:cli_netlogon: let rpccli_connect_netlogon() use 
force_reauth = true on retry
       via  c2796abfdc2 s4:torture/rpc/netlogon: adjust 
test_netlogon_capabilities query_level=2 to request_flags
       via  83e9f281ca4 s4:librpc/rpc: use netr_LogonGetCapabilities 
query_level=2 to verify the proposed capabilities
       via  5c7301f799f s4:librpc/rpc: define required schannel flags and 
enforce them
       via  41be718d655 s4:librpc/rpc: don't allow any unexpected upgrades of 
negotiate_flags
       via  59d8a8715de s4:librpc/rpc: do LogonControl after 
LogonGetCapabilities downgrade
       via  9265852ec70 libcli/auth: use netr_LogonGetCapabilities 
query_level=2 to verify the proposed capabilities
       via  ea1bb195859 libcli/auth: use a LogonControl after a 
LogonGetCapabilities downgrade
       via  d73e6c7ab08 libcli/auth: if we require aes we don't need to require 
arcfour nor strong key
       via  48acce5da8f libcli/auth: don't allow any unexpected upgrades of 
negotiate_flags
       via  6f1d556b407 libcli/auth: make use of 
netlogon_creds_cli_store_internal() in netlogon_creds_cli_auth_srvauth_done()
       via  ced6cbfa6b1 libcli/auth: remove unused 
netlogon_creds_client_init_session_key()
       via  8cf7bf9f615 netlogon.idl: the capabilities in query_level=2 are the 
ones send by the client
       via  349f3144883 s4:rpc_server/netlogon: if we require AES there's no 
need to remove the ARCFOUR flag
       via  6916bf43d3f s3:rpc_server/netlogon: if we require AES there's no 
need to remove the ARCFOUR flag
       via  a442241004e s3:rpc_server/netlogon: correctly negotiate flags in 
ServerAuthenticate2/3
       via  0267772cdf2 s4:torture/rpc: without weak crypto we should require 
AES
       via  a65ca95d4d2 s4:torture/rpc: check that DOWNGRADE_DETECTED has no 
bits negotiated
       via  d41a1dbc0bf s3:winbindd: call process_set_title() for locator child
       via  00e1c97fee9 third_party/heimdal: Import 
lorikeet-heimdal-202410161454 (commit 0d61538a16b5051c820702f0711102112cd01a83)
       via  a7ea9b5026f smbd: fix sharing access check for directories
       via  5c3e5377fe6 smbd: fix share access check for overwrite dispostions
       via  66c09de1f30 smbtorture: add subtests for overwrite dispositions vs 
sharemodes
       via  88caf2c0911 smbtorture: fix smb2.notify.mask test
       via  a2ee15f58de smbtorture: prepare test_overwrite_read_only_file() for 
more subtests
       via  27e364a4933 dcesrv_core: better fault codes 
dcesrv_auth_prepare_auth3()
       via  4b60c66a9e7 dcesrv_core: fix the auth3 for large ntlmssp messages
       via  dae81f45a37 gensec:spnego: ignore trailing bytes in 
SPNEGO_SERVER_START state
       via  f18b49489f1 gensec:ntlmssp: only allow messages up to 2888 bytes
       via  657953d8e48 dcesrv_core: alter_context logon failures should result 
in DCERPC_FAULT_ACCESS_DENIED
       via  aa0e68958cc dcesrv_core: a failure from gensec_update results in 
NAK_REASON_INVALID_CHECKSUM
       via  f27161ef539 dcerpc_util: let dcerpc_pull_auth_trailer() ignore 
data_and_pad for bind, alter, auth3
       via  178e654eca1 dcerpc_util: let dcerpc_pull_auth_trailer() expose the 
reject reason
       via  5740e9daadc dcerpc_util: let dcerpc_pull_auth_trailer() check that 
auth_offset is 4 bytes aligned
       via  a91d040b859 tests/dcerpc/raw_protocol: test invalid schannel binds
       via  8add039c0bc tests/dcerpc/raw_protocol: add more tests for auth_pad 
alignment
       via  68ade99138d tests/dcerpc/raw_protocol: add tests for max 
auth_padding, auth_len or auth_offset
       via  b019eb56d69 tests/dcerpc/raw_protocol: fix comment in 
test_spnego_change_auth_type1
       via  5fbb57e0dd5 tests/dcerpc/raw_protocol: test_no_auth_ctx_request
       via  058328859c7 dcesrv_core: introduce 
dcesrv_connection->transport_max_recv_frag
       via  80129a9b077 tests/dcerpc/raw_protocol: run test_neg_xmit_ffff_ffff 
over tcp and smb
       via  2553c9aeded dcesrv_core: add more verbose debugging for missing 
association groups
       via  465bcb60550 RawDCERPCTest: add some more auth_length related asserts
       via  fcbb5243d5a RawDCERPCTest: split prepare_pdu() and send_pdu_blob() 
out of send_pdu()
       via  82ce898457b s4:librpc: provide py_schannel bindings
       via  bea355c2316 dcerpc_util: don't allow auth_padding for BIND, 
ALTER_CONTEXT and AUTH3 pdus
       via  79d8431c864 tests/dcerpc/raw_protocol: add more test for auth 
padding during ALTER_CONTEXT/AUTH3
       via  cbcd11f2fb2 dcesrv_core: return 
NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED for binds without contexts
       via  346dab391d6 dcesrv_core: disconnect after a fault with non 
AUTH_LEVEL_CONNECT bind
       via  b56c35c3366 s4:selftest: only run ad_member with 
AUTH_LEVEL_CONNECT_LSA=1
       via  c0f40a78313 tests/dcerpc/raw_protocol: pass against Windows 2022 
and require special env vars for legacy servers
       via  9e35e26e038 RawDCERPCTest: ignore errors in smb_pipe_socket.close()
       via  189e4e8b262 s4:tortore/rpc: let rpc.backupkey without privacy pass 
against Windows 2022
       via  53cf535b450 VERSION: Bump version up to Samba 4.21.2...
      from  654d41a19c2 VERSION: Disable GIT_SNAPSHOT for the 4.21.1 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                       |    2 +-
 WHATSNEW.txt                                  |   58 +-
 auth/credentials/pycredentials.c              |   92 +-
 auth/gensec/spnego.c                          |   24 +-
 auth/ntlmssp/ntlmssp.c                        |    9 +
 auth/ntlmssp/ntlmssp_client.c                 |    6 -
 auth/ntlmssp/ntlmssp_server.c                 |    6 -
 ctdb/config/events/legacy/10.interface.script |    2 +
 ctdb/config/events/legacy/60.nfs.script       |    1 -
 ctdb/config/functions                         |   52 +-
 ctdb/server/ctdb_takeover.c                   |  108 +-
 examples/winexe/winexesvc.c                   |    3 +-
 libcli/auth/credentials.c                     |  358 ++++--
 libcli/auth/libcli_auth.h                     |    1 +
 libcli/auth/netlogon_creds_cli.c              |  744 +++++++-----
 libcli/auth/proto.h                           |   59 +-
 libcli/auth/schannel_state.h                  |    2 +
 libcli/auth/schannel_state_tdb.c              |   15 +-
 librpc/idl/netlogon.idl                       |   33 +-
 librpc/idl/schannel.idl                       |   73 +-
 librpc/idl/wscript_build                      |    2 +-
 librpc/rpc/dcerpc_util.c                      |   75 +-
 librpc/rpc/dcesrv_auth.c                      |   71 +-
 librpc/rpc/dcesrv_core.c                      |  107 +-
 librpc/rpc/dcesrv_core.h                      |   10 +
 librpc/rpc/server/netlogon/schannel_util.c    |    6 +-
 python/samba/tests/dcerpc/raw_protocol.py     | 1555 ++++++++++++++++++++++---
 python/samba/tests/dcerpc/raw_testcase.py     |   52 +-
 python/samba/tests/krb5/kdc_base_test.py      |   10 +-
 selftest/expectedfail.d/ntlm-auth             |    4 +
 selftest/expectedfail.d/samba4.rpc.backupkey  |   28 +
 selftest/target/Samba4.pm                     |    1 -
 source3/rpc_client/cli_netlogon.c             |    1 +
 source3/rpc_server/netlogon/srv_netlog_nt.c   |  169 ++-
 source3/rpc_server/rpc_pipes.h                |    6 +
 source3/smbd/close.c                          |    4 +-
 source3/smbd/open.c                           |    7 +-
 source3/winbindd/winbindd_dual.c              |    2 +
 source3/winbindd/winbindd_locator.c           |    9 +
 source3/winbindd/winbindd_proto.h             |    1 +
 source4/dsdb/common/rodc_helper.c             |    2 +-
 source4/dsdb/common/util_trusts.c             |    2 +-
 source4/librpc/rpc/dcerpc_schannel.c          |  333 +++++-
 source4/librpc/wscript_build                  |    7 +
 source4/rpc_server/netlogon/dcerpc_netlogon.c |  343 ++++--
 source4/selftest/tests.py                     |   14 +-
 source4/torture/ntp/ntp_signd.c               |    1 +
 source4/torture/rpc/backupkey.c               |   80 +-
 source4/torture/rpc/forest_trust.c            |   17 +-
 source4/torture/rpc/lsa.c                     |   21 +-
 source4/torture/rpc/netlogon.c                |  194 ++-
 source4/torture/rpc/netlogon_crypto.c         |    7 +-
 source4/torture/rpc/remote_pac.c              |   42 +-
 source4/torture/rpc/samba3rpc.c               |   19 +-
 source4/torture/rpc/samlogon.c                |   38 +-
 source4/torture/rpc/samr.c                    |   21 +-
 source4/torture/rpc/schannel.c                |   85 +-
 source4/torture/smb2/acls.c                   |  124 +-
 source4/torture/smb2/notify.c                 |   34 +-
 third_party/heimdal/lib/gssapi/krb5/8003.c    |   10 +
 60 files changed, 4105 insertions(+), 1057 deletions(-)
 create mode 100644 selftest/expectedfail.d/samba4.rpc.backupkey


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 5ccd19a89c2..e34c965aa18 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2024"
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=21
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index e6db953bedc..4f3ff92965b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,58 @@
+                   ==============================
+                   Release Notes for Samba 4.21.2
+                         November 25, 2024
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.21 release series.
+
+
+Changes since 4.21.1
+--------------------
+
+o  Ralph Boehme <s...@samba.org>
+   * BUG 15732: smbd fails to correctly check sharemode against OVERWRITE
+     dispositions.
+   * BUG 15754: Panic in close_directory.
+
+o  Pavel Filipenský <pfilipen...@samba.org>
+   * BUG 15752: winexe no longer works with samba 4.21.
+
+o  Stefan Metzmacher <me...@samba.org>
+   * BUG 14356: protocol error - Unclear debug message "pad length mismatch" 
for
+     invalid bind packet.
+   * BUG 15425: NetrGetLogonCapabilities QueryLevel 2 needs to be implemented.
+   * BUG 15740: gss_accept_sec_context() from Heimdal does not imply
+     GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE.
+   * BUG 15749: winbindd should call process_set_title() for locator child.
+
+o  Martin Schwenke <mschwe...@ddn.com>
+   * BUG 15320: Update CTDB to track all TCP connections to public IP 
addresses.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.21.1
                           October 14, 2024
@@ -68,8 +123,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.21.0
                          September 02, 2024
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 8008bd0418d..b123c2e986a 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -1074,9 +1074,11 @@ static PyObject *py_creds_get_old_kerberos_key(PyObject 
*self, PyObject *args)
 static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
                                                      PyObject *args)
 {
-       DATA_BLOB data = data_blob_null;
        struct cli_credentials    *creds  = NULL;
        struct netr_CryptPassword *pwd    = NULL;
+       struct samr_CryptPassword spwd;
+       enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+       enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
        NTSTATUS status;
        PyObject *py_cp = Py_None;
 
@@ -1100,9 +1102,18 @@ static PyObject 
*py_creds_encrypt_netr_crypt_password(PyObject *self,
                /* pytalloc_get_type sets TypeError */
                return NULL;
        }
-       data.length = sizeof(struct netr_CryptPassword);
-       data.data   = (uint8_t *)pwd;
-       status = netlogon_creds_session_encrypt(creds->netlogon_creds, data);
+
+       memcpy(spwd.data, pwd->data, 512);
+       PUSH_LE_U32(spwd.data, 512, pwd->length);
+
+       status = 
netlogon_creds_encrypt_samr_CryptPassword(creds->netlogon_creds,
+                                                          &spwd,
+                                                          auth_type,
+                                                          auth_level);
+
+       memcpy(pwd->data, spwd.data, 512);
+       pwd->length = PULL_LE_U32(spwd.data, 512);
+       ZERO_STRUCT(spwd);
 
        PyErr_NTSTATUS_IS_ERR_RAISE(status);
 
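Review bot: The new path writes the literal 512 four times (two memcpy calls, PUSH_LE_U32 and PULL_LE_U32) for the size of `pwd->data`; `sizeof(pwd->data)` would tie the copies to the IDL-generated struct and catch a layout change at compile time, e.g. `memcpy(spwd.data, pwd->data, sizeof(pwd->data));` and `PUSH_LE_U32(spwd.data, sizeof(pwd->data), pwd->length);`. The transport `auth_type`/`auth_level` are fixed to DCERPC_AUTH_TYPE_NONE/DCERPC_AUTH_LEVEL_NONE here, whereas the sibling `encrypt_netr_PasswordInfo` added by the same commit takes them from the caller; if netlogon_creds_encrypt_samr_CryptPassword()'s cipher selection or its error handling depends on those values (not visible in this hunk), this binding cannot express a privacy-protected connection and should either accept optional keyword arguments or state the fixed values in its ml_doc. Note also that `spwd.data` is copied back into `pwd->data` before the status check, so a failed encryption still rewrites the caller's buffer; copying back only on success, or documenting that the buffer is undefined on error, would make the contract clearer.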
@@ -1151,6 +1162,68 @@ static PyObject *py_creds_encrypt_samr_password(PyObject 
*self,
        Py_RETURN_NONE;
 }
 
+static PyObject *py_creds_encrypt_netr_PasswordInfo(PyObject *self,
+                                                   PyObject *args,
+                                                   PyObject *kwargs)
+{
+       const char * const kwnames[] = {
+               "info",
+               "auth_type",
+               "auth_level",
+               NULL
+       };
+       struct cli_credentials *creds = NULL;
+       PyObject *py_info = Py_None;
+       enum netr_LogonInfoClass level = NetlogonInteractiveInformation;
+       union netr_LogonLevel logon = { .password = NULL, };
+       uint8_t auth_type = DCERPC_AUTH_TYPE_NONE;
+       uint8_t auth_level = DCERPC_AUTH_LEVEL_NONE;
+       NTSTATUS status;
+       bool ok;
+
+       creds = PyCredentials_AsCliCredentials(self);
+       if (creds == NULL) {
+               PyErr_Format(PyExc_TypeError, "Credentials expected");
+               return NULL;
+       }
+
+       if (creds->netlogon_creds == NULL) {
+               PyErr_Format(PyExc_ValueError, "NetLogon credentials not set");
+               return NULL;
+       }
+
+       if (!PyArg_ParseTupleAndKeywords(args, kwargs, "Obb",
+                                        discard_const_p(char *, kwnames),
+                                        &py_info, &auth_type, &auth_level))
+       {
+               return NULL;
+       }
+
+       ok = py_check_dcerpc_type(py_info,
+                                 "samba.dcerpc.netlogon",
+                                 "netr_PasswordInfo");
+       if (!ok) {
+               /* py_check_dcerpc_type sets TypeError */
+               return NULL;
+       }
+
+       logon.password = pytalloc_get_type(py_info, struct netr_PasswordInfo);
+       if (logon.password == NULL) {
+               /* pytalloc_get_type sets TypeError */
+               return NULL;
+       }
+
+       status = netlogon_creds_encrypt_samlogon_logon(creds->netlogon_creds,
+                                                      level,
+                                                      &logon,
+                                                      auth_type,
+                                                      auth_level);
+
+       PyErr_NTSTATUS_IS_ERR_RAISE(status);
+
+       Py_RETURN_NONE;
+}
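Review bot: `auth_type` and `auth_level` are parsed with the `b` format into uint8_t and forwarded as enum dcerpc_AuthType/dcerpc_AuthLevel without any range check, so any value 0..255 reaches netlogon_creds_encrypt_samlogon_logon(); whether that helper rejects unknown values is not visible here, and if it does not, a guard such as `if (auth_level > DCERPC_AUTH_LEVEL_PRIVACY) { PyErr_Format(PyExc_ValueError, "invalid auth_level"); return NULL; }` would keep a bad test input from silently selecting the wrong protection level. The logon level is hard-coded to NetlogonInteractiveInformation, which matches the netr_PasswordInfo type check, but a one-line comment above `level` (`/* netr_PasswordInfo is the interactive-logon payload; network logons are not handled here */`) would stop readers expecting this helper to cover other logon levels. Encrypting in place means a caller that reuses the same `info` object across two calls double-encrypts; the docstring already says "in place", so callers in the python tests should build a fresh struct per call.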
+
 static PyObject *py_creds_get_smb_signing(PyObject *self, PyObject *unused)
 {
        enum smb_signing_setting signing_state;
@@ -1684,6 +1757,17 @@ static PyMethodDef py_creds_methods[] = {
                            "the negotiated encryption algorithm in place\n"
                            "i.e. it overwrites the original data"
        },
+       {
+               .ml_name  = "encrypt_netr_PasswordInfo",
+               .ml_meth  = PY_DISCARD_FUNC_SIG(PyCFunction,
+                                       py_creds_encrypt_netr_PasswordInfo),
+               .ml_flags = METH_VARARGS | METH_KEYWORDS,
+               .ml_doc   = "S.encrypt_netr_PasswordInfo(info, "
+                           "auth_type, auth_level) -> None\n"
+                           "Encrypt the supplied password info using the 
session key and\n"
+                           "the negotiated encryption algorithm in place\n"
+                           "i.e. it overwrites the original data"
+       },
        {
                .ml_name  = "get_smb_signing",
                .ml_meth  = py_creds_get_smb_signing,
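Review bot: The new `encrypt_netr_PasswordInfo` entry's ml_doc names the `auth_type` and `auth_level` parameters but does not say what they are or where a Python caller gets the values; the C side treats them as DCERPC transport auth type/level values, so a line such as `"auth_type/auth_level are the DCERPC auth type and level\n" "(DCERPC_AUTH_TYPE_*/DCERPC_AUTH_LEVEL_*) of the connection the\n" "info will be sent over"` appended to the docstring would make the binding usable without reading the C. It would also be worth stating that a mismatch with the actual transport level changes which fields get encrypted, since that is exactly the kind of subtle test-only misconfiguration the new parameters make possible.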
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 378ba3402c4..741d85b9a5e 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1758,6 +1758,7 @@ static NTSTATUS gensec_spnego_update_in(struct 
gensec_security *gensec_security,
                                        const DATA_BLOB in, TALLOC_CTX *mem_ctx,
                                        DATA_BLOB *full_in)
 {
+       DATA_BLOB consume = data_blob_null;
        struct spnego_state *spnego_state =
                talloc_get_type_abort(gensec_security->private_data,
                struct spnego_state);
@@ -1824,17 +1825,26 @@ static NTSTATUS gensec_spnego_update_in(struct 
gensec_security *gensec_security,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       consume = in;
        expected = spnego_state->in_needed - spnego_state->in_frag.length;
-       if (in.length > expected) {
+       if (consume.length > expected) {
+               if (spnego_state->state_position != SPNEGO_SERVER_START) {
+                       /*
+                        * we got more than expected
+                        */
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
                /*
-                * we got more than expected
+                * In SPNEGO_SERVER_START we need to ignore unexpected
+                * bytes at the end.
                 */
-               return NT_STATUS_INVALID_PARAMETER;
+               consume.length = expected;
        }
 
-       if (in.length == spnego_state->in_needed) {
+       if (consume.length == spnego_state->in_needed) {
                /*
-                * if the in.length contains the full blob
+                * if the consume.length contains the full blob
                 * we are done.
                 *
                 * Note: this implies spnego_state->in_frag.length == 0,
@@ -1842,13 +1852,13 @@ static NTSTATUS gensec_spnego_update_in(struct 
gensec_security *gensec_security,
                 *       because we already know that we did not get
                 *       more than expected.
                 */
-               *full_in = in;
+               *full_in = consume;
                spnego_state->in_needed = 0;
                return NT_STATUS_OK;
        }
 
        ok = data_blob_append(spnego_state, &spnego_state->in_frag,
-                             in.data, in.length);
+                             consume.data, consume.length);
        if (!ok) {
                return NT_STATUS_NO_MEMORY;
        }
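Review bot: The new SPNEGO_SERVER_START branch silently truncates `in` to `expected` bytes, so a peer that sends a malformed or padded initial token is now accepted without any trace in the logs; since the commit deliberately relaxes a previously strict rejection, a debug line such as `DBG_DEBUG("ignoring %zu trailing bytes after the initial token\n", in.length - expected);` immediately before `consume.length = expected;` would keep the condition observable for troubleshooting and detection. The explanatory comment should also say why trailing bytes are tolerated only in the server-start state (presumably interoperability with a client that pads the first token, but the hunk does not say), because the original "we got more than expected" rejection is what a reader would expect here. Whether the caller learns that fewer than `in.length` bytes were consumed is outside this hunk; if gensec_update() callers assume the whole input was processed, the dropped tail should be documented as intentionally discarded rather than deferred.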
diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
index 745f2628d21..c9360a5fa2d 100644
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -36,6 +36,8 @@ struct auth_session_info;
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
+#define NTLMSSP_MAX_UPDATE_SIZE 2888
+
 /**
  * Callbacks for NTLMSSP - for both client and server operating modes
  *
@@ -136,6 +138,13 @@ static NTSTATUS gensec_ntlmssp_update_find(struct 
gensec_security *gensec_securi
                }
        }
 
+       if (input.length > NTLMSSP_MAX_UPDATE_SIZE) {
+               DBG_WARNING("reject large command=%u message, length %zu > 
%u)\n",
+                           ntlmssp_command, input.length,
+                           NTLMSSP_MAX_UPDATE_SIZE);
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        if (ntlmssp_command != gensec_ntlmssp->ntlmssp_state->expected_state) {
                DEBUG(2, ("got NTLMSSP command %u, expected %u\n", 
ntlmssp_command,
                          gensec_ntlmssp->ntlmssp_state->expected_state));
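Review bot: The DBG_WARNING format string in the new size check has an unbalanced closing parenthesis: `"reject large command=%u message, length %zu > %u)\n"` should read `"reject large command=%u message, length %zu > %u\n"` (or gain the matching `(`). NTLMSSP_MAX_UPDATE_SIZE is introduced as a bare `#define` of 2888 with no explanation, while the same commit removes the UINT16_MAX checks from ntlmssp_client.c and ntlmssp_server.c, so this single constant is now the only bound on inbound NTLMSSP messages; a comment above the define stating how 2888 was derived (for example the largest legitimate AUTHENTICATE message the code expects, if that is the reasoning) would let maintainers judge whether it still holds when new AV_PAIRs or channel bindings grow the message. Minor: the constant is an `int` printed with `%u`; `%d`, or defining it as `2888U`, would make the format match the type.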
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index a50ff661f5f..8c2a1f9c0aa 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -142,12 +142,6 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct 
gensec_security *gensec_security,
 
        /* parse the NTLMSSP packet */
 
-       if (in.length > UINT16_MAX) {
-               DEBUG(1, ("%s: reject large request of length %u\n",
-                       __func__, (unsigned int)in.length));
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-
        ok = msrpc_parse(ntlmssp_state, &in, "Cdd",
                         "NTLMSSP",
                         &ntlmssp_command,
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 1e49379a8ed..2e25c4efab5 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -124,12 +124,6 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct 
gensec_security *gensec_security
 #endif
 
        if (request.length) {
-               if (request.length > UINT16_MAX) {
-                       DEBUG(1, ("ntlmssp_server_negotiate: reject large 
request of length %u\n",
-                               (unsigned int)request.length));
-                       return NT_STATUS_INVALID_PARAMETER;
-               }
-
                if ((request.length < 16) || !msrpc_parse(ntlmssp_state, 
&request, "Cdd",
                                                          "NTLMSSP",
                                                          &ntlmssp_command,
diff --git a/ctdb/config/events/legacy/10.interface.script 
b/ctdb/config/events/legacy/10.interface.script
index fdc559ee1c8..dfd796563fd 100755
--- a/ctdb/config/events/legacy/10.interface.script
+++ b/ctdb/config/events/legacy/10.interface.script
@@ -247,6 +247,8 @@ ipreallocated)
 
 monitor)
        monitor_interfaces || exit 1
+
+       update_tickles
        ;;
 esac
 
diff --git a/ctdb/config/events/legacy/60.nfs.script 
b/ctdb/config/events/legacy/60.nfs.script
index 246a856bca8..7d03a2a50f2 100755
--- a/ctdb/config/events/legacy/60.nfs.script
+++ b/ctdb/config/events/legacy/60.nfs.script
@@ -338,7 +338,6 @@ monitor)
                        exit $?
        fi
 
-       update_tickles 2049
        nfs_update_lock_info
 
        nfs_check_services
diff --git a/ctdb/config/functions b/ctdb/config/functions
index ef79dbf2162..4139059a3d3 100755
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@@ -499,7 +499,7 @@ ctdb_check_unix_socket()
                return 1
        fi
 
-       _out=$(ss -l -x "src ${_sockpath}" | tail -n +2)
+       _out=$(ss -l -xH "src ${_sockpath}")
        if [ -z "$_out" ]; then
                echo "ERROR: ${service_name} not listening on ${_sockpath}"
                return 1
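Review bot: Replacing `tail -n +2` with `ss -H` makes the script depend on an iproute2 that supports `--no-header`, which older distributions ship without; commit 5920d47149c ("Remove superseded compatibility code") implies this is deliberate, but the minimum supported `ss` version is not recorded anywhere in the hunk. A one-line comment above the call, e.g. `# ss -H (--no-header) requires a reasonably recent iproute2; older versions are no longer supported`, or a note in the CTDB platform requirements, would save the next person debugging an "invalid option" failure on an old platform.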
@@ -602,7 +602,7 @@ get_tcp_connections_for_ip()
 {
        _ip="$1"
 
-       ss -tn state established "src [$_ip]" | awk 'NR > 1 {print $3, $4}'
+       ss -tnH state established "src [$_ip]" | awk '{print $3, $4}'
 }
 
 ########################################################
@@ -1176,49 +1176,39 @@ nfs_callout()
 
 update_tickles()
 {
-       _port="$1"
-
        tickledir="${CTDB_SCRIPT_VARDIR}/tickles"
        mkdir -p "$tickledir"
 
-       # What public IPs do I hold?
-       _pnn=$(ctdb_get_pnn)
-       _ips=$($CTDB -X ip | awk -F'|' -v pnn="$_pnn" '$3 == pnn {print $2}')
+       # If not hosting any public IPs then can't have any connections...
+       if [ ! -s "$CTDB_MY_PUBLIC_IPS_CACHE" ]; then
+               return
+       fi
 
-       # IPs and port as ss filters
+       # IPs ss filter
        _ip_filter=""
-       for _ip in $_ips; do
+       while read -r _ip; do
                _ip_filter="${_ip_filter}${_ip_filter:+ || }src [${_ip}]"
-       done
-       _port_filter="sport == :${_port}"
+       done <"$CTDB_MY_PUBLIC_IPS_CACHE"
+
+       # Record our current tickles in a temporary file
+       _my_tickles="${tickledir}/all.tickles.$$"
+       while read -r _i; do
+               $CTDB -X gettickles "$_i" |
+                       awk -F'|' 'NR > 1 { printf "%s:%s %s:%s\n", $2, $3, $4, 
$5 }'
+       done <"$CTDB_MY_PUBLIC_IPS_CACHE" |
+               sort >"$_my_tickles"
 
        # Record connections to our public IPs in a temporary file.
        # This temporary file is in CTDB's private state directory and
        # $$ is used to avoid a very rare race involving CTDB's script
        # debugging.  No security issue, nothing to see here...
-       _my_connections="${tickledir}/${_port}.connections.$$"
-       # Parentheses are needed around the filters for precedence but
+       _my_connections="${tickledir}/all.connections.$$"
+       # Parentheses are needed around the IP filter for precedence but
        # the parentheses can't be empty!
-       #
-       # Recent versions of ss print square brackets around IPv6
-       # addresses.  While it is desirable to update CTDB's address
-       # parsing and printing code, something needs to be done here
-       # for backward compatibility, so just delete the brackets.
-       ss -tn state established \
-               "${_ip_filter:+( ${_ip_filter} )}" \
-               "${_port_filter:+( ${_port_filter} )}" |
-               awk 'NR > 1 {print $4, $3}' |
-               tr -d '][' |
+       ss -tnH state established "${_ip_filter:+( ${_ip_filter} )}" |
+               awk '{print $4, $3}' |
                sort >"$_my_connections"
 
-       # Record our current tickles in a temporary file
-       _my_tickles="${tickledir}/${_port}.tickles.$$"
-       for _i in $_ips; do
-               $CTDB -X gettickles "$_i" "$_port" |
-                       awk -F'|' 'NR > 1 { printf "%s:%s %s:%s\n", $2, $3, $4, 
$5 }'
-       done |
-               sort >"$_my_tickles"
-
        # Add tickles for connections that we haven't already got tickles for
        comm -23 "$_my_connections" "$_my_tickles" |
                $CTDB addtickle
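Review bot: Dropping `tr -d '][' ` means `ss` output for IPv6 public IPs now reaches `$CTDB addtickle` in the `[addr]:port` form, while the tickle side is built from `ctdb gettickles` via the awk `%s:%s` format; unless both sides print brackets identically, the `comm -23` comparison will see the same connection as two different strings and add a tickle for it on every monitor pass. The commit message says the compatibility code is superseded, so presumably ctdb's address parser and printer now use the bracketed form, but that is not visible here and deserves a short comment where the old explanation was deleted, e.g. `# ss prints IPv6 addresses in square brackets; ctdb's addtickle parser and gettickles output use the same form`. The early `return` when `$CTDB_MY_PUBLIC_IPS_CACHE` is empty or missing sits after `mkdir -p "$tickledir"`, which is harmless but means a node that never hosts IPs still creates the directory; moving the check above the mkdir would be tidier. The tail of update_tickles, including removal of the temporary files, lies outside this hunk.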
diff --git a/ctdb/server/ctdb_takeover.c b/ctdb/server/ctdb_takeover.c
index 2176c6ab806..ad543452e62 100644
--- a/ctdb/server/ctdb_takeover.c
+++ b/ctdb/server/ctdb_takeover.c
@@ -1504,27 +1504,40 @@ static struct ctdb_connection *ctdb_tcp_find(struct 
ctdb_tcp_array *array,
   clients managing that should tickled with an ACK when IP takeover is
   done
  */
-int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, TDB_DATA indata, bool 
tcp_update_needed)
+int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb,
+                            TDB_DATA indata,
+                            bool tcp_update_needed)
 {
        struct ctdb_connection *p = (struct ctdb_connection *)indata.dptr;
        struct ctdb_tcp_array *tcparray;
        struct ctdb_connection tcp;
        struct ctdb_vnn *vnn;
+       char conn_str[132] = { 0, };
+       int ret;
 
        /* If we don't have public IPs, tickles are useless */
        if (ctdb->vnn == NULL) {
                return 0;
        }
 
+       ret = ctdb_connection_to_buf(conn_str,
+                                    sizeof(conn_str),
+                                    p,
+                                    false,
+                                    " -> ");
+       if (ret != 0) {
+               strlcpy(conn_str, "UNKNOWN", sizeof(conn_str));
+       }
+
        vnn = find_public_ip_vnn(ctdb, &p->dst);
        if (vnn == NULL) {
-               DEBUG(DEBUG_INFO,(__location__ " got TCP_ADD control for an 
address which is not a public address '%s'\n",
-                       ctdb_addr_to_str(&p->dst)));
+               DBG_INFO("Attempt to add connection %s "
+                        "but destination is not a public address\n",
+                        conn_str);
 
                return -1;
        }
 
-
        tcparray = vnn->tcp_array;
 
        /* If this is the first tickle */
@@ -1534,7 +1547,8 @@ int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, 
TDB_DATA indata, bool tc
                vnn->tcp_array = tcparray;
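Review bot: `p` is cast straight from `indata.dptr` and dereferenced in `ctdb_connection_to_buf()` and `find_public_ip_vnn()` without a visible check that `indata.dsize == sizeof(struct ctdb_connection)`; if the control dispatcher does not already enforce the payload size (it is not shown in this hunk), a guard such as `if (indata.dsize != sizeof(*p)) { DBG_ERR("wrong size for TCP_ADD control\n"); return -1; }` before the first use would prevent an out-of-bounds read on a short control. The buffer `char conn_str[132]` uses a magic size; a comment or named constant giving the derivation (two IPv6 address/port strings plus the " -> " separator, if that is the intent) would help, and since `ctdb_connection_to_buf()` reports failure the "UNKNOWN" fallback is a reasonable way to keep the log line. The function continues past the end of this hunk.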


-- 
Samba Shared Repository
