[SCM] Samba Shared Repository - branch master updated
"$_progname" "$_version" "$_family" || + return $? + done + else + ctdb_check_rpc "$_progname" "" "$_family" || return $? + fi + done } ## # use statd-callout to update NFS lock info ## -nfs_update_lock_info () +nfs_update_lock_info() { -if [ -x "$CTDB_BASE/statd-callout" ] ; then - "$CTDB_BASE/statd-callout" update -fi + if [ -x "$CTDB_BASE/statd-callout" ]; then + "$CTDB_BASE/statd-callout" update + fi } ## @@ -257,6 +265,10 @@ nfs_callout_init "$script_state_dir" case "$1" in startup) + if [ -x "${CTDB_BASE}/statd-callout" ] ; then + "${CTDB_BASE}/statd-callout" startup + fi + nfs_callout "$@" || exit $? ;; @@ -279,7 +291,7 @@ releaseip) ;; ipreallocated) - if ctdb_service_needs_reconfigure ; then + if ctdb_service_needs_reconfigure; then ctdb_service_reconfigure fi ;; @@ -288,9 +300,9 @@ monitor) nfs_callout "monitor-pre" || exit $? # Check that directories for shares actually exist - if [ "$CTDB_NFS_SKIP_SHARE_CHECK" != "yes" ] ; then - nfs_callout "monitor-list-shares" | ctdb_check_directories || \ - exit $? + if [ "$CTDB_NFS_SKIP_SHARE_CHECK" != "yes" ]; then + nfs_callout "monitor-list-shares" | ctdb_check_directories || + exit $? fi update_tickles 2049 @@ -299,7 +311,7 @@ monitor) nfs_check_services nfs_callout "monitor-post" || exit $? - ;; + ;; esac exit 0 diff --git a/ctdb/config/functions b/ctdb/config/functions index e76082b7cb3..fbb1e284020 100755 --- a/ctdb/config/functions +++ b/ctdb/config/functions 
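Review bot: In the `startup)` branch added by the `-257,6 +265,10` hunk, the exit status of `"${CTDB_BASE}/statd-callout" startup` is discarded, while the `nfs_callout "$@" || exit $?` right after it propagates failure. If the callout's startup step fails, the event presumably still reports success, so either use `"${CTDB_BASE}/statd-callout" startup || exit $?` or add a comment such as `# best-effort: a statd-callout startup failure must not fail the event` to record that this is intended. The added test is also written `] ; then`, whereas the other hunks of this diff normalise to `]; then`. The enclosing `case` statement starts outside the hunk.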
@@ -269,6 +269,59 @@ ctdb_get_ip_address() cat "$_ip_addr_file" } +# Cache of public IP addresses assigned to this node. This function +# exists mainly so statd-callout does not need to talk to ctdbd, so +# can be run as non-root, but it may be used in other places. This +# must be updated/refreshed on failover. This is done in +# 10.interface, but doing it in "ipreallocated" isn't enough because +# clients may connect as soon as "takeip" completes. Also, the VNN in +# the daemon is only updated after the "releaseip" event completes, so +# "ctdb -X ip" can't be relied on there. Hence, complex updates +# involving locking for "takeip" & "releaseip". A future +# restructuring of the failover model will obsolete all of these +# moving parts. +CTDB_MY_PUBLIC_IPS_CACHE="${CTDB_SCRIPT_VARDIR}/my-public-ip-addresses" +update_my_public_ip_addresses() +{ + _event="$1" + + _f="$CTDB_MY_PUBLIC_IPS_CACHE" + _lock="${_f}.lock" + -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 9d80c928b01 s4:nbt_server: simulate nmbd and provide unexpected handling via 6a673a35ea0 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs via 82f73dc2312 s4:libcli/dgram: make use of socket_address_copy() via 40fe6480d0d s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages via cf37f9f5272 libcli/nbt: add nbt_name_send_raw() via b440c11ea0f s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL via b0c2389c886 s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}() via 234df77ae0a s3:libsmb/unexpected: don't use talloc_tos() in async code via 2f73d251e0c s3:wscript: LIBNMB requires lp_ functions via 27e4297f4c7 s3:include: split out fstring.h via 260d1bbacf8 s3:include: let nameserv.h be useable on its own via 4257e3b8fef s3:libads: avoid changing ADS->server.workgroup via ba361b11d2e s3:libsmb: allow store_cldap_reply() to work with a ipv6 response via 0d0fbf2bb86 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send() via 2954489bd56 s3:utils: let smbstatus report anonymous signing/encryption explicitly via 9530c418a38 s3:smbd: allow anonymous encryption after one authenticated session setup via 610e11af858 s3:utils: let smbstatus also report partial tcon signing/encryption via 6fbf5deb559 s3:utils: let smbstatus also report AES-256 encryption types for tcons via c547e0c0ff7 s3:utils: let connections_forall_read() report if the session was authenticated via fe91ed785ed s3:lib: let sessionid_traverse_read() report if the session was authenticated via 716a0443c9f s3:utils: remove unused signing_flags in connections_forall() via cd05e7ed937 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}} via b945f645732 s4:libcli/smb2: add hack to test anonymous signing and encryption via b7606714959 smbXcli_base: add hacks to test anonymous signing and encryption via dfcbd88504d tests/ntacls: 
unblock failing gitlab pipelines because test_setntacl_forcenative via 1b21c09d513 .gitlab-ci-main.yml: debug kernel details of the current runner via d5638013962 .gitlab-ci: Remove tags no longer provided by gitlab.com from 9b6bc91254c VERSION: Bump version up to Samba 4.20.2... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 9d80c928b0196839035c0272c0945aad8a3b461a Author: Stefan Metzmacher Date: Wed Feb 14 12:34:48 2024 +0100 s4:nbt_server: simulate nmbd and provide unexpected handling This is needed in order to let nbt_getdc() work against another AD DC and get back a modern response with DNS based names. Instead of falling back to the ugly name_status_find() that simulates just an NETLOGON_SAM_LOGON_RESPONSE_NT40 response. This way dsgetdcname() can work with just the netbios domain name given and still return an active directory response. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 796f33c05a0ca337b675b5d4d127f7c53b22528f) Autobuild-User(v4-20-test): Stefan Metzmacher Autobuild-Date(v4-20-test): Thu May 30 10:57:04 UTC 2024 on atb-devel-224 commit 6a673a35ea0a5d79526b96ed462cd7d0d916abbb Author: Stefan Metzmacher Date: Wed Feb 14 13:49:21 2024 +0100 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1) commit 82f73dc23127c033346604fdfc94d5bf94295375 Author: Stefan Metzmacher Date: Thu Feb 15 17:47:45 2024 +0100 s4:libcli/dgram: make use of socket_address_copy() This avoids talloc_reference... 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 77f4f1c7dbaa2bb04d59d908923f6d11fd514da2) commit 40fe6480d0d4c0dc00b05e8c52b234243c4e652b Author: Stefan Metzmacher Date: Thu Feb 15 16:42:16 2024 +0100 s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 11861bcfc3054894bc445e631ae03befb4865db8) commit cf37f9f527269ac2d76577dc0df53f1d369f1817 Author: Stefan Metzmacher Date: Thu Feb 15 17:47:13 2024 +0100 libcli/nbt: add nbt_name_send_raw()
[SCM] Samba Shared Repository - branch v4-19-test updated
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 83030780285290ecf64b57c1744634379b68ea01) commit 92a0533a9ea31f40a0a38f78e2b63c8e250972b0 Author: Stefan Metzmacher Date: Mon Jul 3 15:14:38 2023 +0200 s3:utils: let smbstatus report anonymous signing/encryption explicitly We should mark sessions/tcons with anonymous encryption or signing in a special way, as the value of it is void, all based on a session key with 16 zero bytes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224 (cherry picked from commit 5a54c9b28abb1464c84cb4be15a49718d8ae6795) commit 45b9b63283de002d9d524518ad4fe5d8cdaf38d9 Author: Stefan Metzmacher Date: Fri Jun 30 18:05:51 2023 +0200 s3:smbd: allow anonymous encryption after one authenticated session setup I have captures where a client tries smb3 encryption on an anonymous session, we used to allow that before commit da7dcc443f45d07d9963df9daae458fbdd991a47 was released with samba-4.15.0rc1. Testing against Windows Server 2022 revealed that anonymous signing is always allowed (with the session key derived from 16 zero bytes) and anonymous encryption is allowed after one authenticated session setup on the tcp connection. https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner (cherry picked from commit f3ddfb828e66738ca461c3284c423defb774547c) commit 1925abda4c44421aabdb92a3fa1e9a97ec2e1898 Author: Stefan Metzmacher Date: Mon Jul 3 15:12:38 2023 +0200 s3:utils: let smbstatus also report partial tcon signing/encryption We already do that for sessions and also for the json output, but it was missing in the non-json output for tcons. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner (cherry picked from commit 551756abd2c9e4922075bc3037db645355542363) commit 70969d8da5ae893a50b2d0ecfc0f163e960aaf04 Author: Stefan Metzmacher Date: Mon Jul 3 15:12:38 2023 +0200 s3:utils: let smbstatus also report AES-256 encryption types for tcons We already do that for sessions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner (cherry picked from commit 8119fd6d6a49b869bd9e8ff653b500e194b070de) commit 8cc6ccb54a37680aa8a1f91b2ca871a405daf59d Author: Stefan Metzmacher Date: Mon Jul 3 15:10:08 2023 +0200 s3:utils: let connections_forall_read() report if the session was authenticated BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner (cherry picked from commit 5089d8550640f72b1e0373f8ac321378ccaa8bd5) commit 8b6b837eb7dff229ac4659ea7681738badcb3bd5 Author: Stefan Metzmacher Date: Mon Jul 3 15:08:31 2023 +0200 s3:lib: let sessionid_traverse_read() report if the session was authenticated BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner (cherry picked from commit 596a10d1079f5c4a954108c81efc862c22a11f28) commit c9c83fb691f557d570e2f2ad32b2340e06d82978 Author: Stefan Metzmacher Date: Mon Jul 3 15:05:59 2023 +0200 s3:utils: remove unused signing_flags in connections_forall() We never use the signing flags from the session, as the tcon has its own signing flags. 
https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner (cherry picked from commit a9f84593f44f15a19c4cdde1e7ad53cd5e03b4d9) commit a6c549db3d85d358e1e99b90230d1cd50da6646e Author: Stefan Metzmacher Date: Wed May 15 10:02:00 2024 +0200 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}} These demonstrate how anonymous encryption and signing work. They pass against Windows 2022 as ad dc. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner (cherry picked from commit 6c5781b5f154857f1454f41133687fba8c4c9df9) commit 3f476fd8bf34209f9e74041f8254250aed59fb2f Author: Stefan Metzmacher Date: Wed May 15 10:51:42 2024 +0200 s4:li
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5a54c9b28ab s3:utils: let smbstatus report anonymous signing/encryption explicitly via f3ddfb828e6 s3:smbd: allow anonymous encryption after one authenticated session setup via 551756abd2c s3:utils: let smbstatus also report partial tcon signing/encryption via 8119fd6d6a4 s3:utils: let smbstatus also report AES-256 encryption types for tcons via 5089d855064 s3:utils: let connections_forall_read() report if the session was authenticated via 596a10d1079 s3:lib: let sessionid_traverse_read() report if the session was authenticated via a9f84593f44 s3:utils: remove unused signing_flags in connections_forall() via 6c5781b5f15 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}} via 6a89615d781 s4:libcli/smb2: add hack to test anonymous signing and encryption via 14d6e267212 smbXcli_base: add hacks to test anonymous signing and encryption from d6581d213d5 ldb: move struct ldb_debug_ops to ldb_private.h https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5a54c9b28abb1464c84cb4be15a49718d8ae6795 Author: Stefan Metzmacher Date: Mon Jul 3 15:14:38 2023 +0200 s3:utils: let smbstatus report anonymous signing/encryption explicitly We should mark sessions/tcons with anonymous encryption or signing in a special way, as the value of it is void, all based on a session key with 16 zero bytes. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224 commit f3ddfb828e66738ca461c3284c423defb774547c Author: Stefan Metzmacher Date: Fri Jun 30 18:05:51 2023 +0200 s3:smbd: allow anonymous encryption after one authenticated session setup I have captures where a client tries smb3 encryption on an anonymous session, we used to allow that before commit da7dcc443f45d07d9963df9daae458fbdd991a47 was released with samba-4.15.0rc1. Testing against Windows Server 2022 revealed that anonymous signing is always allowed (with the session key derived from 16 zero bytes) and anonymous encryption is allowed after one authenticated session setup on the tcp connection. https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit 551756abd2c9e4922075bc3037db645355542363 Author: Stefan Metzmacher Date: Mon Jul 3 15:12:38 2023 +0200 s3:utils: let smbstatus also report partial tcon signing/encryption We already do that for sessions and also for the json output, but it was missing in the non-json output for tcons. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit 8119fd6d6a49b869bd9e8ff653b500e194b070de Author: Stefan Metzmacher Date: Mon Jul 3 15:12:38 2023 +0200 s3:utils: let smbstatus also report AES-256 encryption types for tcons We already do that for sessions. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit 5089d8550640f72b1e0373f8ac321378ccaa8bd5 Author: Stefan Metzmacher Date: Mon Jul 3 15:10:08 2023 +0200 s3:utils: let connections_forall_read() report if the session was authenticated BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit 596a10d1079f5c4a954108c81efc862c22a11f28 Author: Stefan Metzmacher Date: Mon Jul 3 15:08:31 2023 +0200 s3:lib: let sessionid_traverse_read() report if the session was authenticated BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit a9f84593f44f15a19c4cdde1e7ad53cd5e03b4d9 Author: Stefan Metzmacher Date: Mon Jul 3 15:05:59 2023 +0200 s3:utils: remove unused signing_flags in connections_forall() We never use the signing flags from the session, as the tcon has its own signing flags. https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit 6c5781b5f154857f1454f41133687fba8c4c9df9 Author: Stefan Metzmacher Date: Wed May 15 10:02:00 2024 +0200 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d6581d213d5 ldb: move struct ldb_debug_ops to ldb_private.h via 6dd68d89786 ldb: move struct ldb_utf8_fns to ldb_private.h via a00c0ebd090 s4:dsdb:strcasecmp_with_ldb_val() avoids overflow via b6974030e6a lib/fuzzing: add fuzz_strncasecmp_ldb via b22e1d3207d ldb: don't cast to unsigned for ldb_ascii_toupper() via e33a0dd70f0 ldb: ldb_set_utf8_functions follows README.Coding via 4a6a1d1f0af ldb: deprecate ldb_set_utf8_fns via 42ae85d70af ldb: remove old ldb_comparison_fold_utf8_broken() via 960724a06e4 ldb: ldb_comparison_fold always uses the casecmp function via edabb9f4cb9 ldb-samba: use ldb_comparison_fold_utf8() via 0becc8a90cb ldb-samba: add ldb_comparison_fold_utf8, wrapping strncasecmp_ldb via f9797950fd6 util:charset: strncasecmp_ldb avoids iconv for ASCII via 55397514db5 util:charset: strncasecmp_ldb degrades to ASCII strncasecmp via eb91e3437b4 util:charset: add strncasecmp_ldb() via 7cc3c56293d ldb: ldb_set_utf8_default() sets comparison function via 6c27284f7e9 ldb: ldb_comparison_fold_ascii sorts unsigned via 92275e27947 ldb: add ldb_comparison_fold_ascii() for default comparisons via 947f977acb7 ldb: ldb_comparison_fold uses the utf-8 casecmp function via ae7ca36830b ldb: add ldb_set_utf8_functions() for setting casefold functions via 1624ac7a987 ldb: move ldb_comparison_fold guts into a separate function via 278a3c7f7c6 ldb: add a utf-8 comparison fold callback via f9fbc7a5067 lib/util/charset: be explicit about INVALID_CODEPOINT value via 023a7ce7d5a ldb: add test_ldb_comparison_fold from 589a9ea6767 s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d6581d213d5f625da493f14620e1a12e79a8e195 Author: Douglas Bagnall Date: Thu May 23 09:40:00 2024 +1200 ldb: move struct ldb_debug_ops to ldb_private.h Only accessed through struct ldb_context -> debug_ops, which is already private. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu May 23 00:19:30 UTC 2024 on atb-devel-224 commit 6dd68d897865bd2518a6a71753ca0bc76d51b37e Author: Douglas Bagnall Date: Thu May 23 09:36:57 2024 +1200 ldb: move struct ldb_utf8_fns to ldb_private.h It is only accessed via ldb functions that find it on the already-private struct ldb_context. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit a00c0ebd090f69f94ce6ba7774a9fc126d7de504 Author: Douglas Bagnall Date: Mon May 13 11:08:35 2024 +1200 s4:dsdb:strcasecmp_with_ldb_val() avoids overflow In the unlikely event that strlen(str) > INT_MAX, the result could have overflowed. This is not a sort transitivity issue, as this is not a symmetric sort comparison, but it would affect binary search reliability. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit b6974030e6a7ddb330894f46631c8da4359b2d18 Author: Douglas Bagnall Date: Mon May 13 10:39:44 2024 +1200 lib/fuzzing: add fuzz_strncasecmp_ldb As well as checking for the usual overflows, this asserts that strncasecmp_ldb is always transitive, by splitting the input into 3 pieces and comparing all pairs. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit b22e1d3207d90f102247d690bfe31db55d7b681e Author: Douglas Bagnall Date: Fri May 17 11:38:10 2024 +1200 ldb: don't cast to unsigned for ldb_ascii_toupper() Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit e33a0dd70f00481d1c3d9e2fdd227e26431402ef Author: Douglas Bagnall Date: Tue May 21 10:55:53 2024 +1200 ldb: ldb_set_utf8_functions follows README.Coding Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 4a6a1d1f0afa830a679781a522d724bd861a3601 Author: Douglas Bagnall Date: Fri May 17 11:35:01 2024 +1200 ldb: deprecate ldb_set_utf8_fns Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 42ae85d70af8da1aecbf45f5fb6e7d7ee1c379fb Author: Douglas Bagnall Date: Fri May 10 15:43:36 2024 +1200 ldb: remove old ldb_comparison_fold_utf8_broken() There are no callers. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 960724a06e4dcb793d606c71d6e79387761b3d42 Author: Douglas Bagnall Date: Thu May 16 17:01:10 2024 +1200 ldb: ldb_comparison_fold always uses the casecmp function Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett
[SCM] Samba Shared Repository - branch master updated
-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 758bb9aacd587daef31a4320b845e92cb09427ac Author: Andreas Schneider Date: Tue Jan 9 15:47:48 2024 +0100 docs-xml: Add smb.conf option 'dns hostname' Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- Summary of changes: WHATSNEW.txt | 14 +++ auth/ntlmssp/gensec_ntlmssp_server.c | 19 +--- dfs_server/dfs_server_ad.c | 8 +- docs-xml/smbdotconf/misc/dnsclientname.xml | 17 lib/param/loadparm.c | 37 .../tests/blackbox/rpcd_witness_samba_only.py | 3 +- python/samba/tests/dckeytab.py | 100 +++-- python/samba/tests/docs.py | 1 + python/samba/tests/krb5/gmsa_tests.py | 95 +++- python/samba/tests/krb5/raw_testcase.py| 3 + selftest/knownfail_heimdal_kdc | 1 - source3/include/proto.h| 1 - source3/lib/util.c | 59 source3/libnet/libnet_join.c | 26 ++ source3/librpc/crypto/gse_krb5.c | 10 ++- source3/param/loadparm.c | 35 source3/param/loadparm.h | 1 + source3/rpc_server/witness/srv_witness_nt.c| 30 +-- source3/utils/net_ads.c| 2 +- source3/utils/net_ads_join_dns.c | 6 +- source4/dns_server/dlz_bind9.c | 9 +- source4/dns_server/dns_server.c| 15 ++-- source4/dsdb/gmsa/util.c | 25 ++ source4/dsdb/gmsa/util.h | 3 + source4/kdc/db-glue.c | 97 +++- source4/kdc/db-glue.h | 2 + source4/kdc/hdb-samba4.c | 4 +- source4/kdc/mit_samba.c| 4 +- source4/libnet/libnet_export_keytab.c | 10 ++- source4/libnet/libnet_export_keytab.h | 1 + source4/libnet/py_net_dckeytab.c | 19 +++- source4/rpc_server/dnsserver/dnsdb.c | 31 +++ source4/rpc_server/dnsserver/dnsutils.c| 10 ++- third_party/heimdal/kdc/Makefile.am| 4 +- third_party/heimdal/kdc/kerberos5.c| 2 +- 35 files changed, 491 insertions(+), 213 deletions(-) create mode 100644 docs-xml/smbdotconf/misc/dnsclientname.xml Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index e08070a0ed3..67bdb963cca 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -104,6 +104,19 @@ correct certificate trusts with at least one of the following options: While 'tls verify peer' and 'tls crlfile' are also relevant, see 'man smb.conf' for further details. +New DNS hostname config option +-- + +To get `net ads dns register` working correctly running manually or during a +domain join a special entry in /etc/hosts was required. This not really +documented and thus the DNS registration mostly didn't work. With the new option +the default is [netbios name].[realm] which should be correct in the majority of +use cases. + +We will also use the value to create service principal names during a Kerberos +authentication and DNS functions. + +This is not supported in samba-tool yet. REMOVED FEATURES @@ -119,6 +132,7 @@ smb.conf changes ldap server require strong auth new values tls trust system casnew tls ca directories new + dns hostnameclient dns name [netbios name].[realm] KNOWN ISSUES diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c index ab92f4d0c09..6da13a1a6fe 100644 --- a/auth/ntlmssp/gensec_ntlmssp_server.c +++ b/auth/ntlmssp/gensec_ntlmssp_server.c @@ -68,7 +68,7 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security, session_info_flags |= AUTH_SESSION_INFO_NTLM; if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) { - nt_status = gensec_security->auth_context->generate_session_info(gensec_security->auth_context, mem_ctx, + nt_status = gensec_security->auth_context->generate_session_info(gensec_security->auth_context, mem_ctx, gensec_ntlmssp->server_returned_info,
[SCM] Samba Shared Repository - branch master updated
t_req *subreq) } /* total size, in bytes */ - sbuf->st_ex_size = IVAL2_TO_SMB_BIG_UINT(data, 0); + sbuf->st_ex_size = BVAL(data, 0); /* number of blocks allocated */ - sbuf->st_ex_blocks = IVAL2_TO_SMB_BIG_UINT(data,8); + sbuf->st_ex_blocks = BVAL(data,8); #if defined (HAVE_STAT_ST_BLOCKS) && defined(STAT_ST_BLOCKSIZE) sbuf->st_ex_blocks /= STAT_ST_BLOCKSIZE; #else @@ -872,7 +872,7 @@ static void cli_posix_stat_done(struct tevent_req *subreq) } #endif /* inode */ - sbuf->st_ex_ino = (SMB_INO_T)IVAL2_TO_SMB_BIG_UINT(data, 76); + sbuf->st_ex_ino = (SMB_INO_T)BVAL(data, 76); /* protection */ sbuf->st_ex_mode |= wire_perms_to_unix(IVAL(data, 84)); @@ -2026,10 +2026,10 @@ static void cli_smb2_hardlink_opened(struct tevent_req *subreq) state->ev, state->cli, state->fnum_src, - 1, /* in_info_type */ - SMB_FILE_LINK_INFORMATION - 1000, /* in_file_info_class */ + SMB2_0_INFO_FILE, /* in_info_type */ + FSCC_FILE_LINK_INFORMATION, /* in_file_info_class */ , - 0); /* in_additional_info */ + 0); /* in_additional_info */ if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c index 54b46b09e0e..d8951482bac 100644 --- a/source3/libsmb/clilist.c +++ b/source3/libsmb/clilist.c @@ -254,7 +254,7 @@ static size_t interpret_long_filename(TALLOC_CTX *ctx, p += 8; finfo->ctime_ts = interpret_long_date(BVAL(p, 0)); p += 8; - finfo->size = IVAL2_TO_SMB_BIG_UINT(p,0); + finfo->size = BVAL(p,0); p += 8; p += 8; /* alloc size */ finfo->attr = IVAL(p,0); 
@@ -298,11 +298,10 @@ static size_t interpret_long_filename(TALLOC_CTX *ctx, Namelen doesn't include the terminating unicode null, so copy it here. */ - if (p_last_name_raw) { - *p_last_name_raw = data_blob(NULL, namelen+2); - memcpy(p_last_name_raw->data, p, namelen); - SSVAL(p_last_name_raw->data, namelen, 0); - } + *p_last_name_raw = data_blob(NULL, namelen + 2); + memcpy(p_last_name_raw->data, p, namelen); + SSVAL(p_last_name_raw->data, namelen, 0); + return calc_next_entry_offset(base, pdata_end); } } @@ -668,11 +667,7 @@ static struct tevent_req *cli_list_trans_send(TALLOC_CTX *mem_ctx, } state->ev = ev; state->cli = cli; - state->mask = talloc_strdup(state, mask); - if (tevent_req_nomem(state->mask, req)) { - return tevent_req_post(req, ev); - } - state->mask = smb1_dfs_share_path(state, cli, state->mask); + state->mask = smb1_dfs_share_path(state, cli, mask); if (tevent_req_nomem(state->mask, req)) { return tevent_req_post(req, ev); } @@ -937,55 +932,6 @@ static NTSTATUS cli_list_trans_recv(struct tevent_req *req, return NT_STATUS_OK; } -NTSTATUS cli_list_trans(struct cli_state *cli, const char *mask, - uint32_t attribute, int info_level, - NTSTATUS (*fn)( - struct file_info *finfo, - const char *mask, - void *private_data), - void *private_data) -{ - TALLOC_CTX *frame = talloc_stackframe(); - struct tevent_context *ev; - struct tevent_req *req; - int i, num_finfo; - struct file_info *finfo = NULL; - NTSTATUS status = NT_STATUS_NO_MEMORY; - - if (smbXcli_conn_has_async_calls(cli->conn)) { - /* - * Can't use sync call while an async call is in flight -*/ - status = NT_STATUS_INVALID_PARAMETER; - goto fail; - } - ev = samba_tevent_context_init(frame); - if (ev == NULL) { - goto fail; - } - req = cli_list_trans_send(frame, ev, cli, mask, attribute, info_level); - if (req == NULL) { - goto fail; - } - if (!tevent_req_poll_ntstatus(req, ev, )) { -- Samba Shared Repository
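Review bot: In the `@@ -298,11 +298,10 @@` hunk of interpret_long_filename(), `memcpy(p_last_name_raw->data, p, namelen)` runs straight after `data_blob(NULL, namelen + 2)` with no check that the allocation succeeded. With the `if (p_last_name_raw)` guard removed, the out-pointer is also dereferenced unconditionally. namelen appears to come from the server's reply, and whether it is bounded against the end of the buffer before this point is not visible here, so a failed or oversized allocation should be handled explicitly. I would add a check such as `if (p_last_name_raw->data == NULL)` that leaves through the function's existing error return before the memcpy, plus a one-line comment at the signature stating that p_last_name_raw must be non-NULL. The function starts and ends outside this hunk, so the callers' side of that contract cannot be confirmed from here.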
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bdfbf25255e test_kinit_export_keytab: reset pw of the test account and test --only-current-keys via b4be5718d3d samba-tool: let 'samba-tool domain exportkeytab' take an --only-current-keys option via 2793ef3e163 samba.tests.dckeytab: add test_export_keytab_change3_update_only_current_keep() via e2a5fbf5cf2 s4:libnet_export_keytab: add only_current_keys option via 7f1e89488a7 s4:kdc: also provide cross-realm keys via samba_kdc_seq() via 37292f8a60f s4:kdc: let samba_kdc_trust_message2entry() return all keys with SDB_F_ADMIN_DATA via 6ecc607edee s4:kdc: split out samba_kdc_fill_trust_keys() helper via f5c8c212dcb s4:kdc: add available_enctypes to supported_session_etypes in samba_kdc_trust_message2entry() via f48699641cf s4:kdc: add a returned_kvno helper variable in samba_kdc_trust_message2entry() via d1efc396de4 s4:kdc: let samba_kdc_trust_message2entry() ignore KRB5_PROG_ETYPE_NOSUPP via 8cfebc36edc s4:kdc: split out samba_kdc_fill_trust_keys() helper via 83f03513fd5 s3:libnet: add a debug message to libnet_keytab_add_to_keytab_entries() via 888a785f476 s3:libnet: add support for trusted domains in libnet_dssync_keytab.c via 2b2cc544725 s3:libnet: split out store_or_fetch_attribute() from parse_user() in libnet_dssync_keytab.c via feff15fc88b s3:libnet: split out parse_user() in libnet_dssync_keytab.c via 52df4063871 s3:libnet: let parse_user() in libnet_dssync_keytab.c work without nt hash from 01849ab1bca s4:kdc: Implement KDC plugin hardware authentication policy https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bdfbf25255e457c3e5d5d75ee09fca3af461c5a7 Author: Stefan Metzmacher Date: Wed Apr 17 16:15:17 2024 +0200 test_kinit_export_keytab: reset pw of the test account and test --only-current-keys Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 22 04:07:02 UTC 2024 on atb-devel-224 commit 
b4be5718d3de3bc90d142cb53f79fe067d0a3e0a Author: Stefan Metzmacher Date: Fri Mar 15 16:14:18 2024 +0100 samba-tool: let 'samba-tool domain exportkeytab' take an --only-current-keys option Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 2793ef3e1632c735f9caac015503aab06f53d543 Author: Stefan Metzmacher Date: Fri Mar 15 16:31:22 2024 +0100 samba.tests.dckeytab: add test_export_keytab_change3_update_only_current_keep() This tests that only_current_keys=True works. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit e2a5fbf5cf2b65db77e7c5a859c896acca69f432 Author: Stefan Metzmacher Date: Fri Mar 15 16:11:10 2024 +0100 s4:libnet_export_keytab: add only_current_keys option By default we also export on the old and older passwords... In order to do a kinit with a keytab it might be useful to include only the current keys. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 7f1e89488a7212832819380a93fe137a6fa28c37 Author: Stefan Metzmacher Date: Thu Feb 3 14:14:06 2022 +0100 s4:kdc: also provide cross-realm keys via samba_kdc_seq() This means that 'samba-tool domain exportkeytab' is able to export them. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 37292f8a60f8fa82faa7bde4314919dcae6fb7ab Author: Stefan Metzmacher Date: Fri Mar 15 19:23:46 2024 +0100 s4:kdc: let samba_kdc_trust_message2entry() return all keys with SDB_F_ADMIN_DATA Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 6ecc607edeeeb1877b5ecf02ba60d6c8799f583a Author: Stefan Metzmacher Date: Fri Mar 15 19:19:20 2024 +0100 s4:kdc: split out samba_kdc_fill_trust_keys() helper This simplifies the logic in samba_kdc_trust_message2entry(), is very similar to our samba_kdc_fill_user_keys() helper and will make it trivial to provide the previous keys in entry->old_keys in the next commit. 
Review with: git show -p --patience Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit f5c8c212dcba48167d8ae8c555a5c4750cb763fd Author: Stefan Metzmacher Date: Fri Mar 15 19:19:20 2024 +0100 s4:kdc: add available_enctypes to supported_session_etypes in samba_kdc_trust_message2entry() This aligns the logic of samba_kdc_trust_message2entry() with samba_kdc_message2entry_keys(). Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit f48699641cf95f1e2d197e0f8ea1ed4ce2c4fb41 Author: Stefan Metzmacher Date: Fri Mar 15 19:19:20 2024 +0100 s4:kdc: add a returned_kvno helper variable in samba_kdc_trust_message2en
[SCM] Samba Shared Repository - branch master updated
Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit aa4347ff23e358693920c9b0507eae1c60acd26b Author: Jo Sutton Date: Wed Apr 24 17:22:45 2024 +1200 tests/krb5: Add ‘expect_success’ parameter to gensec_ntlmssp_logon() View with ‘git show -b’. Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 41e71406a1401c60ac163dee46505191075c9def Author: Jo Sutton Date: Wed Apr 24 17:20:14 2024 +1200 tests/krb5: Make use of gmsa_series_for_account() method This allows us to replace a call to expected_current_gmsa_password_blob() with one to expected_gmsa_password_blob(), a method which allows us to specify the exact key we expect. Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 577aa790425502b25b0e9a98f1f82070d53ce4c7 Author: Jo Sutton Date: Wed Apr 24 17:18:09 2024 +1200 tests/krb5: Add quantized_time() method Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 65fe09007f87322aaf35b610add2776b54005ec9 Author: Jo Sutton Date: Wed Apr 24 17:16:55 2024 +1200 tests/krb5: Read current time from correct SamDB Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit fdaa29436976c4aec94c239ee9d65eb6d8f920f5 Author: Jo Sutton Date: Tue Apr 30 14:36:07 2024 +1200 python:tests: Pass ServerPasswordSet2() parameters in correct order ‘account_name’ and ‘server_name’ are passed in the wrong order. While Samba ignores the account name parameter and doesn’t have a problem with it missing its trailing dollar, Windows checks it and requires the trailing dollar to be present. 
Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit cb357a011b04f37cb6610a94ae5c4af30a56e423 Author: Jo Sutton Date: Tue Apr 30 14:35:13 2024 +1200 python:tests: Remove unnecessary ‘pass’ statement Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit e875193c1ca7025d4929090dce731a074a9dd4e1 Author: Jo Sutton Date: Tue Apr 30 14:34:44 2024 +1200 python:tests: Remove unused netlogon connection parameter Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 170dd47eae5ece962262814d05bfcedb3426b433 Author: Jo Sutton Date: Mon Apr 29 17:03:39 2024 +1200 s4:libcli: Add more controls to our list of known controls Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 526652d162f929426bdefac57ca346dd1c9c5d95 Author: Jo Sutton Date: Mon Apr 29 17:48:01 2024 +1200 s4:libcli: Fix code spelling Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit e4045cd5b15f0c60b8fc7c49936888731ce60274 Author: Jo Sutton Date: Mon Apr 29 17:02:39 2024 +1200 s4:setup: Update name of dsdb password change control Commit 0a907c2f45c34efcac784738c9d75303b9d04d2f renamed this control to DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID. 
Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit f5cbe497897f8f7ceae6de1f6134b336a8d91186 Author: Jo Sutton Date: Mon Apr 29 17:02:06 2024 +1200 s4:dsdb: Fix code spelling Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit cbebffd56da42cd439293c638e3637917beae8bb Author: Jo Sutton Date: Mon Apr 29 17:01:52 2024 +1200 s4:dsdb: Remove trailing whitespace Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 359b3b63213ccb4c9e77fd8afc0e7a2c78f41c32 Author: Jo Sutton Date: Tue May 14 16:42:31 2024 +1200 lib:fuzzing: Fix undefined shift ../../lib/fuzzing/fuzz_stable_sort_r_unstable.c:47:22: runtime error: left shift of negative value -34 Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit be076b3097231930214e6628e455ed03a9767106 Author: Jo Sutton Date: Tue May 14 16:44:11 2024 +1200 lib:fuzzing: Remove unused variable Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 7b02221c4f5571255d2d6124ba1ea5c8fcda6eb4 Author: Jo Sutton Date: Tue May 7 11:43:48 2024 +1200 auth:credentials: Check for NT hash being NULL Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: auth/credentials/pycredentials.c| 3 + lib/crypto/gkdi.h | 1 + lib/fuzzing/fuzz_stable_sort_r_unstable.c | 3 +- python/samba/tests/krb5/gmsa_tests.py | 750 +++- python/samba/tests/krb5/raw_testcase.py | 10 +- python/samba/tests/py_credentials.py| 31 +- selftest/knownfail.d/gmsa | 3 + selftest/knownfail_mit_kdc | 6 - selftest/knownfail_mit_kdc_1_20 | 68 --- source4/auth/ntlm/auth_sam.c| 35 +- source4/dsdb/common/util.c | 16 +- source4/dsdb
[SCM] Samba Shared Repository - branch master updated
ocking -* two records simultaneously. Notifies are async and -* informational only, so calling the notify_fname -* without holding the share mode lock should not do -* any harm. -*/ notify_fname(conn, NOTIFY_ACTION_REMOVED, FILE_NOTIFY_CHANGE_FILE_NAME, fsp->fsp_name->base_name); diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 68e5eb957f2..04d0e1e0336 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -341,7 +341,6 @@ NTSTATUS check_parent_access_fsp(struct files_struct *fsp, NTSTATUS status; struct security_descriptor *parent_sd = NULL; uint32_t access_granted = 0; - struct share_mode_lock *lck = NULL; uint32_t name_hash; bool delete_on_close_set; TALLOC_CTX *frame = talloc_stackframe(); @@ -410,20 +409,7 @@ NTSTATUS check_parent_access_fsp(struct files_struct *fsp, goto out; } - /* -* Don't take a lock here. We just need a snapshot -* of the current state of delete on close and this is -* called in a codepath where we may already have a lock -* (and we explicitly can't hold 2 locks at the same time -* as that may deadlock). -*/ - lck = fetch_share_mode_unlocked(frame, fsp->file_id); - if (lck == NULL) { - status = NT_STATUS_OK; - goto out; - } - - delete_on_close_set = is_delete_on_close_set(lck, name_hash); + get_file_infos(fsp->file_id, name_hash, _on_close_set, NULL); if (delete_on_close_set) { status = NT_STATUS_DELETE_PENDING; goto out; -- Samba Shared Repository
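Review bot: `delete_on_close_set` is declared without an initializer (`bool delete_on_close_set;` in the `@@ -341,7 +341,6 @@` hunk) and, after this change, is read immediately after `get_file_infos()` with no other assignment. The removed code returned NT_STATUS_OK when no share mode record was found. Whether get_file_infos() always writes the out-parameter in that case is not visible here, and if it does not, the NT_STATUS_DELETE_PENDING decision would rest on an indeterminate value. Declaring it as `bool delete_on_close_set = false;` makes the no-record case explicit at no cost. check_parent_access_fsp() begins and ends outside these hunks.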
[SCM] Samba Shared Repository - branch master updated
hor: Volker Lendecke Date: Thu May 9 11:59:20 2024 +0200 pylibsmb: Add py_cli_qfileinfo Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit c13ac1f1a7606bd78b3527ea931910929adc0c05 Author: Volker Lendecke Date: Thu May 9 12:00:00 2024 +0200 pylibsmb: Add FSCC QUERY_INFO levels Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 291a353b16a77dd29b4a2be559b9c2c311c698e9 Author: Volker Lendecke Date: Thu May 9 10:37:49 2024 +0200 libsmb: Remove smb2 branch from cli_qfileinfo_basic_send cli_qfileinfo_send now does it Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 893e4f6ebf624d1f87fd320b4bbe833fbda4cc2b Author: Volker Lendecke Date: Thu May 9 10:35:26 2024 +0200 libsmb: Add smb2 branch to cli_qfileinfo Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 6e9c18ed821d5c9563ec3ffef612656d87bebb3b Author: Volker Lendecke Date: Thu May 9 10:34:13 2024 +0200 libsmb: Add a tevent_req_received() where appropriate Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit bec5920ec9115a35b49828338ddb6fbbf9608ca4 Author: Volker Lendecke Date: Thu May 9 10:12:14 2024 +0200 libsmb: Convert cli_qfileinfo to use FSCC levels This will enable this routine to be used for SMB2 as well. The translation table is from [MS-CIFS] 2.2.8. Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit af4bb5f75f74eea5f635bc0a019e1b3865ab533f Author: Volker Lendecke Date: Thu May 9 10:27:48 2024 +0200 libsmb: Use SMB2_0_INFO_FILE instead of the raw "1" Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 4eac4014c0358681aedf6deb0accd2f9860ef882 Author: Volker Lendecke Date: Thu May 9 09:37:51 2024 +0200 libsmb: Use SMB2_0_INFO_SECURITY instead of the raw "3" Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 072e4d030aee486e5749dff93ab1be98f931163b Author: Volker Lendecke Date: Wed May 8 14:17:34 2024 +0200 smbd: Modernize a DEBUG 
Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 7c59f1105607310e4a54488e5f40893ebb796a50 Author: Volker Lendecke Date: Tue May 7 17:22:01 2024 +0200 test: Align integer types Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison --- Summary of changes: libcli/auth/tests/test_schannel.c | 4 +- python/samba/tests/reparsepoints.py | 24 python/samba/tests/smb3unix.py | 41 ++ source3/libsmb/cli_smb2_fnum.c | 1 + source3/libsmb/clifile.c| 108 --- source3/libsmb/clirap.c | 70 +++ source3/libsmb/clirap.h | 19 +-- source3/libsmb/clisecdesc.c | 20 +++ source3/libsmb/pylibsmb.c | 109 source3/modules/util_reparse.c | 54 +- source3/modules/util_reparse.h | 2 + source3/smbd/smb1_reply.c | 5 +- source3/smbd/smb2_create.c | 3 + source3/smbd/smb2_reply.c | 36 ++-- source3/smbd/smb2_trans2.c | 55 -- source3/torture/test_smb2.c | 29 +- source3/torture/torture.c | 13 +++-- 17 files changed, 421 insertions(+), 172 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/auth/tests/test_schannel.c b/libcli/auth/tests/test_schannel.c index b1c88fdf667..e249ff00751 100644 --- a/libcli/auth/tests/test_schannel.c +++ b/libcli/auth/tests/test_schannel.c @@ -167,7 +167,7 @@ static void torture_schannel_seal_rc4(void **state) int buffer_sizes[] = { 0, 1, 3, 7, 8, 9, 15, 16, 17 }; - int i; + size_t i; torture_schannel_seal_flags(state, 0, session_key, @@ -259,7 +259,7 @@ static void torture_schannel_seal_aes(void **state) int buffer_sizes[] = { 0, 1, 3, 7, 8, 9, 15, 16, 17 }; - int i; + size_t i; torture_schannel_seal_flags(state, NETLOGON_NEG_SUPPORTS_AES, session_key, diff --git a/python/samba/tests/reparsepoints.py b/python/samba/tests/reparsepoints.py index 96ca6eefdd5..1f74c61bc64 100644 --- a/python/samba/tests/reparsepoints.py +++ b/python/samba/tests/reparsepoints.py 
@@ -118,6 +118,30 @@ class ReparsePoints(samba.tests.libsmb.LibsmbTests): self.assertEqual(e.exception.args[0], ntstatus.NT_STATUS_IO_REPARSE_TAG_MISMATCH) +def test_query_reparse_tag(self): +conn = self.connection() +filename = 'reparse' +self.clean_file(conn, filename) + +fd = conn.create( +
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 1092d4b0a8e s3:winbindd: Update non cache entries keys (non_centry_keys) via 26d87d1fefa s3:winbindd: Use TDB_REPLACE in tdb_store from 68a1200f66e Restore empty string default for conf.env['icu-libs'] https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1092d4b0a8e6d988e6bcbbd5e7cce7e34fc1ed54 Author: Pavel Filipenský Date: Fri Mar 22 13:51:06 2024 +0100 s3:winbindd: Update non cache entries keys (non_centry_keys) This change does NOT affect WHAT and HOW is cached. It only avoids undefined behavior for "NDR" and "TRUSTDOMCACHE" when processed in wcache_flush_cache() and wbcache_upgrade_v1_to_v2(). winbindd_cache.tdb contains two types of entries: 1) cache entries (typed as 'struct cache_entry') - internal format is: [ntstatus; sequence_number; timeout] 2) non cache entries (keys listed in non_centry_keys) - for "NDR" internal format is: [sequence_number; timeout] Without this commit, "NDR" would be processed as the first type (instead as the second type). E.g. in the stack below: wcache_fetch_raw() traverse_fn_cleanup() wcache_flush_cache() the triplet [ntstatus; sequence_number; timeout] would be initialized from data containing only [sequence_number; timeout], leading to mismatched values ('ntstatus' would be filled from 'sequence_number'). Anyway, current code is never calling wcache_flush_cache(), since wcache_flush_cache() can be called only from get_cache() and get_cache() will call it only if global/static wcache was not set yet. But wcache is set very early in the main winbind (and all winbind children get it after fork), sooner than any call of get_cache() can happen: #1 init_wcache + 0x19 #2 initialize_winbindd_cache + 0x35 #3 winbindd_cache_validate_and_initialize + 0x25 #4 main + 0x806 
Signed-off-by: Pavel Filipenský Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue May 14 21:04:57 UTC 2024 on atb-devel-224 commit 26d87d1fefa67b759bc369983b4c55fcd007dca9 Author: Pavel Filipenský Date: Tue May 7 13:01:02 2024 +0200 s3:winbindd: Use TDB_REPLACE in tdb_store tdb_store() should use as a flag TDB_REPLACE instead of undocumented 0 Signed-off-by: Pavel Filipenský Reviewed-by: Jeremy Allison --- Summary of changes: source3/winbindd/winbindd_cache.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index ca2341ef456..833862ab99e 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -68,7 +68,9 @@ static bool opt_nocache = False; */ static const char *non_centry_keys[] = { + "NDR/", "SEQNUM/", + "TRUSTDOMCACHE/", "WINBINDD_OFFLINE", WINBINDD_CACHE_VERSION_KEYSTR, NULL @@ -4605,7 +4607,7 @@ static bool wcache_tdc_store_list( struct winbindd_tdc_domain *domains, size_t n goto done; } - ret = tdb_store( wcache->tdb, key, data, 0 ); + ret = tdb_store(wcache->tdb, key, data, TDB_REPLACE); done: SAFE_FREE( data.dptr ); @@ -4922,7 +4924,7 @@ void wcache_store_ndr(struct winbindd_domain *domain, uint32_t opnum, SBVAL(data.dptr, 4, timeout); memcpy(data.dptr + 12, resp->data, resp->length); - tdb_store(wcache->tdb, key, data, 0); + tdb_store(wcache->tdb, key, data, TDB_REPLACE); done: TALLOC_FREE(key.dptr); -- Samba Shared Repository
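Review bot: In wcache_store_ndr() (`@@ -4922,7 +4924,7 @@`) the result of `tdb_store(wcache->tdb, key, data, TDB_REPLACE)` is still discarded, while wcache_tdc_store_list() in the previous hunk keeps it in `ret`. A failed write to winbindd_cache.tdb therefore leaves no trace, which makes a stale or missing "NDR/" record hard to diagnose later. I would at least log it, e.g. `if (tdb_store(wcache->tdb, key, data, TDB_REPLACE) != 0) { DBG_WARNING("tdb_store failed\n"); }`. The function body starts and ends outside the hunk.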
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 68a1200f66e Restore empty string default for conf.env['icu-libs'] from 833c3f26b47 python/tests: Fix nlink test in smb3unix on btrfs filesystem https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 68a1200f66e9008ca0a739b37b48c49453ca9d83 Author: Earl Chew Date: Fri May 10 19:46:28 2024 -0700 Restore empty string default for conf.env['icu-libs'] The reworked ICU libraries configuration code used [] as default for conf.env['icu-libs']. This breaks dependency analysis in samba_deps.py because SAMBA_SUBSYSTEM() expects deps to be a string. Signed-off-by: Earl Chew Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Reviewed-by: Volker Lendecke Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Tue May 14 14:44:06 UTC 2024 on atb-devel-224 --- Summary of changes: lib/util/charset/wscript_configure | 2 ++ 1 file changed, 2 insertions(+) Changeset truncated at 500 lines: diff --git a/lib/util/charset/wscript_configure b/lib/util/charset/wscript_configure index c49b55a4fd4..adae44eab5e 100644 --- a/lib/util/charset/wscript_configure +++ b/lib/util/charset/wscript_configure @@ -46,3 +46,5 @@ if conf.CHECK_CFG(package='icu-i18n icu-uc', if not conf.CHECK_HEADERS('unicode/ustring.h', lib='icui18n'): conf.fatal('Found icui18n, but unicode/ustring.h is missing') conf.DEFINE('HAVE_UTF8_NORMALISATION', 1) +else: +conf.env['icu-libs'] = '' -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 833c3f26b47 python/tests: Fix nlink test in smb3unix on btrfs filesystem from 1ca6fb563b0 lib/replace: make sure krb5_cc_default[_name]() is no longer used directly https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 833c3f26b476c5f27d8dd000cfa423f0726cef1a Author: Pavel Filipenský Date: Mon May 13 12:13:38 2024 +0200 python/tests: Fix nlink test in smb3unix on btrfs filesystem Signed-off-by: Pavel Filipenský Reviewed-by: Volker Lendecke Autobuild-User(master): Pavel Filipensky Autobuild-Date(master): Tue May 14 13:37:53 UTC 2024 on atb-devel-224 --- Summary of changes: python/samba/tests/smb3unix.py | 18 ++ 1 file changed, 14 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/smb3unix.py b/python/samba/tests/smb3unix.py index d88bd432239..1962852349c 100644 --- a/python/samba/tests/smb3unix.py +++ b/python/samba/tests/smb3unix.py @@ -24,6 +24,7 @@ from samba.dcerpc import smb3posix from samba.ndr import ndr_unpack from samba.dcerpc.security import dom_sid import os +import subprocess def posix_context(mode): return (libsmb.SMB2_CREATE_TAG_POSIX, mode.to_bytes(4, 'little')) @@ -34,6 +35,9 @@ class Smb3UnixTests(samba.tests.libsmb.LibsmbTests): super().setUp() self.samsid = os.environ["SAMSID"] +prefix_abs = os.environ["PREFIX_ABS"] +p = subprocess.run(['stat', '-f', '-c', '%T', prefix_abs], capture_output=True, text=True) +self.fstype = p.stdout.strip().lower() def connections(self, share1=None, posix1=False, share2=None, posix2=True): if not share1: 
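Review bot: The `stat` call added to setUp() is not checked, because `subprocess.run(...)` is invoked without `check=True`. If `stat` is missing, does not support `-f -c '%T'`, or the PREFIX_ABS path does not exist, `self.fstype` becomes an empty string and both nlink assertions silently take the non-btrfs branch. Passing `check=True`, as in `p = subprocess.run(['stat', '-f', '-c', '%T', prefix_abs], capture_output=True, text=True, check=True)`, turns that into a visible setup error. The argument-list form (no shell) is the right choice for a path taken from the environment and should stay.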
@@ -303,7 +307,11 @@ class Smb3UnixTests(samba.tests.libsmb.LibsmbTests): self.assertEqual(found_files[fname]['attrib'], libsmb.FILE_ATTRIBUTE_ARCHIVE) else: -self.assertEqual(found_files[fname]['nlink'], 2) +# Note: btrfs always reports the link count of directories as one. +if self.fstype == "btrfs": +self.assertEqual(found_files[fname]['nlink'], 1) +else: +self.assertEqual(found_files[fname]['nlink'], 2) self.assertEqual(found_files[fname]['attrib'], libsmb.FILE_ATTRIBUTE_DIRECTORY) @@ -368,9 +376,11 @@ class Smb3UnixTests(samba.tests.libsmb.LibsmbTests): cc = ndr_unpack(smb3posix.smb3_posix_cc_info, cc_out[0][1]) -# Note: this fails on btrfs which always reports the link -# count of directories as one. -self.assertEqual(cc.nlinks, 2) +# Note: btrfs always reports the link count of directories as one. +if self.fstype == "btrfs": +self.assertEqual(cc.nlinks, 1) +else: +self.assertEqual(cc.nlinks, 2) self.assertEqual(cc.reparse_tag, libsmb.IO_REPARSE_TAG_RESERVED_ZERO) self.assertEqual(cc.posix_perms, 0o700) -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory(). ... Before that commit cc was never NULL as generate_krb5_ccache() returned "MEMORY:winbindd_pam_ccache" as fallback. So we called ads_kdestroy("MEMORY:winbindd_pam_ccache"). Now we have cc == NULL if user_ccache_file == NULL. and kerberos_return_pac() uses smb_krb5_cc_new_unique_memory() and krb5_cc_destroy() internally. It means unless user_ccache_file != NULL we should not call ads_kdestroy(cc) as cc is NULL and means we would destroy any global default krb5 ccache. Review with: git show -U25 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- Summary of changes: auth/credentials/credentials_krb5.c| 6 +- auth/credentials/credentials_krb5.h| 5 +- lib/addns/dns.h| 18 +- lib/addns/dnsgss.c | 240 + lib/addns/wscript_build| 2 +- lib/krb5_wrap/gss_samba.c | 29 +- lib/krb5_wrap/gss_samba.h | 8 + lib/krb5_wrap/krb5_samba.c | 45 +++- lib/krb5_wrap/krb5_samba.h | 11 + lib/replace/system/kerberos.h | 3 + libgpo/pygpo.c | 75 +- python/samba/tests/ntlm_auth.py | 2 +- python/samba/tests/ntlm_auth_base.py | 18 +- python/samba/tests/ntlm_auth_krb5.py | 8 +- source3/auth/auth_generic.c| 3 +- source3/client/smbspool.c | 2 +- source3/client/smbspool_krb5_wrapper.c | 7 +- source3/include/ads.h | 11 + source3/include/krb5_env.h | 26 -- source3/lib/netapi/joindomain.c| 124 - source3/lib/netapi/netapi.c| 24 +- source3/lib/netapi/netapi.h| 2 + source3/libads/ads_ldap_protos.h | 6 + source3/libads/ads_proto.h | 17 +- source3/libads/ads_struct.c| 7 + source3/libads/authdata.c | 2 +- source3/libads/kerberos.c | 46 ++-- source3/libads/kerberos_proto.h| 13 +- source3/libads/kerberos_util.c | 80 -- source3/libads/krb5_setpw.c| 103 ++-- source3/libads/ldap.c | 153 --- source3/libads/ldap_utils.c| 52 +++- source3/libads/sasl.c | 185 ++--- source3/libads/tls_wrapping.c | 9 +- source3/libads/util.c | 5 +- source3/libnet/libnet_join.c | 261 -- source3/libnet/libnet_join.h | 2 +- source3/librpc/crypto/gse.c| 
294 - source3/librpc/crypto/gse.h| 3 +- source3/librpc/idl/ads.idl | 17 +- source3/librpc/idl/libnet_join.idl | 16 +- source3/libsmb/auth_generic.c | 4 +- source3/libsmb/cliconnect.c| 177 ++--- source3/libsmb/namequery_dc.c | 3 +- source3/printing/nt_printing_ads.c | 80 +- source3/rpc_server/wkssvc/srv_wkssvc_nt.c | 28 +- source3/utils/net.c| 38 +-- source3/utils/net.h| 8 +- source3/utils/net_ads.c| 220 ++- source3/utils/net_ads_join_dns.c | 96 +++ source3/utils/net_dns.c| 94 ++- source3/utils/net_dns.h| 3 + source3/utils/net_offlinejoin.c| 4 - source3/utils/net_proto.h | 6 +- source3/utils/net_rpc.c| 17 +- source3/utils/net_util.c | 23 +- source3/utils/ntlm_auth.c | 24 +- source3/utils/py_net.c | 14 +- source3/winbindd/idmap_ad.c| 20 +- source3/winbindd/winbindd.c| 9 +- source3/winbindd/winbindd_ads.c| 194 -- source3/winbindd/winbindd_cm.c | 46 +++- source3/winbindd/winbindd_dual_srv.c | 18 +- source3/winbindd/winbindd_pam.c| 32 +-- source3/winbindd/winbindd_proto.h | 7 + source3/wscript_build
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 712ffbffc03 s3:libsmb: allow store_cldap_reply() to work with a ipv6 response via 05807488fd3 Combine ICU libraries icu-i18n and icu-uc into a single dependency via 0c983bd0095 Improve CHECK_LIB interaction with CHECK_PKG via 363c3318577 Augment library_flags() to return libraries via 5aafd2fb404 selftest: add test for User.get_primary_group method via 8fe7f0a6d50 python: models: add get_primary_group method to User model via 1f47c0f6093 python: models: rename argument ldb to samdb via 237d9d0228c tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative via 380d9c5a739 .gitlab-ci-main.yml: debug kernel details of the current runner from 9844ac289be ldb-samba: ldif_read_objectSid avoids VLA https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2 Author: Stefan Metzmacher Date: Tue May 7 14:53:24 2024 + s3:libsmb: allow store_cldap_reply() to work with a ipv6 response BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224 commit 05807488fd340751ee976c5f8a367013ff94843e Author: Earl Chew Date: Sat Dec 16 08:48:36 2023 -0800 Combine ICU libraries icu-i18n and icu-uc into a single dependency Rather than probing for icu-i18n, icu-uc, and icudata libraries separately, only probe for icu-i18n, and icu-uc, as direct dependencies This avoids overlinking with icudata, and allows the package to build even when ICU is not installed as a system library. 
RN: Only use icu-i18n and icu-uc to express ICU dependency BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623 Signed-off-by: Earl Chew Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 0c983bd0095d4fb20ef8b42f5efb740393073862 Author: Earl Chew Date: Sat Dec 16 17:47:09 2023 -0800 Improve CHECK_LIB interaction with CHECK_PKG When checking for shared libraries, only name the target library if it was not previously discovered by pkg-config --libs and now available from uselib_store. This avoids using both sources of information which results in the library being named twice on the command line. Once the library is confirmed by CHECK_LIB, append the library if not already present, to avoid dropping libraries that were previously discovered by CHECK_PKG. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623 Signed-off-by: Earl Chew Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 363c33185779141fdfbda695997d548939a0251f Author: Earl Chew Date: Sun Dec 17 08:37:33 2023 -0800 Augment library_flags() to return libraries Extend library_flags() to return the libraries provided by pkg-config --libs. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623 Signed-off-by: Earl Chew Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 5aafd2fb4042a2f787dd6a7bc9584494d29c405f Author: Rob van der Linde Date: Tue Apr 30 23:54:13 2024 +1200 selftest: add test for User.get_primary_group method Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 8fe7f0a6d507c4711c9edbc8eab86cf0a46facaf Author: Rob van der Linde Date: Tue Apr 30 23:43:30 2024 +1200 python: models: add get_primary_group method to User model Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 1f47c0f609355aa469c04dafe6c4505f5823a6e3 Author: Rob van der Linde Date: Tue Apr 30 23:42:05 2024 +1200 python: models: rename argument ldb to samdb This argument is actually an instance of SamDB (which inherits from Ldb). This should have been called samdb. Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 237d9d0228cfed6d2e08b41b888d30aac5ab89e3 Author: Stefan Metzmacher Date: Wed May 8 18:03:54 2024 +0200 tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative This expects PermissionError: [Errno 1] Operation not permitted, but it seems that setxattr() for security.NTACL works on gitlab runners without being root. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 380d9c5a7392741ff2134ef1e83df45a29293db3 Author: Stefan Metzmacher Date: Wed May 8 16:12:06 2024 +0200 .gitlab-ci-main.yml: debug kernel details of the current runner Signed-off-by: Stefan Metzmacher Reviewed
[Announce] Samba 4.20.1 Available for Download
Release Announcements - This is the latest stable release of the Samba 4.20 release series. Changes since 4.20.0 o Douglas Bagnall * BUG 15630: dns update debug message is too noisy. o Alexander Bokovoy * BUG 15635: Do not fail PAC validation for RFC8009 checksums types. o Pavel Filipenský * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad. o Anna Popova * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only flag. o Noel Power * BUG 15611: http library doesn't support 'chunked transfer encoding'. o Andreas Schneider * BUG 15600: Provide a systemd service file for the background queue daemon. ### Reporting bugs & Development Discussion ### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). == == Our Code, Our Bugs, Our Responsibility. == The Samba Team == Download Details The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The signature is made over the uncompressed tarball, so decompress the download before verifying it. The source code can be downloaded from: https://download.samba.org/pub/samba/stable/ The release notes are available online at: https://www.samba.org/samba/history/samba-4.20.1.html Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 2ec8209 NEWS[4.20.1]: Samba 4.20.1 Available for Download from 4728e21 NEWS[4.19.6]: Samba 4.19.6 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 2ec82090dff0576c8d451b444d01b9e8d2d44abf Author: Jule Anger Date: Wed May 8 10:05:24 2024 +0200 NEWS[4.20.1]: Samba 4.20.1 Available for Download Signed-off-by: Jule Anger --- Summary of changes: history/header_history.html | 1 + history/samba-4.20.1.html| 54 posted_news/20240508-080633.4.20.1.body.html | 13 ++ posted_news/20240508-080633.4.20.1.headline.html | 3 ++ 4 files changed, 71 insertions(+) create mode 100644 history/samba-4.20.1.html create mode 100644 posted_news/20240508-080633.4.20.1.body.html create mode 100644 posted_news/20240508-080633.4.20.1.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 8f60ff2..984ad78 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,6 +9,7 @@ Release Notes + samba-4.20.1 samba-4.20.0 samba-4.19.6. samba-4.19.5. diff --git a/history/samba-4.20.1.html b/history/samba-4.20.1.html new file mode 100644 index 000..1206074 --- /dev/null +++ b/history/samba-4.20.1.html 
@@ -0,0 +1,54 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xhtml;> + +Samba 4.20.1 - Release Notes + + +Samba 4.20.1 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.20.1.tar.gz;>Samba 4.20.1 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.20.1.tar.asc;>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.20.0-4.20.1.diffs.gz;>Patch (gzipped) against Samba 4.20.0 +https://download.samba.org/pub/samba/patches/samba-4.20.0-4.20.1.diffs.asc;>Signature + + + + == + Release Notes for Samba 4.20.1 +May 08, 2024 + == + + +This is the latest stable release of the Samba 4.20 release series. + + +Changes since 4.20.0 + + +o Douglas Bagnall douglas.bagn...@catalyst.net.nz + * BUG 15630: dns update debug message is too noisy. + +o Alexander Bokovoy a...@samba.org + * BUG 15635: Do not fail PAC validation for RFC8009 checksums types. + +o Pavel Filipenský pfilipen...@samba.org + * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad. + +o Anna Popova popova.anna...@gmail.com + * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only + flag. + +o Noel Power noel.po...@suse.com + * BUG 15611: http library doesnt support chunked transfer encoding. + +o Andreas Schneider a...@samba.org + * BUG 15600: Provide a systemd service file for the background queue daemon. + + + + + + diff --git a/posted_news/20240508-080633.4.20.1.body.html b/posted_news/20240508-080633.4.20.1.body.html new file mode 100644 index 000..0aef412 --- /dev/null +++ b/posted_news/20240508-080633.4.20.1.body.html 
@@ -0,0 +1,13 @@ + +08 May 2024 +Samba 4.20.1 Available for Download + +This is the first stable release of the Samba 4.20 release series. + + +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +The source code can be https://download.samba.org/pub/samba/stable/samba-4.20.1.tar.gz;>downloaded now. +A https://download.samba.org/pub/samba/patches/samba-4.20.0-4.20.1.diffs.gz;>patch against Samba 4.20.0 is also available. +See https://www.samba.org/samba/history/samba-4.20.1.html;>the release notes for more info. + + diff --git a/posted_news/20240508-080633.4.20.1.headline.html b/posted_news/20240508-080633.4.20.1.headline.html new file mode 100644 index 000..143404a --- /dev/null +++ b/posted_news/20240508-080633.4.20.1.headline.html @@ -0,0 +1,3 @@ + + 08 May 2024 Samba 4.20.1 Available for Download + -- Samba Website Repository
[SCM] Samba Shared Repository - branch v4-20-stable updated
The branch, v4-20-stable has been updated via 0ba948cba0b VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release. via d01b50ec4f3 WHATSNEW: Add release notes for Samba 4.20.1. via db658c40f5d s3:utils: Fix Inherit-Only flag being automatically propagated to children via d28a889aed2 python/samba/tests/blackbox: Add tests for Inherit-only flag propagation via 83da49f3489 tests: Add a test for "all_groups=no" to test_idmap_ad.sh via 84f82a09ffd selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad via 83701298384 s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad via 8857cf29979 docs-xml: Add parameter all_groupmem to idmap_ad via 215bb9bd48e Do not fail checksums for RFC8009 types via db60a1947b8 s4:dns_server: less noisy, more informative debug messages via 9155d89a2ae packaging: Provide a systemd service file for samba-bgqd via 077f39baf7c libcli/http: Detect unsupported Transfer-encoding type via 2fb1bf0205f selftest: Add new test for testing non-chunk transfer encoding via 30bf3d1430f selftest: fix potential reference before assigned error via a70e3a36c82 libcli/http: Handle http chunked transfer encoding via 7e17e4809d5 tests: add test for chunked encoding with http cli library via 26206392153 libcli/http: Optimise reading for content-length via 71eac5a065f selftest: Add basic content-lenght http tests via 19250e13ab6 Add simple http_client for use in black box tests (in following commits) via eaefe50327d VERSION: Bump version up to Samba 4.20.1... from 8fdd82c8b9c VERSION: Disable GIT_SNAPSHOT for the 4.20.0 release. 
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-stable - Log - --- Summary of changes: VERSION| 2 +- WHATSNEW.txt | 55 +++ auth/kerberos/kerberos_pac.c | 47 ++- docs-xml/manpages/idmap_ad.8.xml | 10 + lib/krb5_wrap/krb5_samba.h | 28 ++ libcli/http/http.c | 309 +++- libcli/http/http_internal.h| 4 + nsswitch/tests/test_idmap_ad.sh| 22 ++ .../{samba.service.in => samba-bgqd.service.in}| 9 +- packaging/wscript_build | 3 +- python/samba/tests/blackbox/http_chunk.py | 129 +++ python/samba/tests/blackbox/http_content.py| 95 + .../blackbox/smbcacls_propagate_inhertance.py | 108 ++ selftest/target/Samba3.pm | 1 + selftest/tests.py | 2 + source3/utils/smbcacls.c | 4 + source3/winbindd/winbindd_ads.c| 11 +- source4/client/http_test.c | 401 + source4/dns_server/dnsserver_common.c | 9 +- source4/wscript_build | 5 + 20 files changed, 1200 insertions(+), 54 deletions(-) copy packaging/systemd/{samba.service.in => samba-bgqd.service.in} (50%) create mode 100644 python/samba/tests/blackbox/http_chunk.py create mode 100644 python/samba/tests/blackbox/http_content.py create mode 100644 source4/client/http_test.c Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 482360b7d68..cfa7539380b 100644 --- a/VERSION +++ b/VERSION @@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=20 -SAMBA_VERSION_RELEASE=0 +SAMBA_VERSION_RELEASE=1 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 5c97836d36f..8249e9326f9 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,58 @@ + == + Release Notes for Samba 4.20.1 +May 08, 2024 + == + + +This is the latest stable release of the Samba 4.20 release series. + + +Changes since 4.20.0 + + +o Douglas Bagnall + * BUG 15630: dns update debug message is too noisy. + +o Alexander Bokovoy + * BUG 15635: Do not fail PAC validation for RFC8009 checksums types. + +o Pavel Filipenský + * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad. + +o Anna Popova + * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only + flag. + +o Noel Power + * BUG 15611: http library doesn't support 'chunked transfe
[SCM] Samba Shared Repository - annotated tag samba-4.20.1 created
The annotated tag, samba-4.20.1 has been created at dc3912d4f21e57549c2062e03c9bf94afb9d8307 (tag) tagging 0ba948cba0b8b0dd4fddbc94999a61b883a3326d (commit) replaces samba-4.20.0 tagged by Jule Anger on Wed May 8 10:05:04 2024 +0200 - Log - samba: tag release samba-4.20.1 -BEGIN PGP SIGNATURE- iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmY7MjAACgkQqplEL7aA tiDa3A//dCJ/HRwM2pK3vHtVoOVZ3FTDHRSDn+/ys4VDkby9nO78rosEmcUJhCfF jX41DgU+j6s/Y47cHAtp2uVQOTws/tY8FbMxj84XbeDlOOCXo8UPcpqhxUGP5piL LPXfENkirfAuS30G+B7tMqit+i/9fOTbKcjLfY1QPo06Cb8wle0twkVmOQzmm4rz Mh2VjIESvVeo8CVNHpS7DANtJfh27/V4gRvusnmyip6HYqRMuzzJoqOPaCYd1/fj /0E6iLFnfTfjEfqQcnLRJV5Z5UKuLgEowJ6PfUnsKIw28bFwKp5qh8Tn6n2z/sT8 kU8qO25ITAIItJy5tnrnIchvkBNxBt2MnO5OWIEbkWUhTIpcxrk69lxk0med+iDG AovAw2hFsBhdsdmcp888HnGr1j9XcfD/55JK+ETgS39Nwbow1InvsFdc51wgUAAf X39VkVLoL7W/WaFINRJS/PWkDYQ8esHXtqT7Zg/6+NNj4b2FKw6Z8yoj5r/Iwo44 TiqX+DUBWv70B0gXuRB65C++fiSJoPoCIOJR2HXV0OXFTL4Vyd0uwugiZznEd4AZ g9ESUmt4DUzsENXHJaL1WaXa2rI8UBy3VMK6VIyLGfmH3YlhJFuvFTj/DkZpQHm1 kxXX3iZZmwPlfq/qste2Ig9RWuQth3Nwoong/1frR2Gjk1FEKp4= =/YuZ -END PGP SIGNATURE- Alexander Bokovoy (1): Do not fail checksums for RFC8009 types Andreas Schneider (1): packaging: Provide a systemd service file for samba-bgqd Anna Popova (1): s3:utils: Fix Inherit-Only flag being automatically propagated to children Douglas Bagnall (1): s4:dns_server: less noisy, more informative debug messages Jule Anger (3): VERSION: Bump version up to Samba 4.20.1... WHATSNEW: Add release notes for Samba 4.20.1. VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release. 
Noel Power (8): Add simple http_client for use in black box tests (in following commits) selftest: Add basic content-lenght http tests libcli/http: Optimise reading for content-length tests: add test for chunked encoding with http cli library libcli/http: Handle http chunked transfer encoding selftest: fix potential reference before assigned error selftest: Add new test for testing non-chunk transfer encoding libcli/http: Detect unsupported Transfer-encoding type Pavel Filipenský (4): docs-xml: Add parameter all_groupmem to idmap_ad s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad tests: Add a test for "all_groups=no" to test_idmap_ad.sh yuzu367 (1): python/samba/tests/blackbox: Add tests for Inherit-only flag propagation --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 9b6bc91254c VERSION: Bump version up to Samba 4.20.2... via 0ba948cba0b VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release. via d01b50ec4f3 WHATSNEW: Add release notes for Samba 4.20.1. from db658c40f5d s3:utils: Fix Inherit-Only flag being automatically propagated to children https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 9b6bc91254c96a248047c01d68a074edea3f0e6a Author: Jule Anger Date: Wed May 8 10:00:33 2024 +0200 VERSION: Bump version up to Samba 4.20.2... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit 0ba948cba0b8b0dd4fddbc94999a61b883a3326d Author: Jule Anger Date: Wed May 8 10:00:17 2024 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release. Signed-off-by: Jule Anger commit d01b50ec4f3cc3c91677703677e3b45cd1d94758 Author: Jule Anger Date: Wed May 8 09:59:43 2024 +0200 WHATSNEW: Add release notes for Samba 4.20.1. Signed-off-by: Jule Anger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 55 +++ 2 files changed, 56 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 81c319ddc0c..e279f2933b8 100644 --- a/VERSION +++ b/VERSION @@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=20 -SAMBA_VERSION_RELEASE=1 +SAMBA_VERSION_RELEASE=2 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 5c97836d36f..8249e9326f9 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,58 @@ + == + Release Notes for Samba 4.20.1 +May 08, 2024 + == + + +This is the latest stable release of the Samba 4.20 release series. + + +Changes since 4.20.0 + + +o Douglas Bagnall + * BUG 15630: dns update debug message is too noisy. + +o Alexander Bokovoy + * BUG 15635: Do not fail PAC validation for RFC8009 checksums types. + +o Pavel Filipenský + * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad. + +o Anna Popova + * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only + flag. + +o Noel Power + * BUG 15611: http library doesn't support 'chunked transfer encoding'. + +o Andreas Schneider + * BUG 15600: Provide a systemd service file for the background queue daemon. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + == Release Notes for Samba 4.20.0 March 27, 2024 -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9844ac289be ldb-samba: ldif_read_objectSid avoids VLA via bf4af1a28a3 ldb-samba: ldif_read_objectSid() short-circuits without 'S' via 6c0bdf37187 lib/fuzzing: add fuzz_stable_sort_r_unstable via 59cbaa91348 ldb: note a transitivity problem in ldb_comparison_fold via e2051eebd49 ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold via f81b7c7eb20 ldb:attrib_handlers: use NUMERIC_CMP in ldb_comparison_fold via 3e899ef5bfa ldb-samba: remove unused ldif_comparision_objectSid_isString() via 8c702735641 ldb-samba: simplify extended_dn_read_SID() via c6c7cb8d4ba ldb-samba: simplify ldif_canonicalise_objectSid() via be5fd9a3a1b ldb-samba: simplify ldif_comparison_objectSid() via d801ed8b111 pytest: sid_strings: Samba DN object refuses sub-auth overflow via edf9b282ba6 pytest: sid_strings: adjust to match Windows 2016 via 473502d1701 pytest: sid_strings: Windows does allow lowercase s-1-... SIDs via fb724c61107 pytest: sid_strings: use more reliable well known SID via ae4f095586e ldb-samba: ldif_write_schemaInfo() uses correct size via 13af2cb0217 lib:util: codepoint_cmpi: be transitive and case-insensitive via 310d59c7cc3 lib:util:tests: more tests for codepoint_cmpi via 827b0c39ed0 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP() via c5c29f59fa6 s4:rpc_srv:getncchanges: USN sort uses qsort() instead of ldb_qsort() via 65df8ce05c1 s4:rpc_srv:getncchanges: 4.5 anc emulation uses qsort(), not ldb_qsort() via 5335f122fb5 s4:dsdb:mod: repl_md: make message_sort transitive via 7f995ab887a ldb:tools: ldbsearch doesn't need ldb_qsort() via b37186cf917 s4:dsdb:util_trusts: simplify the NULL case in dns_cmp via 91b802941c1 s4:dsdb:util_trusts: describe dns_cmp return values via 8f080c0295d ldb:tests: add a test for dotted i uppercase via af7654331fb ldb: avoid NULL deref in ldb_db_compare from d58a72c572f .gitlab-ci: Remove tags no longer provided by gitlab.com https://git.samba.org/?p=samba.git;a=shortlog;h=master 
- Log - commit 9844ac289be3430fd3f72c5e57fa00e012c5d417 Author: Douglas Bagnall Date: Sat May 4 13:40:35 2024 +1200 ldb-samba: ldif_read_objectSid avoids VLA I don't think this variable length array is any trouble, but people complain about them (e.g. https://nullprogram.com/blog/2019/10/27/) because they make things more complex at run-time, and this is a somewhat performance sensitive path. DOM_SID_STR_BUFLEN + 1 is 191 -- if that stack allocation is going to cause trouble, then so was the VLA <= that. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 8 00:26:42 UTC 2024 on atb-devel-224 commit bf4af1a28a3580223fcc3a861c7fdd1b43f234d1 Author: Douglas Bagnall Date: Sat May 4 13:32:39 2024 +1200 ldb-samba: ldif_read_objectSid() short-circuits without 'S' This avoids a memcpy, and level 3 debug verbosity from dom_sid_parse_endp(). In other places we have something like `|| in->data[1] != '-'`, but that is not useful here -- the value is either a string SID, or a binary SID that starts with '\1', or some awful value that we *do* want to get messages about. This replaces the work of ldif_comparision_objectSid_isString(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 6c0bdf371878eb1a3a1c3b1663379a89bd0ec2c0 Author: Douglas Bagnall Date: Wed May 1 17:16:38 2024 +1200 lib/fuzzing: add fuzz_stable_sort_r_unstable This should find out how well stable_sort copes with an unstable non-transitive comparison function. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 59cbaa91348857c51854ee5e6bc8f78cdcde4e56 Author: Douglas Bagnall Date: Tue Apr 30 12:41:25 2024 +1200 ldb: note a transitivity problem in ldb_comparison_fold Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit e2051eebd492a419f840280336eb242d0b4a26ac Author: Douglas Bagnall Date: Fri Apr 26 15:58:44 2024 +1200 ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold If two strings are invalid UTF-8, the string is first compared with memcmp(), which compares as unsigned char. If the strings are of different lengths and one is a substring of the other, the memcmp() returns 0 and a second comparison is made which assumes the next character in the shorter string is '\0' -- but this comparison was done using SIGNED chars (on most systems). That leads
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d58a72c572f .gitlab-ci: Remove tags no longer provided by gitlab.com from 87e31f88f28 s3:libsmb: let cli_session_creds_init() keep the value from 'client use kerberos' https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d58a72c572f63619111f43f6ea39ff84ae0df16e Author: Andrew Bartlett Date: Tue May 7 22:32:08 2024 +1200 .gitlab-ci: Remove tags no longer provided by gitlab.com GitLab.com removed a number of tags from their hosted runners and this meant our CI was being redirected to our private runners at a larger cost to the Samba Team. The new infrastructure is much larger than when we last selected runners so we can just use the default, even for the code coverage build. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15638 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue May 7 13:40:55 UTC 2024 on atb-devel-224 --- Summary of changes: .gitlab-ci-coverage-runners.yml | 8 +--- .gitlab-ci-default-runners.yml | 44 +++-- 2 files changed, 12 insertions(+), 40 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-coverage-runners.yml b/.gitlab-ci-coverage-runners.yml index 0f6b2ec1581..331c5d2399c 100644 --- a/.gitlab-ci-coverage-runners.yml +++ b/.gitlab-ci-coverage-runners.yml @@ -1,10 +1,4 @@ include: - /.gitlab-ci-default-runners.yml -.shared_runner_test: - # We need the more powerful n1-standard-2 runners - # in order to handle the lcov overhead. - # - # See .gitlab-ci-default-runners.yml for more details - tags: -- gitlab-org-docker +# Currently we're happy with the defaults diff --git a/.gitlab-ci-default-runners.yml b/.gitlab-ci-default-runners.yml index f73f868d39c..bdc504aff21 100644 --- a/.gitlab-ci-default-runners.yml +++ b/.gitlab-ci-default-runners.yml 
@@ -1,48 +1,26 @@ -# From https://docs.gitlab.com/ee/user/gitlab_com/#shared-runners: +# From https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html # # ... # -# All your CI/CD jobs run on n1-standard-1 instances with 3.75GB of RAM, CoreOS -# and the latest Docker Engine installed. Instances provide 1 vCPU and 25GB of -# HDD disk space. The default region of the VMs is US East1. Each instance is -# used only for one job, this ensures any sensitive data left on the system can’t -# be accessed by other people their CI jobs. -# -# The gitlab-shared-runners-manager-X.gitlab.com fleet of runners are dedicated -# for GitLab projects as well as community forks of them. They use a slightly -# larger machine type (n1-standard-2) and have a bigger SSD disk size. They don’t -# run untagged jobs and unlike the general fleet of shared runners, the instances -# are re-used up to 40 times. -# -# ... -# -# The n1-standard-1 runners seem to be tagged with 'docker' together with 'gce'. -# -# The more powerful n1-standard-2 runners seem to be tagged with -# 'gitlab-org-docker' or some with just 'gitlab-org'. -# +# Runner Tag vCPUs Memory Storage +# saas-linux-small-amd64 2 8 GB 25 GB # # Our current private runner 'docker', 'samba-ci-private', 'shared' and # 'ubuntu2204'. It runs with an ubuntu2204 kernel (5.15) and provides an -# ext4 filesystem and similar RAM as the n1-standard-2 runners. +# ext4 filesystem, 2 CPU and 4 GB (shared tag) 8G (samba-ci-private tag) RAM. # .shared_runner_build: - # We use n1-standard-1 shared runners by default. - # - # There are currently 5 shared runners with 'docker' and 'gce', - # while there are only 2 provising 'docker' together with 'shared'. + # We use saas-linux-small-amd64 shared runners by default. 
+ # We avoid adding explicit tags for them in order + # to work with potential changes in future # - # We used to fallback to our private runner if the docker+shared runners - # were busy, but now that we use the 5 docker+gce runners, we try to only - # use shared runners without a fallback to our private runner! - # Lets see how that will work out. - tags: -- docker -- gce + # In order to generate valid yaml, we define a dummy variable... + variables: +SAMBA_SHARED_RUNNER_BUILD_DUMMY_VARIABLE: shared_runner_build .shared_runner_test: - # Currently we're fine using the n1-standard-1 runners also for testing + # We use saas-linux-small-amd64 shared runners by default. extends: .shared_runner_build .private_runner_test: -- Samba Shared Repository
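Review bot: With the `tags:` list removed from `.shared_runner_build`, where these jobs run is decided by runner-side settings rather than by this file, and the new comment does not record that assumption. Any runner available to the project that accepts untagged jobs can pick them up. If the private runner described in the comment block above were configured to run untagged jobs, the jobs would presumably land on it again, which is the cost problem the commit message describes and would also run pipeline code on the team's own host. I would add a line such as `# Relies on the private runner NOT accepting untagged jobs` next to the "We avoid adding explicit tags" comment.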
[SCM] Samba Shared Repository - branch master updated
TALLOC_CTX *mem_ctx); +NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security); + #endif /* __GENSEC_H__ */ diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c index b6b4a722f27..0c7688d33d2 100644 --- a/auth/gensec/gensec_util.c +++ b/auth/gensec/gensec_util.c @@ -23,10 +23,14 @@ #include "includes.h" #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_internal.h" +#include "auth/credentials/credentials.h" #include "auth/common_auth.h" #include "../lib/util/asn1.h" #include "param/param.h" #include "libds/common/roles.h" +#include "lib/util/util_net.h" + +#undef strcasecmp #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH 
@@ -336,3 +340,80 @@ const char *gensec_child_final_auth_type(struct gensec_security *gensec_security return gensec_final_auth_type(gensec_security->child_security); } + +char *gensec_get_unparsed_target_principal(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx) +{ + const char *target_principal = gensec_get_target_principal(gensec_security); + const char *service = gensec_get_target_service(gensec_security); + const char *hostname = gensec_get_target_hostname(gensec_security); + + if (target_principal != NULL) { + return talloc_strdup(mem_ctx, target_principal); + } else if (service != NULL && hostname != NULL) { + return talloc_asprintf(mem_ctx, "%s/%s", service, hostname); + } else if (hostname != NULL) { + return talloc_strdup(mem_ctx, target_principal); + } + + return NULL; +} + +NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security) +{ + struct cli_credentials *creds = gensec_get_credentials(gensec_security); + bool auth_requested = cli_credentials_authentication_requested(creds); + enum credentials_use_kerberos krb5_state = + cli_credentials_get_kerberos_state(creds); + char *user_principal = NULL; + const char *client_realm = cli_credentials_get_realm(creds); + const char *target_principal = gensec_get_target_principal(gensec_security); + const char *hostname = gensec_get_target_hostname(gensec_security); + + if (!auth_requested) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (krb5_state == CRED_USE_KERBEROS_DISABLED) { -- Samba Shared Repository
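Review bot: In gensec_get_unparsed_target_principal() the last branch, `else if (hostname != NULL)`, returns `talloc_strdup(mem_ctx, target_principal)`, but `target_principal` is already known to be NULL there because the first branch handled the non-NULL case. talloc_strdup() of NULL yields NULL, so the branch behaves exactly like the final `return NULL;`, and a caller cannot tell "no target" from an allocation failure. If a hostname-only principal was intended, the line would presumably be `return talloc_strdup(mem_ctx, hostname);`. Otherwise the branch can be dropped, with a comment saying that a hostname without a service yields NULL. The mail's 500-line limit cuts the hunk off inside gensec_kerberos_possible(), so this note covers only the first function.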
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via b00c09bee3b s3:utils: Fix Inherit-Only flag being automatically propagated to children via e703c0c3914 python/samba/tests/blackbox: Add tests for Inherit-only flag propagation from 2930a1955bf libcli/http: Detect unsupported Transfer-encoding type https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit b00c09bee3bc28e5637fd786122faeb6b200f2c5 Author: Anna Popova Date: Fri Apr 12 17:32:37 2024 +0300 s3:utils: Fix Inherit-Only flag being automatically propagated to children Inherit-only flag applies only to the container it was set to and it shouldn't be automatically propagated to children. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636 Signed-off-by: Anna Popova Reviewed-by: Noel Power Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224 (cherry picked from commit 80159018e411c643fbfe7ef82bd33e30b6147901) Autobuild-User(v4-19-test): Jule Anger Autobuild-Date(v4-19-test): Tue May 7 09:31:32 UTC 2024 on atb-devel-224 commit e703c0c3914d79f5ae4f42b3055e7a2005194927 Author: yuzu367 Date: Thu Apr 11 11:31:07 2024 +0300 python/samba/tests/blackbox: Add tests for Inherit-only flag propagation BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636 Signed-off-by: Anna Popova Reviewed-by: Noel Power Reviewed-by: Ralph Boehme (cherry picked from commit eba2bfde347041a395f0fbd3c57235be63b1890d) --- Summary of changes: .../blackbox/smbcacls_propagate_inhertance.py | 108 + selftest/knownfail.d/smbcacls | 0 source3/utils/smbcacls.c | 4 + 3 files changed, 112 insertions(+) delete mode 100644 selftest/knownfail.d/smbcacls Changeset truncated at 500 lines: diff --git a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py index cfe7e0b0b96..2c21c83ccd4 100644 --- a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py 
+++ b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py 
@@ -1288,3 +1288,111 @@ class InheritanceSmbCaclsTests(SmbCaclsBlockboxTestBase): except BlackboxProcessError as e: self.fail(str(e)) + +def test_simple_iocioi_add(self): +"""test smbcacls '--propagate-inheritance --add' which attempts to add the ACL +for the file and additionally use inheritance rules to propagate appropriate +changes to children + +This test adds an ACL with (IO)(CI)(OI)(READ) + +before: + ++-tar_test_dir/(OI)(CI)(I)(F) + +-oi_dir/(OI)(CI)(I)(F) + | +-file.1(I)(F) + | +-nested/ (OI)(CI)(I)(F) + | +-file.2 (I)(F) + | +-nested_again/ (OI)(CI)(I)(F) + | +-file.3 (I)(F) + +after/expected: + ++-tar_test_dir/(OI)(CI)(I)(F) + +-oi_dir/(OI)(CI)(I)(F), (IO)(CI)(OI)(READ) + | +-file.1(I)(F), (I)(READ) + | +-nested/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ) + | +-file.2 (I)(F), (I)(READ) + | +-nested_again/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ) + | +-file.3 (I)(F), (I)(READ)""" + +dir_add_acl_str = "ACL:%s:ALLOWED/OI|CI|IO/READ" % self.user +obj_inherited_ace_str = "ACL:%s:ALLOWED/I/READ" % self.user +dir_inherited_ace_str = "ACL:%s:ALLOWED/OI|CI|I/READ" % self.user + +try: + +self.smb_cacls(["--propagate-inheritance", "--add", +dir_add_acl_str, self.oi_dir]) + +# check top level container 'oi_dir' has IO|CI|OI/READ +dir_ace = self.ace_parse_str(dir_add_acl_str) +self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace)) + +# file 'oi_dir/file-1' should have inherited I/READ +child_file_ace = self.ace_parse_str(obj_inherited_ace_str) +self.assertTrue(self.file_ace_check(self.f1, child_file_ace)) + +# nested dir 'oi_dir/nested/' should have I|CI|OI/READ +child_dir_ace = self.ace_parse_str(dir_inherited_ace_str) +self.assertTrue(self.file_ace_check(self.nested_dir, child_dir_ace)) + +# nested file 'oi_dir/nested/file-2' should have inherited I/READ +self.assertTrue(self.file_ace_check(self.f2, child_file_ace)) + +# nested_again dir 'oi_dir/nested/nested_again' should have I|CI|OI/READ +child_dir_ace = self.ace_parse_str(dir_inherited
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via db658c40f5d s3:utils: Fix Inherit-Only flag being automatically propagated to children via d28a889aed2 python/samba/tests/blackbox: Add tests for Inherit-only flag propagation from 83da49f3489 tests: Add a test for "all_groups=no" to test_idmap_ad.sh https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit db658c40f5d8aeef9dcc190753b7d14b1fa3f5fb Author: Anna Popova Date: Fri Apr 12 17:32:37 2024 +0300 s3:utils: Fix Inherit-Only flag being automatically propagated to children Inherit-only flag applies only to the container it was set to and it shouldn't be automatically propagated to children. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636 Signed-off-by: Anna Popova Reviewed-by: Noel Power Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224 (cherry picked from commit 80159018e411c643fbfe7ef82bd33e30b6147901) Autobuild-User(v4-20-test): Jule Anger Autobuild-Date(v4-20-test): Tue May 7 08:52:48 UTC 2024 on atb-devel-224 commit d28a889aed25ac98ba4ef34b26190224e5ebe907 Author: yuzu367 Date: Thu Apr 11 11:31:07 2024 +0300 python/samba/tests/blackbox: Add tests for Inherit-only flag propagation BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636 Signed-off-by: Anna Popova Reviewed-by: Noel Power Reviewed-by: Ralph Boehme (cherry picked from commit eba2bfde347041a395f0fbd3c57235be63b1890d) --- Summary of changes: .../blackbox/smbcacls_propagate_inhertance.py | 108 + source3/utils/smbcacls.c | 4 + 2 files changed, 112 insertions(+) Changeset truncated at 500 lines: diff --git a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py index cc13727b8fb..5b3a27111d5 100644 --- a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py +++ b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py 
@@ -1288,3 +1288,111 @@ class InheritanceSmbCaclsTests(SmbCaclsBlockboxTestBase): except BlackboxProcessError as e: self.fail(str(e)) + +def test_simple_iocioi_add(self): +"""test smbcacls '--propagate-inheritance --add' which attempts to add the ACL +for the file and additionally use inheritance rules to propagate appropriate +changes to children + +This test adds an ACL with (IO)(CI)(OI)(READ) + +before: + ++-tar_test_dir/(OI)(CI)(I)(F) + +-oi_dir/(OI)(CI)(I)(F) + | +-file.1(I)(F) + | +-nested/ (OI)(CI)(I)(F) + | +-file.2 (I)(F) + | +-nested_again/ (OI)(CI)(I)(F) + | +-file.3 (I)(F) + +after/expected: + ++-tar_test_dir/(OI)(CI)(I)(F) + +-oi_dir/(OI)(CI)(I)(F), (IO)(CI)(OI)(READ) + | +-file.1(I)(F), (I)(READ) + | +-nested/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ) + | +-file.2 (I)(F), (I)(READ) + | +-nested_again/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ) + | +-file.3 (I)(F), (I)(READ)""" + +dir_add_acl_str = "ACL:%s:ALLOWED/OI|CI|IO/READ" % self.user +obj_inherited_ace_str = "ACL:%s:ALLOWED/I/READ" % self.user +dir_inherited_ace_str = "ACL:%s:ALLOWED/OI|CI|I/READ" % self.user + +try: + +self.smb_cacls(["--propagate-inheritance", "--add", +dir_add_acl_str, self.oi_dir]) + +# check top level container 'oi_dir' has IO|CI|OI/READ +dir_ace = self.ace_parse_str(dir_add_acl_str) +self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace)) + +# file 'oi_dir/file-1' should have inherited I/READ +child_file_ace = self.ace_parse_str(obj_inherited_ace_str) +self.assertTrue(self.file_ace_check(self.f1, child_file_ace)) + +# nested dir 'oi_dir/nested/' should have I|CI|OI/READ +child_dir_ace = self.ace_parse_str(dir_inherited_ace_str) +self.assertTrue(self.file_ace_check(self.nested_dir, child_dir_ace)) + +# nested file 'oi_dir/nested/file-2' should have inherited I/READ +self.assertTrue(self.file_ace_check(self.f2, child_file_ace)) + +# nested_again dir 'oi_dir/nested/nested_again' should have I|CI|OI/READ +child_dir_ace = self.ace_parse_str(dir_inherited_ace_str) 
+self.assertTrue(self.file_ace_check(self.nested_again_dir, child_di
[SCM] Samba Shared Repository - branch master updated
eparse_data_buffer() was duplicated code Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 4b98f993a257ca66df0cb42f920377dbe4b2bc91 Author: Volker Lendecke Date: Sat May 4 11:19:14 2024 +0200 smbd: Prepare to return the reparse tag from fsctl_get_reparse_point We'll need this in many places, for example when listing directories Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit db5c23e4be79ab501b06ee31bb2a562287eb9dd7 Author: Volker Lendecke Date: Sat May 4 19:32:03 2024 +0200 smbd: Change the output of fsctl_get_reparse_point to uint8 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit fafe29a26407237d9742cf135a7db759c88656b6 Author: Volker Lendecke Date: Sat May 4 10:54:27 2024 +0200 reparse: Tighten reparse point length check test_create_reparse shows that the length checks need to be precise, not just checking for overflow. Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 2defbc994de3c0ce763c5272bdf23b6054e5af95 Author: Volker Lendecke Date: Fri Dec 2 15:02:18 2022 +0100 smbd: Return FILE_ATTRIBUTE_REPARSE_POINT from "user.DOSATTRIB" Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison --- Summary of changes: libcli/smb/reparse.c | 12 +- libcli/smb/reparse.h| 5 + python/samba/tests/reparsepoints.py | 104 +-- selftest/knownfail.d/reparse| 2 + selftest/skip | 1 - source3/include/smb.h | 2 + source3/modules/util_reparse.c | 251 source3/modules/util_reparse.h | 5 +- source3/modules/vfs_default.c | 3 +- source3/smbd/dosmode.c | 12 +- source3/smbd/smb2_trans2.c | 1 + 11 files changed, 352 insertions(+), 46 deletions(-) create mode 100644 selftest/knownfail.d/reparse Changeset truncated at 500 lines: diff --git a/libcli/smb/reparse.c b/libcli/smb/reparse.c index 49ecc77725d..08071ca85d7 100644 --- a/libcli/smb/reparse.c +++ b/libcli/smb/reparse.c 
@@ -26,11 +26,11 @@ #include "lib/util/charset/charset.h" #include "smb_util.h" -static NTSTATUS reparse_buffer_check(const uint8_t *in_data, -size_t in_len, -uint32_t *reparse_tag, -const uint8_t **_reparse_data, -size_t *_reparse_data_length) +NTSTATUS reparse_buffer_check(const uint8_t *in_data, + size_t in_len, + uint32_t *reparse_tag, + const uint8_t **_reparse_data, + size_t *_reparse_data_length) { uint16_t reparse_data_length; @@ -45,7 +45,7 @@ static NTSTATUS reparse_buffer_check(const uint8_t *in_data, reparse_data_length = PULL_LE_U16(in_data, 4); - if (reparse_data_length > (in_len - 8)) { + if (reparse_data_length != (in_len - 8)) { DBG_DEBUG("in_len=%zu, reparse_data_length=%" PRIu16 "\n", in_len, reparse_data_length); diff --git a/libcli/smb/reparse.h b/libcli/smb/reparse.h index 23274bf3852..e4410d974e4 100644 --- a/libcli/smb/reparse.h +++ b/libcli/smb/reparse.h @@ -63,6 +63,11 @@ struct reparse_data_buffer { } parsed; }; +NTSTATUS reparse_buffer_check(const uint8_t *in_data, + size_t in_len, + uint32_t *reparse_tag, + const uint8_t **_reparse_data, + size_t *_reparse_data_length); NTSTATUS reparse_data_buffer_parse(TALLOC_CTX *mem_ctx, struct reparse_data_buffer *dst, const uint8_t *buf, diff --git a/python/samba/tests/reparsepoints.py b/python/samba/tests/reparsepoints.py index cb7421df518..96ca6eefdd5 100644 --- a/python/samba/tests/reparsepoints.py +++ b/python/samba/tests/reparsepoints.py @@ -24,7 +24,9 @@ import samba.tests.libsmb class ReparsePoints(samba.tests.libsmb.LibsmbTests): def connection(self): -share = samba.tests.env_get_var_value("SHARENAME") +share = samba.tests.env_get_var_value("SHARENAME", allow_missing=True) +if not share: +share = "tmp" smb1 = samba.tests.env_get_var_value("SMB1", allow_missing=True) conn = libsmb.Conn( self.server_ip, @@ -72,9 +74,11 @@ class ReparsePoints(samba.tests.libsmb.LibsmbTests): fd = conn.create( filename, -DesiredAccess=sec.SEC_FILE_WRITE_ATTRIBUTE, +
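Review bot: The tightened test `reparse_data_length != (in_len - 8)` in the second reparse.c hunk still subtracts from a `size_t`, so it is only sound if `in_len >= 8` was enforced earlier; that guard is not visible here and presumably sits above the `PULL_LE_U16` read, outside the hunk. Because the first hunk drops `static` and reparse.h now exports the function, it is worth making the precondition local to the comparison, e.g. `if ((in_len < 8) || (reparse_data_length != (in_len - 8))) {`, so a later edit to the earlier check cannot turn a short buffer into a wrapped length. The new prototype in reparse.h also carries no comment; one line saying the input must be exactly 8 bytes plus `reparse_data_length`, with trailing data rejected, would tell new callers what the check now enforces.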
[SCM] Samba Shared Repository - branch master updated
: f5d6e3bdbf9098a6ddde0b7f2e07ffc9ad1b1dc3) Address 0x7f4f91ff51a0 is located in stack of thread T0 at offset 416 in frame #0 0x7f4f8e852b37 in gkdi_new_root_key ../../source4/dsdb/gmsa/gkdi.c:537 This frame has 12 object(s): [32, 40) 'root_key_dn' (line 539) [64, 72) 'res' (line 540) [96, 104) 'server_config_res' (line 118) [128, 136) 'kdf_algorithm' (line 128) [160, 168) 'domain_dn' (line 388) [192, 208) 'kdf_parameters_blob' (line 129) [224, 240) 'root_key_data_blob' (line 353) [256, 272) 'guid_blob' (line 467) [288, 312) 'kdf_parameters' (line 226) [352, 368) 'root_key_id' (line 116) [384, 400) 'guid_buf' (line 466) [416, 480) 'root_key_data' (line 352) <== Memory access at offset 416 is inside this variable Signed-off-by: Andreas Schneider Reviewed-by: Joseph Sutton Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Fri May 3 12:20:55 UTC 2024 on atb-devel-224 --- Summary of changes: source4/dsdb/gmsa/gkdi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/gmsa/gkdi.c b/source4/dsdb/gmsa/gkdi.c index 5aa675b67f3..7acc1b4996e 100644 --- a/source4/dsdb/gmsa/gkdi.c +++ b/source4/dsdb/gmsa/gkdi.c @@ -128,6 +128,7 @@ static int gkdi_create_root_key(TALLOC_CTX *mem_ctx, struct KdfAlgorithm kdf_algorithm; DATA_BLOB kdf_parameters_blob = data_blob_null; struct ldb_message *add_msg = NULL; + uint8_t root_key_data[GKDI_KEY_LEN]; NTSTATUS status = NT_STATUS_OK; int ret = LDB_SUCCESS; @@ -349,7 +350,6 @@ static int gkdi_create_root_key(TALLOC_CTX *mem_ctx, } { - uint8_t root_key_data[GKDI_KEY_LEN]; const DATA_BLOB root_key_data_blob = { .data = root_key_data, .length = sizeof root_key_data}; -- Samba Shared Repository
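Review bot: Hoisting `root_key_data` to function scope fixes the use-after-scope, but the buffer, which by its name and `GKDI_KEY_LEN` size appears to hold root key material, now stays live on the stack until `gkdi_create_root_key` returns. Nothing in the two hunks clears it; the function's exit path is outside them, so this may already be handled there. If it is not, wipe it on every return path, for example `BURN_DATA(root_key_data);` before the final return. A short comment beside the declaration noting that `root_key_data_blob` points into this array would also record why it cannot live in the inner block.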
[SCM] Samba Shared Repository - branch master updated
db_data(id_buf, sizeof(id_buf))); return status; @@ -131,7 +131,7 @@ static NTSTATUS fget_acl_blob(TALLOC_CTX *ctx, id = vfs_file_id_from_sbuf(handle->conn, >fsp_name->st); /* For backwards compatibility only store the dev/inode. */ - push_file_id_16((char *)id_buf, ); + push_file_id_16(id_buf, ); status = dbwrap_fetch(db, ctx, @@ -179,7 +179,7 @@ static NTSTATUS store_acl_blob_fsp(vfs_handle_struct *handle, id = vfs_file_id_from_sbuf(handle->conn, >fsp_name->st); /* For backwards compatibility only store the dev/inode. */ - push_file_id_16((char *)id_buf, ); + push_file_id_16(id_buf, ); status = dbwrap_store( db, make_tdb_data(id_buf, sizeof(id_buf)), data, 0); diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c index 62ad5063af0..379802fc547 100644 --- a/source3/modules/vfs_default.c +++ b/source3/modules/vfs_default.c @@ -1478,7 +1478,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle, case FSCTL_CREATE_OR_GET_OBJECT_ID: { unsigned char objid[16]; - char *return_data = NULL; + uint8_t *return_data = NULL; /* This should return the object-id on this file. * I think I'll make this be the inode+dev. JRA. @@ -1490,7 +1490,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle, *out_len = MIN(max_out_len, 64); /* Hmmm, will this cause problems if less data asked for? */ - return_data = talloc_array(ctx, char, 64); + return_data = talloc_array(ctx, uint8_t, 64); if (return_data == NULL) { return NT_STATUS_NO_MEMORY; } @@ -1498,9 +1498,9 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle, /* For backwards compatibility only store the dev/inode. */ push_file_id_16(return_data, >file_id); memcpy(return_data+16,create_volume_objectid(fsp->conn,objid),16); - push_file_id_16(return_data+32, >file_id); + push_file_id_16(return_data + 32, >file_id); memset(return_data+48, 0, 16); - *out_data = return_data; + *_out_data = return_data; return NT_STATUS_OK; } 
diff --git a/source3/modules/vfs_streams_depot.c b/source3/modules/vfs_streams_depot.c index f9701cc66ed..1221b2c2be2 100644 --- a/source3/modules/vfs_streams_depot.c +++ b/source3/modules/vfs_streams_depot.c @@ -215,7 +215,7 @@ static char *stream_dir(vfs_handle_struct *handle, id = SMB_VFS_FILE_ID_CREATE(handle->conn, _sbuf_tmp); - push_file_id_16((char *)id_buf, ); + push_file_id_16(id_buf, ); hash = hash_fn(data_blob_const(id_buf, sizeof(id_buf))); diff --git a/source3/passdb/machine_sid.c b/source3/passdb/machine_sid.c index 16ef6ce266c..c6b8ed403ea 100644 --- a/source3/passdb/machine_sid.c +++ b/source3/passdb/machine_sid.c @@ -21,7 +21,6 @@ */ #include "includes.h" -#include "lib/util/util_file.h" #include "passdb/machine_sid.h" #include "secrets.h" #include "dbwrap/dbwrap.h" @@ -42,19 +41,24 @@ static struct dom_sid *global_sam_sid=NULL; static bool read_sid_from_file(const char *fname, struct dom_sid *sid) { - char **lines; - int numlines; - bool ret; - - lines = file_lines_load(fname, ,0, NULL); + char *line = NULL; + size_t n; + ssize_t len; + bool ret = false; + FILE *f = NULL; + + f = fopen(fname, "r"); + if (f == NULL) { + return false; + } - if (!lines || numlines < 1) { - TALLOC_FREE(lines); - return False; + len = getline(, , f); + if (len >= 0) { + ret = string_to_sid(sid, line); + SAFE_FREE(line); } - ret = string_to_sid(sid, lines[0]); - TALLOC_FREE(lines); + fclose(f); return ret; } diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c index 29d224c427d..1129576f751 100644 --- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c +++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c @@ -30,6 +30,7 @@ #include "librpc/rpc/dcesrv_core.h" #include "librpc/gen_ndr/ndr_srvsvc.h" #include "librpc/gen_ndr/ndr_srvsvc_scompat.h" +#include "librpc/gen_ndr/ndr_open_files.h" #include "../libcli/security/security.h" #include "../librpc/gen_ndr/ndr_security.h" -- Samba Shared Repository
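Review bot: In the rewritten `read_sid_from_file`, `SAFE_FREE(line)` runs only when `getline()` succeeds, yet getline may allocate the buffer even when it returns -1 (an empty file, for instance), so that path can leak; move the free out of the `if` block, next to `fclose(f)`. `size_t n` is also passed uninitialised; `size_t n = 0;` alongside `line = NULL` is the conventional form. The removed `file_lines_load()` path handed over an already-split line, whereas `getline()` keeps the trailing newline, so confirm that `string_to_sid()` accepts it or strip it first, otherwise an existing SID file could stop parsing.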
[SCM] Samba Shared Repository - branch master updated
ldif.c index 96237dd0abf..24a0bcdefa5 100644 --- a/lib/ldb/common/ldb_ldif.c +++ b/lib/ldb/common/ldb_ldif.c @@ -45,7 +45,8 @@ static int ldb_read_data_file(TALLOC_CTX *mem_ctx, struct ldb_val *value) { struct stat statbuf; char *buf; - int count, size, bytes; + size_t count, size; + ssize_t bytes; int ret; int f; const char *fname = (const char *)value->data; diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c index bbb7ff96233..8477ab2b00b 100644 --- a/lib/ldb/common/ldb_msg.c +++ b/lib/ldb/common/ldb_msg.c @@ -1256,7 +1256,7 @@ int ldb_msg_normalize(struct ldb_context *ldb, sizeof(struct ldb_val) * el2->num_values); el1->num_values += el2->num_values; talloc_free(discard_const_p(char, el2->name)); - if ((i+1) < msg2->num_elements) { + if ((i + 1 > i) && ((i + 1) < msg2->num_elements)) { memmove(el2, el2+1, sizeof(struct ldb_message_element) * (msg2->num_elements - (i+1))); } diff --git a/lib/tdb/pytdb.c b/lib/tdb/pytdb.c index 4d75d7a9041..3b1842c02c1 100644 --- a/lib/tdb/pytdb.c +++ b/lib/tdb/pytdb.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. Python interface to tdb. @@ -44,7 +44,7 @@ static PyTypeObject PyTdb; static void PyErr_SetTDBError(TDB_CONTEXT *tdb) { - PyErr_SetObject(PyExc_RuntimeError, + PyErr_SetObject(PyExc_RuntimeError, Py_BuildValue("(i,s)", tdb_error(tdb), tdb_errorstr(tdb))); } @@ -294,7 +294,7 @@ static PyObject *obj_nextkey(PyTdbObject *self, PyObject *args) key = PyBytes_AsTDB_DATA(py_key); if (!key.dptr) return NULL; - + return PyBytes_FromTDB_DATA(tdb_nextkey(self->ctx, key)); } @@ -383,6 +383,10 @@ static PyObject *obj_storev(PyTdbObject *self, PyObject *args) PyErr_SetFromErrno(PyExc_OverflowError); return NULL; } + if (num_values > INT_MAX) { + PyErr_SetFromErrno(PyExc_OverflowError); + return NULL; + } values = malloc(sizeof(TDB_DATA) * num_values); if (values == NULL) { PyErr_NoMemory(); 
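Review bot: The added `(i + 1 > i)` term in the `ldb_msg_normalize` hunk works as a wraparound test only if `i` is an unsigned type; its declaration is outside the hunk, and for a signed `i` the compiler may treat the comparison as always true and drop it. The intent is also easy to miss when reading the condition, so a one-line comment above it such as `/* i + 1 must not wrap before it is used as an index and count */` would help the next reader.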
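Review bot: The new `num_values > INT_MAX` branch in `obj_storev` reports the failure with `PyErr_SetFromErrno(PyExc_OverflowError)`, but nothing on that path sets `errno`, so the exception carries whatever stale value is there, possibly 0. An explicit message states the actual problem: `PyErr_SetString(PyExc_OverflowError, "too many values for tdb_storev");`. The context lines just above use the same call for the preceding check, whose condition is outside the hunk, and probably deserve the same change.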
@@ -398,7 +402,7 @@ static PyObject *obj_storev(PyTdbObject *self, PyObject *args) values[i] = value; } - ret = tdb_storev(self->ctx, key, values, num_values, flag); + ret = tdb_storev(self->ctx, key, values, (int)num_values, flag); free(values); PyErr_TDB_ERROR_IS_ERR_RAISE(ret, self->ctx); Py_RETURN_NONE; @@ -466,7 +470,7 @@ PyTypeObject PyTdbIterator = { static PyObject *tdb_object_iter(PyTdbObject *self, PyObject *Py_UNUSED(ignored)) { - PyTdbIteratorObject *ret; + PyTdbIteratorObject *ret; PyErr_TDB_RAISE_IF_CLOSED(self); @@ -514,7 +518,7 @@ static PyObject *obj_increment_seqnum_nonblock(PyTdbObject *self, } static PyMethodDef tdb_object_methods[] = { - { "transaction_cancel", (PyCFunction)obj_transaction_cancel, METH_NOARGS, + { "transaction_cancel", (PyCFunction)obj_transaction_cancel, METH_NOARGS, "S.transaction_cancel() -> None\n" "Cancel the currently active transaction." }, { "transaction_commit", (PyCFunction)obj_transaction_commit, METH_NOARGS, @@ -713,9 +717,9 @@ static int obj_setitem(PyTdbObject *self, PyObject *key, PyObject *value) tkey = PyBytes_AsTDB_DATA(key); - if (value == NULL) { + if (value == NULL) { ret = tdb_delete(self->ctx, tkey); - } else { + } else { if (!PyBytes_Check(value)) { PyErr_SetString(PyExc_TypeError, "Expected string as value"); return -1; @@ -729,7 +733,7 @@ static int obj_setitem(PyTdbObject *self, PyObject *key, PyObject *value) if (ret != 0) { PyErr_SetTDBError(self->ctx); return -1; - } + } return ret; } -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 80159018e41 s3:utils: Fix Inherit-Only flag being automatically propagated to children via eba2bfde347 python/samba/tests/blackbox: Add tests for Inherit-only flag propagation from 96b5cfe4e6c s3:libsmb: Pass a memory context to get_ipc_connect() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 80159018e411c643fbfe7ef82bd33e30b6147901 Author: Anna Popova Date: Fri Apr 12 17:32:37 2024 +0300 s3:utils: Fix Inherit-Only flag being automatically propagated to children Inherit-only flag applies only to the container it was set to and it shouldn't be automatically propagated to children. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636 Signed-off-by: Anna Popova Reviewed-by: Noel Power Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224 commit eba2bfde347041a395f0fbd3c57235be63b1890d Author: yuzu367 Date: Thu Apr 11 11:31:07 2024 +0300 python/samba/tests/blackbox: Add tests for Inherit-only flag propagation BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636 Signed-off-by: Anna Popova Reviewed-by: Noel Power Reviewed-by: Ralph Boehme --- Summary of changes: .../blackbox/smbcacls_propagate_inhertance.py | 108 + source3/utils/smbcacls.c | 4 + 2 files changed, 112 insertions(+) Changeset truncated at 500 lines: diff --git a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py index cc13727b8fb..5b3a27111d5 100644 --- a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py +++ b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py 
@@ -1288,3 +1288,111 @@ class InheritanceSmbCaclsTests(SmbCaclsBlockboxTestBase): except BlackboxProcessError as e: self.fail(str(e)) + +def test_simple_iocioi_add(self): +"""test smbcacls '--propagate-inheritance --add' which attempts to add the ACL +for the file and additionally use inheritance rules to propagate appropriate +changes to children + +This test adds an ACL with (IO)(CI)(OI)(READ) + +before: + ++-tar_test_dir/(OI)(CI)(I)(F) + +-oi_dir/(OI)(CI)(I)(F) + | +-file.1(I)(F) + | +-nested/ (OI)(CI)(I)(F) + | +-file.2 (I)(F) + | +-nested_again/ (OI)(CI)(I)(F) + | +-file.3 (I)(F) + +after/expected: + ++-tar_test_dir/(OI)(CI)(I)(F) + +-oi_dir/(OI)(CI)(I)(F), (IO)(CI)(OI)(READ) + | +-file.1(I)(F), (I)(READ) + | +-nested/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ) + | +-file.2 (I)(F), (I)(READ) + | +-nested_again/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ) + | +-file.3 (I)(F), (I)(READ)""" + +dir_add_acl_str = "ACL:%s:ALLOWED/OI|CI|IO/READ" % self.user +obj_inherited_ace_str = "ACL:%s:ALLOWED/I/READ" % self.user +dir_inherited_ace_str = "ACL:%s:ALLOWED/OI|CI|I/READ" % self.user + +try: + +self.smb_cacls(["--propagate-inheritance", "--add", +dir_add_acl_str, self.oi_dir]) + +# check top level container 'oi_dir' has IO|CI|OI/READ +dir_ace = self.ace_parse_str(dir_add_acl_str) +self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace)) + +# file 'oi_dir/file-1' should have inherited I/READ +child_file_ace = self.ace_parse_str(obj_inherited_ace_str) +self.assertTrue(self.file_ace_check(self.f1, child_file_ace)) + +# nested dir 'oi_dir/nested/' should have I|CI|OI/READ +child_dir_ace = self.ace_parse_str(dir_inherited_ace_str) +self.assertTrue(self.file_ace_check(self.nested_dir, child_dir_ace)) + +# nested file 'oi_dir/nested/file-2' should have inherited I/READ +self.assertTrue(self.file_ace_check(self.f2, child_file_ace)) + +# nested_again dir 'oi_dir/nested/nested_again' should have I|CI|OI/READ +child_dir_ace = self.ace_parse_str(dir_inherited_ace_str) 
+self.assertTrue(self.file_ace_check(self.nested_again_dir, child_dir_ace)) +# nested_again file 'oi_dir/nested/nested_again/file-3' should have inherited I/READ +self.assertTrue(self.file_ace_check(self.f3, child_file_ace)) +except BlackboxProcessError as e: +self.fail(str(e)) + +def test_simple_ioci_add(self): +
[SCM] Samba Shared Repository - branch master updated
{ + nt_status = cli_full_connection_creds(NULL, + _cli, + lp_netbios_name(), + server, + NULL, + 0, + "IPC$", + "?", + creds, + flags); + if (! NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(creds); DEBUG(1,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status))); diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c index b3304ed6fc5..3231d0bfff2 100644 --- a/source3/libsmb/passchange.c +++ b/source3/libsmb/passchange.c @@ -44,8 +44,15 @@ NTSTATUS remote_password_change(const char *remote_machine, *err_str = NULL; - result = cli_connect_nb(remote_machine, NULL, 0, 0x20, NULL, - SMB_SIGNING_IPC_DEFAULT, 0, ); + result = cli_connect_nb(talloc_tos(), + remote_machine, + NULL, + 0, + 0x20, + NULL, + SMB_SIGNING_IPC_DEFAULT, + 0, + ); if (!NT_STATUS_IS_OK(result)) { if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) { if (asprintf(err_str, "Unable to connect to SMB server on " diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h index 35b6577a4bd..afeea0f739e 100644 --- a/source3/libsmb/proto.h +++ b/source3/libsmb/proto.h @@ -82,10 +82,17 @@ NTSTATUS cli_tree_connect_creds(struct cli_state *cli, NTSTATUS cli_tree_connect(struct cli_state *cli, const char *share, const char *dev, const char *pass); NTSTATUS cli_tdis(struct cli_state *cli); -NTSTATUS cli_connect_nb(const char *host, const struct sockaddr_storage *dest_ss, - uint16_t port, int name_type, const char *myname, - enum smb_signing_setting signing_state, int flags, struct cli_state **pcli); -NTSTATUS cli_start_connection(struct cli_state **output_cli, +NTSTATUS cli_connect_nb(TALLOC_CTX *mem_ctx, + const char *host, + const struct sockaddr_storage *dest_ss, + uint16_t port, + int name_type, + const char *myname, + enum smb_signing_setting signing_state, + int flags, + struct cli_state **pcli); +NTSTATUS cli_start_connection(TALLOC_CTX *mem_ctx, + struct cli_state **output_cli, const char *my_name, const char *dest_host, const struct sockaddr_storage *dest_ss, int port, 
@@ -103,8 +110,10 @@ struct tevent_req *cli_full_connection_creds_send( int flags, struct smb2_negotiate_contexts *negotiate_contexts); NTSTATUS cli_full_connection_creds_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
: note: (near initialization for ‘max_gkid.l1_idx’) ../../lib/crypto/gkdi.c:204:4: error: initializer element is not constant UINT64_MAX / gkdi_key_cycle_duration % ^ ../../lib/crypto/gkdi.c:204:4: note: (near initialization for ‘max_gkid.l2_idx’) Fix the build by removing the ‘static’ specifier on this constant. Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 82224fca78c4de1f9ae8524eb14dd0478641779c Author: Jo Sutton Date: Wed Apr 24 14:26:20 2024 +1200 ctdb: Report errors from getline() Signed-off-by: Jo Sutton Reviewed-by: Martin Schwenke commit f9309c221b9e918462c3c4ac8a71a4dc288a35fc Author: Jo Sutton Date: Wed Apr 24 14:26:35 2024 +1200 ctdb: Ensure ‘ret’ is always initialized This avoids a compilation error: ../../ctdb/protocol/protocol_util.c: In function ‘ctdb_connection_list_read’: ../../ctdb/protocol/protocol_util.c:787:9: error: ‘ret’ may be used uninitialized in this function [-Werror=maybe-uninitialized] 787 | return ret; | ^~~ Signed-off-by: Jo Sutton Reviewed-by: Martin Schwenke --- Summary of changes: ctdb/protocol/protocol_util.c | 14 +++--- lib/crypto/gkdi.c | 2 +- lib/ldb/pyldb.c | 1 - python/samba/gkdi.py | 6 ++ python/samba/samdb.py | 7 +++ python/samba/tests/dckeytab.py| 10 -- python/samba/tests/krb5/gmsa_tests.py | 19 +++ selftest/knownfail.d/gmsa | 1 - source4/auth/kerberos/srv_keytab.c| 2 +- source4/auth/ntlm/auth_sam.c | 2 ++ source4/dsdb/samdb/ldb_modules/password_hash.c| 2 ++ source4/dsdb/tests/python/unicodepwd_encrypted.py | 13 +++-- source4/kdc/db-glue.c | 12 +--- source4/kdc/db-glue.h | 2 ++ 14 files changed, 67 insertions(+), 26 deletions(-) delete mode 100644 selftest/knownfail.d/gmsa Changeset truncated at 500 lines: diff --git a/ctdb/protocol/protocol_util.c b/ctdb/protocol/protocol_util.c index 25e668b73ee..5e48c1513bc 100644 --- a/ctdb/protocol/protocol_util.c +++ b/ctdb/protocol/protocol_util.c 
@@ -749,9 +749,8 @@ int ctdb_connection_list_read(TALLOC_CTX *mem_ctx, struct ctdb_connection_list_read_state state; char *line = NULL; FILE *f = NULL; - int ret; + int ret = 0; size_t len = 0; - ssize_t nread; if (conn_list == NULL) { return EINVAL; @@ -769,7 +768,16 @@ int ctdb_connection_list_read(TALLOC_CTX *mem_ctx, return errno; } - while ((nread = getline(, , f)) != -1) { + for (;;) { + ssize_t nread = getline(, , f); + if (nread == -1) { + if (!feof(f)) { + /* real error */ + ret = errno; + } + break; + } + if ((nread > 0) && (line[nread-1] == '\n')) { line[nread-1] = '\0'; } diff --git a/lib/crypto/gkdi.c b/lib/crypto/gkdi.c index af00ea4217e..ae269d64a3e 100644 --- a/lib/crypto/gkdi.c +++ b/lib/crypto/gkdi.c @@ -193,7 +193,7 @@ bool gkdi_get_key_start_time(const struct Gkid gkid, NTTIME *start_time_out) * Make sure that the GKID is not so large its start time can’t * be represented in NTTIME. */ - static const struct Gkid max_gkid = { + const struct Gkid max_gkid = { UINT64_MAX / (gkdi_l1_key_iteration * gkdi_l2_key_iteration * gkdi_key_cycle_duration), diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index d54a952ac01..53b855990bb 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -57,7 +57,6 @@ struct py_ldb_search_iterator_reply { PyObject *obj; }; -void initldb(void); static PyObject *PyLdbMessage_FromMessage(struct ldb_message *msg, PyLdbObject *pyldb); static PyObject *PyExc_LdbError; diff --git a/python/samba/gkdi.py b/python/samba/gkdi.py index 22890c83ff3..6d29b5d8d2b 100644 --- a/python/samba/gkdi.py +++ b/python/samba/gkdi.py @@ -289,6 +289,12 @@ class Gkid: return start_time +def previous(self) -> "Gkid": +return Gkid.from_nt_time(NtTime(self.start_nt_time() - KEY_CYCLE_DURATION)) + +def next(self) -> "Gkid": +return Gkid.from_nt_time(NtTime(self.start_nt_time() + KEY_CYCLE_DURATION)) + @staticmethod def from_key_envelope(env: gkdi.KeyEnvelope) -> &
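Review bot: In the new read loop of `ctdb_connection_list_read`, `errno` is read only after the `feof(f)` call and is trusted to be non-zero; if `getline()` fails without leaving a useful `errno`, `ret` stays 0 and a partially read connection list would be reported as success. Testing the stream's error flag and supplying a fallback makes the failure explicit: `if (ferror(f)) { ret = (errno != 0) ? errno : EIO; }`. The rest of the function, including where `line` is freed and `f` is closed, is outside the hunk, so check that later code does not overwrite `ret` after the `break`.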
[SCM] Samba Shared Repository - branch master updated
an Metzmacher Reviewed-by: Andrew Bartlett --- Summary of changes: WHATSNEW.txt | 64 ++ auth/gensec/gensec.c | 63 ++ auth/gensec/gensec.h | 8 + auth/gensec/gensec_internal.h | 18 + auth/gensec/gensec_start.c | 1 + auth/gensec/spnego.c | 10 - auth/ntlmssp/ntlmssp_client.c | 13 +- auth/ntlmssp/ntlmssp_private.h | 2 + auth/ntlmssp/ntlmssp_server.c | 47 ++ auth/ntlmssp/ntlmssp_util.c| 98 +++ .../smbdotconf/ldap/clientldapsaslwrapping.xml | 7 + .../ldap/ldapserverrequirestrongauth.xml | 38 +- .../security/clientusepsnegoprincipal.xml | 35 - docs-xml/smbdotconf/security/tlscadirs.xml | 14 + docs-xml/smbdotconf/security/tlscafile.xml | 2 + docs-xml/smbdotconf/security/tlstrustsystemcas.xml | 17 + docs-xml/smbdotconf/security/tlsverifypeer.xml | 8 +- lib/crypto/gnutls_helpers.h| 6 + lib/crypto/gnutls_server_end_point_cb.c| 130 lib/crypto/wscript | 6 +- lib/ldb-samba/ldb_ildap.c | 9 +- lib/param/loadparm.c | 1 - lib/param/loadparm.h | 1 + lib/param/param_table.c| 4 + python/samba/netcmd/testparm.py| 10 + python/samba/tests/segfault.py | 4 + selftest/expectedfail.d/samba4.ldb.simple.ldap-tls | 28 + selftest/expectedfail_heimdal | 14 + selftest/knownfail | 6 - selftest/target/Samba3.pm | 2 +- selftest/target/Samba4.pm | 2 +- selftest/wscript | 4 + source3/include/includes.h | 5 - source3/include/tldap.h| 37 +- source3/lib/tldap.c| 346 +++-- source3/lib/tldap_gensec_bind.c| 219 +++--- source3/lib/tldap_gensec_bind.h| 14 +- source3/lib/tldap_tls_connect.c| 229 ++ .../lib/tldap_tls_connect.h| 30 +- source3/libads/ads_proto.h | 10 + source3/libads/ads_struct.c| 15 +- source3/libads/authdata.c | 1 - source3/libads/ldap.c | 104 ++- source3/libads/sasl.c | 321 ++-- source3/libads/sasl_wrapping.c | 10 +- source3/libads/tls_wrapping.c | 226 ++ source3/librpc/crypto/gse.c| 95 ++- source3/librpc/idl/ads.idl | 26 +- source3/libsmb/cliconnect.c| 1 - source3/rpc_server/mdssvc/mdssvc_es.c | 25 +- source3/selftest/tests.py | 5 +- source3/torture/torture.c | 54 +- source3/utils/testparm.c | 
12 + source3/winbindd/idmap_ad.c| 67 +- source3/wscript| 6 +- source3/wscript_build | 4 + source4/auth/gensec/gensec_gssapi.c| 77 +- source4/auth/gensec/gensec_gssapi.h| 1 + source4/client/http_test.c | 4 + source4/ldap_server/ldap_backend.c | 1 - source4/ldap_server/ldap_bind.c| 62 +- source4/ldap_server/ldap_server.c | 11 + source4/lib/tls/tls.h | 28 + source4/lib/tls/tls_tstream.c | 848 +++-- source4/lib/tls/wscript_build | 1 + source4/libcli/ldap/ldap_bind.c| 111 +-- source4/libcli/ldap/ldap_client.c | 112 ++- source4/libcli/ldap/ldap_client.h | 1 + source4/librpc/rpc/dcerpc_roh.c| 20 +- source4/scripting/bin/wscript_build| 2 +- source4/scripting/wscript_build| 2 +- source4/selftest/tests.py | 36 +- testprogs/blackbox/test_net_ads_search_server.sh | 42 + third_party/heimdal/lib/gssapi/krb5/8003.c | 5 + .../heimdal/lib/gssapi/krb5/init_sec_context.c | 10 + third_party/heimdal/lib/gssapi/test_context.c | 4 + third_party/heimdal/lib/krb5/build_auth.c | 100 ++- third_party/heimdal/lib/krb5/mk_req_ext.c | 1 + third_party/heimdal/tests/gss/check-context.in | 35 + wscript
[SCM] Samba Shared Repository - branch master updated
bool txn_active = false; - bool need_db_reread; + bool need_db_reread = false; mem_ctx = talloc_new(msg); if (mem_ctx == NULL) { diff --git a/source4/dsdb/common/rodc_helper.c b/source4/dsdb/common/rodc_helper.c index b4982aee9ed..5ed60e0af43 100644 --- a/source4/dsdb/common/rodc_helper.c +++ b/source4/dsdb/common/rodc_helper.c @@ -243,7 +243,7 @@ WERROR samdb_confirm_rodc_allowed_to_repl_to(struct ldb_context *sam_ctx, { TALLOC_CTX *frame = talloc_stackframe(); WERROR werr; - uint32_t num_token_sids; + uint32_t num_token_sids = 0; struct dom_sid *token_sids; const struct dom_sid *object_sid = NULL; -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
PDU_FRAG_LEN, - .bind.num_contexts = 1, - .bind.ctx_list = _list, + .bind.num_contexts = ptype == DCERPC_PKT_BIND ? 2 : 1, + .bind.ctx_list = ctx_list, .bind.auth_info = *auth_info, }; uint8_t pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST; @@ -1656,8 +1667,9 @@ static NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ct / static bool check_bind_response(const struct dcerpc_bind_ack *r, - const struct ndr_syntax_id *transfer) + struct rpc_pipe_client *cli) { + const struct ndr_syntax_id *transfer = >transfer_syntax; struct dcerpc_ack_ctx ctx; bool equal; @@ -1678,9 +1690,22 @@ static bool check_bind_response(const struct dcerpc_bind_ack *r, return False; } - if (r->num_results != 0x1 || ctx.result != 0) { - DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n", - r->num_results, ctx.reason.value)); + if (ctx.result != DCERPC_BIND_ACK_RESULT_ACCEPTANCE) { + DBG_NOTICE("bind denied result: %d reason: %x\n", + ctx.result, ctx.reason.value); + return false; + } + + if (r->num_results >= 2) { + const struct dcerpc_ack_ctx *neg = >ctx_list[1]; + + if (neg->result == DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK) { + cli->bind_time_features = neg->reason.negotiate; + } else { + DBG_DEBUG("bind_time_feature failed - " + "result: %d reason %x\n", + neg->result, neg->reason.value); + } } DEBUG(5,("check_bind_response: accepted!\n")); @@ -1866,7 +1891,7 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq) return; } - if (!check_bind_response(>u.bind_ack, >cli->transfer_syntax)) { + if (!check_bind_response(>u.bind_ack, state->cli)) { DEBUG(2, ("rpc_pipe_bind: check_bind_response failed.\n")); tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL); return; diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h index f1be075fea9..55eb4dec90b 100644 --- a/source3/rpc_client/rpc_client.h +++ b/source3/rpc_client/rpc_client.h 
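Review bot: With the `r->num_results != 0x1` test removed, `check_bind_response` no longer ties the number of results in the bind ack to the number of contexts the client proposed (two for `DCERPC_PKT_BIND`, one otherwise, per the earlier hunk), and `cli->bind_time_features` is stored from `neg->reason.negotiate` exactly as the server sent it. A server can therefore report feature bits the client never offered, including in a reply to a request that proposed a single context. Consider masking the value with the features the client requested before storing it, and ignoring `ctx_list[1]` unless two contexts were sent. How `ctx` is filled from the first result, and whether `num_results == 0` is rejected, lies above the hunk.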
@@ -37,6 +37,13 @@ struct rpc_pipe_client { struct rpc_cli_transport *transport; struct dcerpc_binding_handle *binding_handle; + /* +* This is per association_group, but +* for now we only have one connection +* per association_group. +*/ + uint16_t bind_time_features; + struct ndr_syntax_id abstract_syntax; struct ndr_syntax_id transfer_syntax; bool verified_pcontext; -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2674df4cc0e s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed via aff2932c420 python/samba/getopt: don't prompt for a password for --use-krb5-ccache=... via 0ba9e5dacbb lib/cmdline: only call cli_credentials_get_password_and_obtained if needed via 994e12e8f7a lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST via e2170431f1d s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds() via 5af5bf26457 auth/credentials: don't call talloc_free(ccache_name) on callers memory via d221f930efc auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy() via 126357e2e73 lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime via e58f83d3958 s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings via e6f92edba69 s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND from c49c48afe09 ldb:utf8: ldb_ascii_toupper() avoids real toupper() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2674df4cc0e124d74eb9d764c29a07c9c84b94d6 Author: Stefan Metzmacher Date: Thu Apr 14 15:36:51 2022 +0200 s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed Only legacy protocols need a password for share level authentication, so avoid triggering the password prompt for the common case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Apr 23 15:21:38 UTC 2024 on atb-devel-224 commit aff2932c420fd102c077063b8d1f66cdd8a777cb Author: Stefan Metzmacher Date: Fri Mar 8 14:14:34 2024 +0100 python/samba/getopt: don't prompt for a password for --use-krb5-ccache=... 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 0ba9e5dacbb4e5bf94600e0a4a1cbd9f7a9c5d9e Author: Stefan Metzmacher Date: Thu Apr 14 13:31:20 2022 +0200 lib/cmdline: only call cli_credentials_get_password_and_obtained if needed BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 994e12e8f7a6b089342a32a6c3269048bfef1545 Author: Stefan Metzmacher Date: Thu Apr 14 13:30:56 2022 +0200 lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit e2170431f1d4a6f4ce7e3e6949282d5bc60b5d08 Author: Stefan Metzmacher Date: Thu Mar 7 00:11:26 2024 +0100 s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 5af5bf264571b732b5236e6db2061b523e603c05 Author: Stefan Metzmacher Date: Tue Feb 27 16:22:14 2024 +0100 auth/credentials: don't call talloc_free(ccache_name) on callers memory The internally allocated ccache_name has ccc as parent, so we don't need to cleanup explicitly. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit d221f930efcff09a9b5dc18c5dfb6475ade1312a Author: Stefan Metzmacher Date: Tue Feb 27 16:07:22 2024 +0100 auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy() A simple krb5_cc_close() doesn't remove it from the global memory list. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 126357e2e7302eb219fda80e3cfbef3da02c1d6d Author: Stefan Metzmacher Date: Fri Mar 8 11:39:35 2024 +0100 lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime If the ccache doesn't have a intial TGT the shortest lifetime of service tickets should be returned. 
This is needed in order to work with special ccaches used for things like S2U4Self/S4U2Proxy tickets or other things where the caller only wants to pass a single service ticket. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit e58f83d3958d7b6a16d7d75a7a266cead4befb48 Author: Stefan Metzmacher Date: Wed Apr 3 16:00:41 2024 +0200 s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit e6f92edba690923ec8ef427bc6d5b30d609c129a Author: Stefan Metzmacher Date: Wed Apr 3 16:35:35 2024 +0200 s3:notify: don't log
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c49c48afe09 ldb:utf8: ldb_ascii_toupper() avoids real toupper() via dca6b2d2552 ldb:attrib_handlers: use ldb_ascii_toupper() in first loop via 078ecf486a6 ldb:pytests: test for Turkic i-dots in ldb_comparison_fold via a75c98ad688 ldb:attrib_handlers: make ldb_comparison_Boolean more consistent via 7280c8e53f4 ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs via 341b8fb60e2 ldb-samba:ldif_handlers: dn_link_comparison leaks less via 70356592563 ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted objects via 11d5a809325 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs via db963b1674e ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects via 2d3b917d0a0 ldb-samba:ldif_handlers: extended_dn_read_Sid(): free on failure via 42f2d96f82a ldb-samba:ldif_handlers: ldif_read_objectSid(): free a thing on failure via 6722e80d1b3 ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate via 4af670384a1 s4:dsdb: fix spelling in comment via a9eaf8a3abe ldb: comment for ldb_dn_compare_base via 6229feab74a s4:rpcsrv:samr: improve a comment in compare_msgRid via 7be535315a5 s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs via 31c322874b8 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare via 7ba6fcb9365 lib/socket: rearrange iface_comp() to use NUMERIC_CMP via acaa1323d03 gensec: sort_gensec uses NUMERIC_CMP via 75682e397b9 s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP via 8317a617364 dsdb:schema: use NUMERIC_CMP in place of uint32_cmp via 386216d4a15 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp via 8b2605a5d9c s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare via 9b73235d495 s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare via 5fe488d515a ldb:dn: make ldb_dn_compare() self-consistent via 531f31df993 ldb:sort: generalise both-NULL check to equality check via d4e69734c65 ldb:sort: check that elements have values via 
d785c1991c9 ldb:mod:sort: rearrange NULL checks from 20ce68f1594 tests/krb5: Test retrieving a denied gMSA password over an unsealed connection https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c49c48afe09a1a78989628bbffd49dd3efc154dd Author: Douglas Bagnall Date: Sat Apr 20 09:57:15 2024 +1200 ldb:utf8: ldb_ascii_toupper() avoids real toupper() If a non-lowercase ASCII character has an uppercase counterpart in some locale, toupper() will convert it to an int codepoint. Probably that codepoint is too big to fit in our char return type, so we would truncate it to 8 bit. So it becomes an arbitrary mapping. It would also behave strangely with a byte with the top bit set, say 0xE2. If char is unsigned on this system, that is 'â', which uppercases to 'Â', with the codepoint 0xC2. That seems fine in isolation, but remember this is ldb_utf8.c, and that byte was not a codepoint but a piece of a long utf-8 encoding. In the more likely case where char is signed, toupper() is being passed a negative number, the result of which is undefined. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Apr 23 02:37:25 UTC 2024 on atb-devel-224 commit dca6b2d25529288eaf7b31baf37ca4f6de4f4b9d Author: Douglas Bagnall Date: Thu Apr 11 13:46:28 2024 +1200 ldb:attrib_handlers: use ldb_ascii_toupper() in first loop In a dotless-I locale, we might meet an 'i' before we meet a byte with the high bit set, in which case we still want the ldb casefold comparison. Many ldb operations will do some case-folding before getting here, so hitting this might be quite rare even in those locales. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 078ecf486a62dc3aaa2842ada96456ac9870dad7 Author: Douglas Bagnall Date: Wed Apr 17 11:42:30 2024 +1200 ldb:pytests: test for Turkic i-dots in ldb_comparison_fold In tr_TR and some other locales where the letter 'i' uppercases to 'İ', which is not ideal for LDB as we need certain strings like 'guid' to casefold in the ASCII way. In fixing https://bugzilla.samba.org/show_bug.cgi?id=15248) we solved this problem in many cases, but for unindexed searches where the 'i' is not the last character in the string. This test shows that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit
[SCM] Samba Shared Repository - branch master updated
2024 +1200 tests/krb5: Skip loop iteration if attribute has no values Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 5eea17a71bd69f39226a32725a0b09b60dd5308c Author: Jo Sutton Date: Thu Apr 18 12:47:28 2024 +1200 ldb: Check result of py_ldb_msg_keys() Passing NULL into PyObject_GetIter() can cause a segmentation fault. Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: auth/credentials/pycredentials.c | 2 - auth/credentials/tests/bind.py| 2 +- lib/crypto/test_gkdi.c| 183 +++ lib/ldb/pyldb.c | 3 + python/pyglue.c | 1 - python/samba/nt_time.py | 18 +- python/samba/tests/krb5/gmsa_tests.py | 202 +++- python/samba/tests/krb5/kdc_base_test.py | 52 +-- python/samba/tests/krb5/lockout_tests.py | 5 +- selftest/knownfail_mit_kdc_1_20 | 1 + source3/passdb/pdb_samba_dsdb.c | 7 +- source4/auth/sam.c| 11 +- source4/dsdb/common/util.c| 149 ++--- source4/dsdb/gmsa/gkdi.c | 2 +- source4/dsdb/gmsa/util.c | 378 +- source4/dsdb/gmsa/util.h | 25 ++ source4/dsdb/samdb/ldb_modules/managed_pwd.c | 23 ++ source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 1 + source4/dsdb/tests/python/unicodepwd_encrypted.py | 4 +- source4/kdc/db-glue.c | 25 +- source4/kdc/kdc-heimdal.c | 3 +- source4/kdc/wscript_build | 2 +- source4/ldap_server/ldap_backend.c| 44 +++ source4/ntp_signd/ntp_signd.c | 28 +- source4/ntp_signd/wscript_build | 3 +- source4/rpc_server/netlogon/dcerpc_netlogon.c | 90 -- source4/rpc_server/wscript_build | 1 + 27 files changed, 1087 insertions(+), 178 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 5cdbe7796e6..0bcb894f920 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c 
@@ -35,8 +35,6 @@ #include "auth/kerberos/kerberos.h" #include "libcli/smb/smb_constants.h" -void initcredentials(void); - static PyObject *py_creds_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) { return pytalloc_steal(type, cli_credentials_init(NULL)); diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py index ce81b736e86..97370666b3b 100755 --- a/auth/credentials/tests/bind.py +++ b/auth/credentials/tests/bind.py @@ -140,7 +140,7 @@ unicodePwd:: """ + base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode( res = ldb_virtual.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) def test_computer_account_bind(self): -# create a computer acocount for the test +# create a computer account for the test delete_force(self.ldb, self.computer_dn) self.ldb.add_ldif(""" dn: """ + self.computer_dn + """ diff --git a/lib/crypto/test_gkdi.c b/lib/crypto/test_gkdi.c index e6d3b28ae58..083d71eefd3 100644 --- a/lib/crypto/test_gkdi.c +++ b/lib/crypto/test_gkdi.c 
@@ -136,10 +136,193 @@ static void test_password_based_on_key_id(void **state) talloc_free(mem_ctx); } +static void assert_gkid_equal(const struct Gkid g1, const struct Gkid g2) +{ + assert_int_equal(g1.l0_idx, g2.l0_idx); + assert_int_equal(g1.l1_idx, g2.l1_idx); + assert_int_equal(g1.l2_idx, g2.l2_idx); +} + +static void test_gkdi_rollover_interval(void **state) +{ + NTTIME interval; + bool ok; + + ok = gkdi_rollover_interval(0, ); + assert_true(ok); + assert_int_equal(0, interval); + + ok = gkdi_rollover_interval(1, ); + assert_true(ok); + assert_int_equal(UINT64_C(7200), interval); + + ok = gkdi_rollover_interval(2, ); + assert_true(ok); + assert_int_equal(UINT64_C(14400), interval); + + ok = gkdi_rollover_interval(3, ); + assert_true(ok); + assert_int_equal(UINT64_C(25200), interval); + + ok = gkdi_rollover_interval(4, ); + assert_true(ok); + assert_int_equal(UINT64_C(32400), interval); + + ok = gkdi_rollover_interval(5, ); + assert_true(ok); + assert_int_equal(UINT64_C(43200), interval); + + ok = gkdi_rollover_interval(-1, ); + assert_false(ok); + + ok =
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0159c48e897 ctdb-scripts: Do not de-duplicate the interfaces list from 7a5e7b82125 python: Fix NtVer check for site_dn_for_machine() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0159c48e897a7c07c399767f5ffddbb11d80ab5d Author: Martin Schwenke Date: Thu Apr 18 14:13:11 2024 +1000 ctdb-scripts: Do not de-duplicate the interfaces list Using xargs with sort -u to de-duplicate this list was my idea and causes a couple of things to go wrong. The use of xargs causes double-quotes to be lost. The resulting $public_ifaces value also contains newlines. The newlines could be removed with an additional xargs at the end of the pipeline... but that would add an extra level of quote stripping. I have unsuccessfully tried to find an alternative, but still elegant, command pipeline that de-duplicates the list, while maintaining quoting. So, just drop the de-duplication. This might make interface_ifindex_exists_with_options() slightly less efficient. However, that function walks the whole list, only terminating early when a match is found on both interface and options, so at least it will be correct. Include an extra testcase. Signed-off-by: Martin Schwenke Reviewed-by: Andrew Bartlett Autobuild-User(master): Martin Schwenke Autobuild-Date(master): Thu Apr 18 09:08:34 UTC 2024 on atb-devel-224 --- Summary of changes: ctdb/config/events/legacy/50.samba.script | 1 - .../UNIT/eventscripts/50.samba.startup.012.sh | 25 ++ 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100755 ctdb/tests/UNIT/eventscripts/50.samba.startup.012.sh Changeset truncated at 500 lines: diff --git a/ctdb/config/events/legacy/50.samba.script b/ctdb/config/events/legacy/50.samba.script index 90de6a3f31b..c9d34cd2245 100755 --- a/ctdb/config/events/legacy/50.samba.script +++ b/ctdb/config/events/legacy/50.samba.script 
@@ -40,7 +40,6 @@ generate_smb_interfaces_config() if [ -n "$CTDB_SAMBA_INTERFACES_EXTRA" ]; then public_ifaces="$public_ifaces $CTDB_SAMBA_INTERFACES_EXTRA" fi - public_ifaces=$(echo "$public_ifaces" | xargs -n 1 | sort -u) cat < "$CTDB_SAMBA_INTERFACES_FILE" bind interfaces only = yes diff --git a/ctdb/tests/UNIT/eventscripts/50.samba.startup.012.sh b/ctdb/tests/UNIT/eventscripts/50.samba.startup.012.sh new file mode 100755 index 000..fb7627c5898 --- /dev/null +++ b/ctdb/tests/UNIT/eventscripts/50.samba.startup.012.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +. "${TEST_SCRIPTS_DIR}/unit.sh" + +define_test "startup, with interfaces list generation" + +setup + +interfaces_file="${CTDB_TEST_TMP_DIR}/interfaces.conf" + +setup_script_options <
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7a5e7b82125 python: Fix NtVer check for site_dn_for_machine() from cc7c12e5d5c lib: Remove an obsolete comment https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7a5e7b821259890dd2978e6f113f4a3dad110ea4 Author: Andreas Schneider Date: Mon Apr 15 07:32:02 2024 +0200 python: Fix NtVer check for site_dn_for_machine() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15633 Signed-off-by: Andreas Schneider Reviewed-by: David Mulder Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Wed Apr 17 19:32:11 UTC 2024 on atb-devel-224 --- Summary of changes: python/samba/gp/gpclass.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py index 08be472e707..d86aacec138 100644 --- a/python/samba/gp/gpclass.py +++ b/python/samba/gp/gpclass.py @@ -805,9 +805,7 @@ def site_dn_for_machine(samdb, dc_hostname, lp, creds, hostname): samlogon_response = ndr_unpack(nbt.netlogon_samlogon_response, bytes(res.msgs[0]['Netlogon'][0])) -if samlogon_response.ntver not in [nbt.NETLOGON_NT_VERSION_5EX, - (nbt.NETLOGON_NT_VERSION_1 -| nbt.NETLOGON_NT_VERSION_5EX)]: +if not (samlogon_response.ntver & nbt.NETLOGON_NT_VERSION_5EX): raise RuntimeError('site_dn_for_machine: Invalid NtVer in ' + 'netlogon_samlogon_response') -- Samba Shared Repository
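Review bot: The relaxed test `if not (samlogon_response.ntver & nbt.NETLOGON_NT_VERSION_5EX):` carries no comment explaining why a bit test replaced the exact-value list, and the commit message gives only the bug link. A comment above it would help the next reader, for example `# replies may carry additional NtVer bits; only the 5EX format bit is required` (this is presumably the intent, so confirm it against the bug report). The error would also be easier to diagnose if it reported the value received, e.g. `'site_dn_for_machine: Invalid NtVer 0x%x in netlogon_samlogon_response' % samlogon_response.ntver`. The rest of site_dn_for_machine() lies outside the hunk.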
[SCM] Samba Shared Repository - branch v4-20-test updated
nistrator" +# + +dom_users="$DOMAIN/domain users" # Extra step to make sure that all is one word +out="$($wbinfo --group-info "$dom_users")" +testit_grep_count "no_posix_id1" "no_posix_id" 0 echo "$out" || failed=$(expr $failed + 1) +testit_grep "no_posix_id2" "SAMBA2008R2/administrator" echo "$out" || failed=$(expr $failed + 1) + # # Trusted domain test 1: Test uid of Administrator, should be 250 # @@ -241,6 +260,9 @@ gidNumber: 202 dn: cn=forbidden,ou=sub,$BASE_DN changetype: delete +dn: CN=no_posix_id,CN=Users,$BASE_DN +changetype: delete + dn: ou=sub,$BASE_DN changetype: delete EOF diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index bbce55ea508..cf40633d127 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1420,6 +1420,7 @@ sub setup_ad_member_idmap_ad idmap config $dcvars->{TRUST_DOMAIN} : range = 200-299 gensec_gssapi:requested_life_time = 5 winbind scan trusted domains = yes + winbind expand groups = 1 "; my $ret = $self->provision( diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index 7e572e5d41f..7d6324033ea 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c @@ -1039,7 +1039,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, } static NTSTATUS add_primary_group_members( - ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, + ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname, char ***all_members, size_t *num_all_members) { char *filter; @@ -1051,10 +1051,13 @@ static NTSTATUS add_primary_group_members( char **members; size_t num_members; ads_control args; + bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false); filter = talloc_asprintf( - mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))", - (unsigned)rid); + mem_ctx, + "(&(objectCategory=user)(primaryGroupID=%u)%s)", + (unsigned)rid, + all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))"); if (filter == NULL) { goto done; } 
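Review bot: The new filter in add_primary_group_members() hardcodes the attribute name `uidNumber`, and because `all_groupmem` defaults to false, every primary-group member without that attribute is now dropped from the result. If this lookup also serves domains whose ID mapping does not come from `uidNumber` in the directory (an inference, since the backend selection is not visible in the hunk), their group listings would silently lose members. That matters wherever the expanded membership feeds an access decision. Consider adding the extra clause only when the domain is configured to read IDs from the directory, and put a comment above the `talloc_asprintf()` call such as `/* unless all_groupmem is set, only return members with a non-zero uidNumber */`. The function body continues outside the hunk.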
@@ -1206,7 +1209,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); - status = add_primary_group_members(ads, mem_ctx, rid, + status = add_primary_group_members(ads, mem_ctx, rid, domain->name, , _members); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("%s: add_primary_group_members failed: %s\n", -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
session->global->encryption_key); diff --git a/source3/smbd/smb2_trans2.c b/source3/smbd/smb2_trans2.c index 8997c402c12..5198a04a74c 100644 --- a/source3/smbd/smb2_trans2.c +++ b/source3/smbd/smb2_trans2.c @@ -648,7 +648,7 @@ unsigned int estimate_ea_size(files_struct *fsp) _ea_len, _list); - if(fsp->conn->sconn->using_smb2) { + if(conn_using_smb2(fsp->conn->sconn)) { unsigned int ret_data_size; /* * We're going to be using fill_ea_chained_buffer() to @@ -1741,7 +1741,7 @@ static NTSTATUS smbd_marshall_dir_entry(TALLOC_CTX *ctx, DBG_DEBUG("SMB2_FILE_POSIX_INFORMATION\n"); - if (!(conn->sconn->using_smb2)) { + if (!conn_using_smb2(conn->sconn)) { return NT_STATUS_INVALID_LEVEL; } @@ -1990,7 +1990,7 @@ static bool fsinfo_unix_valid_level(connection_struct *conn, struct files_struct *fsp, uint16_t info_level) { - if (conn->sconn->using_smb2 && + if (conn_using_smb2(conn->sconn) && fsp->posix_flags == FSP_POSIX_FLAGS_OPEN && info_level == SMB2_FS_POSIX_INFORMATION_INTERNAL) { @@ -3038,7 +3038,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, ok = true; } - if (conn->sconn->using_smb2 && + if (conn_using_smb2(conn->sconn) && (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN)) { DBG_DEBUG("SMB2 posix open\n"); @@ -3407,7 +3407,8 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, { char *nfname = NULL; - if (fsp == NULL || !fsp->conn->sconn->using_smb2) { + if (fsp == NULL || + !conn_using_smb2(fsp->conn->sconn)) { return NT_STATUS_INVALID_LEVEL; } @@ -3696,7 +3697,7 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, }; enum ndr_err_code ndr_err; - if (!(conn->sconn->using_smb2)) { + if (!conn_using_smb2(conn->sconn)) { return NT_STATUS_INVALID_LEVEL; } if (fsp == NULL) { @@ -5202,7 +5203,7 @@ NTSTATUS smbd_do_setfilepathinfo(connection_struct *conn, case SMB_FILE_LINK_INFORMATION: { - if (conn->sconn->using_smb2) { + if (conn_using_smb2(conn->sconn)) { status = smb2_file_link_information(conn, req, pdata, -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
rface.script +++ b/ctdb/config/events/legacy/10.interface.script @@ -12,37 +12,16 @@ load_script_options -ctdb_public_addresses="${CTDB_BASE}/public_addresses" - -if [ ! -f "$ctdb_public_addresses" ]; then +if ! have_public_addresses; then if [ "$1" = "init" ] ; then echo "No public addresses file found" fi exit 0 fi -# This sets $all_interfaces as a side-effect. -get_all_interfaces () -{ -# Get all the interfaces listed in the public_addresses file -all_interfaces=$(sed -e '/^#.*/d' \ --e 's/^[^\t ]*[\t ]*//' \ --e 's/,/ /g' \ --e 's/[\t ]*$//' "$ctdb_public_addresses") - -# Get the interfaces for which CTDB has public IPs configured. -# That is, for all but the 1st line, get the 1st field. -ctdb_ifaces=$($CTDB -X ifaces | sed -e '1d' -e 's@^|@@' -e 's@|.*@@') - -# Add $ctdb_ifaces and make $all_interfaces unique -# Use word splitting to squash whitespace -# shellcheck disable=SC2086 -all_interfaces=$(echo $all_interfaces $ctdb_ifaces | tr ' ' '\n' | sort -u) -} - monitor_interfaces() { - get_all_interfaces + get_public_ifaces down_interfaces_found=false up_interfaces_found=false @@ -50,7 +29,10 @@ monitor_interfaces() # Note that this loop must not exit early. It must process # all interfaces so that the correct state for each interface # is set in CTDB using setifacelink. - for _iface in $all_interfaces ; do + # + # public_ifaces set by get_public_ifaces() above + # shellcheck disable=SC2154 + for _iface in $public_ifaces ; do if interface_monitor "$_iface" ; then up_interfaces_found=true $CTDB setifacelink "$_iface" up >/dev/null 2>&1 diff --git a/ctdb/config/events/legacy/50.samba.script b/ctdb/config/events/legacy/50.samba.script index 84600e25024..90de6a3f31b 100755 --- a/ctdb/config/events/legacy/50.samba.script +++ b/ctdb/config/events/legacy/50.samba.script 
@@ -27,6 +27,27 @@ load_script_options ctdb_setup_state_dir "service" "$service_name" +generate_smb_interfaces_config() +{ + get_public_ifaces + pub_iface_list=$public_ifaces + public_ifaces="" + for iface in $pub_iface_list; + do + public_ifaces="$public_ifaces \"$iface;options=dynamic\"" + done + + if [ -n "$CTDB_SAMBA_INTERFACES_EXTRA" ]; then + public_ifaces="$public_ifaces $CTDB_SAMBA_INTERFACES_EXTRA" + fi + public_ifaces=$(echo "$public_ifaces" | xargs -n 1 | sort -u) + +cat < "$CTDB_SAMBA_INTERFACES_FILE" +bind interfaces only = yes +interfaces = lo $public_ifaces +EOT +} + service_start() { # make sure samba is not already started @@ -36,6 +57,9 @@ service_start() # make absolutely sure samba is dead killall -q -9 smbd } + if [ -n "$CTDB_SAMBA_INTERFACES_FILE" ]; then + generate_smb_interfaces_config + fi # start Samba service. Start it reniced, as under very heavy load # the number of smbd processes will mean that it leaves few cycles # for anything else diff --git a/ctdb/config/functions b/ctdb/config/functions index a40b276e2b8..e76082b7cb3 100755 --- a/ctdb/config/functions +++ b/ctdb/config/functions @@ -651,6 +651,30 @@ drop_ip() fi } +have_public_addresses() +{ + [ -f "${CTDB_BASE}/public_addresses" ] +} + +# This sets $public_ifaces as a side-effect. +get_public_ifaces() +{ + # Get all the interfaces listed in the public_addresses file + public_ifaces=$(sed -e '/^#.*/d' \ + -e 's/^[^\t ]*[\t ]*//' \ + -e 's/,/ /g' \ + -e 's/[\t ]*$//' "${CTDB_BASE}/public_addresses") + + # Get the interfaces for which CTDB has public IPs configured. + # That is, for all but the 1st line, get the 1st field. + ctdb_ifaces=$($CTDB -X ifaces | sed -e '1d' -e 's@^|@@' -e 's@|.*@@') + + # Add $ctdb_ifaces and make $public_ifaces unique + # Use word splitting to squash whitespace + # shellcheck disable=SC2086 + public_ifaces=$(echo $public_ifaces $ctdb_ifaces | tr ' ' '\n' | sort -u) +} + drop_all_public_ips() { # _x is intentionally ignored 
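Review bot: service_start() calls `generate_smb_interfaces_config` without checking its result, and the function does not check that `get_public_ifaces` or the `cat` redirect into `"$CTDB_SAMBA_INTERFACES_FILE"` succeeded. That file is what carries `bind interfaces only = yes`, so after a failed or partial write smbd would presumably start with a stale or missing interface restriction (how the file is included is not visible here). Propagate the failure, e.g. `generate_smb_interfaces_config || die "Failed to generate $CTDB_SAMBA_INTERFACES_FILE"`. Writing to a temporary file and renaming it into place would also avoid a half-written file. In addition, `get_public_ifaces` runs `sed` on `${CTDB_BASE}/public_addresses` with no `have_public_addresses` guard on this path, so a node without that file gets a sed error rather than an empty list.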
diff --git a/ctdb/doc/ctdb-script.options.5.xml b/ctdb/doc/ctdb-script.options.5.xml index ef3ad416d0d..ffe4c3abd62 100644 --- a/ctdb/doc/ctdb-script.options.5.xml +++ b/ctdb/doc/ctdb-script.options.5.xml @@ -691,6 +691,51 @@ CTDB_PER_IP_ROUTING_TABLE_ID_HIGH=9000 + + + CTDB_SAMBA_INTERFACES_FILE=FILENAME + + +
[SCM] Samba Shared Repository - branch master updated
{ TDB_CONTEXT *tdb; TDB_DATA key, value; @@ -120,10 +132,14 @@ static int dump_tdb(const char *fname, const char *keyname, bool emergency) } if (emergency) { - return tdb_rescue(tdb, emergency_walk, discard_const(keyname)) == 0; + struct traverse_state traverse = + { .hex_output = hex_output, + .keyname = keyname }; + return tdb_rescue(tdb, emergency_walk, ) == 0; } if (!keyname) { - return tdb_traverse(tdb, traverse_fn, NULL) == -1 ? 1 : 0; + struct traverse_state traverse = { .hex_output = hex_output }; + return tdb_traverse(tdb, traverse_fn, ) == -1 ? 1 : 0; } else { key.dptr = discard_const_p(uint8_t, keyname); key.dsize = strlen(keyname); @@ -131,7 +147,7 @@ static int dump_tdb(const char *fname, const char *keyname, bool emergency) if (!value.dptr) { return 1; } else { - print_data(value); + print_data(value, hex_output); free(value.dptr); } } @@ -150,7 +166,7 @@ static void usage( void) int main(int argc, char *argv[]) { char *fname, *keyname=NULL; - bool emergency = false; + bool emergency = false, hex_output = false; int c; if (argc < 2) { @@ -158,7 +174,7 @@ static void usage( void) exit(1); } - while ((c = getopt( argc, argv, "hk:e")) != -1) { + while ((c = getopt( argc, argv, "hk:ex")) != -1) { switch (c) { case 'h': usage(); @@ -169,6 +185,9 @@ static void usage( void) case 'e': emergency = true; break; + case 'x': + hex_output = true; + break; default: usage(); exit( 1); @@ -177,5 +196,5 @@ static void usage( void) fname = argv[optind]; - return dump_tdb(fname, keyname, emergency); + return dump_tdb(fname, keyname, emergency, hex_output); } diff --git a/lib/tdb/wscript b/lib/tdb/wscript index 2c587fbee44..04121498723 100644 --- a/lib/tdb/wscript +++ b/lib/tdb/wscript 
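Review bot: In the emergency branch of dump_tdb() the result is still computed as `tdb_rescue(...) == 0`, which evaluates to 1 when the rescue succeeds, whereas the branch just below returns 1 only when `tdb_traverse()` reports -1. Assuming tdb_rescue() returns 0 on success like the other tdb calls, and since main() returns dump_tdb()'s value, `tdbdump -e` exits non-zero after a successful dump, so a recovery script cannot tell success from failure. As these lines are being rewritten anyway, the return could be `return tdb_rescue(tdb, emergency_walk, &traverse) == 0 ? 0 : 1;`. dump_tdb() begins before this hunk.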
@@ -216,7 +216,8 @@ def testonly(ctx): if not os.path.exists(link): os.symlink(ctx.path.make_node('test').abspath(), link) -sh_tests = ["test/test_tdbbackup.sh test/jenkins-be-hash.tdb"] +sh_tests = ["test/test_tdbbackup.sh test/jenkins-be-hash.tdb", +"test/test_tdbdump.sh test/sample_tdb.tdb test/sample_tdb.txt test/sample_tdb_x.txt"] for sh_test in sh_tests: cmd = "BINDIR=%s %s" % (blddir, sh_test) -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 215bb9bd48e Do not fail checksums for RFC8009 types via db60a1947b8 s4:dns_server: less noisy, more informative debug messages via 9155d89a2ae packaging: Provide a systemd service file for samba-bgqd from 077f39baf7c libcli/http: Detect unsupported Transfer-encoding type https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 215bb9bd48e9aae04ff39633f6dd9255a989bf98 Author: Alexander Bokovoy Date: Thu Jun 22 09:56:12 2023 +0300 Do not fail checksums for RFC8009 types While Active Directory does not support yet RFC 8009 encryption and checksum types, it is possible to verify these checksums when running with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA domain controller which uses them by default. [2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)] ../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative) smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab [2023/06/16 21:51:04.924196, 2, pid=51149, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum) check_pac_checksum: Checksum Type 20 is not supported [2023/06/16 21:51:04.924228, 5, pid=51149, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac) PAC Decode: Failed to verify the service signature: Invalid argument BUG: https://bugzilla.samba.org/show_bug.cgi?id=15635 
Signed-off-by: Alexander Bokovoy Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 8e931fce126e8c1128da893c806702731c08758a) Autobuild-User(v4-20-test): Jule Anger Autobuild-Date(v4-20-test): Tue Apr 16 12:24:55 UTC 2024 on atb-devel-224 commit db60a1947b88a8ddb289f63ac22a6d7b1500f0df Author: Douglas Bagnall Date: Thu Apr 11 11:52:14 2024 +1200 s4:dns_server: less noisy, more informative debug messages This shouldn't have been DBG_ERR, and it might as well say something about the tombstone. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15630 Signed-off-by: Douglas Bagnall Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Fri Apr 12 15:18:05 UTC 2024 on atb-devel-224 (cherry picked from commit dde973d170e479632d1a411279f4f0fad6608539) commit 9155d89a2ae04f45d809c46129687c6f5a510a0d Author: Andreas Schneider Date: Mon Mar 4 10:58:23 2024 +0100 packaging: Provide a systemd service file for samba-bgqd There might be scenarios where the background queue daemon should be running all the time instead of being started on demand. This makes especially sense for bigger printing servers with a lot of printers. It takes ~1 sec to get a printer from cups, so a print server with 100 printers needs 100 seconds to update the printer_list.tdb. The service will be killed because of idle in the meantime. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15600 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit c97071726e163b40f0e391af70e81b3e6c1ab0eb) --- Summary of changes: auth/kerberos/kerberos_pac.c | 47 +- lib/krb5_wrap/krb5_samba.h | 28 + .../{samba.service.in => samba-bgqd.service.in}| 9 ++--- packaging/wscript_build| 3 +- source4/dns_server/dnsserver_common.c | 9 +++-- 5 files changed, 67 insertions(+), 29 deletions(-) copy packaging/systemd/{samba.service.in => samba-bgqd.service.in} (50%) Changeset truncated at 500 lines: 
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index ae4557bbd6f..b6272ac15eb 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -33,6 +33,7 @@ #include "librpc/gen_ndr/auth.h" #include "auth/common_auth.h" #include "auth/kerberos/pac_utils.h" +#include "lib/krb5_wrap/krb5_samba.h" krb5_error_code check_pac_checksum(DATA_BLOB pac_data, struct PAC_SIGNATURE_DATA *sig, @@ -44,26 +45,34 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, krb5_keyusage usage = 0; krb5_boolean checksum_valid = false; krb5_data input; - - switch (sig->type) { - case CKSUMTYPE_HMAC_MD5: - /* ignores the key type */ - break; - case CKSUMTYPE_HMAC_SHA1_96_AES_256: - if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) { - return EINVAL; -
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 48493735e2d s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs from 532789b4f3f s4:dsdb: Implement msDS-ManagedPassword attribute https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 48493735e2d2091740fe784cf07a4258dfc0b512 Author: Shaleen Bathla Date: Wed Apr 10 18:31:39 2024 +0530 s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs Add missing free for entry variable and its members : key and principal Found definite memory leaks via valgrind as shown below. Leak 1 : ==1686== 76,800 bytes in 2,400 blocks are definitely lost in loss record 432 of 433 ==1686==at 0x4C38185: malloc (vg_replace_malloc.c:431) ==1686==by 0x79CBFED: krb5int_c_copy_keyblock_contents (keyblocks.c:101) ==1686==by 0x621CFA3: krb5_mkt_get_next (kt_memory.c:500) ==1686==by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384) ==1686==by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434) ==1686==by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68) ==1686==by 0x127F45: process_request_send (winbindd.c:502) ==1686==by 0x127F45: winbind_client_request_read (winbindd.c:749) ==1686==by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126) ==1686==by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142) ==1686==by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737) ==1686==by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938) ==1686==by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110) ==1686==by 0x66D39B4: _tevent_loop_once (tevent.c:823) ==1686==by 0x1232F3: main (winbindd.c:1718) Leak 2 : ==1686==at 0x4C38185: malloc (vg_replace_malloc.c:431) ==1686==by 0x62255E4: krb5_copy_principal (copy_princ.c:38) ==1686==by 0x621D003: krb5_mkt_get_next (kt_memory.c:503) ==1686==by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384) ==1686==by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434) ==1686==by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68) ==1686==by 
0x127F45: process_request_send (winbindd.c:502) ==1686==by 0x127F45: winbind_client_request_read (winbindd.c:749) ==1686==by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126) ==1686==by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142) ==1686==by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737) ==1686==by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938) ==1686==by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110) ==1686==by 0x66D39B4: _tevent_loop_once (tevent.c:823) ==1686==by 0x1232F3: main (winbindd.c:1718) Signed-off-by: Shaleen Bathla Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Tue Apr 16 10:22:51 UTC 2024 on atb-devel-224 --- Summary of changes: source3/winbindd/winbindd_pam.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 6c890c8acd5..e7d64189b7e 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -3433,12 +3433,17 @@ static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob, NULL, /* client_principal */ 0, /* tgs_authtime */ p_pac_data); + (void)smb_krb5_kt_free_entry(krbctx, ); if (NT_STATUS_IS_OK(status)) { break; } - k5ret = smb_krb5_kt_free_entry(krbctx, ); k5ret = krb5_kt_next_entry(krbctx, keytab, , ); } + if (k5ret != 0 && k5ret != KRB5_KT_END) { + DEBUG(1, ("Failed to get next entry: %s\n", + error_message(k5ret))); + (void)smb_krb5_kt_free_entry(krbctx, ); + } k5ret = krb5_kt_end_seq_get(krbctx, keytab, ); if (k5ret) { -- Samba Shared Repository
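Review bot: The new error branch after the loop calls `smb_krb5_kt_free_entry()` on an `entry` that the loop body already freed in the previous iteration, so if `krb5_kt_next_entry()` fails without refilling it, the same key and principal are freed a second time. Whether that is harmless depends on the free routine zeroing the structure, which not every Kerberos library guarantees (inferred, as the wrapper is not visible here). Either drop the free from the error branch or clear the entry right after the in-loop free with `ZERO_STRUCT(entry);`. The first keytab read and the start of extract_pac_vrfy_sigs() are outside the hunk.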
[SCM] Samba Shared Repository - branch master updated
Reviewed-by: Andrew Bartlett commit 7df4bdd0fe722da63862d46f809f7ac0498ebe59 Author: Jo Sutton Date: Tue Apr 16 14:17:33 2024 +1200 s4:ldap_server: Fix code spelling BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634 Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 1a6dbcfb1054a2f140a50a039e4f054c43cfb77d Author: Jo Sutton Date: Tue Apr 16 14:17:02 2024 +1200 s4:ldap_server: Remove trailing whitespace BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634 Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit c9370d3ced2fb32bd42883366b4400c65f18512f Author: Andrew Bartlett Date: Thu Apr 11 16:26:49 2024 +1200 selftest: Move some KDS root key tests around to prepare for gMSA server side Once we have a gMSA server side the impact of deleting root keys becomes real and so we must do this in a quiet place where it can not impact on other things. Likewise, we want the samba.tests.dsdb_quiet_provision_tests tests to run somewhere that is not doing other things, so we can see what a bare provision will do. We must not allow test ordering inside the file to cause tests that create root keys to run before checking if provision created a usable root key. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton commit bd60c605ca1cf3f3568646dc3c0ca3501f0bfbec Author: Andrew Bartlett Date: Thu Apr 11 14:33:16 2024 +1200 selftest: Remove duplicate setup of "spn/upn namespaces" in the customdc testenv The call to $self->setup_namespaces() was allways in error, as the design is to have the in the state that it was backed up in, but before commit 08be28241b808845c4b51a4c47765a9416ca3aa7 the error return was not checked and so this was harmless. The customdc environment is not tested in selftest currently, as it is intended to be used for manual testing of domains from backup files not as an automatically constructed environment. This makes: BACKUP_FILE=samba-backup-2024-04-11T14-10-20.437096.tar.bz2 SELFTEST_TESTENV=customdc make testenv work again. 
Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton commit aa6795b32ff6335c2136f9c97482da6a09a2f059 Author: Andreas Schneider Date: Thu Apr 11 10:29:18 2024 +0200 s3:auth: Add support standalone server with MIT Keberos 1.21 This adds support for MIT Kerberos minimal PAC. Tickets from pure Kerberos realms with MIT Kerberos 1.21 or newer will always include a minimal PAC. The PAC include the checksum buffers and a logon_name PAC buffer. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit b58395e5c37e952667f31370c593742328ff324e Author: Andreas Schneider Date: Thu Apr 11 10:21:16 2024 +0200 s3:auth: Split auth3_generate_session_info_pac() into functions This gets rid of the multiple goto and just have a single destructor goto. Best view this commit with `git show -b --color-moved=zebra` Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 20c546f928dfc952e701afe7ee76ea3602580d35 Author: Andreas Schneider Date: Fri Apr 12 14:36:32 2024 +0200 s3:auth: Re-format auth3_generate_session_info_pac() This is in preparation to split up the function into several functions. 
Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit cdb31d7e45bf1ca8a899dea82bd5b1ecc0ef1838 Author: Andreas Schneider Date: Fri Mar 15 12:41:19 2024 +0100 s3:auth: Remove trailing spaces Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- Summary of changes: lib/crypto/gmsa.c |8 +- python/samba/gkdi.py | 24 +- python/samba/nt_time.py |3 +- python/samba/tests/blackbox/gmsa.py |2 +- python/samba/tests/dckeytab.py |4 +- ..._provision_tests.py => dsdb_quiet_env_tests.py} | 28 +- python/samba/tests/dsdb_quiet_provision_tests.py | 211 --- python/samba/tests/gkdi.py | 73 +- python/samba/tests/krb5/gkdi_tests.py | 41 +- python/samba/tests/krb5/gmsa_tests.py | 905 + python/samba/tests/krb5/kdc_base_test.py |3 + python/samba/tests/krb5/pkinit_tests.py| 14 +- python/samba/tests/samba_tool/service_account.py |2 +- .../tests/samba_tool/user_getpassword_gmsa.py | 29 +- selftest/knownfail.d/gmsa |1 - .../samba-tool-user-get-kerberos-ticket|3 - selftest/knownfail.d/user_getpassword_gmsa |4 +- selftest/knownfail_mit_kdc_1_20|5 + selftest/target/Samba4.pm
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 75a4fbbf6a3 smbdotconf: Enable "winbind debug traceid" by default from eb59d7c9b04 s3:libsmb: Fix panic in cliconnect.c https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 75a4fbbf6a340defc884861bc71c5103f16e8d9e Author: Pavel Filipenský Date: Thu Apr 11 13:01:28 2024 +0200 smbdotconf: Enable "winbind debug traceid" by default The traceid debug header field is a useful feature, let's make it default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15631 Signed-off-by: Pavel Filipenský Reviewed-by: Andreas Schneider Autobuild-User(master): Pavel Filipensky Autobuild-Date(master): Mon Apr 15 18:47:41 UTC 2024 on atb-devel-224 --- Summary of changes: docs-xml/smbdotconf/logging/debugtraceid.xml | 2 +- lib/param/loadparm.c | 1 + source3/param/loadparm.c | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/logging/debugtraceid.xml b/docs-xml/smbdotconf/logging/debugtraceid.xml index 61a451da3e7..7646208af48 100644 --- a/docs-xml/smbdotconf/logging/debugtraceid.xml +++ b/docs-xml/smbdotconf/logging/debugtraceid.xml @@ -9,5 +9,5 @@ -no +yes diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 6ef29ed9656..0984ca7195b 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2707,6 +2707,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "debug pid", "No"); lpcfg_do_global_parameter(lp_ctx, "debug uid", "No"); lpcfg_do_global_parameter(lp_ctx, "debug class", "No"); + lpcfg_do_global_parameter(lp_ctx, "winbind debug traceid", "Yes"); lpcfg_do_global_parameter(lp_ctx, "server role", "auto"); lpcfg_do_global_parameter(lp_ctx, "domain logons", "No"); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 797baa66309..a67fc8cf51e 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
@@ -952,6 +952,8 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx, Globals.kdc_enable_fast = true; + Globals.winbind_debug_traceid = true; + Globals.aio_max_threads = 100; lpcfg_string_set(Globals.ctx, -- Samba Shared Repository
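Review bot: `Globals.winbind_debug_traceid = true;` here, together with the matching `lpcfg_do_global_parameter(lp_ctx, "winbind debug traceid", "Yes");` hunk in lib/param/loadparm.c, changes a logging default, yet the diffstat lists only three files and none of them is a release note. The option adds a trace id to the debug header, so deployments that parse Samba logs (log shippers, detection rules keyed on the header layout) will presumably see a different line format after upgrading without having touched smb.conf. I would record the new default in the smb.conf-changes section of WHATSNEW.txt, and add a comment on both assignments such as `/* default must match docs-xml/smbdotconf/logging/debugtraceid.xml */` so the three copies stay in step. Both hunks sit inside init functions whose bodies continue outside the hunk.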
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via eb59d7c9b04 s3:libsmb: Fix panic in cliconnect.c from dde973d170e s4:dns_server: less noisy, more informative debug messages https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit eb59d7c9b04275574deab3e5489dc2e5d05e4bbb Author: Pavel Filipenský Date: Fri Apr 12 14:57:11 2024 +0200 s3:libsmb: Fix panic in cliconnect.c This command line panics: $ bin/rpcclient ncacn_np: -c epmlookup 0 __pthread_kill_implementation (threadid=, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 1 0x764ae8a3 in __pthread_kill_internal (signo=6, threadid=) at pthread_kill.c:78 2 0x7645c8ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 3 0x764448ff in __GI_abort () at abort.c:79 4 0x77b01524 in tevent_req_is_nterror (req=0x55728610, status=0x7fff9bb4) at ../../lib/util/tevent_ntstatus.c:66 5 0x77b9fd91 in cli_connect_nb_recv (req=0x55728610, pcli=0x556fcb18) at ../../source3/libsmb/cliconnect.c:2731 6 0x77ba02a8 in cli_start_connection_connected (subreq=0x55728610) at ../../source3/libsmb/cliconnect.c:2882 7 0x77aecb1a in _tevent_req_notify_callback (req=0x55728610, location=0x77bde0e0 "../../source3/libsmb/cliconnect.c:2686") at ../../lib/tevent/tevent_req.c:177 8 0x77aeccab in tevent_req_finish (req=0x55728610, state=TEVENT_REQ_USER_ERROR, location=0x77bde0e0 "../../source3/libsmb/cliconnect.c:2686") at ../../lib/tevent/tevent_req.c:234 9 0x77aecdda in tevent_req_trigger (ev=0x557182e0, im=0x55728720, private_data=0x55728610) at ../../lib/tevent/tevent_req.c:291 10 0x77aeb513 in tevent_common_invoke_immediate_handler (im=0x55728720, removed=0x0) at ../../lib/tevent/tevent_immediate.c:190 11 0x77aeb685 in tevent_common_loop_immediate (ev=0x557182e0) at ../../lib/tevent/tevent_immediate.c:236 12 0x77af7502 in epoll_event_loop_once (ev=0x557182e0, location=0x77af8ac0 "../../lib/tevent/tevent_req.c:342") at ../../lib/tevent/tevent_epoll.c:905 13 0x77af2d22 in std_event_loop_once (ev=0x557182e0, 
location=0x77af8ac0 "../../lib/tevent/tevent_req.c:342") at ../../lib/tevent/tevent_standard.c:110 14 0x77ae93ab in _tevent_loop_once (ev=0x557182e0, location=0x77af8ac0 "../../lib/tevent/tevent_req.c:342") at ../../lib/tevent/tevent.c:820 15 0x77aecf9e in tevent_req_poll (req=0x55728290, ev=0x557182e0) at ../../lib/tevent/tevent_req.c:342 16 0x77b01647 in tevent_req_poll_ntstatus (req=0x55728290, ev=0x557182e0, status=0x7fff9f4c) at ../../lib/util/tevent_ntstatus.c:109 17 0x77ba246a in cli_full_connection_creds (output_cli=0x7fffa220, my_name=0x55701990 "CLUSTEREDMEMBER", dest_host=0x0, dest_ss=0x0, port=0, service=0x556981d1 "IPC$", service_type=0x556981d6 "IPC", creds=0x556fa410, flags=4096) at ../../source3/libsmb/cliconnect.c:3807 18 0x55619ae9 in main (argc=4, argv=0x7fffa3e8) at ../../source3/rpcclient/rpcclient.c:1308 tevent_req_is_nterror() expects error set by tevent_req_nterror() - to have TEVENT_NTERROR_MAGIC, otherwise it calls abort(). Signed-off-by: Pavel Filipenský Reviewed-by: Volker Lendecke Autobuild-User(master): Pavel Filipensky Autobuild-Date(master): Mon Apr 15 14:55:21 UTC 2024 on atb-devel-224 --- Summary of changes: source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 61e35042586..d42f08fbb1a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -2683,7 +2683,7 @@ static struct tevent_req *cli_connect_nb_send( } } else { /* No host or dest_ss given. Error out. */ - tevent_req_error(req, EINVAL); + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX); return tevent_req_post(req, ev); } -- Samba Shared Repository
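Review bot: The one-line change to `tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX)` is not pinned by any test: the diffstat shows only cliconnect.c, although the commit message gives a reproducer (`bin/rpcclient ncacn_np: -c epmlookup`) that aborts the client from nothing more than a malformed binding string. A blackbox test running that command and expecting a clean error exit would keep the abort from coming back. Since `cli_connect_nb_recv()` reads the result with `tevent_req_is_nterror()`, any other `tevent_req_error()` call left in `cli_connect_nb_send()` would abort the same way; that cannot be checked from this hunk, because the function starts and ends outside it. A comment on the changed line would record the constraint, e.g. `/* must be an NTSTATUS error: the _recv side uses tevent_req_is_nterror() */`.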
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via dde973d170e s4:dns_server: less noisy, more informative debug messages from 81598b42455 s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit dde973d170e479632d1a411279f4f0fad6608539 Author: Douglas Bagnall Date: Thu Apr 11 11:52:14 2024 +1200 s4:dns_server: less noisy, more informative debug messages This shouldn't have been DBG_ERR, and it might as well say something about the tombstone. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15630 Signed-off-by: Douglas Bagnall Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Fri Apr 12 15:18:05 UTC 2024 on atb-devel-224 --- Summary of changes: source4/dns_server/dnsserver_common.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c index d82e309f982..1cbd7d94593 100644 --- a/source4/dns_server/dnsserver_common.c +++ b/source4/dns_server/dnsserver_common.c @@ -1034,10 +1034,11 @@ WERROR dns_common_replace(struct ldb_context *samdb, * record. */ if (records[i].data.EntombedTime != 0) { - if (rec_count != 1) { - DBG_ERR("tombstone record has %u neighbour " - "records.\n", - rec_count - 1); + if (rec_count != 1 && DEBUGLVL(DBGLVL_NOTICE)) { + DBG_NOTICE("tombstone record [%u] has " + "%u neighbour records.\n", + i, rec_count - 1); + NDR_PRINT_DEBUG(dnsp_DnssrvRpcRecord, [i]); } was_tombstoned = true; } -- Samba Shared Repository
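Review bot: The inner `if` folds a log-level test, `DEBUGLVL(DBGLVL_NOTICE)`, into the `rec_count != 1` data test, presumably because `NDR_PRINT_DEBUG` is not gated by the level of `DBG_NOTICE` on its own; a reader has to know that to see why the guard is there. A comment above the condition would make the intent explicit, e.g. `/* only dump the record when notice-level logging is enabled */`. The argument of `NDR_PRINT_DEBUG` appears truncated in this rendering (`[i]`), so the dumped expression cannot be checked here. `dns_common_replace()` begins and ends outside the hunk.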
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 077f39baf7c libcli/http: Detect unsupported Transfer-encoding type via 2fb1bf0205f selftest: Add new test for testing non-chunk transfer encoding via 30bf3d1430f selftest: fix potential reference before assigned error via a70e3a36c82 libcli/http: Handle http chunked transfer encoding via 7e17e4809d5 tests: add test for chunked encoding with http cli library via 26206392153 libcli/http: Optimise reading for content-length via 71eac5a065f selftest: Add basic content-lenght http tests via 19250e13ab6 Add simple http_client for use in black box tests (in following commits) from eaefe50327d VERSION: Bump version up to Samba 4.20.1... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 077f39baf7cc7f4e4ee8709d48b1cb23b8736c1c Author: Noel Power Date: Thu Mar 28 10:48:58 2024 + libcli/http: Detect unsupported Transfer-encoding type Also removes knownfail for test that now passes BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett (cherry picked from commit a18c53a9b98e2e8dea08cf0ef08efc59e58ec137) Autobuild-User(v4-20-test): Jule Anger Autobuild-Date(v4-20-test): Thu Apr 11 12:24:08 UTC 2024 on atb-devel-224 commit 2fb1bf0205f9b5f72d8e1f51e55cf86997639a46 Author: Noel Power Date: Thu Mar 28 09:16:33 2024 + selftest: Add new test for testing non-chunk transfer encoding And add a known fail because there is a bug :-( BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett (cherry picked from commit 93709d31590d4ca25fbac813b9e499755b81ddb5) commit 30bf3d1430f96a42c7b90ef215daa33b427da8b9 Author: Noel Power Date: Thu Mar 28 09:09:02 2024 + selftest: fix potential reference before assigned error This would only happen if the test failed (but the message would be incorrect as 'e' the exception to be stringified doesn't exist. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett (cherry picked from commit efdbf0511e0a89f865210170001fbebf17a45278) commit a70e3a36c8244a324f5e8fa7b138dae5684055e0 Author: Noel Power Date: Mon Mar 25 19:44:10 2024 + libcli/http: Handle http chunked transfer encoding Also removes the knownfail for the chunked transfer test Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 (cherry picked from commit 03240c91fb6ffcf5afe47c14a1ba7a8bc12f2348) commit 7e17e4809d593e1ce2d51583a351b38300a20e2a Author: Noel Power Date: Thu Sep 23 12:18:22 2021 +0100 tests: add test for chunked encoding with http cli library Adds http test client to excercise the http client library and a blackbox test to run the client. This client is built only with selftest also adds a knownfail for the test Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 (cherry picked from commit 30acd609f560352d3edb0c931b9a864110025b2c) commit 26206392153248fb2be1ec95a2e3ac14f9356125 Author: Noel Power Date: Fri Mar 22 08:55:49 2024 + libcli/http: Optimise reading for content-length Instead of reading byte-by-byte we know the content length we want to read so lets use it. Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 (cherry picked from commit 5f03d84e3b52bf5a31a0f885cb83bdcb48ec96f7) commit 71eac5a065fac4023601b067b850d209a7dec149 Author: Noel Power Date: Mon Mar 25 16:25:55 2024 + selftest: Add basic content-lenght http tests very simple test of basic http request/response plus some checks to ensure http response doesn't exceed the response max length set by the client call. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett (cherry picked from commit 74cdebeae3d1bc35eea96b51b9491f6c52844b10) commit 19250e13ab6c654405baf7c7d9c18f514ceade0f Author: Noel Power Date: Mon Mar 25 19:21:54 2024 + Add simple http_client for use in black box tests (in following commits) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett (cherry picked from commit cd6c075476c820b4fe8bdc10a24d8fc8ac74e9c9) --- Summary of changes: libcli/http/http.c | 309 +++-- libcli/http/http_internal.h | 4
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via 2930a1955bf libcli/http: Detect unsupported Transfer-encoding type via 65bb329e166 selftest: Add new test for testing non-chunk transfer encoding via a269412c71e selftest: fix potential reference before assigned error via cbd4a6633c6 libcli/http: Handle http chunked transfer encoding via 57757be4dfd tests: add test for chunked encoding with http cli library via a05d96e4b96 libcli/http: Optimise reading for content-length via c27ad381b39 selftest: Add basic content-lenght http tests via 6636ec3bb2a Add simple http_client for use in black box tests (in following commits) from 4b7785226ad VERSION: Bump version up to Samba 4.19.7... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit 2930a1955bfac736754783ef54a0c1083d8ea161 Author: Noel Power Date: Thu Mar 28 10:48:58 2024 + libcli/http: Detect unsupported Transfer-encoding type Also removes knownfail for test that now passes BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett (cherry picked from commit a18c53a9b98e2e8dea08cf0ef08efc59e58ec137) Autobuild-User(v4-19-test): Jule Anger Autobuild-Date(v4-19-test): Thu Apr 11 10:50:52 UTC 2024 on atb-devel-224 commit 65bb329e1668499e1d58b2fca69908990293dd16 Author: Noel Power Date: Thu Mar 28 09:16:33 2024 + selftest: Add new test for testing non-chunk transfer encoding And add a known fail because there is a bug :-( BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett (cherry picked from commit 93709d31590d4ca25fbac813b9e499755b81ddb5) commit a269412c71ee05019b3ab8a38bcea727963ae22b Author: Noel Power Date: Thu Mar 28 09:09:02 2024 + selftest: fix potential reference before assigned error This would only happen if the test failed (but the message would be incorrect as 'e' the exception to be stringified doesn't exist. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett (cherry picked from commit efdbf0511e0a89f865210170001fbebf17a45278) commit cbd4a6633c6e88bb2e5d6b5162016c7f9fb94332 Author: Noel Power Date: Mon Mar 25 19:44:10 2024 + libcli/http: Handle http chunked transfer encoding Also removes the knownfail for the chunked transfer test Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 (cherry picked from commit 03240c91fb6ffcf5afe47c14a1ba7a8bc12f2348) commit 57757be4dfd50d640c20ef91f3e4f425f72067d4 Author: Noel Power Date: Thu Sep 23 12:18:22 2021 +0100 tests: add test for chunked encoding with http cli library Adds http test client to excercise the http client library and a blackbox test to run the client. This client is built only with selftest also adds a knownfail for the test Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 (cherry picked from commit 30acd609f560352d3edb0c931b9a864110025b2c) commit a05d96e4b967e26c92b1f175a1e9d11b54b339c7 Author: Noel Power Date: Fri Mar 22 08:55:49 2024 + libcli/http: Optimise reading for content-length Instead of reading byte-by-byte we know the content length we want to read so lets use it. Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 (cherry picked from commit 5f03d84e3b52bf5a31a0f885cb83bdcb48ec96f7) commit c27ad381b393a437fd241405f7156997d343650c Author: Noel Power Date: Mon Mar 25 16:25:55 2024 + selftest: Add basic content-lenght http tests very simple test of basic http request/response plus some checks to ensure http response doesn't exceed the response max length set by the client call. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett (cherry picked from commit 74cdebeae3d1bc35eea96b51b9491f6c52844b10) commit 6636ec3bb2aa6e7b2fb86787f814a934d545adfb Author: Noel Power Date: Mon Mar 25 19:21:54 2024 + Add simple http_client for use in black box tests (in following commits) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett (cherry picked from commit cd6c075476c820b4fe8bdc10a24d8fc8ac74e9c9) --- Summary of changes: libcli/http/http.c | 309 +++-- libcli/http/http_internal.h | 4
[SCM] Samba Shared Repository - branch master updated
- a/lib/util/tsort.h +++ b/lib/util/tsort.h @@ -37,4 +37,23 @@ do { \ } while (0) #endif + +#ifndef NUMERIC_CMP +/* + * NUMERIC_CMP is a safe replacement for `a - b` in comparison + * functions. It will work on integers, pointers, and floats. + * + * Rather than + * + * return a - b; + * + * use + * + * return NUMERIC_CMP(a, b); + * + * and you won't have any troubles if a - b would overflow. + */ +#define NUMERIC_CMP(a, b) (((a) > (b)) - ((a) < (b))) +#endif + #endif diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c index eaece2a55f5..21012b70884 100644 --- a/libcli/security/dom_sid.c +++ b/libcli/security/dom_sid.c @@ -28,6 +28,7 @@ #include "librpc/gen_ndr/security.h" #include "dom_sid.h" #include "lib/util/smb_strtox.h" +#include "lib/util/tsort.h" /* Compare the auth portion of two sids. @@ -46,11 +47,12 @@ int dom_sid_compare_auth(const struct dom_sid *sid1, return 1; if (sid1->sid_rev_num != sid2->sid_rev_num) - return sid1->sid_rev_num - sid2->sid_rev_num; + return NUMERIC_CMP(sid1->sid_rev_num, sid2->sid_rev_num); for (i = 0; i < 6; i++) - if (sid1->id_auth[i] != sid2->id_auth[i]) - return sid1->id_auth[i] - sid2->id_auth[i]; + if (sid1->id_auth[i] != sid2->id_auth[i]) { + return NUMERIC_CMP(sid1->id_auth[i], sid2->id_auth[i]); + } return 0; } @@ -71,9 +73,9 @@ int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2) return 1; /* Compare most likely different rids, first: i.e start at end */ - if (sid1->num_auths != sid2->num_auths) - return sid1->num_auths - sid2->num_auths; - + if (sid1->num_auths != sid2->num_auths) { + return NUMERIC_CMP(sid1->num_auths, sid2->num_auths); + } for (i = sid1->num_auths-1; i >= 0; --i) { if (sid1->sub_auths[i] < sid2->sub_auths[i]) { return -1; diff --git a/selftest/knownfail-32bit b/selftest/knownfail-32bit index 2946f3e9936..8ab625d969e 100644 --- a/selftest/knownfail-32bit +++ b/selftest/knownfail-32bit 
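Review bot: The comment added above `NUMERIC_CMP` in lib/util/tsort.h calls it a safe replacement for `a - b` but leaves out the conditions under which that holds. The macro `(((a) > (b)) - ((a) < (b)))` evaluates each argument twice, compares mixed signed and unsigned operands after the usual arithmetic conversions, and returns 0 when either float operand is NaN, which can give a sort comparator an inconsistent ordering. I would extend the comment with `* Arguments are evaluated twice and must be free of side effects.` and `* Both arguments should have the same signedness; NaN compares as equal.`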
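Review bot: In `dom_sid_compare_auth()` the inner `if` gains braces but the enclosing `for (i = 0; i < 6; i++)` is still unbraced, so the loop body is now a braced block hanging off a brace-less loop. Bracing the loop as well, `for (i = 0; i < 6; i++) {` with a closing `}` before `return 0;`, would match what the same commit does for the `num_auths` test in `dom_sid_compare()`. The function begins outside the hunk.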
@@ -65,14 +65,8 @@ # [171(1386)/261 at 6m24s, 4 errors] samba4.local.charset # UNEXPECTED(failure): samba4.local.charset.strcasecmp(none) # REASON: Exception: Exception: ../../lib/util/charset/tests/charset.c:56: strcasecmp("foo", "bar") was 1 (0x1), expected 4 (0x4): different strings both lower -# UNEXPECTED(failure): samba4.local.charset.strcasecmp_m(none) -# REASON: Exception: Exception: ../../lib/util/charset/tests/charset.c:85: strcasecmp_m(file_iso8859_1, file_utf8) was 1 (0x1), expected 38 (0x26): file.{accented e} -# should differ # UNEXPECTED(failure): samba4.local.charset.strncasecmp(none) # REASON: Exception: Exception: ../../lib/util/charset/tests/charset.c:132: strncasecmp("foo", "bar", 3) was 1 (0x1), expected 4 (0x4): different strings both lower -# UNEXPECTED(failure): samba4.local.charset.strncasecmp_m(none) -# REASON: Exception: Exception: ../../lib/util/charset/tests/charset.c:167: strncasecmp_m(file_iso8859_1, file_utf8, 6) was 1 (0x1), expected 38 (0x26): file.{accent -# ed e} should differ # command: /home/samba/samba.git/bin/smbtorture $LOADLIST --configfile=$SMB_CONF_PATH --option='fss:sequence timeout=1' --maximum-runtime=$SELFTEST_MAXTIME --based # ir=$SELFTEST_TMPDIR --format=subunit --option=torture:progress=no --target=samba4 ncalrpc:localhost local.charset 2>&1 | python3 /home/samba/samba.git/selftest/fi # lter-subunit --fail-on-empty --prefix="samba4.local.charset." --suffix="(none)" @@ -82,9 +76,7 @@ # ERROR: Testsuite[samba4.local.charset] # REASON: Exit code was 1 ^samba4.local.charset.strcasecmp.none -^samba4.local.charset.strcasecmp_m.none ^samba4.local.charset.strncasecmp.none -^samba4.local.charset.strncasecmp_m.none # # [229(2702)/261 at 8m44s, 5 errors] samba.tests.samba_tool.provision_lmdb_size # UNEXPECTED(failure): samba.tests.samba_tool.provision_lmdb_size.samba.tests.samba_tool.provision_lmdb_size.ProvisionLmdbSizeTestCase.test_134217728b(none) 
diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c index d85f676fbcf..3c7c1945f58 100644 --- a/source3/lib/util_tdb.c +++ b/source3/lib/util_tdb.c @@ -324,11 +324,11 @@ int tdb_data_cmp(TDB_DATA t1, TDB_DATA t2) return 1; } if (t1.dptr == t2.dptr) { - return t1.dsize - t2.dsize; + return NUMERIC_CMP(t1.dsize, t2.dsize); } ret = memcmp(t1.dptr, t2.dptr, MIN(t1.dsize, t2.dsize)); if (ret == 0) { - return t1.dsize - t2.dsize; + return NUMERIC_CMP(t1.dsize, t2.dsize); } return ret; } diff --git a/source3/libsmb/libsmb_xattr.c b/source3/libsmb/libsmb_xattr.c index dcb2f9e74a7..a9023419376 100644 --- a/source3/libsmb/libsmb_xattr.c +++ b/source3/libsmb/libsmb_xattr.c -- Samba Shared Repository
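Review bot: With this change `tdb_data_cmp()` returns -1, 0 or 1 on the length paths but still passes the raw `memcmp()` result through `return ret;`, so only the sign of the return value is meaningful. The function has no visible comment saying so, and a caller that compares the result with `== 1` or `== -1` would work for some inputs and not others. I would add above the function `/* Returns <0, 0 or >0; only the sign is meaningful (memcmp() results are not normalised). */`. The start of the function lies outside the hunk.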
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 60df2a09a43 selftest: move some more expected failures to expectedfail.d via bda4e1233a1 ldb: Add more segfault tests DN handling via 8ac18495ba2 pyldb: don't allow py_ldb_dn_copy() with the wrong pyldb via d38a9e93cf3 python:upgrade/upgradeprovision: use dn.copy to align ldbs via 345eb854c3b pyldb: add dn.copy() python method. via fa9a32139ff s4:samba_upgradeprovision: align DN ownership via ed6d151c1b7 pyldb: add Message.ldb accessor via 8b6df2d0bca pyldb: add Dn.ldb accessor via a95e6aa5667 pyldb: add PyErr_internal_LDB_DN_OR_RAISE via d712c8d2edd pyldb: normalise name of pyldb_Message_Check via 72ad126ab74 ldb:pyldb: reorder structs for possible type-punning via c39021a494f pyldb: py_ldb_msg_set_dn checks dn ldb equality via 61ba0cc17df pyldb: py_ldb_msg_elements uses PyErr_LDB_MESSAGE_OR_RAISE via 9cadc61cd4c pyldb: py_ldb_msg_items checks for more errors via 6a2e6139ad0 pldb: py_ldb_msg_items uses PyErr_LDB_MESSAGE_OR_RAISE via b5fcc55b5ec pyldb: py_ldb_msg_contains() checks ldb equality via acba42b126c pyldb: py_ldb_msg_keys() uses PyErr_LDB_MESSAGE_OR_RAISE via d05ae6872b1 pyldb: py_ldb_msg_richcmp() uses PyErr_LDB_MESSAGE_OR_RAISE() via bc45a258d2a pyldb: use PyErr_LDB_MESSAGE_OR_RAISE() in various functions via f0e665f4a9a pyldb: add PyErr_LDB_MESSAGE_OR_RAISE() macro via b81b2578ad1 pyldb: catch up with README.Coding for some `PyArg_ParseTuple`s via 13545ed1390 pyldb: py_ldb_dn_concat() uses PyErr_LDB_DN_OR_RAISE via 1bbca1e3b42 pyldb: py_ldb_dn_len checks dn and ldb validity via f8b92e52811 pyldb: make py_ldb_dn_add_base() a bit less leaky via b83ea997e75 pyldb: py_ldb_dn_add_base() uses PyErr_LDB_DN_OR_RAISE via 67a9e573b00 pyldb: make py_ldb_dn_add_child() a bit less leaky via 310624ead50 pyldb: py_ldb_dn_add_child() uses PyErr_LDB_DN_OR_RAISE via 1eeb0e36516 pyldb: py_ldb_dn_get_parent() uses PyErr_LDB_DN_OR_RAISE via 8830149ef96 pyldb: py_ldb_dn_richcmp() uses PyErr_LDB_DN_OR_RAISE via 982a87cedfc pyldb: 
py_ldb_dn_get_extended_component() uses PyErr_LDB_DN_OR_RAISE via 5154c8c996f pyldb: py_ldb_dn_extended_str() uses PyErr_LDB_DN_OR_RAISE() via 0ce3f355022 pyldb: py_ldb_dn_get_casefold() uses PyErr_LDB_DN_OR_RAISE() via 85ba5d2c8f2 pyldb: py_ldb_dn_get_extended_component uses PyErr_LDB_DN_OR_RAISE() via 087d43ac615 pyldb: adapt some simple dn methods to use LDB_DN_OR_RAISE() via f98035a2a31 ldb:pyldb: PyErr_LDB_DN_OR_RAISE makes more rigourous checks via 8bb6287c3ba pytest:segfault: some more ldb crashes via 0bf80c10ca5 samba-tool domain backup: Use new ldb.disconnect() method to force-close files during backup via 8612b3e38b3 ldb:pytests: test ldb.connect() works after .disconnect() via fdc3212275b pyldb: Add ldb.disconnect() method to ensure DB handles are closed via 784ee21616a pyldb: Include a reference to the Ldb in objects that use via ffbe623963a selftest: Add tests that demonstrate the issues with ldb use after free via 3ffc6c139b0 pytest:krb5/lockout: associate user DN with the ldb it is used with from dbba6c22a41 auth/credentials: Read managed_password.passwords.query_interval only after parsing https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 60df2a09a4394d2b494224ad3d33314079e73066 Author: Douglas Bagnall Date: Fri Mar 22 16:20:18 2024 +1300 selftest: move some more expected failures to expectedfail.d Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Apr 10 06:15:46 UTC 2024 on atb-devel-224 commit bda4e1233a145f11aa92b89a5658d94cd9252267 Author: Andrew Bartlett Date: Mon Mar 25 22:21:19 2024 +1300 ldb: Add more segfault tests DN handling - from_dict DN use-after-free - check for the same directly creating the ldb.Message Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 8ac18495ba238985a82dbe5a3c95c78c3c51f4b6 Author: Douglas Bagnall Date: Mon Mar 18 12:24:53 2024 +1300 pyldb: don't allow py_ldb_dn_copy() with the wrong pyldb 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit d38a9e93cf3444d7fe3939728673a637a03eb819 Author: Douglas Bagnall Date: Sun Mar 17 18:07:44 2024 +1300 python:upgrade/upgradeprovision: use dn.copy to align ldbs We need to do this when the dn is on a message from another ldb. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 345eb854c3b03a3c8e0e19fba0edb9eafd055ab9 Author: Douglas Bagnall Date: Sun Mar 17 17:56:09
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via dbba6c22a41 auth/credentials: Read managed_password.passwords.query_interval only after parsing via 811c184bbb3 smbd: Simplify an if-condition via 51c950c1629 smbd: Save 3 lines via f573a513415 smbd: Remove an obsolete comment via 798826d4f1a smbXsrv_session: Remove a "can't happen" NULL check via 89981987379 smbXsrv_session: Use talloc_tos() for pushing smbXsrv_session_globalB via 292c2645468 smbXsrv_session: Remove two implicit NULL initializations via c5f98c0d95c smbXsrv_session: Use struct initialization via 005ce15aab3 python/samba/tests: Fix gMSA blackbox test to expect failure to get password after membership change via 50f424e8d35 s3:rpc_server: Implement _lsa_CreateTrustedDomainEx3() via 8df1728e124 s3:rpc_server: Implement lsa_CreateTrustedDomain_common() via 3385c2fe44a s3:rpc_server: Implement and use lsa_CreateTrustedDomain_precheck() via 8f52b649799 s3:rpc_server: Log error in _lsa_CreateTrustedDomainEx2() via 56e1051ad7e s3:rpc_client: Implement createtrustdomex3 command via bb4d8de9a80 s3:rpc_client: Implement createtrustdomex2 command via d078ee6af61 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info_aes() via 97499a47550 s4:torture: Add test for lsa_CreateTrustedDomainEx3 via f390981c1a7 s4:rpc_server: Enable AES in dcesrv_lsa_OpenPolicy3() via 933ba496073 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomainEx3() via 87595140c34 s4:rpc_server: Implement get_trustdom_auth_blob_aes() for LSA via 0177cd898ef s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain via b957cb34d44 s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx via 1790828bc5f s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2 via 6d90397ff28 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_common() via dad8c78edc7 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_precheck() via 18af510bd50 s4:rpc_server: Use 
talloc_zero in dcesrv_lsa_CreateTrustedDomain() via 8b1c0bd718b s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c via 354f61d868d s4:torture: Use dcerpc_lsa_OpenPolicy3_r() via 8e35e5f5675 s4:torture: Use rpc_lsa_encrypt_trustdom_info() via 05e9cb36b77 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info() via dbe9e9a8393 s4:torture: Use init_lsa_String() from init_lsa.h via 84d51503630 librpc:rpc: Add dcerpc_lsa.h via 2d60d1b96aa python: Use OpenPolicyFallback() in trust.py via 859e7f8c5f1 python: Implement CreateTrustedDomainFallback() via 812d4e0d6cc python: Add aead_aes_256_cbc_hmac_sha512() via 23e61d2cebc python: Use secrets.token_bytes instead of random via decacb0e7e1 python: Set parameter types for CreateTrustedDomainRelax() via 9e5fc815644 python:tests: Clean lsa_utils.py code according to Python standards via e32be2ade4f python:tests: Rename createtrustrelax.py to lsa_utils.py via 00ed209e483 python: Implement OpenPolicyFallback() via 85d0ab38f7c python:samba: Rename trust_utils.py to lsa_utils.py via 01940ae7afa buildtools: Fix PYTHONPATH and print it from be2ade2d88b netcmd: fix broken shell command missing Model https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit dbba6c22a41ab12bd9804f10a878c965100ac7c0 Author: Andrew Bartlett Date: Tue Apr 9 16:11:16 2024 +1200 auth/credentials: Read managed_password.passwords.query_interval only after parsing The code previously read the uninitialised stack not the parsed structure, and so could segfault if the stack was not zero. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Apr 9 23:59:54 UTC 2024 on atb-devel-224 commit 811c184bbb30f8364a6c2f1835732d0c25e1b9c7 Author: Volker Lendecke Date: Fri Feb 9 12:37:53 2024 +0100 smbd: Simplify an if-condition current_sid == NULL is true if and only if we could not assign current_sid because num_sids was too small. Make that more explicit. 
Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit 51c950c16297ce45aeec85dff53af04f7f3b620f Author: Volker Lendecke Date: Fri Feb 9 12:47:48 2024 +0100 smbd: Save 3 lines Just cosmetic Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit f573a5134151e029329f19f292e6d6a324e291b8 Author: Volker Lendecke Date: Thu Feb 8 18:16:39 2024 +0100 smbd: Remove an obsolete comment This looks like a cut from other smbXsrv files.
[Announce] Samba 4.19.6 Available for Download
Release Announcements - This is the latest stable release of the Samba 4.19 release series. Changes since 4.19.5 o Ralph Boehme * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close(). o Guenther Deschner * BUG 15588: samba-gpupdate: Correctly implement site support. o Noel Power * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close(). o Andreas Schneider * BUG 15588: samba-gpupdate: Correctly implement site support. * BUG 15599: libgpo: Segfault in python bindings. o Martin Schwenke * BUG 15580: Packet marshalling push support missing for CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED. ### Reporting bugs & Development Discussion ### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). == == Our Code, Our Bugs, Our Responsibility. == The Samba Team == Download Details The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from: https://download.samba.org/pub/samba/stable/ The release notes are available online at: https://www.samba.org/samba/history/samba-4.19.6.html Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team
[SCM] Samba Shared Repository - branch v4-19-stable updated
The branch, v4-19-stable has been updated via b400092dd0a VERSION: Disable GIT_SNAPSHOT for the 4.19.6 release. via 8333c396015 WHATSNEW: Add release notes for Samba 4.19.6. via 0ac741b5705 s3/smbd: If we fail to close file_handle ensure we should reset the fd via 3634df5d59e smbd: simplify handling of failing fstat() after unlinking file via a58338ec926 libgpo: Do not segfault if we don't have a valid security descriptor via 51a3797f57e libgpo: Fix trailing spaces in pygpo.c via 8ea3973ad40 python:gp: Implement client site lookup in site_dn_for_machine() via 111e85a589c librpc:idl: Make netlogon_samlogon_response public via eebe6d8c890 ctdb-protocol: Add missing push support for new controls via 19e7ea8ffa8 VERSION: Bump version up to Samba 4.19.6... from 7bef2f7f1c8 VERSION: Disable GIT_SNAPSHOT for the 4.19.5 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 59 -- ctdb/protocol/protocol_control.c | 8 + ctdb/tests/src/protocol_common_ctdb.c | 33 + ctdb/tests/src/protocol_ctdb_test.c | 2 +- libgpo/pygpo.c| 7 +++- librpc/idl/nbt.idl| 2 +- librpc/ndr/ndr_nbt.c | 2 +- librpc/ndr/ndr_nbt.h | 2 +- python/samba/gp/gpclass.py| 68 +++ source3/smbd/close.c | 1 + source3/smbd/open.c | 27 +- 12 files changed, 163 insertions(+), 50 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 9151d8de1ce..066af506941 100644 --- a/VERSION +++ b/VERSION @@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2023" SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=19 -SAMBA_VERSION_RELEASE=5 +SAMBA_VERSION_RELEASE=6 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 79abe2da103..be2edfb6ac4 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,59 @@ + == + Release Notes for Samba 4.19.6 + April 08, 2024 + == + + +This is the latest stable release of the Samba 4.19 release series. + + +Changes since 4.19.5 + + +o Ralph Boehme + * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if + vfs_stat_fsp() fails in fd_close(). + +o Guenther Deschner + * BUG 15588: samba-gpupdate: Correctly implement site support. + +o Noel Power + * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if + vfs_stat_fsp() fails in fd_close(). + +o Andreas Schneider + * BUG 15588: samba-gpupdate: Correctly implement site support. + * BUG 15599: libgpo: Segfault in python bindings. + +o Martin Schwenke + * BUG 15580: Packet marshalling push support missing for + CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and + CTDB_CONTROL_TCP_CLIENT_PASSED. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + == Release Notes for Samba 4.19.5 February 19, 2024 @@ -59,8 +115,7 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- == Release Notes fo
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 4728e21 NEWS[4.19.6]: Samba 4.19.6 Available for Download from f8e7137 NEWS[4.20.0]: Samba 4.20.0 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 4728e210013ff2ce9b41a06dacb0e08c7dd08bd3 Author: Jule Anger Date: Mon Apr 8 09:31:53 2024 +0200 NEWS[4.19.6]: Samba 4.19.6 Available for Download Signed-off-by: Jule Anger --- Summary of changes: history/header_history.html | 1 + history/samba-4.19.6.html| 55 posted_news/20240408-073243.4.19.6.body.html | 13 ++ posted_news/20240408-073243.4.19.6.headline.html | 3 ++ 4 files changed, 72 insertions(+) create mode 100644 history/samba-4.19.6.html create mode 100644 posted_news/20240408-073243.4.19.6.body.html create mode 100644 posted_news/20240408-073243.4.19.6.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index eb8f7b6..8f60ff2 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -10,6 +10,7 @@ samba-4.20.0 + samba-4.19.6. samba-4.19.5. samba-4.19.4. samba-4.19.3. diff --git a/history/samba-4.19.6.html b/history/samba-4.19.6.html new file mode 100644 index 000..af5d5eb --- /dev/null +++ b/history/samba-4.19.6.html 
@@ -0,0 +1,55 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xhtml;> + +Samba 4.19.6 - Release Notes + + +Samba 4.19.6 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.19.6.tar.gz;>Samba 4.19.6 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.19.6.tar.asc;>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.19.5-4.19.6.diffs.gz;>Patch (gzipped) against Samba 4.19.5 +https://download.samba.org/pub/samba/patches/samba-4.19.5-4.19.6.diffs.asc;>Signature + + + + == + Release Notes for Samba 4.19.6 + April 08, 2024 + == + + +This is the latest stable release of the Samba 4.19 release series. + + +Changes since 4.19.5 + + +o Ralph Boehme s...@samba.org + * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if + vfs_stat_fsp() fails in fd_close(). + +o Guenther Deschner g...@samba.org + * BUG 15588: samba-gpupdate: Correctly implement site support. + +o Noel Power noel.po...@suse.com + * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if + vfs_stat_fsp() fails in fd_close(). + +o Andreas Schneider a...@samba.org + * BUG 15588: samba-gpupdate: Correctly implement site support. + * BUG 15599: libgpo: Segfault in python bindings. + +o Martin Schwenke mschwe...@ddn.com + * BUG 15580: Packet marshalling push support missing for + CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and + CTDB_CONTROL_TCP_CLIENT_PASSED. + + + + + + diff --git a/posted_news/20240408-073243.4.19.6.body.html b/posted_news/20240408-073243.4.19.6.body.html new file mode 100644 index 000..ece27a0 --- /dev/null +++ b/posted_news/20240408-073243.4.19.6.body.html 
@@ -0,0 +1,13 @@ + +08 April 2024 +Samba 4.19.6 Available for Download + +This is the latest stable release of the Samba 4.19 release series. + + +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +The source code can be https://download.samba.org/pub/samba/stable/samba-4.19.6.tar.gz;>downloaded now. +A https://download.samba.org/pub/samba/patches/samba-4.19.5-4.19.6.diffs.gz;>patch against Samba 4.19.5 is also available. +See https://www.samba.org/samba/history/samba-4.19.6.html;>the release notes for more info. + + diff --git a/posted_news/20240408-073243.4.19.6.headline.html b/posted_news/20240408-073243.4.19.6.headline.html new file mode 100644 index 000..dde472d --- /dev/null +++ b/posted_news/20240408-073243.4.19.6.headline.html @@ -0,0 +1,3 @@ + + 08 April 2024 Samba 4.19.6 Available for Download + -- Samba Website Repository
[SCM] Samba Shared Repository - annotated tag samba-4.19.6 created
The annotated tag, samba-4.19.6 has been created at 4826796513729aad06646b9ab838910737d52d09 (tag) tagging b400092dd0a5248544f6e05fc4f85bcc0efb6a3c (commit) replaces samba-4.19.5 tagged by Jule Anger on Mon Apr 8 09:30:50 2024 +0200 - Log - samba: tag release samba-4.19.6 -BEGIN PGP SIGNATURE- iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmYTnSoACgkQqplEL7aA tiAumg/9FioMDXlmSrJx2YOxD0FBQHERghr5REFLKiCK0g+b9Cq6tg9rZXC6YkWI Ihm8+0LsGiKq4ZAMauI4v1ud1gWgPwQfdQppTwI+4HFTCoK2b6hkJhKUtPs0JNt2 QdjU7TyXz3edzliYWuQrAu2MZRZX9IIb4K9WzTlf5rT+bfBwnTsvBAU+tpKqJTmj 1wdZ2q0jq4rNbOuR/t5NJZsMes2CIEyvHTBzVY1cf/VOosjsfhdUQkDtZWsr12W7 KoMb7ziLQimniLUSIMWMTVGd9mjBFD0xB9uC7/8HbuDiGMfQk2bDHULn6JSGc1g4 nMXDkzOJ1DIMlSpNvWzXLtA8961Dsaf++x66wR/1c3aJM+0m11sMt5ZA8Aff189L NMIIEahMp1BxAPFFj0CTNcTyXQArLQxnZP2VnpvbBBn3v8A+tIv+zvBe8T1jDfKz 0aSqNmHwbwoFpqH7siAEKS5DlFpsKAnLfpsVR7bOO4U+JOJJw+1Vvrk1aW77eSQL jCXpyD0AZcOhWuoSv7/q94tVzamrvi8Se+4+JEybeULwk/DPqMT6jcBamXNx1PyX OoF4Ic79QsM6A14skvfhLoSmYAS4iBkWjFEWobwb8SFHXZk61dMgSMkB+nF5nQA3 zQDSatoULkn3TWXKFYTN3BjYFfpv9DP54PWNhFzhprEddGMfuII= =KcC5 -END PGP SIGNATURE- Andreas Schneider (4): librpc:idl: Make netlogon_samlogon_response public python:gp: Implement client site lookup in site_dn_for_machine() libgpo: Fix trailing spaces in pygpo.c libgpo: Do not segfault if we don't have a valid security descriptor Jule Anger (3): VERSION: Bump version up to Samba 4.19.6... WHATSNEW: Add release notes for Samba 4.19.6. VERSION: Disable GIT_SNAPSHOT for the 4.19.6 release. Martin Schwenke (1): ctdb-protocol: Add missing push support for new controls Noel Power (1): s3/smbd: If we fail to close file_handle ensure we should reset the fd Ralph Boehme (1): smbd: simplify handling of failing fstat() after unlinking file --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via 4b7785226ad VERSION: Bump version up to Samba 4.19.7... via b400092dd0a VERSION: Disable GIT_SNAPSHOT for the 4.19.6 release. via 8333c396015 WHATSNEW: Add release notes for Samba 4.19.6. from 0ac741b5705 s3/smbd: If we fail to close file_handle ensure we should reset the fd https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit 4b7785226ad4ffe77f308188c4b1a229d9bba4a3 Author: Jule Anger Date: Mon Apr 8 09:25:07 2024 +0200 VERSION: Bump version up to Samba 4.19.7... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit b400092dd0a5248544f6e05fc4f85bcc0efb6a3c Author: Jule Anger Date: Mon Apr 8 09:24:50 2024 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.19.6 release. Signed-off-by: Jule Anger commit 8333c3960154fc582213b90dbf32b956cea08245 Author: Jule Anger Date: Mon Apr 8 09:20:40 2024 +0200 WHATSNEW: Add release notes for Samba 4.19.6. Signed-off-by: Jule Anger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 59 +-- 2 files changed, 58 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index aeede60164d..939e114840c 100644 --- a/VERSION +++ b/VERSION @@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2023" SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=19 -SAMBA_VERSION_RELEASE=6 +SAMBA_VERSION_RELEASE=7 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 79abe2da103..be2edfb6ac4 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,59 @@ + == + Release Notes for Samba 4.19.6 + April 08, 2024 + == + + +This is the latest stable release of the Samba 4.19 release series. + + +Changes since 4.19.5 + + +o Ralph Boehme + * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if + vfs_stat_fsp() fails in fd_close(). + +o Guenther Deschner + * BUG 15588: samba-gpupdate: Correctly implement site support. + +o Noel Power + * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if + vfs_stat_fsp() fails in fd_close(). + +o Andreas Schneider + * BUG 15588: samba-gpupdate: Correctly implement site support. + * BUG 15599: libgpo: Segfault in python bindings. + +o Martin Schwenke + * BUG 15580: Packet marshalling push support missing for + CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and + CTDB_CONTROL_TCP_CLIENT_PASSED. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + == Release Notes for Samba 4.19.5 February 19, 2024 @@ -59,8 +115,7 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- == Release Notes for Samba 4.19.4 January 08, 2024 -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via be2ade2d88b netcmd: fix broken shell command missing Model via bcae4c2dbea python: lint: fix pylint R1720 unnecessary "raise" after "else" via 3dd49b9f567 python: lint: remove unused imports in claims and gmsa commands via 8f7ff1c7ef4 python: tests: type check should always use "is" or "is not" via e388bf4b4a2 python: tests: fix closing quote in docstring example via a18c53a9b98 libcli/http: Detect unsupported Transfer-encoding type via 93709d31590 selftest: Add new test for testing non-chunk transfer encoding via efdbf0511e0 selftest: fix potential reference before assigned error via 8e931fce126 Do not fail checksums for RFC8009 types via 2ecb69d9b7f python:tests: Improve keytab comparison of dckeytab from 814ae222ca1 s3:winbindd: use better debug messages than 'talloc_strdup failed' https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit be2ade2d88bb89763fce2a34f8f68941424ad9ee Author: Rob van der Linde Date: Thu Mar 28 16:06:05 2024 +1300 netcmd: fix broken shell command missing Model This is already in MODELS which is populated in ModelMeta Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Apr 8 04:07:22 UTC 2024 on atb-devel-224 commit bcae4c2dbea7067932e931456998b1ada20d615c Author: Rob van der Linde Date: Thu Mar 28 16:15:06 2024 +1300 python: lint: fix pylint R1720 unnecessary "raise" after "else" Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 3dd49b9f567fdf14e7a616351805d1aac9a3083a Author: Rob van der Linde Date: Thu Mar 28 16:09:44 2024 +1300 python: lint: remove unused imports in claims and gmsa commands Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 8f7ff1c7ef4a570193faa2e3181a757bc98c3e08 Author: Rob van der Linde Date: Thu Mar 28 15:59:33 2024 +1300 python: tests: type check should always 
use "is" or "is not" Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit e388bf4b4a2012bd1fdde7e63b957b32c1a69c75 Author: Rob van der Linde Date: Thu Mar 28 15:58:34 2024 +1300 python: tests: fix closing quote in docstring example Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit a18c53a9b98e2e8dea08cf0ef08efc59e58ec137 Author: Noel Power Date: Thu Mar 28 10:48:58 2024 + libcli/http: Detect unsupported Transfer-encoding type Also removes knownfail for test that now passes BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit 93709d31590d4ca25fbac813b9e499755b81ddb5 Author: Noel Power Date: Thu Mar 28 09:16:33 2024 + selftest: Add new test for testing non-chunk transfer encoding And add a known fail because there is a bug :-( BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit efdbf0511e0a89f865210170001fbebf17a45278 Author: Noel Power Date: Thu Mar 28 09:09:02 2024 + selftest: fix potential reference before assigned error This would only happen if the test failed (but the message would be incorrect as 'e' the exception to be stringified doesn't exist. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit 8e931fce126e8c1128da893c806702731c08758a Author: Alexander Bokovoy Date: Thu Jun 22 09:56:12 2023 +0300 Do not fail checksums for RFC8009 types While Active Directory does not support yet RFC 8009 encryption and checksum types, it is possible to verify these checksums when running with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA domain controller which uses them by default. 
[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)] ../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative) smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab [2023/06/16 21:51:04.924196, 2, pid=51149, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum) check_pac_checksum: Checksum Type 20 is not supported [2023/06/16 21:51:04.924228, 5, pid=51149, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac) PAC Decode: Failed to verify the service sig
[SCM] Samba Shared Repository - branch master updated
winbindd/winbindd_cm.c | 11 +- source3/wscript_build | 1 + source4/libcli/dgram/dgramsocket.c | 40 ++- source4/libcli/dgram/libdgram.h| 3 + source4/nbt_server/dgram/request.c | 56 ++- source4/nbt_server/interfaces.c| 29 ++ source4/nbt_server/nbt_server.c| 143 source4/nbt_server/nbt_server.h| 2 + source4/nbt_server/wscript_build | 2 +- 30 files changed, 793 insertions(+), 426 deletions(-) copy lib/util/unix_match.h => source3/include/fstring.h (76%) Changeset truncated at 500 lines: diff --git a/libcli/nbt/libnbt.h b/libcli/nbt/libnbt.h index 204484be73f..6a30c9fedb5 100644 --- a/libcli/nbt/libnbt.h +++ b/libcli/nbt/libnbt.h @@ -331,6 +331,9 @@ NTSTATUS nbt_set_unexpected_handler(struct nbt_name_socket *nbtsock, void (*handler)(struct nbt_name_socket *, struct nbt_name_packet *, struct socket_address *), void *private_data); +NTSTATUS nbt_name_send_raw(struct nbt_name_socket *nbtsock, + struct socket_address *dest, + const DATA_BLOB pkt_blob); NTSTATUS nbt_name_reply_send(struct nbt_name_socket *nbtsock, struct socket_address *dest, struct nbt_name_packet *request); diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c index 47e73cf2e8d..b2945ad912f 100644 --- a/libcli/nbt/nbtsocket.c +++ b/libcli/nbt/nbtsocket.c 
@@ -448,6 +448,50 @@ failed: return NULL; } +/* + send off a nbt name packet +*/ +_PUBLIC_ NTSTATUS nbt_name_send_raw(struct nbt_name_socket *nbtsock, + struct socket_address *dest, + const DATA_BLOB pkt_blob) +{ + struct nbt_name_request *req; + + req = talloc_zero(nbtsock, struct nbt_name_request); + NT_STATUS_HAVE_NO_MEMORY(req); + + req->nbtsock = nbtsock; + req->dest = socket_address_copy(req, dest); + if (req->dest == NULL) { + goto failed; + } + req->state = NBT_REQUEST_SEND; + /* +* We don't expect a response so +* just pretent it is a request, +* but we really don't care about the +* content. +*/ + req->is_reply = true; + + req->encoded = data_blob_dup_talloc(req, pkt_blob); + if (req->encoded.length != pkt_blob.length) { + goto failed; + } + + talloc_set_destructor(req, nbt_name_request_destructor); + + DLIST_ADD_END(nbtsock->send_queue, req); + + TEVENT_FD_WRITEABLE(nbtsock->fde); + + return NT_STATUS_OK; + +failed: + talloc_free(req); + return NT_STATUS_NO_MEMORY; +} + /* send off a nbt name reply diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 2d449e4a652..f2b84b4f9b7 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -618,6 +618,7 @@ sub provision_raw_prepare($$) $ctx->{statedir} = "$prefix_abs/statedir"; $ctx->{cachedir} = "$prefix_abs/cachedir"; $ctx->{winbindd_socket_dir} = "$prefix_abs/wbsock"; + $ctx->{nmbd_socket_dir} = "$prefix_abs/nmbsock"; $ctx->{ntp_signd_socket_dir} = "$prefix_abs/ntp_signd_socket"; $ctx->{nsswrap_passwd} = "$ctx->{etcdir}/passwd"; $ctx->{nsswrap_group} = "$ctx->{etcdir}/group"; @@ -774,6 +775,7 @@ sub provision_raw_step1($$) state directory = $ctx->{statedir} cache directory = $ctx->{cachedir} winbindd socket directory = $ctx->{winbindd_socket_dir} + nmbd:socket dir = $ctx->{nmbd_socket_dir} ntp signd socket directory = $ctx->{ntp_signd_socket_dir} winbind separator = / interfaces = $interfaces 
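Review bot: In nbt_name_send_raw() an empty `pkt_blob` passes the `req->encoded.length != pkt_blob.length` check and is queued on `send_queue`, and nothing in the function bounds or parses the bytes before they are sent. If the callers (not in this hunk) relay datagrams that arrived from the network, a guard such as `if (pkt_blob.length == 0) { return NT_STATUS_INVALID_PARAMETER; }` before the allocation would help, together with a header comment saying the blob is transmitted unparsed and must be validated by the caller. The comment above `req->is_reply = true;` says "pretent it is a request" while the code marks the entry as a reply; `just pretend it is a reply,` matches what the code does.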
diff --git a/lib/util/unix_match.h b/source3/include/fstring.h similarity index 76% copy from lib/util/unix_match.h copy to source3/include/fstring.h index a7b693500b2..dfc8f17a8f3 100644 --- a/lib/util/unix_match.h +++ b/source3/include/fstring.h @@ -1,7 +1,6 @@ /* Unix SMB/CIFS implementation. - Utility functions for Samba - Copyright (C) Jeremy Allison 2001 + Copyright (C) 2002 by Martin Pool This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -17,9 +16,12 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ -#ifndef _UNIX_MASK_H_ -#define _UNIX_MASK_H_ - -bool unix_wild_match(const char *pattern, const char *string); +#ifndef _SAMBA_FSTRING_H +#define _SAMBA_FSTRING_H +#ifndef FSTRING_LEN +#define FSTRING_LEN 256 +typed
[SCM] Samba Shared Repository - branch master updated
failed=$(expr $failed + 1) + # # Trusted domain test 1: Test uid of Administrator, should be 250 # @@ -241,6 +260,9 @@ gidNumber: 202 dn: cn=forbidden,ou=sub,$BASE_DN changetype: delete +dn: CN=no_posix_id,CN=Users,$BASE_DN +changetype: delete + dn: ou=sub,$BASE_DN changetype: delete EOF diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index bbce55ea508..cf40633d127 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1420,6 +1420,7 @@ sub setup_ad_member_idmap_ad idmap config $dcvars->{TRUST_DOMAIN} : range = 200-299 gensec_gssapi:requested_life_time = 5 winbind scan trusted domains = yes + winbind expand groups = 1 "; my $ret = $self->provision( diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index 7e572e5d41f..7d6324033ea 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c @@ -1039,7 +1039,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, } static NTSTATUS add_primary_group_members( - ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, + ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname, char ***all_members, size_t *num_all_members) { char *filter; @@ -1051,10 +1051,13 @@ static NTSTATUS add_primary_group_members( char **members; size_t num_members; ads_control args; + bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false); filter = talloc_asprintf( - mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))", - (unsigned)rid); + mem_ctx, + "(&(objectCategory=user)(primaryGroupID=%u)%s)", + (unsigned)rid, + all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))"); if (filter == NULL) { goto done; } 
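Review bot: In add_primary_group_members() the default filter now appends `(uidNumber=*)(!(uidNumber=0))` for every domain that reaches this function, because `all_groupmem` is read with a default of `false`; the hunk shows no check that the domain's idmap backend actually stores `uidNumber` in the directory. If this path can run for a domain whose users carry no `uidNumber` attribute, members whose primary group is this group would silently drop out of the listing, so it is worth confirming that in the caller, which lies outside the hunk. A comment above the `talloc_asprintf()` call would record the intent, for example `/* Unless "all_groupmem" is set, list only primary-group members with a non-zero uidNumber. */`. The function body starts and ends outside the hunk.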
@@ -1206,7 +1209,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); - status = add_primary_group_members(ads, mem_ctx, rid, + status = add_primary_group_members(ads, mem_ctx, rid, domain->name, , _members); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("%s: add_primary_group_members failed: %s\n", -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
me->st.st_ex_btime = saved_btime; + + return NT_STATUS_OK; +} + / Extended attribute operations. */ @@ -1933,6 +1956,7 @@ static struct vfs_fn_pointers ceph_fns = { .fchflags_fn = cephwrap_fchflags, .get_real_filename_at_fn = cephwrap_get_real_filename_at, .connectpath_fn = cephwrap_connectpath, + .fget_dos_attributes_fn = cephwrap_fget_dos_attributes, /* EA operations. */ .getxattrat_send_fn = vfs_not_implemented_getxattrat_send, diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c index 4d897d6d7a1..674a13076e1 100644 --- a/source3/smbd/dosmode.c +++ b/source3/smbd/dosmode.c @@ -1189,7 +1189,8 @@ int file_ntimes(connection_struct *conn, } if (SMB_VFS_FNTIMES(fsp, ft) == 0) { - return 0; + ret = 0; + goto done; } if((errno != EPERM) && (errno != EACCES)) { @@ -1214,6 +1215,11 @@ int file_ntimes(connection_struct *conn, unbecome_root(); } +done: + if (ret == 0) { + copy_stat_ex_timestamps(fsp, ft); + } + return ret; } -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a3126ebfe57 lib: Use struct initialization in imessaging_client_init() via 2d4aa599943 lib: Fix whitespace via ff747f691ec lib: Fix dbwrap_tdb.h prerequisites via b1b5d32c540 lib: Give tallocmsg.c its own header via b8e409e755b lib: Fix whitespace via 00141ca4704 smbd: Remove an outdated comment via 18d9b1b17cf smbd: Remove struct open_symlink_err via adca0ffd712 smbd: Remove "unparsed" from struct open_symlink_err via 8ca649025ae smbd: Remove "st" from struct open_symlink_err via 331a49ca394 smbd: Fix returning symlink stat info in the NO_OPATH case via a2a77842a13 smbd: Make read_symlink_reparse() return a reparse_data_buffer via 57e548841f9 smbd: Simplify users of fsp_fullbasepath() from 06c589aaa1a python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a3126ebfe5736f5e8af9bff3a6e8d7db1929e377 Author: Volker Lendecke Date: Tue Feb 27 15:39:30 2024 +0100 lib: Use struct initialization in imessaging_client_init() Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Mar 28 09:13:43 UTC 2024 on atb-devel-224 commit 2d4aa599943a5860ebc0cc54d85012b360453bdc Author: Volker Lendecke Date: Tue Feb 27 15:39:16 2024 +0100 lib: Fix whitespace Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider commit ff747f691ec30c964094550e6a9a0fc1f19fb0ff Author: Volker Lendecke Date: Wed Feb 21 10:55:55 2024 +0100 lib: Fix dbwrap_tdb.h prerequisites It uses enum dbwrap_lock_order, so include dbwrap.h Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider commit b1b5d32c54099e4a1c61d0a81ceaab986b62ce52 Author: Volker Lendecke Date: Tue Feb 20 13:04:28 2024 +0100 lib: Give tallocmsg.c its own header Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider commit b8e409e755baf77184995f72d640f0de7ed6808e Author: Volker Lendecke Date: Wed Feb 28 16:45:57 2024 +0100 
lib: Fix whitespace Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider commit 00141ca4704698028fa0137d4eecb37ba2385e8b Author: Volker Lendecke Date: Sat Feb 10 14:27:38 2024 +0100 smbd: Remove an outdated comment Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider commit 18d9b1b17cfee79b8d2b78ac99ca31600b002a6e Author: Volker Lendecke Date: Sun Feb 4 18:07:19 2024 +0100 smbd: Remove struct open_symlink_err This was just a wrapper for a single pointer, remove it Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider commit adca0ffd712ecfa26f2255f86e3882a9c124c429 Author: Volker Lendecke Date: Sun Feb 4 17:42:28 2024 +0100 smbd: Remove "unparsed" from struct open_symlink_err We have the reserved field unparsed_path_length as part of struct symlink_reparse_struct. Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider commit 8ca649025aee31b4a3a0f5f8fb62861d4a41b864 Author: Volker Lendecke Date: Sun Feb 4 17:27:50 2024 +0100 smbd: Remove "st" from struct open_symlink_err Since c96010a2a9f nobody reads it anymore Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider commit 331a49ca394f185473d0b5ba1c566a32ab01b6ff Author: Volker Lendecke Date: Sun Feb 4 18:50:47 2024 +0100 smbd: Fix returning symlink stat info in the NO_OPATH case Our callers don't look at symlink_err's struct stat anymore, they look at the fname's one since we return them properly even for symlinks. So don't bother filling in symlink_err->st, nobody reads it anyways. Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider commit a2a77842a13c3c4a561ec8d5d298bbab60fafd1a Author: Volker Lendecke Date: Sun Feb 4 16:07:22 2024 +0100 smbd: Make read_symlink_reparse() return a reparse_data_buffer Will make generalized handling of reparse point error returns easier once we will also allow creating symlink reparse point files over smb. 
Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider commit 57e548841f9b560e7caf84965e3ca4d36997bf17 Author: Volker Lendecke Date: Sun Feb 4 11:10:18 2024 +0100 smbd: Simplify users of fsp_fullbasepath() All three users had to strip a trailing "/.". Centralize this. Signed-off-by: Volker Lendecke Reviewed-by: Andreas Schneider --- Summary of changes: lib/dbwrap/dbwrap_tdb.h| 2 +- source3/include/pr
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 06c589aaa1a python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED via f29693d1311 python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash via 2fd5166a8c1 python/tests/krb5: Allow getting a TGT in pkinit tests via b2fe1ea1c6a python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED via 7cc8f455191 tests/krb5: Fix PK-INIT test framework to allow expired password keys via 46263c5c202 python/samba/krb5: Allow client address (caddr) to be missing or empty via 3d1ec5dc676 auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials via 93f4be16471 netcmd: docs: update documentation for new auth policy command structure via 6e02c97193c netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group via dcb6a14fa23 netcmd: auth policy: add service-allowed-to-authenticate-from subcommands via 97c2ff19daa netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group via e88be1aed97 netcmd: auth policy: add user-allowed-to-authenticate-from subcommands via 2cbacad82d6 netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group via 316a84a5975 netcmd: auth policy: add service-allowed-to-authenticate-to subcommands via 5db2a1581d3 netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group via 4ba087f8187 netcmd: auth policy: add user-allowed-to-authenticate-to subcommands via 49c3bca8033 netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group via 86d3706bd26 netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands via 96f00738cec netcmd: auth policy: extract policy base commands into policy.py via c0e748f0117 netcmd: auth policy: turn policy.py into module via 13d53ee3e25 netcmd: auth silo: extract silo base commands into silo.py via a2e9529ee63 netcmd: auth silo: move silo_member.py into silo module via 4d2c8ea9578 netcmd: auth silo: turn 
silo.py into module via 2af65446cfd netcmd: docs: add section headings for auth policies and silos via 7fbe5156096 netcmd: docs: consistently put around GROUP and SILO via 4e1d12835ff netcmd: docs: --user-allowed-to-authenticate-from-device-group was missing via 26feb09fd10 netcmd: docs: --user-allowed-to-authenticate-from-device-silo missing "device" via a7edd5b5367 netcmd: docs: add documentation for service-account group-msa-membership commands via 03a6740a90b netcmd: docs: add documentation for service-account base command via cf60e3cad6b netcmd: gmsa: improve descriptions of --dns-host-name and match docs via 828420b4f09 python: domain: models: add OrganizationalUnit container model via 5ac4b6969be python: domain: models: move OrganizationalPerson to org.py via 3c0833ead51 python: domain: models: move MODELS to registry.py because it's not really a constant via bfd1f8cd467 python: domain: models: MODELS lookup does need to include base Model for shell command via 0c5d09ae143 python: domain: models: add children method to return a models direct children via cca0cfe421c python: tests: write a test for the Model.as_dict method via 917e2a73538 python: tests: computer model tests should clean up via ed07dee8649 python: domain: models: as_dict() should also exclude empty list fields via fc982e550f4 s4-dsdb: Create KdfParameters at runtime via d316e5f0869 s4-dsdb: Indent DH parameters table in gkdi_create_root_key() via 3687bf22aa1 s4-dsdb: Populate new GKDI root keys from the server configuration object via 565314f4482 pyldb: Improve search for error string in PyErr_SetLdbError via 06912de3b2a dsdb: Add API tests for new_gkdi_root_key() via f379ea8b812 pyldb: Consolidate PyErr_SetLdbError() using the pyldb version via 287cf82682c plydb: Keep talloc_reference() to the DN in PyDict_AsMessage via 37327afd0aa pyldb: Fix documentation comment on Message.from_dict() method from f0a8d832683 s4/torture: Fix misplaced positional arguments for u64 comparison 
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 06c589aaa1a30e5577d9de4532246949f30809e5 Author: Andrew Bartlett Date: Wed Mar 20 14:56:47 2024 +1300 python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED This in particular tests the returned NTLM password buffers as well as the password rotation on expired accounts described at https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-
[Announce] Samba 4.20.0 Available for Download
Release Announcements - This is the first stable release of the Samba 4.20 release series. Please read the release notes carefully before upgrading. NEW FEATURES/CHANGES New Minimum MIT Krb5 version for Samba AD Domain Controller --- Samba now requires MIT 1.21 when built against a system MIT Krb5 and acting as an Active Directory DC. This addresses the issues that were fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against the MIT version that allows us to avoid that attack. Removed dependency on Perl JSON module -- Distributions are advised that the Perl JSON package is no longer required by Samba builds that use the imported Heimdal. The build instead uses Perl's JSON::PP built into recent perl5 versions. Current lists of packages required by Samba for major distributions are found in the bootstrap/generated-dists/ directory of a Samba source tree. While there will be some differences - due to features chosen by packagers - comparing these lists with the build dependencies in a package may locate other dependencies we no longer require. samba-tool user getpassword / syncpasswords ;rounds= change --- The password access tool "samba-tool user getpassword" and the password sync tool "samba-tool user syncpasswords" allow attributes to be chosen for output, and accept parameters like pwdLastSet;format=GeneralizedTime These attributes then appear, in the same format, as the attributes in the LDIF output. This was not the case for the ;rounds= parameter of virtualCryptSHA256 and virtualCryptSHA512, for example as --attributes="virtualCryptSHA256;rounds=5" This release makes the behaviour consistent between these two features. 
Installations using GPG-encrypted passwords (or plaintext storage) and the rounds= option, will find the output has changed from: virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF to: virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF Group Managed service account client-side features ------ samba-tool has been extended to provide client-side support for Group Managed Service accounts. These accounts have passwords that change automatically, giving the advantages of service isolation without risk of poor, unchanging passwords. Where possible, Samba's existing samba-tool password handling commands, which in the past have only operated against the local sam.ldb have been extended to permit operation against a remote server with authenticated access to "-H ldap://$DCNAME" Supported operations include: - reading the current and previous gMSA password via "samba-tool user getpassword" - writing a Kerberos Ticket Granting Ticket (TGT) to a local credentials cache with a new command "samba-tool user get-kerberos-ticket" New Windows Search Protocol Client -- Samba now by default builds new experimental Windows Search Protocol (WSP) command line client "wspsearch" The "wspsearch" cmd-line utility allows a WSP search request to be sent to a server (such as a windows server) that has the (WSP) Windows Search Protocol service configured and enabled. For more details see the wspsearch man page. Allow 'smbcacls' to save/restore DACLs to file 'smbcacls' has been extended to allow DACLs to be saved and restored to/from a file. This feature mimics the functionality that windows cmd line tool 'icacls.exe' provides. Additionally files created either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by either tool as the same file format is used. New options added are: - '--save savefile' Saves DACLs in sddl format to file - '--recurse' Performs the '--save' operation above on directory and all files/directories below. 
- '--restore savefile' Restores the stored DACLS to files in directory Samba-tool extensions for AD Claims, Authentication Policies and Silos ------ samba-tool now allows users to be associated with claims. In the Samba AD DC, claims derive from Active Directory attributes mapped into specific names. These claims can be used in rules, which are conditional ACEs in a security descriptor, that decide if a user is restricted by an authentication policy. samba-tool also allows the creation and management of authentication policies, which are rules about where a user may authenticate from, if NTLM is permitted, and what services a user may authenticate to. Finally, support is added for the creation and management of authentication silos, which are helpful in defining net
[SCM] Samba Shared Repository - branch v4-20-stable updated
The branch, v4-20-stable has been updated via 8fdd82c8b9c VERSION: Disable GIT_SNAPSHOT for the 4.20.0 release. via 797464b7624 WHATSNEW: Add release notes for Samba 4.20.0. via 5cedf3b5eb0 Revert "token_util.c: prefer capabilities over become_root" via f7491b29941 Revert "dosmode.c: prefer use of capabilities at two places over become_root" via 6ca9461a1db Revert "nfs4_acls.c: prefer capabilities over become_root" via 52b1d9d7cb8 Revert "vfs_acl_common.c: prefer capabilities over become_root" via 6e0986b2c30 Revert "vfs_default.c: prefer capabilities over become_root" via f6d549de47c Revert "vfs_posix_eadb.c: prefer capabilities over become_root" via d0c295e5344 Revert "vfs_recycle.c: prefer capabilities over become_root" via 4f38859f5d8 Revert "open.c: prefer capabilities over become_root" via dc161626303 Revert "posix_acls.c: prefer capabilities over become_root" via bb68b730290 Revert "dosmode: prefer capabilities over become_root" via aee05f11670 s3/smbd: If we fail to close file_handle ensure we should reset the fd via 72f70868257 smbd: simplify handling of failing fstat() after unlinking file via 3be368ff2bc ndr: always attempt ACE coda pull if ACE type suggests a coda via 1273cb7e10b tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ via 28fc1850e5c libcli/security: check again for NULL values via ce78896e262 libcli/security: claims_conversions: check for NULL in claims array via 99b6feac932 WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options via 69b69bb2085 libgpo: Do not segfault if we don't have a valid security descriptor via 72bd247c97d libgpo: Fix trailing spaces in pygpo.c via 4d1536f86b9 VERSION: Bump version up to Samba 4.20.0rc5... from 964c0e97e7a VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc4 release. 
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 112 +++- libcli/security/claims-conversions.c | 13 + libgpo/pygpo.c | 7 +- librpc/ndr/ndr_sec_helper.c | 5 +- python/samba/tests/krb5/authn_policy_tests.py | 372 ++ selftest/knownfail_mit_kdc| 8 + source3/auth/token_util.c | 4 +- source3/modules/nfs4_acls.c | 4 +- source3/modules/vfs_acl_common.c | 8 +- source3/modules/vfs_default.c | 4 +- source3/modules/vfs_posix_eadb.c | 4 +- source3/modules/vfs_recycle.c | 4 +- source3/smbd/close.c | 1 + source3/smbd/dosmode.c| 16 +- source3/smbd/open.c | 39 +-- source3/smbd/posix_acls.c | 40 +-- 17 files changed, 559 insertions(+), 84 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index fcee8581107..482360b7d68 100644 --- a/VERSION +++ b/VERSION @@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=4 +SAMBA_VERSION_RC_RELEASE= # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index dd80f116a10..5c97836d36f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,16 +1,11 @@ -Release Announcements -===== + == + Release Notes for Samba 4.20.0 + March 27, 2024 + == -This is the fourth release candidate of Samba 4.20. This is *not* -intended for production environments and is designed for testing -purposes only. Please report any defects via the Samba bug reporting -system at https://bugzilla.samba.org/. -Samba 4.20 will be the next version of the Samba suite. - - -UPGRADING -= +This is the first stable release of the Samba 4.20 release series. +Please read the release notes carefully before upgrading. NEW FEATURES/CHANGES @@ -191,6 +186,68 @@ The Security Descriptor Definition Language has extensions for conditional ACEs and resource attribute ACEs; these are now supported by Samba. +Service Witness Protocol [MS-SWN] +- + +In a
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via f8e7137 NEWS[4.20.0]: Samba 4.20.0 Available for Download from 1fac108 NEWS[4.18.11]: Samba 4.18.11 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit f8e71377ac590ab45b564672c6e0290a2b92b769 Author: Jule Anger Date: Wed Mar 27 18:10:23 2024 +0100 NEWS[4.20.0]: Samba 4.20.0 Available for Download Signed-off-by: Jule Anger --- Summary of changes: history/header_history.html | 1 + history/samba-4.20.0.html| 369 +++ posted_news/20240327-171133.4.20.0.body.html | 12 + posted_news/20240327-171133.4.20.0.headline.html | 3 + 4 files changed, 385 insertions(+) create mode 100644 history/samba-4.20.0.html create mode 100644 posted_news/20240327-171133.4.20.0.body.html create mode 100644 posted_news/20240327-171133.4.20.0.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index d939308..eb8f7b6 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,6 +9,7 @@ Release Notes + samba-4.20.0 samba-4.19.5. samba-4.19.4. samba-4.19.3. diff --git a/history/samba-4.20.0.html b/history/samba-4.20.0.html new file mode 100644 index 000..375ab40 --- /dev/null +++ b/history/samba-4.20.0.html 
@@ -0,0 +1,369 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xhtml;> + +Samba 4.20.0 - Release Notes + + +Samba 4.20.0 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.20.0.tar.gz;>Samba 4.20.0 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.20.0.tar.asc;>Signature + + + + == + Release Notes for Samba 4.20.0 + March 27, 2024 + == + + +This is the first stable release of the Samba 4.20 release series. +Please read the release notes carefully before upgrading. + + +NEW FEATURES/CHANGES + + +New Minimum MIT Krb5 version for Samba AD Domain Controller +------- + +Samba now requires MIT 1.21 when built against a system MIT Krb5 and +acting as an Active Directory DC. This addresses the issues that were +fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that +Samba builds against the MIT version that allows us to avoid that +attack. + +Removed dependency on Perl JSON module +-- + +Distributions are advised that the Perl JSON package is no longer +required by Samba builds that use the imported Heimdal. The build +instead uses Perls JSON::PP built into recent perl5 versions. + +Current lists of packages required by Samba for major distributions +are found in the bootstrap/generated-dists/ directory of a Samba +source tree. While there will be some differences - due to features +chosen by packagers - comparing these lists with the build dependencies +in a package may locate other dependencies we no longer require. + +samba-tool user getpassword / syncpasswords ;rounds= change +--- + +The password access tool samba-tool user getpassword and the +password sync tool samba-tool user syncpasswords allow attributes to +be chosen for output, and accept parameters like +pwdLastSet;format=GeneralizedTime + +These attributes then appear, in the same format, as the attributes in +the LDIF output. 
This was not the case for the ;rounds= parameter of +virtualCryptSHA256 and virtualCryptSHA512, for example as +--attributes=virtualCryptSHA256;rounds=5 + +This release makes the behaviour consistent between these two +features. Installations using GPG-encrypted passwords (or plaintext +storage) and the rounds= option, will find the output has changed + +from: +virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF + +to: +virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF + +Group Managed service account client-side features +------ + +samba-tool has been extended to provide client-side support for Group +Managed Service accounts. These accounts have passwords that change +automatically, giving the advantages of service isolation without risk +of poor, unchanging passwords. + +Where possible, Sambas existing samba-tool password handling +commands, which in the past have only operated against the local +sam.ldb have been extended to permit operation against a remote server +with authenticated
[SCM] Samba Shared Repository - annotated tag samba-4.20.0 created
The annotated tag, samba-4.20.0 has been created at 5e0b7110dac9b3e9d4c304c407095541e212315d (tag) tagging 8fdd82c8b9ccc39f0b5f5d6cc22fa69f67c913a4 (commit) replaces samba-4.20.0rc4 tagged by Jule Anger on Wed Mar 27 18:10:07 2024 +0100 - Log - samba: tag release samba-4.20.0 -BEGIN PGP SIGNATURE- iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmYEUu8ACgkQqplEL7aA tiCS5A//fPAtzxtvkVgdCWCDRtm2nhq8731RhHiQsYdFm4FRB21eRga7iPVLF5yp R1u6DsELyt1jYrH39bIwOqFOauOIP7bulB3jDBHdYFoBf1OtVnTLBlBmCdVLbgz3 4K2aAcO3aVDrUNzx32CRnPyIZeTzhW5DQAPp6E5/lVCWV4jxUFGOELWu5Okgdu19 SXQEZkjytqoIm/a5aqmjRo7xAmzEgaZCKSRXjFe+NW2C+f+ziLW/0Wft9CjFIS6h 4geFbMEZ8RXXvj3q49IbriE/ESL7nvy3WvjqUhBg5CkXjucjxZt235WnnbPRt+Yh Gz10Vdon2FEsfOB9/6SLq5v/32dovWbEzys9Afnio1vF1HVxB5ADVN7YIpARrmDJ KNr3O/kx5Akiyb+vkZ+TYMYIMOhH3ruUfM95iEQC1MxxkVmb1e7N5DPqqHaJdHj6 /N14j/IkQtz1OVnlDRSVCzPFWWpPrQC2COkpa2ClnSMF3OVptdRVdjH6qT9lT83A J+hxRCokXcdnRRh3axJUo5AKgOH6VtYu1aW0PvUcMSDP0YOhAixhkStyBMKeHugc tYeZdAtpaI/EudGjQhWwpr9bDRiIaU0qg0tLtW/no+Pc6l6WUl55a4aHNmjqPSUU dgDeiYpfEWfkNzrFBV55Uz5tk7Iy15HhusWnxDYiecAjFgAWzfk= =7xFi -END PGP SIGNATURE- Andreas Schneider (2): libgpo: Fix trailing spaces in pygpo.c libgpo: Do not segfault if we don't have a valid security descriptor Björn Jacke (10): Revert "dosmode: prefer capabilities over become_root" Revert "posix_acls.c: prefer capabilities over become_root" Revert "open.c: prefer capabilities over become_root" Revert "vfs_recycle.c: prefer capabilities over become_root" Revert "vfs_posix_eadb.c: prefer capabilities over become_root" Revert "vfs_default.c: prefer capabilities over become_root" Revert "vfs_acl_common.c: prefer capabilities over become_root" Revert "nfs4_acls.c: prefer capabilities over become_root" Revert "dosmode.c: prefer use of capabilities at two places over become_root" Revert "token_util.c: prefer capabilities over become_root" Douglas Bagnall (3): libcli/security: claims_conversions: check for NULL in claims array libcli/security: check again for NULL values ndr: 
always attempt ACE coda pull if ACE type suggests a coda Jo Sutton (1): tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ Jule Anger (3): VERSION: Bump version up to Samba 4.20.0rc5... WHATSNEW: Add release notes for Samba 4.20.0. VERSION: Disable GIT_SNAPSHOT for the 4.20.0 release. Noel Power (1): s3/smbd: If we fail to close file_handle ensure we should reset the fd Ralph Boehme (1): smbd: simplify handling of failing fstat() after unlinking file Stefan Metzmacher (1): WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via eaefe50327d VERSION: Bump version up to Samba 4.20.1... via 8fdd82c8b9c VERSION: Disable GIT_SNAPSHOT for the 4.20.0 release. via 797464b7624 WHATSNEW: Add release notes for Samba 4.20.0. from 5cedf3b5eb0 Revert "token_util.c: prefer capabilities over become_root" https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit eaefe50327d05834dd35fb49ad5c38eabf527f03 Author: Jule Anger Date: Wed Mar 27 17:13:13 2024 +0100 VERSION: Bump version up to Samba 4.20.1... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit 8fdd82c8b9ccc39f0b5f5d6cc22fa69f67c913a4 Author: Jule Anger Date: Wed Mar 27 17:12:54 2024 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.20.0 release. Signed-off-by: Jule Anger commit 797464b762469d5261aaa920fe4b2738042f42f7 Author: Jule Anger Date: Wed Mar 27 17:10:58 2024 +0100 WHATSNEW: Add release notes for Samba 4.20.0. Signed-off-by: Jule Anger --- Summary of changes: VERSION | 4 ++-- WHATSNEW.txt | 44 +--- 2 files changed, 35 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 35bf60077a8..81c319ddc0c 100644 --- a/VERSION +++ b/VERSION @@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=20 -SAMBA_VERSION_RELEASE=0 +SAMBA_VERSION_RELEASE=1 # If a official release has a serious bug # @@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=5 +SAMBA_VERSION_RC_RELEASE= # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 9385a05f99e..5c97836d36f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,16 +1,11 @@ -Release Announcements -= + == + Release Notes for Samba 4.20.0 + March 27, 2024 + == -This is the fourth release candidate of Samba 4.20. This is *not* -intended for production environments and is designed for testing -purposes only. Please report any defects via the Samba bug reporting -system at https://bugzilla.samba.org/. -Samba 4.20 will be the next version of the Samba suite. - - -UPGRADING -= +This is the first stable release of the Samba 4.20 release series. +Please read the release notes carefully before upgrading. NEW FEATURES/CHANGES @@ -280,6 +275,33 @@ smb.conf changes smb3 share cap:SCALE OUTnew see 'man smb.conf' +Changes since 4.20.0rc4 +=== + +o Douglas Bagnall + * BUG 15606: Avoid null-dereference with bad claims. + * BUG 15613: ndr_pull_security_ace can leave resource attribute ACE coda + claim struct undefined. + +o Ralph Boehme + * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if + vfs_stat_fsp() fails in fd_close(). + +o Björn Jacke + * BUG 15583: set_nt_acl sometimes fails with NT_STATUS_INVALID_PARAMETER - + openat() EACCES. + +o Noel Power + * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if + vfs_stat_fsp() fails in fd_close(). + +o Andreas Schneider + * BUG 15599: libgpo: Segfault in python bindings. + +o Jo Sutton + * BUG 15607: Samba AD is missing some authentication policy tests. + + CHANGES SINCE 4.20.0rc3 === -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-20-test updated
effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } ret = set_canon_ace_list(fsp, dir_ace_list, true, >fsp_name->st, _set_support); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (ret == false) { DEBUG(3,("set_nt_acl: failed to set default " @@ -3751,11 +3751,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct */ if (set_acl_as_root) { - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (sret == -1) { if (acl_group_override_fsp(fsp)) { @@ -3765,10 +3765,10 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct "Override delete_def_acl\n", fsp_str_dbg(fsp))); - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (sret == -1) { @@ -3786,14 +3786,14 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct if (acl_set_support) { if (set_acl_as_root) { - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } store_inheritance_attributes(fsp, file_ace_list, dir_ace_list, psd->type); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } } @@ -3820,11 +3820,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct fsp_str_dbg(fsp), (unsigned int)posix_perms)); if (set_acl_as_root) { - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } sret = SMB_VFS_FCHMOD(fsp, posix_perms); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if(sret == -1) { if (acl_group_override_fsp(fsp)) { 
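Review bot: Each restored `become_root()` / `unbecome_root()` pair in set_nt_acl() runs the wrapped call with full root instead of the single DAC_OVERRIDE capability the removed lines used, and nothing at the call sites records why the wider privilege is needed. A short comment at the first pair, for example `/* full root needed here; DAC_OVERRIDE alone was not sufficient, see BUG 15583 */`, would keep a later cleanup from narrowing it again. The bug number is taken from the release notes on this page (set_nt_acl failing with openat() EACCES) and is presumably the motivation, so confirm it against the revert's commit message. The same point applies to the remaining set_nt_acl() hunks in this message, the hunk that follows it, and the copy of the change on master. set_nt_acl() starts and ends outside these hunks.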
@@ -3834,9 +3834,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct "Override chmod\n", fsp_str_dbg(fsp))); - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); sret = SMB_VFS_FCHMOD(fsp, posix_perms); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (sret == -1) { -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via 0ac741b5705 s3/smbd: If we fail to close file_handle ensure we should reset the fd via 3634df5d59e smbd: simplify handling of failing fstat() after unlinking file from a58338ec926 libgpo: Do not segfault if we don't have a valid security descriptor https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit 0ac741b5705b7e0801a7ec5355d0f9be21e024c6 Author: Noel Power Date: Tue Feb 20 09:26:29 2024 + s3/smbd: If we fail to close file_handle ensure we should reset the fd if fsp_flags.fstat_before_close == true then close_file_smb will call vfs_stat which can fail. If it does fail then the fd associated with the file handle will still be set (and we will hit an assert is the file handle destructor) when calling file_free. We need to set fd to -1 to avoid that. To achieve that we capture and return the vfs_stat_fsp failure status while still processing the rest of the fd_close logic. [2024/02/20 09:23:48.454671, 0, pid=9744] ../../source3/smbd/smb2_close.c:226(smbd_smb2_close) smbd_smb2_close: close_file[]: NT_STATUS_ACCESS_DENIED [2024/02/20 09:23:48.454757, 0, pid=9744] ../../source3/smbd/fd_handle.c:40(fd_handle_destructor) PANIC: assert failed at ../../source3/smbd/fd_handle.c(40): (fh->fd == -1) || (fh->fd == AT_FDCWD) [2024/02/20 09:23:48.454781, 0, pid=9744] ../../lib/util/fault.c:178(smb_panic_log) === [2024/02/20 09:23:48.454804, 0, pid=9744] ../../lib/util/fault.c:185(smb_panic_log) INTERNAL ERROR: assert failed: (fh->fd == -1) || (fh->fd == AT_FDCWD) in smbd (smbd[192.168.10) (client [192.168.100.15]) pid 9744 (4.21.0pre1-DEVELOPERBUILD) [2024/02/20 09:23:48.454844, 0, pid=9744] ../../lib/util/fault.c:190(smb_panic_log) If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting [2024/02/20 09:23:48.454869, 0, pid=9744] ../../lib/util/fault.c:191(smb_panic_log) 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527 Signed-off-by: Noel Power Reviewed-by: Jeremy Allison Autobuild-User(master): Noel Power Autobuild-Date(master): Wed Mar 13 10:34:45 UTC 2024 on atb-devel-224 (cherry picked from commit 6ee3f809a54d7b833ff798e68a93ada00a215d4d) Autobuild-User(v4-19-test): Jule Anger Autobuild-Date(v4-19-test): Wed Mar 27 15:53:39 UTC 2024 on atb-devel-224 commit 3634df5d59e9f47345932a00098aead7efe55009 Author: Ralph Boehme Date: Mon Feb 5 15:03:48 2024 +0100 smbd: simplify handling of failing fstat() after unlinking file close_remove_share_mode() already called vfs_stat_fsp(), so we can skip the fstat() triggered in fd_close() by fsp->fsp_flags.fstat_before_close being true. This avoids getting an EACCESS error when doing an fstat() on the removed file which seems to happen with some FUSE filesystems. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 6e6324cff29089a636823786183222a73fe7cb28) --- Summary of changes: source3/smbd/close.c | 1 + source3/smbd/open.c | 27 --- 2 files changed, 9 insertions(+), 19 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/close.c b/source3/smbd/close.c index af5e78daa10..e16cb2d3485 100644 --- a/source3/smbd/close.c +++ b/source3/smbd/close.c @@ -603,6 +603,7 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, */ fsp->fsp_flags.delete_on_close = false; + fsp->fsp_flags.fstat_before_close = false; lck_state.reset_delete_on_close = true; done: diff --git a/source3/smbd/open.c b/source3/smbd/open.c index c3b27928510..36c890dc9d5 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -942,7 +942,7 @@ NTSTATUS fd_openat(const struct files_struct *dirfsp, NTSTATUS fd_close(files_struct *fsp) { - NTSTATUS status; + NTSTATUS stat_status = NT_STATUS_OK; int ret; if (fsp == fsp->conn->cwd_fsp) { 
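Review bot: The added `fsp->fsp_flags.fstat_before_close = false;` in close_remove_share_mode() carries no comment, so its reason is recorded only in the commit message. A comment such as `/* vfs_stat_fsp() was already called in this function; skip the fstat() in fd_close() on the unlinked file */` would keep it from reading as a stray assignment next to the delete_on_close reset. Since clearing the flag removes the stat refresh in fd_close() for this path, it is worth confirming that nothing after the unlink depends on it. The identical hunk appears in the v4-20-test cherry-pick further down, and the function starts and ends outside the hunk.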
@@ -950,23 +950,12 @@ NTSTATUS fd_close(files_struct *fsp) } if (fsp->fsp_flags.fstat_before_close) { - status = vfs_stat_fsp(fsp); - if (!NT_STATUS_IS_OK(status)) { - /* -* If this is a stream and delete-on-close was set, the -* backing object (an xattr from streams_xattr) might -* already be deleted so fstat() fails with -
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via aee05f11670 s3/smbd: If we fail to close file_handle ensure we should reset the fd via 72f70868257 smbd: simplify handling of failing fstat() after unlinking file from 3be368ff2bc ndr: always attempt ACE coda pull if ACE type suggests a coda https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit aee05f11670df006e50c225bbd7bce597482e856 Author: Noel Power Date: Tue Feb 20 09:26:29 2024 + s3/smbd: If we fail to close file_handle ensure we should reset the fd if fsp_flags.fstat_before_close == true then close_file_smb will call vfs_stat which can fail. If it does fail then the fd associated with the file handle will still be set (and we will hit an assert is the file handle destructor) when calling file_free. We need to set fd to -1 to avoid that. To achieve that we capture and return the vfs_stat_fsp failure status while still processing the rest of the fd_close logic. [2024/02/20 09:23:48.454671, 0, pid=9744] ../../source3/smbd/smb2_close.c:226(smbd_smb2_close) smbd_smb2_close: close_file[]: NT_STATUS_ACCESS_DENIED [2024/02/20 09:23:48.454757, 0, pid=9744] ../../source3/smbd/fd_handle.c:40(fd_handle_destructor) PANIC: assert failed at ../../source3/smbd/fd_handle.c(40): (fh->fd == -1) || (fh->fd == AT_FDCWD) [2024/02/20 09:23:48.454781, 0, pid=9744] ../../lib/util/fault.c:178(smb_panic_log) === [2024/02/20 09:23:48.454804, 0, pid=9744] ../../lib/util/fault.c:185(smb_panic_log) INTERNAL ERROR: assert failed: (fh->fd == -1) || (fh->fd == AT_FDCWD) in smbd (smbd[192.168.10) (client [192.168.100.15]) pid 9744 (4.21.0pre1-DEVELOPERBUILD) [2024/02/20 09:23:48.454844, 0, pid=9744] ../../lib/util/fault.c:190(smb_panic_log) If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting [2024/02/20 09:23:48.454869, 0, pid=9744] ../../lib/util/fault.c:191(smb_panic_log) BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=15527 Signed-off-by: Noel Power Reviewed-by: Jeremy Allison Autobuild-User(master): Noel Power Autobuild-Date(master): Wed Mar 13 10:34:45 UTC 2024 on atb-devel-224 (cherry picked from commit 6ee3f809a54d7b833ff798e68a93ada00a215d4d) Autobuild-User(v4-20-test): Jule Anger Autobuild-Date(v4-20-test): Wed Mar 27 15:41:37 UTC 2024 on atb-devel-224 commit 72f7086825778ac434afdcab7251fecb5751ea44 Author: Ralph Boehme Date: Mon Feb 5 15:03:48 2024 +0100 smbd: simplify handling of failing fstat() after unlinking file close_remove_share_mode() already called vfs_stat_fsp(), so we can skip the fstat() triggered in fd_close() by fsp->fsp_flags.fstat_before_close being true. This avoids getting an EACCESS error when doing an fstat() on the removed file which seems to happen with some FUSE filesystems. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 6e6324cff29089a636823786183222a73fe7cb28) --- Summary of changes: source3/smbd/close.c | 1 + source3/smbd/open.c | 27 --- 2 files changed, 9 insertions(+), 19 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/close.c b/source3/smbd/close.c index 538435ca834..bbca474a28a 100644 --- a/source3/smbd/close.c +++ b/source3/smbd/close.c @@ -603,6 +603,7 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, */ fsp->fsp_flags.delete_on_close = false; + fsp->fsp_flags.fstat_before_close = false; lck_state.reset_delete_on_close = true; done: diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 08656c42521..c9c64fc4b76 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -943,7 +943,7 @@ NTSTATUS fd_openat(const struct files_struct *dirfsp, NTSTATUS fd_close(files_struct *fsp) { - NTSTATUS status; + NTSTATUS stat_status = NT_STATUS_OK; int ret; if (fsp == fsp->conn->cwd_fsp) { 
@@ -951,23 +951,12 @@ NTSTATUS fd_close(files_struct *fsp) } if (fsp->fsp_flags.fstat_before_close) { - status = vfs_stat_fsp(fsp); - if (!NT_STATUS_IS_OK(status)) { - /* -* If this is a stream and delete-on-close was set, the -* backing object (an xattr from streams_xattr) might -* already be deleted so fstat() fails with -*
[SCM] Samba Shared Repository - branch master updated
ol test_time_t(struct torture_context *tctx, "smb2_find_level failed\n"); torture_assert_u64_equal_goto(tctx, - nttime, d[0].id_both_directory_info.create_time, + nttime, ret, done, "Wrong create time\n"); torture_assert_u64_equal_goto(tctx, - nttime, d[0].id_both_directory_info.write_time, + nttime, ret, done, "Wrong write time\n"); torture_assert_u64_equal_goto(tctx, - nttime, d[0].id_both_directory_info.change_time, + nttime, ret, done, "Wrong change time\n"); @@ -423,18 +423,18 @@ static bool test_freeze_thaw(struct torture_context *tctx, nt_time_string(tctx, gi.basic_info.out.change_time)); torture_assert_u64_equal_goto(tctx, - nttime, gi.basic_info.out.create_time, + nttime, ret, done, "Wrong create time\n"); torture_assert_u64_equal_goto(tctx, - nttime, gi.basic_info.out.write_time, + nttime, ret, done, "Wrong write time\n"); torture_assert_u64_equal_goto(tctx, - nttime, gi.basic_info.out.change_time, + nttime, ret, done, "Wrong change time\n"); @@ -477,18 +477,18 @@ static bool test_freeze_thaw(struct torture_context *tctx, nt_time_string(tctx, gi.basic_info.out.change_time)); torture_assert_u64_equal_goto(tctx, - nttime, gi.basic_info.out.create_time, + nttime, ret, done, "Wrong create time\n"); torture_assert_u64_equal_goto(tctx, - nttime, gi.basic_info.out.write_time, + nttime, ret, done, "Wrong write time\n"); torture_assert_u64_equal_goto(tctx, - nttime, gi.basic_info.out.change_time, + nttime, ret, done, "Wrong change time\n"); @@ -531,18 +531,18 @@ static bool test_freeze_thaw(struct torture_context *tctx, nt_time_string(tctx, gi.basic_info.out.change_time)); torture_assert_u64_equal_goto(tctx, - nttime, gi.basic_info.out.create_time, + nttime, ret, done, "Wrong create time\n"); torture_assert_u64_equal_goto(tctx, - nttime, gi.basic_info.out.write_time, + nttime, ret, done, "Wrong write time\n"); torture_assert_u64_equal_goto(tctx, - nttime, gi.basic_info.out.change_time, + nttime, ret, done, "Wrong change time\n"); -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
; + become_root(); } sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (sret == -1) { if (acl_group_override_fsp(fsp)) { @@ -3765,10 +3765,10 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct "Override delete_def_acl\n", fsp_str_dbg(fsp))); - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (sret == -1) { @@ -3786,14 +3786,14 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct if (acl_set_support) { if (set_acl_as_root) { - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } store_inheritance_attributes(fsp, file_ace_list, dir_ace_list, psd->type); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } } @@ -3820,11 +3820,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct fsp_str_dbg(fsp), (unsigned int)posix_perms)); if (set_acl_as_root) { - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); } sret = SMB_VFS_FCHMOD(fsp, posix_perms); if (set_acl_as_root) { - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if(sret == -1) { if (acl_group_override_fsp(fsp)) { @@ -3834,9 +3834,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct "Override chmod\n", fsp_str_dbg(fsp))); - set_effective_capability(DAC_OVERRIDE_CAPABILITY); + become_root(); sret = SMB_VFS_FCHMOD(fsp, posix_perms); - drop_effective_capability(DAC_OVERRIDE_CAPABILITY); + unbecome_root(); } if (sret == -1) { -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9550d37f2f9 winbind: Log NOT_IMPLEMENTED as debug via 03240c91fb6 libcli/http: Handle http chunked transfer encoding via 30acd609f56 tests: add test for chunked encoding with http cli library via 5f03d84e3b5 libcli/http: Optimise reading for content-length via 74cdebeae3d selftest: Add basic content-lenght http tests via cd6c075476c Add simple http_client for use in black box tests (in following commits) from 6fb98f70c62 ndr: always attempt ACE coda pull if ACE type suggests a coda https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9550d37f2f9170c183d5a5e8f666cbbf21c5f444 Author: David Mulder Date: Mon Mar 11 07:36:58 2024 -0600 winbind: Log NOT_IMPLEMENTED as debug This message happens frequently when running a PDC/NT4 mode w/out winbind. Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Mar 27 02:15:31 UTC 2024 on atb-devel-224 commit 03240c91fb6ffcf5afe47c14a1ba7a8bc12f2348 Author: Noel Power Date: Mon Mar 25 19:44:10 2024 + libcli/http: Handle http chunked transfer encoding Also removes the knownfail for the chunked transfer test Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 commit 30acd609f560352d3edb0c931b9a864110025b2c Author: Noel Power Date: Thu Sep 23 12:18:22 2021 +0100 tests: add test for chunked encoding with http cli library Adds http test client to excercise the http client library and a blackbox test to run the client. This client is built only with selftest also adds a knownfail for the test Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 commit 5f03d84e3b52bf5a31a0f885cb83bdcb48ec96f7 Author: Noel Power Date: Fri Mar 22 08:55:49 2024 + libcli/http: Optimise reading for content-length Instead of reading byte-by-byte we know the content length we want to read so lets use it. 
Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 commit 74cdebeae3d1bc35eea96b51b9491f6c52844b10 Author: Noel Power Date: Mon Mar 25 16:25:55 2024 + selftest: Add basic content-lenght http tests very simple test of basic http request/response plus some checks to ensure http response doesn't exceed the response max length set by the client call. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit cd6c075476c820b4fe8bdc10a24d8fc8ac74e9c9 Author: Noel Power Date: Mon Mar 25 19:21:54 2024 + Add simple http_client for use in black box tests (in following commits) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett --- Summary of changes: libcli/http/http.c | 265 +- libcli/http/http_internal.h | 4 + python/samba/tests/blackbox/http_chunk.py | 116 python/samba/tests/blackbox/http_content.py | 95 +++ selftest/tests.py | 2 + source3/auth/auth_winbind.c | 6 +- source4/client/http_test.c | 401 source4/wscript_build | 5 + 8 files changed, 886 insertions(+), 8 deletions(-) create mode 100644 python/samba/tests/blackbox/http_chunk.py create mode 100644 python/samba/tests/blackbox/http_content.py create mode 100644 source4/client/http_test.c Changeset truncated at 500 lines: diff --git a/libcli/http/http.c b/libcli/http/http.c index 96c573af137..3681500f194 100644 --- a/libcli/http/http.c +++ b/libcli/http/http.c @@ -45,6 +45,12 @@ static int http_response_needs_body(struct http_request *req) char c; unsigned long long v; + cmp = strcasecmp(h->key, "Transfer-Encoding"); + if (cmp == 0) { + cmp = strcasecmp(h->value, "chunked"); + return 2; + } + cmp = strcasecmp(h->key, "Content-Length"); if (cmp != 0) { continue; 
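Review bot: In the added Transfer-Encoding branch of http_response_needs_body(), the result of `strcasecmp(h->value, "chunked")` is assigned to `cmp` and never tested, so the function returns 2 for any Transfer-Encoding value the server sends. If 2 is what selects the chunked reader (the caller is not visible here), a response that declares a different or unsupported coding would be parsed as chunked data from an untrusted peer. The return should be guarded, `if (cmp == 0) { return 2; }`, with an explicit decision for every other value. Failing the response is the conservative choice. The loop and the rest of the function continue outside this hunk.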
@@ -66,6 +72,11 @@ static int http_response_needs_body(struct http_request *req) return 0; } +struct http_chunk +{ + struct http_chunk *prev, *next; + DATA_BLOB blob; +}; struct http_read_response_state { enum http_parser_state parser_state; @@ -73,6 +84,7 @@ struct http
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 3be368ff2bc ndr: always attempt ACE coda pull if ACE type suggests a coda from 1273cb7e10b tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 3be368ff2bc6d7818d41a36ae99a7c9b19ba77b8 Author: Douglas Bagnall Date: Sat Mar 23 08:27:41 2024 +1300 ndr: always attempt ACE coda pull if ACE type suggests a coda We were skipping the pull in cases where the coda size was calculated to be zero. This has the right result for empty conditional ACEs, but not for Resource Attribute ACEs where the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 coda was not intialised. The situation is made a bit worse, because the function that calculates the coda size (ndr_subcontext_size_of_ace_coda()) can return zero in conditions that are not exactly errors, but in which the would-be calculated value makes so little sense that zero is thought to be a safer default. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15613 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Mar 25 06:00:21 UTC 2024 on atb-devel-224 (cherry picked from commit 6fb98f70c6274e172787c8d5f73aa93920171e7c) Autobuild-User(v4-20-test): Jule Anger Autobuild-Date(v4-20-test): Tue Mar 26 11:17:58 UTC 2024 on atb-devel-224 --- Summary of changes: librpc/ndr/ndr_sec_helper.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c index f870a17aafc..1a156b01d40 100644 --- a/librpc/ndr/ndr_sec_helper.c +++ b/librpc/ndr/ndr_sec_helper.c 
@@ -104,7 +104,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, ndr_flags
 {
 NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
 if (ndr_flags & NDR_SCALARS) {
- ssize_t sub_size;
 NDR_CHECK(ndr_pull_align(ndr, 5));
 NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, >type));
 NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, >flags));
@@ -112,12 +111,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, ndr_flags
 NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, >access_mask));
 NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr, NDR_SCALARS, r));
 NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, >trustee));
- sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags);
- if (!sec_ace_has_extra_blob(r->type) || sub_size == 0) {
+ if (!sec_ace_has_extra_blob(r->type)) {
 r->coda.ignored.data = NULL;
 r->coda.ignored.length = 0;
 } else {
 struct ndr_pull *_ndr_coda;
+ ssize_t sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags);
 NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_coda, 0, sub_size));
 NDR_CHECK(ndr_pull_set_switch_value(_ndr_coda, >coda, r->type));
 NDR_CHECK(ndr_pull_security_ace_coda(_ndr_coda, NDR_SCALARS|NDR_BUFFERS, >coda));
-- Samba Shared Repository
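Review bot: The new declaration `ssize_t sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags);` in the else branch carries no comment saying that a zero result is now passed to `ndr_pull_subcontext_start()` on purpose. The commit message explains that the helper can return zero for sizes that make little sense and that the coda pull must still run so `r->coda` is initialised; that reasoning belongs next to the code, otherwise the removed `sub_size == 0` shortcut looks like an optimisation worth restoring. I would add `/* sub_size may be 0: still pull, so the coda is initialised for this ACE type */` above the declaration. It is also worth confirming, since the hunk does not show it, how `ndr_pull_subcontext_start()` treats a negative `ssize_t` in this call. The same change appears again further down this page as master commit 6fb98f70c62, and the function continues outside both hunks.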
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6fb98f70c62 ndr: always attempt ACE coda pull if ACE type suggests a coda from 7edf5467fc7 lib: Remove timeval_set() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6fb98f70c6274e172787c8d5f73aa93920171e7c Author: Douglas Bagnall Date: Sat Mar 23 08:27:41 2024 +1300 ndr: always attempt ACE coda pull if ACE type suggests a coda We were skipping the pull in cases where the coda size was calculated to be zero. This has the right result for empty conditional ACEs, but not for Resource Attribute ACEs where the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 coda was not intialised. The situation is made a bit worse, because the function that calculates the coda size (ndr_subcontext_size_of_ace_coda()) can return zero in conditions that are not exactly errors, but in which the would-be calculated value makes so little sense that zero is thought to be a safer default. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15613 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Mar 25 06:00:21 UTC 2024 on atb-devel-224 --- Summary of changes: librpc/ndr/ndr_sec_helper.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c index f870a17aafc..1a156b01d40 100644 --- a/librpc/ndr/ndr_sec_helper.c +++ b/librpc/ndr/ndr_sec_helper.c @@ -104,7 +104,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, ndr_flags { NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); if (ndr_flags & NDR_SCALARS) { - ssize_t sub_size; NDR_CHECK(ndr_pull_align(ndr, 5)); NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, >type)); NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, >flags)); 
@@ -112,12 +111,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, ndr_flags
 NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, >access_mask));
 NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr, NDR_SCALARS, r));
 NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, >trustee));
- sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags);
- if (!sec_ace_has_extra_blob(r->type) || sub_size == 0) {
+ if (!sec_ace_has_extra_blob(r->type)) {
 r->coda.ignored.data = NULL;
 r->coda.ignored.length = 0;
 } else {
 struct ndr_pull *_ndr_coda;
+ ssize_t sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags);
 NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_coda, 0, sub_size));
 NDR_CHECK(ndr_pull_set_switch_value(_ndr_coda, >coda, r->type));
 NDR_CHECK(ndr_pull_security_ace_coda(_ndr_coda, NDR_SCALARS|NDR_BUFFERS, >coda));
-- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 1273cb7e10b tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ from 28fc1850e5c libcli/security: check again for NULL values https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 1273cb7e10b79d005be822b805fa1775421ebfc7 Author: Jo Sutton Date: Tue May 2 15:42:24 2023 +1200 tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15607 Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Mar 21 04:19:18 UTC 2024 on atb-devel-224 (cherry picked from commit 4f0ed9b00389fa641a423b88ab5462b32dd7bbca) Autobuild-User(v4-20-test): Jule Anger Autobuild-Date(v4-20-test): Fri Mar 22 11:06:51 UTC 2024 on atb-devel-224 --- Summary of changes: python/samba/tests/krb5/authn_policy_tests.py | 372 ++ selftest/knownfail_mit_kdc| 8 + 2 files changed, 380 insertions(+) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py index 2f15f8b2417..43db839cee7 100755 --- a/python/samba/tests/krb5/authn_policy_tests.py +++ b/python/samba/tests/krb5/authn_policy_tests.py 
@@ -295,6 +295,115 @@ class AuthnPolicyBaseTests(AuthLogTestBase, KdcTgsBaseTests): opts=opts, use_cache=cached) +def _fast_as_req(self, + client_creds, + target_creds, + armor_tgt, + expected_error=0, + expect_status=None, + expected_status=None, + expected_groups=None, + expect_device_info=None, + expected_device_groups=None, + expect_device_claims=None, + expected_device_claims=None): +client_username = client_creds.get_username() +client_realm = client_creds.get_realm() +client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[client_username]) + +target_name = target_creds.get_username() +target_sname = self.PrincipalName_create( +name_type=NT_PRINCIPAL, names=[target_name]) +target_realm = target_creds.get_realm() +target_decryption_key = self.TicketDecryptionKey_from_creds( +target_creds) +target_etypes = target_creds.tgs_supported_enctypes + +authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256) +armor_key = self.generate_armor_key(authenticator_subkey, +armor_tgt.session_key) + +preauth_key = self.PasswordKey_from_creds(client_creds, + kcrypto.Enctype.AES256) + +client_challenge_key = ( +self.generate_client_challenge_key(armor_key, preauth_key)) +fast_padata = [self.get_challenge_pa_data(client_challenge_key)] + +def _generate_fast_padata(kdc_exchange_dict, + _callback_dict, + req_body): +return list(fast_padata), req_body + +etypes = kcrypto.Enctype.AES256, kcrypto.Enctype.RC4 + +if expected_error: +check_error_fn = self.generic_check_kdc_error +check_rep_fn = None +else: +check_error_fn = None +check_rep_fn = self.generic_check_kdc_rep + +pac_options = '1' # claims support + +samdb = self.get_samdb() +domain_sid_str = samdb.get_domain_sid() + +if expected_groups is not None: +expected_groups = self.map_sids(expected_groups, None, domain_sid_str) + +if expected_device_groups is not None: +expected_device_groups = self.map_sids(expected_device_groups, None, domain_sid_str) + +kdc_exchange_dict = self.as_exchange_dict( 
+creds=client_creds, +expected_crealm=client_realm, +expected_cname=client_cname, +expected_srealm=target_realm, +expected_sname=target_sname, +expected_supported_etypes=target_etypes, +ticket_decryption_key=target_decryption_key, +generate_fast_fn=self.generate_simple_fast, +generate_fast_armor_fn=self.generate_ap_req, +generate_fast_padata_fn=_generate_fast_padata, +fast_armor_type=FX_FAST_ARMOR_AP_REQUEST, +check_error_fn=check_error_fn, +check_rep_fn=check_rep_fn, +check_kdc_private_fn
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7edf5467fc7 lib: Remove timeval_set() via a3e186b6171 lib: Remove timeval_until() via 842e7378439 fuzz:fuzz_ndr_X: don't skip printing on push error via cebe12bc85a ldb-samba: matching rules: notify of search failure in transitive filter via 90964caaf2e fuzz:_conditional_ace_blob discards a const via e1071cd1df6 fuzz:fuzz_conditional_ace_blob lets long generated SDDL fail via 168e5df62f9 fuzzing: fuzz_ndr_X ndr_print does printing from 4f0ed9b0038 tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7edf5467fc77cc1039c0ef9fd4579bfb7333c159 Author: Volker Lendecke Date: Wed Mar 13 16:19:48 2024 +0100 lib: Remove timeval_set() We have the same function in tevent, no need to duplicate code. More lines just due to clang-format. Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Mar 22 06:07:42 UTC 2024 on atb-devel-224 commit a3e186b61719cd0e1ec60006d7ea675c01d69c36 Author: Volker Lendecke Date: Wed Mar 13 16:07:00 2024 +0100 lib: Remove timeval_until() We have the same function in tevent, no need to duplicate code. Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit 842e7378439fcf354260c98b9ea7dadf59c601c7 Author: Douglas Bagnall Date: Thu Mar 21 14:48:34 2024 +1300 fuzz:fuzz_ndr_X: don't skip printing on push error push should not have changed the struct, so it is valid to try to print it also. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit cebe12bc85a7f178e7ccaecd1c075f2e40478139 Author: Douglas Bagnall Date: Thu Dec 28 12:45:41 2023 +1300 ldb-samba: matching rules: notify of search failure in transitive filter It can be very hard to known where transitive checks fail, and this will help. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15515 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 90964caaf2e2ae0c36aa223ddfb66a5cdec42a6c Author: Douglas Bagnall Date: Thu Dec 28 13:46:48 2023 +1300 fuzz:_conditional_ace_blob discards a const Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit e1071cd1df6b639a2a4b273b82bdc968df363dbb Author: Douglas Bagnall Date: Wed Mar 20 17:29:52 2024 +1300 fuzz:fuzz_conditional_ace_blob lets long generated SDDL fail This can legitimately fail, due to e.g. integers being interpreted as local attributes due to their position (the original data is complete nonsense, bravely decompiled by sddl_from_conditional_ace). In the example found the original begins like 61 72 74 78 02 00 00 00 00 00 00 00 00 03 01 02 |artx| 0010 f7 ff ff ff ff ff ff ff 03 01 a1 02 00 3b 00 00 |.;..| 0020 00 00 00 00 03 01 a1 02 00 3b 00 00 00 00 00 00 |.;..| 0030 03 01 02 a5 ff ff ff ff ff ff ff 03 01 a1 02 78 |...x| 0040 00 00 00 00 00 00 00 03 01 85 02 00 3b 00 00 00 |;...| 0050 00 00 00 03 01 a1 02 00 3b 00 00 00 00 00 00 03 |;...| 0060 01 02 a5 00 00 00 00 00 00 00 03 01 81 02 00 00 || 0070 00 00 00 00 00 00 03 01 81 02 00 3b 00 00 00 00 |...;| while the SDDL cycled version looks like 61 72 74 78 f8 04 00 00 00 30 00 30 00 f8 2e 00 |artx.0.0| 0010 00 00 30 00 31 00 37 00 37 00 37 00 37 00 37 00 |..0.1.7.7.7.7.7.| 0020 37 00 37 00 37 00 37 00 37 00 37 00 37 00 37 00 |7.7.7.7.7.7.7.7.| 0030 37 00 37 00 37 00 37 00 37 00 37 00 36 00 37 00 |7.7.7.7.7.7.6.7.| 0040 a1 f8 0c 00 00 00 30 00 33 00 35 00 34 00 30 00 |..0.3.5.4.0.| 0050 30 00 a1 f8 0c 00 00 00 30 00 33 00 35 00 34 00 |0...0.3.5.4.| 0060 30 00 30 00 f8 2e 00 00 00 30 00 31 00 37 00 37 |0.0..0.1.7.7| 0070 00 37 00 37 00 37 00 37 00 37 00 37 00 37 00 37 |.7.7.7.7.7.7.7.7| and this new interpretation ends up being more than 1 bytes long, so the conversion fails. 
The SDDL ends up looking like this: (((00) || (0177767)) || (035400)) || \ (((035400) || (0177645)) \ >= 0170) || (035400)) || (((035400 != 0245) [...] where all the octal digits on the left hand side of operators are UTF-16 strings. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65322 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett com
[SCM] Samba Shared Repository - branch master updated
Tue Mar 12 16:02:45 2024 +1300 s4:auth: Fix grammar in error message Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: auth/credentials/credentials_gmsa.c | 2 - python/samba/nt_time.py | 8 +- python/samba/tests/dckeytab.py| 11 +- python/samba/tests/gkdi.py| 35 ++- python/samba/tests/krb5/authn_policy_tests.py | 372 ++ python/samba/tests/krb5/kdc_base_test.py | 12 +- selftest/knownfail_mit_kdc| 8 + source4/auth/kerberos/kerberos_util.c | 8 +- source4/auth/kerberos/srv_keytab.c| 6 +- source4/libnet/libnet_become_dc.c | 10 +- 10 files changed, 434 insertions(+), 38 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/credentials/credentials_gmsa.c b/auth/credentials/credentials_gmsa.c index f1c794ba093..86422624f1e 100644 --- a/auth/credentials/credentials_gmsa.c +++ b/auth/credentials/credentials_gmsa.c @@ -20,7 +20,6 @@ */ #include "includes.h" -#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ #include "librpc/gen_ndr/ndr_gmsa.h" /* for struct MANAGEDPASSWORD_BLOB */ #include "auth/credentials/credentials.h" #include "auth/credentials/credentials_internal.h" @@ -127,4 +126,3 @@ NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds, TALLOC_FREE(frame); return NT_STATUS_OK; } - diff --git a/python/samba/nt_time.py b/python/samba/nt_time.py index 496dde576b4..ff6903c8e68 100644 --- a/python/samba/nt_time.py +++ b/python/samba/nt_time.py @@ -18,7 +18,7 @@ # import datetime -from typing import NewType +from typing import NewType, Optional import re @@ -56,7 +56,7 @@ def datetime_from_nt_time(nt_time: NtTime) -> datetime.datetime: return NT_EPOCH + time_since_epoch -def nt_time_delta_from_datetime(dt: datetime.timedelta) -> NtTimeDelta: +def nt_time_delta_from_timedelta(dt: datetime.timedelta) -> NtTimeDelta: return NtTimeDelta(round(dt.total_seconds() * NT_TICKS_PER_SEC)) 
@@ -88,7 +88,7 @@ def nt_time_from_string(s: str) -> NtTime: dt = datetime.datetime.now(datetime.timezone.utc) elif re.match(r'^\d{14}\.0Z$', s): # "20230127223641.0Z" -dt = datetime.strptime(s, '%Y%m%d%H%M%S.0Z') +dt = datetime.datetime.strptime(s, '%Y%m%d%H%M%S.0Z') else: dt = datetime.datetime.fromisoformat(s) except ValueError: @@ -107,7 +107,7 @@ def nt_time_from_string(s: str) -> NtTime: return nt_time_from_datetime(dt) -def string_from_nt_time(nttime: NtTime, format:str=None) -> str: +def string_from_nt_time(nttime: NtTime, format: Optional[str] = None) -> str: """Format an NtTime date as a string. If format is not provided, an ISO 8601 string is used. diff --git a/python/samba/tests/dckeytab.py b/python/samba/tests/dckeytab.py index f87b95d9dc5..978e3753cc7 100644 --- a/python/samba/tests/dckeytab.py +++ b/python/samba/tests/dckeytab.py @@ -22,7 +22,7 @@ import string from samba.net import Net from samba import enable_net_export_keytab -from samba import credentials, ntstatus, NTSTATUSError, tests +from samba import credentials, dsdb, ntstatus, NTSTATUSError, tests from samba.dcerpc import krb5ccache, security from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT from samba.ndr import ndr_unpack, ndr_pack @@ -76,7 +76,7 @@ class DCKeytabTests(TestCaseInTempDir): keytab_as_set.add(entry_as_tuple) keytab_bytes = multiple_entry.further_entry -if keytab_bytes is None or len(keytab_bytes) == 0: +if not keytab_bytes: break return keytab_as_set @@ -345,7 +345,10 @@ class DCKeytabTests(TestCaseInTempDir): # Create gMSA account gmsa_username = "GMSA_K5KeytabTest$" gmsa_principal = f"{gmsa_username}@{self.samdb.domain_dns_name().upper()}" -gmsa_base_dn = f"CN=Managed Service Accounts,{self.samdb.domain_dn()}" +gmsa_base_dn = self.samdb.get_wellknown_dn( +self.samdb.get_default_basedn(), +dsdb.DS_GUID_MANAGED_SERVICE_ACCOUNTS_CONTAINER, +) gmsa_user_dn = f"CN={gmsa_username},{gmsa_base_dn}" msg = self.samdb.search(base="", scope=SCOPE_BASE, attrs=["tokenGroups"])[0] 
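Review bot: The `nt_time_from_string` hunk in python/samba/nt_time.py corrects `datetime.strptime` to `datetime.datetime.strptime`, but no test for the `"20230127223641.0Z"` form is visible in this changeset. With `import datetime` at the top of the file, the old call would have raised `AttributeError`, which the `except ValueError:` below it does not catch, so this branch apparently never ran under test. A single case such as `self.assertEqual(nt_time_from_string("20230127223641.0Z"), EXPECTED_NT_TIME)` would pin it, where `EXPECTED_NT_TIME` is a placeholder for the computed value. The changeset is truncated on this page, so such a test may exist outside the visible part.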
@@ -430,7 +433,7 @@ class DCKeytabTests(TestCaseInTempDir): while True: local_keys[local_keytab.entry.enctype] = local_keytab.entry.key.data keytab_bytes = local_keytab.further_entry -if keytab_bytes is None or len(keytab_bytes) == 0: + if not keytab_bytes: break local_keytab
[SCM] Samba Shared Repository - branch master updated
Douglas Bagnall Reviewed-by: Andrew Bartlett commit d58c2c299dee35bd4fde619481509b31a0ff9215 Author: Douglas Bagnall Date: Thu Mar 7 11:09:39 2024 +1300 ldb:pytests: test duplicate connections fail (they don't yet). Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit c7c42762c68e9cf9af41bdaf509c14f7fd385702 Author: Douglas Bagnall Date: Thu Mar 7 11:07:20 2024 +1300 ldb-samba:ldb_wrap: don't crash if "ldb_url" opaque is unset Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 4ce132cea930a22c9468ecd9061e9cacace9ff0b Author: Douglas Bagnall Date: Tue Mar 5 23:57:15 2024 + pyldb: py_ldb_init() uses py_ldb_connect() for connecting To avoid all the same logic, subtly different. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 14a6109e9a254e3fe5ba1b1d153047f90b421d3b Author: Douglas Bagnall Date: Fri Mar 8 11:02:23 2024 +1300 pyldb: catch errors in ldb_db_get_casefold Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit c17ff0a3357f7f1d12c755b291fcce7ce4c7eb5a Author: Douglas Bagnall Date: Thu Mar 14 14:48:23 2024 +1300 pytest:segfault: do not assume PLEASE_NO_GDB_BACKTRACE var is unset Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 5ceecd3f739b347e684895115c5f9cd79b91f4b7 Author: Douglas Bagnall Date: Thu Mar 7 11:05:55 2024 +1300 pytest:segfault: prevent @no_gdb_backtrace smearing on exception It is OK for one of these tests to raise an exception -- that is often the only reasonable thing to do when you'd otherwise crash -- but the @no_gdb_backtrace decorator would not clean up in that case, leading to no gdb backtraces for all subsequent tests. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 682a87fd0a81e13eabaa422d89209688b7b19098 Author: Andrew Bartlett Date: Mon Dec 4 10:34:57 2023 +1300 selftest: Run samba.tests.segfault with TALLOC_FREE_FILL This helps make use-after-free testing reliable. 
Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit c04ac95ce404f13183688c2d0d7f1eeb0edc4c4b Author: Douglas Bagnall Date: Thu Mar 14 14:15:47 2024 +1300 py:samdb: make SamDB.__str__ show the URL and ID Getting the right samdb is going to matter more, so it is useful for debugging to see which is which. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit ecd65265ac05b1cf68a4378deb17f0ef08479e9b Author: Douglas Bagnall Date: Wed Mar 13 12:25:40 2024 +1300 selftest/gdb_backtrace: print `info threads` and some signpost headers Search for '###'. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 12ce289922ca594384ffb9e035fcd9815e2aa331 Author: Douglas Bagnall Date: Thu Mar 7 23:13:56 2024 +1300 selftest/gdb_backtrace: avoid printing backtrace twice with 1 thread We call 'thread apply all bt full' in case there are interesting things going on in other threads, but often there are no other threads and it only serves to repeat the original trace (and very slowly, for some reason). The $_inferior_thread_count convenience variable is new in gdb 13.1 (2022-ish) so we init-if-undefined it to default to the old behaviour. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 904479cdf6d58142baa012a7b588fca857f275f4 Author: Douglas Bagnall Date: Thu Mar 7 22:30:24 2024 +1300 selftest/gdb_backtrace: print python traceback if available If a program happens to have 'PyList_New' defined but is not a python script, gdb will print > Undefined command: "py-bt". Try "help". and probably stop. This happens after the C backtraces have been printed, so nothing is lost. The traceback is printed twice -- once in conventional Python style for clarity, and once with extra "full" information. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- Summary of changes: lib/ldb-samba/ldb_wrap.c | 2 +- lib/ldb/common/ldb.c | 11 +++ lib/ldb/common/ldb_dn.c| 13 ++-- lib/ldb/pyldb.c| 56 +++--- lib/ldb/pyldb.h| 2 ++ lib/ldb/pyldb_util.c | 1 + lib/ldb/tests/python/api.py | 14 + pidl/lib/Parse/Pidl/Samba3/Template.pm | 4 ++- python/samba/samdb.py | 8 + python/samba/tests/segfault.py | 10 -- selftest/gdb_backtrace | 18 ++- source3/librpc/idl/wscript_build | 9 +- source4/selftest/tests.py | 3 +- 13 files
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 28fc1850e5c libcli/security: check again for NULL values via ce78896e262 libcli/security: claims_conversions: check for NULL in claims array from 99b6feac932 WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 28fc1850e5c0b02f2ca0e0a8516457d56dc17cbd Author: Douglas Bagnall Date: Sun Mar 17 23:08:23 2024 +1300 libcli/security: check again for NULL values BUG: https://bugzilla.samba.org/show_bug.cgi?id=156067 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224 (cherry picked from commit b815abe77991d7929717ea3ed4b9d7bef7179715) Autobuild-User(v4-20-test): Jule Anger Autobuild-Date(v4-20-test): Wed Mar 20 12:03:45 UTC 2024 on atb-devel-224 commit ce78896e262b3133141f53aa27158a6eee4d53ff Author: Douglas Bagnall Date: Sun Mar 17 23:07:17 2024 +1300 libcli/security: claims_conversions: check for NULL in claims array If by mistake we end up with a NULL in our array of claims pointers, it is better to return an error than crash. There can be NULLs in the array if a resource attribute ACE has a claim that uses 0 as a relative data pointer. Samba assumes this means a NULL pointer, rather than a zero offset. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett (cherry picked from commit 78f728063a1e510966a45f7f1d9515ea3bd16214) --- Summary of changes: libcli/security/claims-conversions.c | 13 + 1 file changed, 13 insertions(+) Changeset truncated at 500 lines: diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c index bbba5973852..ccf1375fc8f 100644 --- a/libcli/security/claims-conversions.c +++ b/libcli/security/claims-conversions.c 
@@ -262,6 +262,9 @@ static bool claim_v1_offset_to_ace_token( uint8_t f = claim->flags & CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE; result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR; + if (claim->values[offset].int_value == NULL) { + return false; + } switch (claim->value_type) { case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64: return claim_v1_int_to_ace_int(claim, offset, result); @@ -935,6 +938,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx, .case_sensitive = case_sensitive }; + /* +* It could be that the values array contains a NULL pointer, in which +* case we don't need to worry about what type it is. +*/ + for (i = 0; i < claim->value_count; i++) { + if (claim->values[i].int_value == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + } + if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) { NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim); if (NT_STATUS_IS_OK(status)) { -- Samba Shared Repository
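Review bot: In `claim_v1_offset_to_ace_token()` the added `claim->values[offset].int_value == NULL` test reads the `int_value` member before `value_type` is examined, and nothing in that hunk says why this is valid for every value type. The second hunk, in `claim_v1_check_and_sort()`, has a comment for the same idiom; the first should get one too, e.g. `/* values[] entries are pointers; a NULL one is invalid whatever value_type says */`. Neither hunk shows `offset` being compared with `claim->value_count` before `claim->values[offset]` is indexed; if the callers do not guarantee it, `if (offset >= claim->value_count) { return false; }` belongs ahead of the NULL test. Both functions start and end outside the hunks.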
[SCM] Samba Shared Repository - branch master updated
- Summary of changes: .../dcerpc.py => python/samba/domain/__init__.py | 9 +- .../samba/{netcmd => }/domain/models/__init__.py | 1 + .../{netcmd => }/domain/models/auth_policy.py | 0 .../samba/{netcmd => }/domain/models/auth_silo.py | 0 .../samba/{netcmd => }/domain/models/claim_type.py | 0 .../samba/{netcmd => }/domain/models/computer.py | 37 +++- .../samba/{netcmd => }/domain/models/constants.py | 0 .../constants.py => domain/models/container.py}| 18 +- .../samba/{netcmd => }/domain/models/exceptions.py | 0 python/samba/{netcmd => }/domain/models/fields.py | 0 python/samba/{netcmd => }/domain/models/gmsa.py| 13 +- python/samba/{netcmd => }/domain/models/group.py | 0 python/samba/{netcmd => }/domain/models/model.py | 12 +- python/samba/{netcmd => }/domain/models/person.py | 0 python/samba/{netcmd => }/domain/models/query.py | 0 python/samba/{netcmd => }/domain/models/schema.py | 0 python/samba/{netcmd => }/domain/models/site.py| 0 python/samba/{netcmd => }/domain/models/subnet.py | 0 python/samba/{netcmd => }/domain/models/types.py | 0 python/samba/{netcmd => }/domain/models/user.py| 27 ++- .../samba/{netcmd => }/domain/models/value_type.py | 0 python/samba/netcmd/domain/auth/policy.py | 9 +- python/samba/netcmd/domain/auth/silo.py | 4 +- python/samba/netcmd/domain/auth/silo_member.py | 4 +- python/samba/netcmd/domain/claim/claim_type.py | 5 +- python/samba/netcmd/domain/claim/value_type.py | 4 +- python/samba/netcmd/encoders.py| 2 +- .../netcmd/service_account/group_msa_membership.py | 34 ++-- .../netcmd/service_account/service_account.py | 15 +- python/samba/netcmd/shell.py | 2 +- python/samba/netcmd/sites.py | 13 +- python/samba/netcmd/user/auth/policy.py | 4 +- python/samba/netcmd/user/auth/silo.py | 4 +- python/samba/samdb.py | 8 + python/samba/tests/blackbox/gmsa.py| 202 +++++ python/samba/tests/krb5/authn_policy_tests.py | 19 +- python/samba/tests/krb5/kdc_base_test.py | 33 ++-- .../samba/tests/samba_tool/domain_auth_policy.py | 2 +- 
python/samba/tests/samba_tool/domain_auth_silo.py | 2 +- python/samba/tests/samba_tool/domain_models.py | 34 +++- python/samba/tests/samba_tool/service_account.py | 4 +- python/samba/tests/samba_tool/silo_base.py | 2 +- python/samba/tests/samba_tool/user_auth_policy.py | 2 +- python/samba/tests/samba_tool/user_auth_silo.py| 2 +- .../tests/samba_tool/user_get_kerberos_ticket.py | 13 +- .../tests/samba_tool/user_getpassword_gmsa.py | 64 +++ selftest/knownfail.d/gmsa | 3 +- source4/selftest/tests.py | 2 + 48 files changed, 435 insertions(+), 174 deletions(-) copy source4/librpc/rpc/dcerpc.py => python/samba/domain/__init__.py (85%) rename python/samba/{netcmd => }/domain/models/__init__.py (97%) rename python/samba/{netcmd => }/domain/models/auth_policy.py (100%) rename python/samba/{netcmd => }/domain/models/auth_silo.py (100%) rename python/samba/{netcmd => }/domain/models/claim_type.py (100%) rename python/samba/{netcmd => }/domain/models/computer.py (64%) copy python/samba/{netcmd => }/domain/models/constants.py (100%) rename python/samba/{netcmd/domain/models/constants.py => domain/models/container.py} (70%) rename python/samba/{netcmd => }/domain/models/exceptions.py (100%) rename python/samba/{netcmd => }/domain/models/fields.py (100%) rename python/samba/{netcmd => }/domain/models/gmsa.py (93%) rename python/samba/{netcmd => }/domain/models/group.py (100%) rename python/samba/{netcmd => }/domain/models/model.py (97%) rename python/samba/{netcmd => }/domain/models/person.py (100%) rename python/samba/{netcmd => }/domain/models/query.py (100%) rename python/samba/{netcmd => }/domain/models/schema.py (100%) rename python/samba/{netcmd => }/domain/models/site.py (100%) rename python/samba/{netcmd => }/domain/models/subnet.py (100%) rename python/samba/{netcmd => }/domain/models/types.py (100%) rename python/samba/{netcmd => }/domain/models/user.py (75%) rename python/samba/{netcmd => }/domain/models/value_type.py (100%) create mode 100644 
python/samba/tests/blackbox/gmsa.py Changeset truncated at 500 lines: diff --git a/source4/librpc/rpc/dcerpc.py b/python/samba/domain/__init__.py similarity index 85% copy from source4/librpc/rpc/dcerpc.py copy to python/samba/domain/__init__.py index 64dd6e3a433..40ffa8948b3 100644 --- a/source4/librpc/rpc/dcerpc.py +++ b/python/samba/domain/__init__.py @@ -1,5 +1,10 @@ # Unix SMB/CIFS implementation. -# Copyright (C) Jelmer
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 99b6feac932 WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options from 69b69bb2085 libgpo: Do not segfault if we don't have a valid security descriptor https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 99b6feac9326673d0ce0d01172f8180c1f2232e7 Author: Stefan Metzmacher Date: Fri Mar 15 23:17:36 2024 +0100 WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Autobuild-User(v4-20-test): Stefan Metzmacher Autobuild-Date(v4-20-test): Tue Mar 19 13:30:31 UTC 2024 on atb-devel-224 --- Summary of changes: WHATSNEW.txt | 68 +++- 1 file changed, 67 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index dd80f116a10..9385a05f99e 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -191,6 +191,68 @@ The Security Descriptor Definition Language has extensions for conditional ACEs and resource attribute ACEs; these are now supported by Samba. +Service Witness Protocol [MS-SWN] +- + +In a ctdb cluster it is now possible to provide +the SMB witness service that allows clients to +monitor their current smb connection to cluster +node A by asking cluster node B to notify the +client if the ip address from node A or the +whole node A becomes unavailable. + +For disk shares in a ctdb cluster +SMB2_SHARE_CAP_SCALEOUT is now always returned +for SMB3 tree connect responses. + +If the witness service is active +SMB2_SHARE_CAP_CLUSTER is now also returned. + +In order to activate the witness service +"rpc start on demand helpers = no" needs to +be configured in the global section. +At the same time the 'samba-dcerpcd' service +needs to be started explicitly, typically +with the '--libexec-rpcds' option in order +to make all available services usable. +One important aspect is that tcp ports +135 (for the endpoint mapper) and various +ports in the 'rpc server dynamic port range' +will be used to provide the witness service +(rpcd_witness). + +ctdb provides a '47.samba-dcerpcd.script' in order +to manage the samba-dcerpcd.service. +Typically as systemd service, but that's up +to the packager and/or admin. + +Please note that current windows client +requires SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY +in addition to SMB2_SHARE_CAP_CLUSTER in order +to make use of the witness service. +But SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY implies +the windows clients always ask for persistent handle +(which are not implemented in samba yet), so +that every open generates a warning in the +windows smb client event log. +That's why SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY +is not returned by default. +An explicit 'smb3 share cap:CONTINUOUS AVAILABILITY = yes' +is needed. 
+ +There are also new 'net witness' commands in order +to let the admin list active client registrations +or ask specific clients to move their smb connection +to another cluster node. These are available: + + net witness list + net witness client-move + net witness share-move + net witness force-unregister + net witness force-response + +Consult 'man net' or 'net witness help' for further details. + REMOVED FEATURES @@ -210,8 +272,12 @@ smb.conf changes Parameter Name Description Default -- --- --- - smb3 unix extensionsPer share - acl claims evaluation new AD DC only + smb3 unix extensionsPer share - + smb3 share cap:ASYMMETRIC new no + smb3 share cap:CLUSTER new see 'man smb.conf' + smb3 share cap:CONTINUOUS AVAILABILITY new no + smb3 share cap:SCALE OUTnew see 'man smb.conf' CHANGES SINCE 4.20.0rc3 -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b815abe7799 libcli/security: check again for NULL values via 78f728063a1 libcli/security: claims_conversions: check for NULL in claims array from 97a23e57dc8 s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b815abe77991d7929717ea3ed4b9d7bef7179715 Author: Douglas Bagnall Date: Sun Mar 17 23:08:23 2024 +1300 libcli/security: check again for NULL values Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224 commit 78f728063a1e510966a45f7f1d9515ea3bd16214 Author: Douglas Bagnall Date: Sun Mar 17 23:07:17 2024 +1300 libcli/security: claims_conversions: check for NULL in claims array If by mistake we end up with a NULL in our array of claims pointers, it is better to return an error than crash. There can be NULLs in the array if a resource attribute ACE has a claim that uses 0 as a relative data pointer. Samba assumes this means a NULL pointer, rather than a zero offset. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- Summary of changes: libcli/security/claims-conversions.c | 13 + 1 file changed, 13 insertions(+) Changeset truncated at 500 lines: diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c index bbba5973852..ccf1375fc8f 100644 --- a/libcli/security/claims-conversions.c +++ b/libcli/security/claims-conversions.c 
@@ -262,6 +262,9 @@ static bool claim_v1_offset_to_ace_token( uint8_t f = claim->flags & CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE; result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR; + if (claim->values[offset].int_value == NULL) { + return false; + } switch (claim->value_type) { case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64: return claim_v1_int_to_ace_int(claim, offset, result); @@ -935,6 +938,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx, .case_sensitive = case_sensitive }; + /* +* It could be that the values array contains a NULL pointer, in which +* case we don't need to worry about what type it is. +*/ + for (i = 0; i < claim->value_count; i++) { + if (claim->values[i].int_value == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + } + if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) { NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim); if (NT_STATUS_IS_OK(status)) { -- Samba Shared Repository
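Review bot: The NULL test added to claim_v1_offset_to_ace_token() reads `claim->values[offset].int_value` before the `switch` on `claim->value_type`, so the int member stands in for every value type, and nothing at that spot says why this is valid. The comment in the second hunk implies the entries are pointers whose type does not matter for a NULL test; a one-line comment here would make that explicit, for example `/* every values[] member is a pointer; NULL here means a zero relative offset was decoded */`. Whether `offset` is bounded by `claim->value_count` cannot be seen, because the function starts outside the hunk. If the callers do not guarantee it, the guard could become `if (offset >= claim->value_count || claim->values[offset].int_value == NULL)`.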
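Review bot: The loop added to claim_v1_check_and_sort() indexes `claim->values[i]` for every `i < claim->value_count` without first testing `claim->values` itself. A claim decoded with a non-zero count and a NULL array would still be dereferenced here unless that case is rejected earlier, outside the hunk. Since the commit is about zero relative pointers being read as NULL, the same check could cover the array pointer: `if (claim->values == NULL && claim->value_count != 0) return NT_STATUS_INVALID_PARAMETER;`. The new comment also reads as if NULL entries were harmless; wording such as `reject NULL entries up front so the per-type checks below need not test for them` would describe what the loop does.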
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via a58338ec926 libgpo: Do not segfault if we don't have a valid security descriptor via 51a3797f57e libgpo: Fix trailing spaces in pygpo.c from 8ea3973ad40 python:gp: Implement client site lookup in site_dn_for_machine() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit a58338ec926d4979253b86fcc273be66e708adbd Author: Andreas Schneider Date: Tue Mar 5 13:17:19 2024 +0100 libgpo: Do not segfault if we don't have a valid security descriptor Program received signal SIGSEGV, Segmentation fault. ndr_push_security_descriptor (ndr=ndr@entry=0x55bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713 713 NDR_CHECK(ndr_push_security_descriptor_revision(ndr, NDR_SCALARS, r->revision)); Thread 1 (Thread 0x77ece740 (LWP 21460) "python3"): #0 ndr_push_security_descriptor (ndr=ndr@entry=0x55bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713 _flags_save_STRUCT = 0 _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = __FUNCTION__ = "ndr_push_security_descriptor" #1 0x7617237f in ndr_push_struct_blob (blob=blob@entry=0x7fffdb20, mem_ctx=0x55aa3bd0, p=0x0, fn=0x76074ad0 , fn@entry=0x760706c8 ) at ../../librpc/ndr/ndr.c:1438 _status = ndr = 0x55bf41b0 #2 0x7607cccf in marshall_sec_desc (mem_ctx=, secdesc=, data=data@entry=0x7fffdb80, len=len@entry=0x7fffdb78) at ../../libcli/security/secdesc.c:241 blob = {data = 0x7fffdb40 "`\333\377\377\377\177", length = 140737352374299} ndr_err = __FUNCTION__ = "marshall_sec_desc" #3 0x729edd94 in GPO_marshall_get_sec_desc_buf (self=, args=, kwds=) at ../../libgpo/pygpo.c:119 gpo_ptr = status = data = 0x0 len = 0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15599 
Signed-off-by: Andreas Schneider Reviewed-by: David Mulder (cherry picked from commit b13d4359f2f16e391763d1dc6a5718def973fabb) Autobuild-User(v4-19-test): Jule Anger Autobuild-Date(v4-19-test): Fri Mar 15 11:20:39 UTC 2024 on atb-devel-224 commit 51a3797f57ea988677016395784bd8d117062b11 Author: Andreas Schneider Date: Mon Mar 4 16:42:38 2024 +0100 libgpo: Fix trailing spaces in pygpo.c Signed-off-by: Andreas Schneider Reviewed-by: David Mulder (cherry picked from commit 6fb86a0fa62d93c1c84c2000f01c381a9e8217e1) --- Summary of changes: libgpo/pygpo.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index adbd5b4688d..0f7116313f2 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -116,6 +116,11 @@ static PyObject *GPO_marshall_get_sec_desc_buf(PyObject *self, PyObject *args, uint8_t *data = NULL; size_t len = 0; + if (gpo_ptr->security_descriptor == NULL) { + PyErr_SetString(PyExc_RuntimeError, "Uninitialized"); + return NULL; + } + status = marshall_sec_desc(gpo_ptr, gpo_ptr->security_descriptor, , ); if (!NT_STATUS_IS_OK(status)) { @@ -371,7 +376,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds) workgroup, ldap_server, ADS_SASL_PLAIN); - + return 0; } -- Samba Shared Repository
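Review bot: The guard added to GPO_marshall_get_sec_desc_buf() raises `RuntimeError` with the text "Uninitialized", which does not tell a Python caller what was missing. `PyErr_SetString(PyExc_RuntimeError, "GPO has no security descriptor");` would name the condition that the backtrace in the commit message shows (`r=0x0` passed to ndr_push_security_descriptor). The new test dereferences `gpo_ptr`, which is assigned outside the hunk, so whether it can itself be NULL cannot be judged from here. The identical hunk appears again in the v4-20-test cherry-pick further down the page, and the same remark applies there.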
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 69b69bb2085 libgpo: Do not segfault if we don't have a valid security descriptor via 72bd247c97d libgpo: Fix trailing spaces in pygpo.c from 4d1536f86b9 VERSION: Bump version up to Samba 4.20.0rc5... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 69b69bb2085dfc842292db14eadbcba71b096d69 Author: Andreas Schneider Date: Tue Mar 5 13:17:19 2024 +0100 libgpo: Do not segfault if we don't have a valid security descriptor Program received signal SIGSEGV, Segmentation fault. ndr_push_security_descriptor (ndr=ndr@entry=0x55bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713 713 NDR_CHECK(ndr_push_security_descriptor_revision(ndr, NDR_SCALARS, r->revision)); Thread 1 (Thread 0x77ece740 (LWP 21460) "python3"): #0 ndr_push_security_descriptor (ndr=ndr@entry=0x55bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713 _flags_save_STRUCT = 0 _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = _status = __FUNCTION__ = "ndr_push_security_descriptor" #1 0x7617237f in ndr_push_struct_blob (blob=blob@entry=0x7fffdb20, mem_ctx=0x55aa3bd0, p=0x0, fn=0x76074ad0 , fn@entry=0x760706c8 ) at ../../librpc/ndr/ndr.c:1438 _status = ndr = 0x55bf41b0 #2 0x7607cccf in marshall_sec_desc (mem_ctx=, secdesc=, data=data@entry=0x7fffdb80, len=len@entry=0x7fffdb78) at ../../libcli/security/secdesc.c:241 blob = {data = 0x7fffdb40 "`\333\377\377\377\177", length = 140737352374299} ndr_err = __FUNCTION__ = "marshall_sec_desc" #3 0x729edd94 in GPO_marshall_get_sec_desc_buf (self=, args=, kwds=) at ../../libgpo/pygpo.c:119 gpo_ptr = status = data = 0x0 len = 0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15599 
Signed-off-by: Andreas Schneider Reviewed-by: David Mulder (cherry picked from commit b13d4359f2f16e391763d1dc6a5718def973fabb) Autobuild-User(v4-20-test): Jule Anger Autobuild-Date(v4-20-test): Fri Mar 15 10:29:54 UTC 2024 on atb-devel-224 commit 72bd247c97da62789ab72111df11466dfb2a79fa Author: Andreas Schneider Date: Mon Mar 4 16:42:38 2024 +0100 libgpo: Fix trailing spaces in pygpo.c Signed-off-by: Andreas Schneider Reviewed-by: David Mulder (cherry picked from commit 6fb86a0fa62d93c1c84c2000f01c381a9e8217e1) --- Summary of changes: libgpo/pygpo.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index adbd5b4688d..0f7116313f2 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -116,6 +116,11 @@ static PyObject *GPO_marshall_get_sec_desc_buf(PyObject *self, PyObject *args, uint8_t *data = NULL; size_t len = 0; + if (gpo_ptr->security_descriptor == NULL) { + PyErr_SetString(PyExc_RuntimeError, "Uninitialized"); + return NULL; + } + status = marshall_sec_desc(gpo_ptr, gpo_ptr->security_descriptor, , ); if (!NT_STATUS_IS_OK(status)) { @@ -371,7 +376,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds) workgroup, ldap_server, ADS_SASL_PLAIN); - + return 0; } -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 97a23e57dc8 s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries() via 9d7a97dc982 samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export via a0867595fbd s4-libnet: Prepare for a "rolling update" keytab export via 7b662a92878 s4-auth/kerberos: Do not add true duplicates to exported keytab via 3bb215d1946 selftest: Add tests of samba-tool domain export-keytab --keep-stale-entries behaviour via f81d7047b6a selftest: Add tests for "samba-tool domain exportkeytab" with existing files" via b2dff173666 samba-tool domain exportkeytab: Raise a proper CommandError via 014f1b561e8 s4-libnet: Raise NTSTATUSError not RuntimeError in keytab export via 0cb1e4dbf8e samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab" via 2f97f6fe484 lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry() via 9fc4070f89d lib/krb5_wrap: Rename confusing add_salt parameter to smb_krb5_kt_add_entry() via 43ce741d1ff python/tests: Add test that gMSA keytab export works and matches direct keytab export via 91c05536108 s4-auth/kerberos: Note the good possability that the msDS-KeyVersionNumber is wrong via 0490aed7168 auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords() via bd2edecff06 s4-libnet: Add export of gMSA keys to "samba-tool domain exportkeytab" via 66a9c1daa86 s4-kdc: Prepare for gMSA support by recording it on the entry via 48affb137fb auth/credentials: Allow generation of old Kerberos keys also via b8308f3fe06 auth/credentials: Make cli_credentials_get_aes256_key into generic key access via 13d346ce0c4 auth/credentials: Add hook to set credentials from msDS-ManagedPassword blob via 44063674734 s4-libnet: Pass the full struct smb_krb5_context to sdb_kt_copy() via dd993c21703 auth/credentials: Dynamically calculate the salt principal (unless speccified) via 9fc11e329c9 auth/credentials: Use salt on 
credentials object for Creds.get_aes256_key() via 74f9d2e5190 auth/credentials: Add bindings for getting and setting the salt principal via f34b910b5bc s4-libnet: Provide hint for "samba-tool domain exportkeytab" if used over LDAP without gMSA via d4155f8a998 Make "samba-tool domain exportkeytab" prune old keys via 6b3ce044d2d s4-auth/kerberos: Rename create_keytab() to smb_krb5_fill_keytab() via 2c33862b9e0 s4-auth/kerberos: Add define ENC_STRONG_SALTED_TYPES via a2ed51df7c0 s4-auth/kerberos: Remove unused paremters to create_keytab() via 9246ee48040 samba-tool domain exportkeytab: Add support for -H to point to a different sam.ldb via b6cffcb3fb0 libnet: Prepare to allow "samba-tool domain exportkeytab to support -H via 7a8c091698e python: Explain strange enable_net_export_keytab() behaviour is no longer due Heimdal from c97071726e1 packaging: Provide a systemd service file for samba-bgqd https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 97a23e57dc88fe6b4a851bb0e0db09a4ee9b37fb Author: Andrew Bartlett Date: Thu Mar 14 16:55:19 2024 +1300 s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries() Previously any errors noticed during the main loop would be ignored. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224 commit 9d7a97dc9820e9f69a25a7321d84eb18cd3c6c08 Author: Andrew Bartlett Date: Thu Mar 7 14:53:53 2024 +1300 samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export Since 87f67d336919172845f53067c67d1eab8e7ef18a samba-tool domain exportkeytab has silently unlinked the given target file. Instead, the administrator now needs to specify a file that does not exist. 
Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton commit a0867595fbdb0e59b3c649f80f36e99ca74af41e Author: Andrew Bartlett Date: Wed Mar 6 17:48:09 2024 +1300 s4-libnet: Prepare for a "rolling update" keytab export This mode will allow keytabs to be exported with all current keys added to historical keys, which will be useful in a domain with many gMSA servers that require wireshark decryption. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton commit 7b662a928784c889f0d0e4124b723fa6fd20 Author: Andrew Bartlett Date: Wed Mar 6 17:43:47 2024 +1300 s4-auth/kerberos: Do not add true duplicates to exported key
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c97071726e1 packaging: Provide a systemd service file for samba-bgqd from 6ee3f809a54 s3/smbd: If we fail to close file_handle ensure we should reset the fd https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c97071726e163b40f0e391af70e81b3e6c1ab0eb Author: Andreas Schneider Date: Mon Mar 4 10:58:23 2024 +0100 packaging: Provide a systemd service file for samba-bgqd There might be scenarios where the background queue daemon should be running all the time instead of being started on demand. This makes especially sense for bigger printing servers with a lot of printers. It takes ~1 sec to get a printer from cups, so a print server with 100 printers needs 100 seconds to update the printer_list.tdb. The service will be killed because of idle in the meantime. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15600 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner Autobuild-User(master): Günther Deschner Autobuild-Date(master): Thu Mar 14 12:19:56 UTC 2024 on atb-devel-224 --- Summary of changes: packaging/systemd/{samba.service.in => samba-bgqd.service.in} | 9 - packaging/wscript_build | 3 ++- 2 files changed, 6 insertions(+), 6 deletions(-) copy packaging/systemd/{samba.service.in => samba-bgqd.service.in} (50%) Changeset truncated at 500 lines: diff --git a/packaging/systemd/samba.service.in b/packaging/systemd/samba-bgqd.service.in similarity index 50% copy from packaging/systemd/samba.service.in copy to packaging/systemd/samba-bgqd.service.in index e4baee1aeec..0254ebd59be 100644 --- a/packaging/systemd/samba.service.in +++ b/packaging/systemd/samba-bgqd.service.in 
@@ -1,17 +1,16 @@ [Unit] -Description=Samba AD Daemon -Documentation=man:samba(8) man:samba(7) man:smb.conf(5) +Description=Samba Background Queue Daemon for printing-related jobs +Documentation=man:samba-bgqd(8) man:smb.conf(5) Wants=network-online.target After=network.target network-online.target [Service] Type=notify -PIDFile=@PIDDIR@/samba.pid LimitNOFILE=16384 +PIDFile=@PIDDIR@/samba-bgqd.pid EnvironmentFile=-@SYSCONFDIR@/sysconfig/samba -ExecStart=@SBINDIR@/samba --foreground --no-process-group $SAMBAOPTIONS +ExecStart=@LIBEXECDIR@/samba/samba-bgqd --foreground --no-process-group $SAMBAOPTIONS ExecReload=/bin/kill -HUP $MAINPID -@systemd_samba_extra@ [Install] WantedBy=multi-user.target diff --git a/packaging/wscript_build b/packaging/wscript_build index 217bd996348..dc95bebf1c6 100644 --- a/packaging/wscript_build +++ b/packaging/wscript_build @@ -4,7 +4,8 @@ systemd_services = [ 'systemd/smb.service', 'systemd/nmb.service', 'systemd/winbind.service', -'systemd/samba.service' +'systemd/samba.service', +'systemd/samba-bgqd.service', ] for srv in systemd_services: -- Samba Shared Repository
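Review bot: `ExecStart` in the new samba-bgqd unit still expands `$SAMBAOPTIONS`, carried over from samba.service, so options an admin set for the AD DC daemon in `@SYSCONFDIR@/sysconfig/samba` are also passed to samba-bgqd, which may not accept them. A daemon-specific variable would keep the two apart, e.g. `ExecStart=@LIBEXECDIR@/samba/samba-bgqd --foreground --no-process-group $BGQDOPTIONS` (the variable name is a suggestion, not an existing setting). The unit also keeps `Type=notify` and a `PIDFile=` line, which is only correct if samba-bgqd signals readiness to systemd and writes that pid file; the diff does not show either. Dropping `@systemd_samba_extra@` removes whatever that substitution supplied for samba.service, so it is worth confirming that nothing it provided is needed here.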
[Announce] Samba 4.18.11 Available for Download
Release Announcements - This is the latest stable release of the Samba 4.18 release series. There will be security releases only beyond this point. Changes since 4.18.10 - o Martin Schwenke * BUG 15580: Packet marshalling push support missing for CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED ### Reporting bugs & Development Discussion ### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). == == Our Code, Our Bugs, Our Responsibility. == The Samba Team == Download Details The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620). The source code can be downloaded from: https://download.samba.org/pub/samba/stable/ The release notes are available online at: https://www.samba.org/samba/history/samba-4.18.11.html Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 1fac108 NEWS[4.18.11]: Samba 4.18.11 Available for Download from 9506c5e NEWS[4.20.0rc4]: Samba 4.20.0rc4 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 1fac10875aca9bfca765f20dc163d134d035ef74 Author: Jule Anger Date: Wed Mar 13 16:52:01 2024 +0100 NEWS[4.18.11]: Samba 4.18.11 Available for Download Signed-off-by: Jule Anger --- Summary of changes: history/header_history.html | 1 + history/samba-4.18.11.html| 40 +++ posted_news/20240313-155512.4.18.11.body.html | 13 posted_news/20240313-155512.4.18.11.headline.html | 3 ++ 4 files changed, 57 insertions(+) create mode 100644 history/samba-4.18.11.html create mode 100644 posted_news/20240313-155512.4.18.11.body.html create mode 100644 posted_news/20240313-155512.4.18.11.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 17c67ec..d939308 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -15,6 +15,7 @@ samba-4.19.2 samba-4.19.1 samba-4.19.0 + samba-4.18.11 samba-4.18.10 samba-4.18.9 samba-4.18.8 diff --git a/history/samba-4.18.11.html b/history/samba-4.18.11.html new file mode 100644 index 000..f16699c --- /dev/null +++ b/history/samba-4.18.11.html 
@@ -0,0 +1,40 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xhtml;> + +Samba 4.18.11 - Release Notes + + +Samba 4.18.11 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.18.11.tar.gz;>Samba 4.18.11 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.18.11.tar.asc;>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.18.10-4.18.11.diffs.gz;>Patch (gzipped) against Samba 4.18.10 +https://download.samba.org/pub/samba/patches/samba-4.18.10-4.18.11.diffs.asc;>Signature + + + + === + Release Notes for Samba 4.18.11 + March 13, 2024 + === + + +This is the latest stable release of the Samba 4.18 release series. + + +Changes since 4.18.10 +- + +o Martin Schwenke mschwe...@ddn.com + * BUG 15580: Packet marshalling push support missing for + CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and + CTDB_CONTROL_TCP_CLIENT_PASSED + + + + + + diff --git a/posted_news/20240313-155512.4.18.11.body.html b/posted_news/20240313-155512.4.18.11.body.html new file mode 100644 index 000..965604b --- /dev/null +++ b/posted_news/20240313-155512.4.18.11.body.html @@ -0,0 +1,13 @@ + +13 March 2024 +Samba 4.18.11 Available for Download + +This is the latest stable release of the Samba 4.18 release series. + + +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +The source code can be https://download.samba.org/pub/samba/stable/samba-4.18.11.tar.gz;>downloaded now. +A https://download.samba.org/pub/samba/patches/samba-4.18.10-4.18.11.diffs.gz;>patch against Samba 4.18.10 is also available. +See https://www.samba.org/samba/history/samba-4.18.11.html;>the release notes for more info. + + diff --git a/posted_news/20240313-155512.4.18.11.headline.html b/posted_news/20240313-155512.4.18.11.headline.html new file mode 100644 index 000..61c7b57 --- /dev/null +++ b/posted_news/20240313-155512.4.18.11.headline.html 
@@ -0,0 +1,3 @@ + + 13 March 2024 Samba 4.18.11 Available for Download + -- Samba Website Repository
[SCM] Samba Shared Repository - branch v4-18-stable updated
The branch, v4-18-stable has been updated via 4017976e8c0 VERSION: Disable GIT_SNAPSHOT for the 4.18.11 release. via 2edd0aac9f1 WHATSNEW: Add release notes for Samba 4.18.11. via 081a6d5fc1d ctdb-protocol: Add missing push support for new controls via 18305d8d86c VERSION: Bump version up to Samba 4.18.11... from 51a13a23371 VERSION: Disable GIT_SNAPSHOT for the 4.18.10 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 44 +-- ctdb/protocol/protocol_control.c | 8 +++ ctdb/tests/src/protocol_common_ctdb.c | 33 ++ ctdb/tests/src/protocol_ctdb_test.c | 2 +- 5 files changed, 85 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 5c79a0c8dde..a15ddc2bc94 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=18 -SAMBA_VERSION_RELEASE=10 +SAMBA_VERSION_RELEASE=11 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index be2f81f823b..1bcbbdedcfc 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,44 @@ + === + Release Notes for Samba 4.18.11 + March 13, 2024 + === + + +This is the latest stable release of the Samba 4.18 release series. + + +Changes since 4.18.10 +- + +o Martin Schwenke + * BUG 15580: Packet marshalling push support missing for + CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and + CTDB_CONTROL_TCP_CLIENT_PASSED + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + === Release Notes for Samba 4.18.10 January 31, 2024 @@ -75,8 +116,7 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- == Release Notes for Samba 4.18.9 November 29, 2023 diff --git a/ctdb/protocol/protocol_control.c b/ctdb/protocol/protocol_control.c index 83ed6cb4ee1..e4491159937 100644 --- a/ctdb/protocol/protocol_control.c +++ b/ctdb/protocol/protocol_control.c @@ -693,6 +693,14 @@ static void ctdb_req_control_data_push(struct ctdb_req_control_data *cd, case CTDB_CONTROL_ECHO_DATA: ctdb_echo_data_push(cd->data.echo_data, buf, ); break; + + case CTDB_CONTROL_TCP_CLIENT_DISCONNECTED: + ctdb_connection_push(cd->data.conn, buf, ); + break; + + case CTDB_CONTROL_TCP_CLIENT_PASSED: + ctdb_connection_push(cd->data.conn, buf, ); + break; } *npush = np; diff --git a/ctdb/tests/src/protocol_common_ctdb.c b/ctdb/tests/src/protocol_common_ctdb.c index 384076824a4..8a8e114f67a 100644 --- a/ctdb/tests/src/protocol_common_ctdb.c 
+++ b/ctdb/tests/src/protocol_common_ctdb.c @@ -593,6 +593,19 @@ void fill_ctdb_req_control_data(TALLOC_CTX *mem_ctx, case CTDB_CONTROL_ENABLE_NODE: break; + + case CTDB_CONTROL_TCP_CLIENT_DISCONNECTED: + cd->data.conn = talloc(mem_ctx, struct ctdb_connection); + assert(cd->data.conn != NULL); + fill_ctdb_connection(mem_ctx, cd->data.conn); + break; + + case CTDB_CONTROL_TCP_CLIENT_PASSED: + cd->data.conn
[SCM] Samba Shared Repository - annotated tag samba-4.18.11 created
The annotated tag, samba-4.18.11 has been created at 181a7b50e0983c6bf3916ed5eec31ba25f2a4e51 (tag) tagging 4017976e8c0f5d1ae79ea01f1d4a46608ee0f61f (commit) replaces samba-4.18.10 tagged by Jule Anger on Wed Mar 13 16:50:56 2024 +0100 - Log - samba: tag release samba-4.18.11 -BEGIN PGP SIGNATURE- iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmXxy2AACgkQqplEL7aA tiBCIQ/9E8smpgoDagZ8Bhwn5T6NphHG6NhA3TSLYvFG/OAMlYzs5X8HYi/jTtHt DcuFM+dtarMBvvCmL95fXXwB5XJbH6IbCWoGiIppcW1TzLRZ4AfaPG/xuk7Et6RX O9HVY75GAMRm6rw0w5YLTKF7+osmemGH5/pKhaMkVRu0Q4xFLkWdw3DmWFxRiQq3 PrDjyTo7kLC12LxolC3PjN6yB0QG3tQ4C47uHAKZL+EQsS8AutBv+/e1B4Z7zeyG 8YgF0sFQiN2XJ1IxbBrDq73u9ylcm0OA/D6l3CyyY+wWo5Jq0KvjMhxU7SjjeR/6 +RuVgq0J7ib98N/FvvdKMluSu3lLAdfPUQE3UKnMnOIX1YNAfd2ipBVfJT/6E5Ks 6qgH27p+5gepSZ3ZjDiBq7Ftr1jJelt5LZ4cTkkJg0PA0mGEoIDvffQriFid1MZv 0pQl6FRHzAbkheU164B8vXnCuXD07wcn7WR+uDXrALRtNlLDN0Xwdsi8on/CD3Cc V2+E+G5WlUZrJcsilgaNGkHAG3Ge8wCuHQTQackK3FiCCQrO2jtrq01H3tvXJfSf nUyM8D1M0N4QHU0bG34/w5GUb4BgVD8pPPquhaL65nrA0HcqG6e4lHjYsCCajeIl X4yVv1TpMOGTnaj0/qZ5nnM9gwpDEGa+ZzpiOVIWx2EAJUt4Nyk= =2ojj -END PGP SIGNATURE- Jule Anger (3): VERSION: Bump version up to Samba 4.18.11... WHATSNEW: Add release notes for Samba 4.18.11. VERSION: Disable GIT_SNAPSHOT for the 4.18.11 release. Martin Schwenke (1): ctdb-protocol: Add missing push support for new controls --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-18-test updated
The branch, v4-18-test has been updated via 105e6d817dd VERSION: Bump version up to Samba 4.18.12... via 4017976e8c0 VERSION: Disable GIT_SNAPSHOT for the 4.18.11 release. via 2edd0aac9f1 WHATSNEW: Add release notes for Samba 4.18.11. from 081a6d5fc1d ctdb-protocol: Add missing push support for new controls https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test - Log - commit 105e6d817ddd2654bf44db92027d20c7cb0e85eb Author: Jule Anger Date: Wed Mar 13 16:48:07 2024 +0100 VERSION: Bump version up to Samba 4.18.12... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit 4017976e8c0f5d1ae79ea01f1d4a46608ee0f61f Author: Jule Anger Date: Wed Mar 13 16:47:33 2024 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.18.11 release. Signed-off-by: Jule Anger commit 2edd0aac9f115b21b7c58b254c7b814ee664380e Author: Jule Anger Date: Wed Mar 13 16:47:00 2024 +0100 WHATSNEW: Add release notes for Samba 4.18.11. Signed-off-by: Jule Anger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 44 ++-- 2 files changed, 43 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index a4cb410d3b8..25cf7311e9c 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=18 -SAMBA_VERSION_RELEASE=11 +SAMBA_VERSION_RELEASE=12 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index be2f81f823b..1bcbbdedcfc 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,44 @@ + === + Release Notes for Samba 4.18.11 + March 13, 2024 + === + + +This is the latest stable release of the Samba 4.18 release series. + + +Changes since 4.18.10 +- + +o Martin Schwenke + * BUG 15580: Packet marshalling push support missing for + CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and + CTDB_CONTROL_TCP_CLIENT_PASSED + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + === Release Notes for Samba 4.18.10 January 31, 2024 @@ -75,8 +116,7 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- == Release Notes for Samba 4.18.9 November 29, 2023 -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6ee3f809a54 s3/smbd: If we fail to close file_handle ensure we should reset the fd via 6e6324cff29 smbd: simplify handling of failing fstat() after unlinking file from 78208d4fe47 ctdb: Remove an unnecessary cast https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6ee3f809a54d7b833ff798e68a93ada00a215d4d Author: Noel Power Date: Tue Feb 20 09:26:29 2024 + s3/smbd: If we fail to close file_handle ensure we should reset the fd if fsp_flags.fstat_before_close == true then close_file_smb will call vfs_stat which can fail. If it does fail then the fd associated with the file handle will still be set (and we will hit an assert is the file handle destructor) when calling file_free. We need to set fd to -1 to avoid that. To achieve that we capture and return the vfs_stat_fsp failure status while still processing the rest of the fd_close logic. [2024/02/20 09:23:48.454671, 0, pid=9744] ../../source3/smbd/smb2_close.c:226(smbd_smb2_close) smbd_smb2_close: close_file[]: NT_STATUS_ACCESS_DENIED [2024/02/20 09:23:48.454757, 0, pid=9744] ../../source3/smbd/fd_handle.c:40(fd_handle_destructor) PANIC: assert failed at ../../source3/smbd/fd_handle.c(40): (fh->fd == -1) || (fh->fd == AT_FDCWD) [2024/02/20 09:23:48.454781, 0, pid=9744] ../../lib/util/fault.c:178(smb_panic_log) === [2024/02/20 09:23:48.454804, 0, pid=9744] ../../lib/util/fault.c:185(smb_panic_log) INTERNAL ERROR: assert failed: (fh->fd == -1) || (fh->fd == AT_FDCWD) in smbd (smbd[192.168.10) (client [192.168.100.15]) pid 9744 (4.21.0pre1-DEVELOPERBUILD) [2024/02/20 09:23:48.454844, 0, pid=9744] ../../lib/util/fault.c:190(smb_panic_log) If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting [2024/02/20 09:23:48.454869, 0, pid=9744] ../../lib/util/fault.c:191(smb_panic_log) BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=15527 Signed-off-by: Noel Power Reviewed-by: Jeremy Allison Autobuild-User(master): Noel Power Autobuild-Date(master): Wed Mar 13 10:34:45 UTC 2024 on atb-devel-224 commit 6e6324cff29089a636823786183222a73fe7cb28 Author: Ralph Boehme Date: Mon Feb 5 15:03:48 2024 +0100 smbd: simplify handling of failing fstat() after unlinking file close_remove_share_mode() already called vfs_stat_fsp(), so we can skip the fstat() triggered in fd_close() by fsp->fsp_flags.fstat_before_close being true. This avoids getting an EACCESS error when doing an fstat() on the removed file which seems to happen with some FUSE filesystems. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison --- Summary of changes: source3/smbd/close.c | 1 + source3/smbd/open.c | 27 --- 2 files changed, 9 insertions(+), 19 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/close.c b/source3/smbd/close.c index 538435ca834..bbca474a28a 100644 --- a/source3/smbd/close.c +++ b/source3/smbd/close.c @@ -603,6 +603,7 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, */ fsp->fsp_flags.delete_on_close = false; + fsp->fsp_flags.fstat_before_close = false; lck_state.reset_delete_on_close = true; done: diff --git a/source3/smbd/open.c b/source3/smbd/open.c index e63ebf2e7c6..bd397376d26 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -943,7 +943,7 @@ NTSTATUS fd_openat(const struct files_struct *dirfsp, NTSTATUS fd_close(files_struct *fsp) { - NTSTATUS status; + NTSTATUS stat_status = NT_STATUS_OK; int ret; if (fsp == fsp->conn->cwd_fsp) { 
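Review bot: The added `fsp->fsp_flags.fstat_before_close = false;` in close_remove_share_mode() carries no comment, and the reason it is safe exists only in the commit message: vfs_stat_fsp() has already run on this path, so the fstat() in fd_close() is redundant and can fail on the unlinked file. A short comment above the line would keep that visible in the code, e.g. `/* already stat'ed above; fstat() on the unlinked file can fail, so skip it in fd_close() */`. The function starts outside the hunk, so the earlier vfs_stat_fsp() call is taken from the commit description and not from visible lines.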
@@ -951,23 +951,12 @@ NTSTATUS fd_close(files_struct *fsp) } if (fsp->fsp_flags.fstat_before_close) { - status = vfs_stat_fsp(fsp); - if (!NT_STATUS_IS_OK(status)) { - /* -* If this is a stream and delete-on-close was set, the -* backing object (an xattr from streams_xattr) might -* already be deleted so fstat() fails with -* NT_STATUS_NOT_FOUND. So if fsp refers to a stream we -* ignore the error and only bail for normal files where -* an fstat() should still work. NB. We cannot use -* fsp_is_alternate_stream(fsp) for this as the base_fsp -
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 78208d4fe47 ctdb: Remove an unnecessary cast via 8eaba9dbc5b smbd: Fix a DBG message from 072cb98e432 smbd: Avoid a ZERO_STRUCT() with direct struct initialization https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 78208d4fe47a0c634a6bd7c04f3d01f0020ee88b Author: Volker Lendecke Date: Thu Feb 29 15:33:56 2024 +0100 ctdb: Remove an unnecessary cast nl->srvid is uint64_t, as is the srvid parameter of ctdb_daemon_send_message() Signed-off-by: Volker Lendecke Reviewed-by: Martin Schwenke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Wed Mar 13 08:43:16 UTC 2024 on atb-devel-224 commit 8eaba9dbc5bd4befd6d1a651cf0666da0ff36265 Author: Volker Lendecke Date: Tue Feb 20 12:50:36 2024 +0100 smbd: Fix a DBG message Signed-off-by: Volker Lendecke Reviewed-by: Martin Schwenke --- Summary of changes: ctdb/server/ctdb_daemon.c | 5 - source3/smbd/notifyd/notifyd.c | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) Changeset truncated at 500 lines:
diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c
index eb9d63454de..0a53770a6bf 100644
--- a/ctdb/server/ctdb_daemon.c
+++ b/ctdb/server/ctdb_daemon.c
@@ -2016,7 +2016,10 @@ static int ctdb_client_notify_destructor(struct ctdb_client_notify_list *nl)
 DEBUG(DEBUG_ERR,("Sending client notify message for srvid:%llu\n", (unsigned long long)nl->srvid));
- ret = ctdb_daemon_send_message(nl->ctdb, CTDB_BROADCAST_CONNECTED, (unsigned long long)nl->srvid, nl->data);
+ ret = ctdb_daemon_send_message(nl->ctdb,
+ CTDB_BROADCAST_CONNECTED,
+ nl->srvid,
+ nl->data);
 if (ret != 0) {
 DEBUG(DEBUG_ERR,("Failed to send client notify message\n"));
 }
diff --git a/source3/smbd/notifyd/notifyd.c b/source3/smbd/notifyd/notifyd.c
index ca303bd4d51..4af62a9a1f9 100644
--- a/source3/smbd/notifyd/notifyd.c
+++ b/source3/smbd/notifyd/notifyd.c
@@ -228,7 +228,7 @@ struct tevent_req *notifyd_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
 ret = server_id_db_set_exclusive(names_db, "notify-daemon");
 if (ret != 0) {
- DBG_DEBUG("server_id_db_add failed: %s\n",
+ DBG_DEBUG("server_id_db_set_exclusive() failed: %s\n",
 strerror(ret));
 tevent_req_error(req, ret);
 goto deregister_get_db;
-- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 072cb98e432 smbd: Avoid a ZERO_STRUCT() with direct struct initialization via 02d9631cf33 tools: Fix whitespace via f948b6267e4 smbd: Fix a typo via 17caec0ead0 smbd: Fix and modernize a few DBG statements via 965fec35472 smbd: Give smbXsrv_session.c its own header file via c37eb90d731 vfs: Fix a typo via d393fd46936 auth: Simplify smb_krb5_send_to_kdc_state_destructor() via 7f5d5ddde1d smbd: Fix a comment via ac8d38cf13f smbXsrv_version: Use a struct assignment via 5885a69a985 smbXsrv_version: Remove unused smbXsrv_version_global0->db_rec via f1af8843def smbXsrv_version: Use a struct assignment instead of ZERO_STRUCT via 90bd197dd57 smbXsrv_version: Modernize DEBUG statements via 97896fa7e54 lib: Simplify _hexcharval via 01cbfab9538 smbd: Add parentheses for easier readability via 56233406de4 torture: Fix an error message via 32ecf1fe607 lib: Simplify copy_unix_token() via 9f565512755 libsmb: Simplify an if-condition via 7c68d88cefb lib: Make GUID_to_ndr_buf() return void via ea09be77523 smbd: Remove get_Protocol() via 67f6fcfe17b smbd: Remove the last use of get_Protocol() via 72492de5783 smbd: Add conn_protocol() via 51bb236a698 smbd: Modernize a DEBUG statement via 5246267d173 smbd: Simplify fsp_fullbasepath() via be15ab4c785 smbd: Remove unused declarations in smbXsrv.idl from 0e40506d21b selftest: add tests for "samba-tool user list --locked-only" https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 072cb98e4326c4124c649e911970acbf004f16bb Author: Volker Lendecke Date: Mon Feb 19 09:57:16 2024 +0100 smbd: Avoid a ZERO_STRUCT() with direct struct initialization Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Tue Mar 12 14:33:14 UTC 2024 on atb-devel-224 commit 02d9631cf3319ead42487ea301aa268f659d9f0b Author: Volker Lendecke Date: Thu Feb 8 11:02:15 2024 +0100 tools: Fix whitespace Signed-off-by: Volker Lendecke Reviewed-by: 
Andrew Bartlett commit f948b6267e413b33672d4de7d78fe4eb5b838c5a Author: Volker Lendecke Date: Thu Feb 8 10:28:02 2024 +0100 smbd: Fix a typo Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit 17caec0ead0913836ca136663fc5c591dc983f84 Author: Volker Lendecke Date: Thu Feb 8 10:24:56 2024 +0100 smbd: Fix and modernize a few DBG statements There were still a few function names in DBGs Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit 965fec354729fd63a25616fc52989d524826f4b4 Author: Volker Lendecke Date: Thu Feb 8 10:04:32 2024 +0100 smbd: Give smbXsrv_session.c its own header file Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit c37eb90d73131d005b563d7f0944daf39cd92de6 Author: Volker Lendecke Date: Sun Feb 4 10:09:07 2024 +0100 vfs: Fix a typo Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit d393fd469365d64c4acde3c399a167123916c348 Author: Volker Lendecke Date: Mon Feb 12 13:35:19 2024 +0100 auth: Simplify smb_krb5_send_to_kdc_state_destructor() Replace a call to dbwrap_fetch_locked() with the higher-level dbwrap_delete(). 
Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit 7f5d5ddde1d8fa7674c352f049f49298d5169975 Author: Volker Lendecke Date: Sun Feb 11 12:44:10 2024 +0100 smbd: Fix a comment Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit ac8d38cf13f6feee9ae70c851a3a045ed63dbb6d Author: Volker Lendecke Date: Sat Feb 10 10:40:46 2024 +0100 smbXsrv_version: Use a struct assignment Make sure everything is initialized Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit 5885a69a9855e450a27980462f58654c80a9782b Author: Volker Lendecke Date: Sat Feb 10 10:37:42 2024 +0100 smbXsrv_version: Remove unused smbXsrv_version_global0->db_rec Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit f1af8843defeaaf03b1e7d77655419b6c9e67f39 Author: Volker Lendecke Date: Sat Feb 10 10:36:51 2024 +0100 smbXsrv_version: Use a struct assignment instead of ZERO_STRUCT Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit 90bd197dd57d7872b730b488e9d16144bde60438 Author: Volker Lendecke Date: Sat Feb 10 10:29:35 2024 +0100 smbXsrv_version: Modernize DEBUG statements Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit 97896fa7e54039b0a56510f9ccd22e71fb42b42c Author: Volker Lendecke Date: Mon Feb 19 13:15:55 202