The branch, master has been updated
       via  fc9f0cd1ae1 s3: Fix use of dbwrap_transaction_cancel() in machine_account_secrets.c
       via  38f15aa8fc5 pylibsmb: avoid unnecessary check of sid/gid counts
       via  7fe963e320b ldb_tdb: wrap can cope with NULL path
       via  2bc5f08a33b python:join: do not suppress unexpected DNS enum errors
       via  e06b36fbdf7 pyldb: consistent results in py_ldb_msg_richcmp
       via  ae0461ebe89 dsdb:group_audit: log_membership_changes: match doxygen to code
       via  48e91df600d lib/compression: add a windows python script for test vectors
       via  3c53430eed4 s4/dns/dlz: log when falling back to obsolete dns ldb path
      from  9152c08955c .github: CodeQL triggers on current branches

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit fc9f0cd1ae14f5ce1dd48a7e9287a70e9abc948b
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Feb 20 20:33:19 2025 +0100

    s3: Fix use of dbwrap_transaction_cancel() in machine_account_secrets.c

    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Sat Mar 29 19:02:35 UTC 2025 on atb-devel-224

commit 38f15aa8fc5db43468cfeed6c6c3ba0e36742f43
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Mar 7 12:01:14 2025 +1300

    pylibsmb: avoid unnecessary check of sid/gid counts

    This causes compiler conniptions because the check is tautologically
    false with 64 bit size_t, while a 32 bit ssize_t that wraps to a
    negative number is rejected by PyList_New(). Besides which, out of
    bounds access is blocked by PyList_SetItem(), and talloc won't create
    arrays that large.

    The trouble is picky compilers can say things like:

    ../../source3/libsmb/pylibsmb.c: In function ‘py_smb_posix_whoami’:
    ../../source3/libsmb/pylibsmb.c:2226:22: warning: comparison is always false due to limited range of data type [-Wtype-limits]
     2226 |         if (num_gids > PY_SSIZE_T_MAX) {

    which draws endless but useless developer attention.

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 7fe963e320b7c4f391a4fbd4668666c816e531e8
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Thu Nov 28 09:33:16 2024 +1300

    ldb_tdb: wrap can cope with NULL path

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 2bc5f08a33b91077636e2f21977fbccbc31d5664
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Sat Aug 10 10:37:24 2024 +1200

    python:join: do not suppress unexpected DNS enum errors

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit e06b36fbdf7d3dc442304ba1f38c813e15706309
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Mon Jun 24 23:02:45 2024 +1200

    pyldb: consistent results in py_ldb_msg_richcmp

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit ae0461ebe892f7b83c19ac699feb5ecb5f500e53
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Wed Jan 18 10:13:23 2023 +1300

    dsdb:group_audit: log_membership_changes: match doxygen to code

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 48e91df600dfc1a0125381b9995da95628097318
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Dec 23 21:36:26 2022 +1300

    lib/compression: add a windows python script for test vectors

    The C program we have (generate-windows-test-vectors.c) uses a higher
    level API than MS-XCA refers to, which plays tricks like refusing to
    do compression if the result would be larger than the original. It
    does that because I could not successfully compile something using
    the correct RtlCompressBuffer API in Cygwin.

    It turns out you don't need to compile anything; using the Python
    ctypes library, the Windows libraries are available to Python.

    The compression *is* the same, which is what we expected.

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 3c53430eed4fb7f1b5975908495c03947065749b
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Jan 20 13:07:43 2023 +1300

    s4/dns/dlz: log when falling back to obsolete dns ldb path

    Prior to 4.8 or so, the dlz dns files were kept in samba/private, but
    sharing those files is a bit less than private so a new bind-dns
    directory was added. As part of that patch set efforts were made to
    fallback gracefully to the old locations. But now that silent grace is
    causing confusion; the time has come to fallback resentfully.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15288

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Ralph Boehme <s...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .../tests/scripts/generate-windows-test-vectors.py | 155 +++++++++++++++++++++
 lib/ldb/ldb_tdb/ldb_tdb_wrap.c                     |   2 +-
 lib/ldb/pyldb.c                                    |  20 +--
 python/samba/join.py                               |   3 +
 source3/libsmb/pylibsmb.c                          |   8 --
 source3/passdb/machine_account_secrets.c           |   3 +-
 source4/dns_server/dlz_bind9.c                     |   5 +
 source4/dsdb/samdb/ldb_modules/group_audit.c       |   5 +-
 8 files changed, 178 insertions(+), 23 deletions(-)
 create mode 100644 lib/compression/tests/scripts/generate-windows-test-vectors.py

Changeset truncated at 500 lines:

diff --git a/lib/compression/tests/scripts/generate-windows-test-vectors.py b/lib/compression/tests/scripts/generate-windows-test-vectors.py new file mode 100644 index 00000000000..b5da5b830bc --- /dev/null +++ b/lib/compression/tests/scripts/generate-windows-test-vectors.py 
@@ -0,0 +1,155 @@ +# Generate test vectors for Windows LZ77 Huffman compression. +# +# Copyright (c) 2022 Catalyst IT +# +# GPLv3+. +# +# This uses the Python ctypes module to access the lower level RTL +# compression functions. + +import sys +import argparse +from ctypes import create_string_buffer, byref, windll +from ctypes.wintypes import USHORT, ULONG, LONG, PULONG, LPVOID, CHAR +NTSTATUS = LONG + + +METHODS = { + 'LZNT1': 2, + 'XPRESS_PLAIN': 3, + 'XPRESS_HUFF': 4, + '2': 2, + '3': 3, + '4': 4 +} + + +class RtlError(Exception): + pass + + +def ntstatus_check(status, f, args): + # 0x117 is STATUS_BUFFER_ALL_ZEROS + status &= 0xffffffff + if status in (0, 0x117): + return status + msg = { + 0xC0000023: "buffer too small", + 0xC0000242: "bad compression data", + }.get(status, '') + + raise RtlError(f'NTSTATUS: {status:08X} {msg}') + + +def wrap(f, result, *args): + f.restype = result + f.argtypes = args + f.errcheck = ntstatus_check + return f + + +CompressBuffer = wrap(windll.ntdll.RtlCompressBuffer, NTSTATUS, + USHORT, LPVOID, ULONG, LPVOID, ULONG, ULONG, PULONG, + LPVOID) + + +GetCompressionWorkSpaceSize = wrap(windll.ntdll.RtlGetCompressionWorkSpaceSize, + NTSTATUS, + USHORT, PULONG, PULONG) + + +DecompressBufferEx = wrap(windll.ntdll.RtlDecompressBufferEx, + NTSTATUS, + USHORT, LPVOID, ULONG, LPVOID, ULONG, PULONG, LPVOID) + + +def compress(data, format, effort=0): + flags = USHORT(format | effort) + workspace_size = ULONG(0) + fragment_size = ULONG(0) + comp_len = ULONG(0) + GetCompressionWorkSpaceSize(flags, + byref(workspace_size), + byref(fragment_size)) + workspace = create_string_buffer(workspace_size.value) + output_len = len(data) * 9 // 8 + 260 + output_buf = bytearray(output_len) + CompressBuffer(flags, + (CHAR * 1).from_buffer(data), len(data), + (CHAR * 1).from_buffer(output_buf), output_len, + 4096, + byref(comp_len), + workspace) + return output_buf[:comp_len.value] + + +def decompress(data, format, target_size=None): + flags = USHORT(format) 
+ workspace_size = ULONG(0) + fragment_size = ULONG(0) + decomp_len = ULONG(0) + GetCompressionWorkSpaceSize(flags, + byref(workspace_size), + byref(fragment_size)) + workspace = create_string_buffer(workspace_size.value) + if target_size is None: + output_len = len(data) * 10 + else: + output_len = target_size + output_buf = bytearray(output_len) + + DecompressBufferEx(format, + (CHAR * 1).from_buffer(output_buf), len(output_buf), + (CHAR * 1).from_buffer(data), len(data), + byref(decomp_len), + workspace) + return output_buf[:decomp_len.value] + + +def main(): + if sys.getwindowsversion().major < 7: + print("this probably won't work on your very old version of Windows\n" + "but we'll try anyway!", file=sys.stderr) + + parser = argparse.ArgumentParser() + parser.add_argument('-d', '--decompress', action='store_true', + help='decompress instead of compress') + parser.add_argument('-m', '--method', default='XPRESS_HUFF', + choices=list(METHODS.keys()), + help='use this compression method') + parser.add_argument('-e', '--extra-effort', action='store_true', + help='use extra effort to compress') + + parser.add_argument('-s', '--decompressed-size', type=int, + help=('decompress to this size ' + '(required for XPRESS_HUFF')) + + parser.add_argument('-o', '--output', + help='write to this file') + parser.add_argument('-i', '--input', + help='read data from this file') + + args = parser.parse_args() + + method = METHODS[args.method] + + if all((args.decompress, + args.decompressed_size is None, + method == 4)): + print("a size is required for XPRESS_HUFF decompression") + sys.exit(1) + + with open(args.input, 'rb') as f: + data = bytearray(f.read()) + + if args.decompress: + output = decompress(data, method, args.decompressed_size) + else: + effort = 1 if args.extra_effort else 0 + output = compress(data, method, effort) + + with open(args.output, 'wb') as f: + f.write(output) + + +main() 
diff --git a/lib/ldb/ldb_tdb/ldb_tdb_wrap.c b/lib/ldb/ldb_tdb/ldb_tdb_wrap.c index bc702a22584..1de1f4723de 100644 --- a/lib/ldb/ldb_tdb/ldb_tdb_wrap.c +++ b/lib/ldb/ldb_tdb/ldb_tdb_wrap.c @@ -103,7 +103,7 @@ struct tdb_context *ltdb_wrap_open(TALLOC_CTX *mem_ctx, struct tdb_logging_context lctx; struct stat st; - if (stat(path, &st) == 0) { + if (path != NULL && stat(path, &st) == 0) { for (w=tdb_list;w;w=w->next) { if (st.st_dev == w->device && st.st_ino == w->inode) { pid_t pid = getpid(); diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index 8acb51705f1..9acea901558 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -4445,18 +4445,18 @@ static PyObject *py_ldb_msg_richcmp(PyLdbMessageObject *py_msg1, PyErr_LDB_MESSAGE_OR_RAISE(py_msg1, msg1); PyErr_LDB_MESSAGE_OR_RAISE(py_msg2, msg2); /* - * FIXME: this can be a non-transitive compare, unsuitable for - * sorting. + * If the DNs are different, sort by DN. * - * supposing msg1, msg2, and msg3 have 1, 2, and 3 elements - * each. msg2 has a NULL DN, while msg1 has a DN that compares - * higher than msg3. Then: - * - * msg1 < msg2, due to num_elements. - * msg2 < msg3, due to num_elements. - * msg1 > msg3, due to DNs. + * NULL DNs sort to the end. Note that if there are multiple messages + * with NULL DNs, they sort normally by the other attributes. */ - if ((msg1->dn != NULL) || (msg2->dn != NULL)) { + if (msg1->dn != msg2->dn) { + if (msg1->dn == NULL) { + return richcmp(-1, op); + } + if (msg2->dn == NULL) { + return richcmp(1, op); + } ret = ldb_dn_compare(msg1->dn, msg2->dn); if (ret != 0) { return richcmp(ret, op); diff --git a/python/samba/join.py b/python/samba/join.py index 7b09445a52a..3ea188682dc 100644 --- a/python/samba/join.py +++ b/python/samba/join.py @@ -1210,6 +1210,9 @@ class DCJoinContext(object): except WERRORError as e: if e.args[0] == werror.WERR_DNS_ERROR_NAME_DOES_NOT_EXIST: name_found = False + else: + print(e) + raise if name_found: for rec in res.rec: 
diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c index bfbddbd5e7b..c6c8f008350 100644 --- a/source3/libsmb/pylibsmb.c +++ b/source3/libsmb/pylibsmb.c @@ -2499,14 +2499,6 @@ static PyObject *py_smb_posix_whoami(struct py_cli_state *self, PyErr_SetNTSTATUS(status); goto fail; } - if (num_gids > PY_SSIZE_T_MAX) { - PyErr_SetString(PyExc_OverflowError, "posix_whoami: Too many GIDs"); - goto fail; - } - if (num_sids > PY_SSIZE_T_MAX) { - PyErr_SetString(PyExc_OverflowError, "posix_whoami: Too many SIDs"); - goto fail; - } py_gids = PyList_New(num_gids); if (!py_gids) { diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c index 0679535f026..971dd15aa5f 100644 --- a/source3/passdb/machine_account_secrets.c +++ b/source3/passdb/machine_account_secrets.c @@ -1516,7 +1516,6 @@ NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain, if (ret != 0) { DBG_ERR("dbwrap_transaction_commit() failed for %s\n", domain); - dbwrap_transaction_cancel(db); TALLOC_FREE(frame); return NT_STATUS_INTERNAL_DB_ERROR; } @@ -1711,6 +1710,7 @@ NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname, next = talloc_zero(frame, struct secrets_domain_info1_change); if (next == NULL) { DBG_ERR("talloc_zero failed\n"); + dbwrap_transaction_cancel(db); TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } @@ -1773,7 +1773,6 @@ NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname, status = sync_pw2keytabs_fn(); if (!NT_STATUS_IS_OK(status)) { DBG_ERR("Sync of machine password failed.\n"); - dbwrap_transaction_cancel(db); TALLOC_FREE(frame); return status; } diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c index 02de7dae796..e5c9679835e 100644 --- a/source4/dns_server/dlz_bind9.c +++ b/source4/dns_server/dlz_bind9.c 
@@ -727,6 +727,11 @@ _PUBLIC_ isc_result_t dlz_create(const char *dlzname, } if (!file_exist(state->options.url)) { + dlz_bind9_state->log(ISC_LOG_ERROR, + "samba_dlz: dlz_create could not find '%s'; " + "trying old location '%s/dns/sam.ldb' instead", + state->options.url, + lpcfg_private_dir(state->lp)); state->options.url = talloc_asprintf(state, "%s/dns/sam.ldb", lpcfg_private_dir(state->lp)); diff --git a/source4/dsdb/samdb/ldb_modules/group_audit.c b/source4/dsdb/samdb/ldb_modules/group_audit.c index 7f979d1392b..70e76528a7d 100644 --- a/source4/dsdb/samdb/ldb_modules/group_audit.c +++ b/source4/dsdb/samdb/ldb_modules/group_audit.c @@ -663,8 +663,9 @@ static enum event_id_type get_add_member_event(uint32_t group_type) * * @param module The ldb module. * @param request The request being logged. - * @param action Description of the action being performed. - * @param user The linearized form of the users DN + * @param el element with new memberships. + * @param old_el element with previous memberships. + * @param group_type group type flags. * @param status the LDB status code for the processing of the request. * */ -- Samba Shared Repository
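
Review bot: in lib/compression/tests/scripts/generate-windows-test-vectors.py, main() opens args.input and args.output unconditionally, but neither -i/--input nor -o/--output is marked required, so running the script without them ends in a TypeError from open(None, ...) instead of a usage message; adding required=True to both add_argument calls would fix that. In the same hunk, decompress() builds flags = USHORT(format) for the workspace query but then passes the bare format to DecompressBufferEx, the help string '(required for XPRESS_HUFF' is missing its closing parenthesis, and (CHAR * 1).from_buffer(data) raises on an empty input file, which deserves a guard or a clear error.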
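
Review bot: in lib/ldb/ldb_tdb/ldb_tdb_wrap.c (ltdb_wrap_open), the new path != NULL test only skips the lookup in tdb_list, which leaves st uninitialised for a NULL path; any later use of st.st_dev or st.st_ino outside this hunk should be checked for that case. A one-line comment saying when path is legitimately NULL would also help, since the commit message has no body.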
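
Review bot: in lib/ldb/pyldb.c (py_ldb_msg_richcmp), the new comment says "NULL DNs sort to the end", but the code returns richcmp(-1, op) when msg1->dn is NULL. If richcmp() uses the same sign convention as the ldb_dn_compare() result passed to it a few lines below, -1 orders msg1 before msg2, which puts NULL DNs first. Either swap the -1 and 1, or change the comment to say NULL DNs sort to the start.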
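
Review bot: in python/samba/join.py (DCJoinContext), the new else branch calls print(e) immediately before raise, so the error is written to stdout and then reported again by whatever handles the re-raised WERRORError. Keeping only the raise would be enough.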
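
Review bot: in source3/libsmb/pylibsmb.c (py_smb_posix_whoami), with the PY_SSIZE_T_MAX checks gone the only visible guard on num_gids is the NULL check after PyList_New(num_gids). A short comment at that call saying this is where an out-of-range count is rejected would stop the explicit checks being reintroduced later; the same applies to num_sids.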
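
Review bot: in source3/passdb/machine_account_secrets.c, hunk @@ -1516 (secrets_fetch_or_upgrade_domain_info), the dbwrap_transaction_cancel(db) after a failed dbwrap_transaction_commit() is removed without explanation, and the commit message has no body. If the reason is that the transaction is already finished once commit has returned, a short comment at this error path or a sentence in the commit message should say so.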
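
Review bot: in source3/passdb/machine_account_secrets.c, hunk @@ -1711 (secrets_prepare_password_change), the talloc_zero failure path now repeats the cancel, TALLOC_FREE(frame), return sequence by hand, a pattern that is easy to get wrong, as the missing cancel fixed here shows. A single fail: label that cancels the transaction and frees the frame would keep the early returns inside the transaction consistent.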
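
Review bot: in source3/passdb/machine_account_secrets.c, hunk @@ -1773 (secrets_prepare_password_change), the sync_pw2keytabs_fn() failure path drops its dbwrap_transaction_cancel(db), but the lines in this hunk do not show whether the transaction has already been committed at this point. If it has, say so in a comment next to the call; if it has not, the cancel is still needed.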
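
Review bot: in source4/dns_server/dlz_bind9.c (dlz_create), the new message is logged through dlz_bind9_state->log while every other line in the hunk works on the local state; unless dlz_bind9_state is guaranteed to be non-NULL this early in dlz_create, this should be state->log(...). The fallback format "%s/dns/sam.ldb" also now appears twice, so building the fallback path once into a local and using it for both the log message and the assignment would keep the two from drifting apart.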