[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8579340fc54 gpo: Do not get templates list on first run via 3f3ddfa699a gpo: Decode base64 root cert before importing via 0d1ff69936f gpo: Test certificate policy without NDES from 2713023250f smbd: use dirfsp and atname in open_directory() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8579340fc540633c13c017d896034904a8dbd55c Author: Gabriel Nagy Date: Fri Jan 19 11:36:19 2024 +0200 gpo: Do not get templates list on first run This is a visual fix and has no impact on functionality apart from cleaner log messages. The point of this is to get the list of supported templates in order to compute a diff between the current applied templates and the updated list, so we are able to unapply and reapply the policy in case there are differences. However this code path is executed on first applies as well, at which point the root CA is not yet set up. This causes the `get_supported_templates` call to fail, which is not a hard failure but still pollutes the logs. In this case it's safe to avoid executing the command as the policy will be applied regardless. Signed-off-by: Gabriel Nagy Reviewed-by: David Mulder Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Mon Jan 22 16:48:57 UTC 2024 on atb-devel-224 commit 3f3ddfa699a33c2c8a59f7fb9ee044bb2a6e0e06 Author: Gabriel Nagy Date: Thu Jan 18 20:23:24 2024 +0200 gpo: Decode base64 root cert before importing The reasoning behind this is described in the previous commit message, but essentially this should either be wrapped in certificate blocks and imported as PEM, or converted back to binary and imported as DER. I've opted for the latter since it's how it used to work before it regressed in 157335ee93e. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557 Signed-off-by: Gabriel Nagy Reviewed-by: David Mulder Reviewed-by: Andreas Schneider commit 0d1ff69936f18ea729fc11fbbb1569a833302572 Author: Gabriel Nagy Date: Mon Jan 8 18:05:08 2024 +0200 gpo: Test certificate policy without NDES As of 8231eaf856b, the NDES feature is no longer required on Windows, as cert auto-enroll can use the certificate from the LDAP request. However, 157335ee93e changed the implementation to convert the LDAP certificate to base64 due to it failing to cleanly convert to a string. Because of insufficient test coverage I missed handling the part where NDES is disabled or not reachable and the LDAP certificate was imported. The call to load_der_x509_certificate now fails with an error because it expects binary data, yet it receives a base64 encoded string. This adds a test to confirm the issue. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557 Signed-off-by: Gabriel Nagy Reviewed-by: David Mulder Reviewed-by: Andreas Schneider --- Summary of changes: python/samba/gp/gp_cert_auto_enroll_ext.py | 8 +- python/samba/tests/gpo.py | 126 +++-- 2 files changed, 125 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py index e2f81b3f3f8..8ba1960efe5 100644 --- a/python/samba/gp/gp_cert_auto_enroll_ext.py +++ b/python/samba/gp/gp_cert_auto_enroll_ext.py @@ -217,10 +217,11 @@ def getca(ca, url, trust_dir): ' installed or not configured.') if 'cACertificate' in ca: log.warn('Installing the server certificate only.') +der_certificate = base64.b64decode(ca['cACertificate']) try: -cert = load_der_x509_certificate(ca['cACertificate']) +cert = load_der_x509_certificate(der_certificate) except TypeError: -cert = load_der_x509_certificate(ca['cACertificate'], +cert = load_der_x509_certificate(der_certificate, default_backend()) cert_data = cert.public_bytes(Encoding.PEM) with open(root_cert, 'wb') as w: @@ -358,7 +359,8 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): # If the policy has changed, unapply, then apply new policy old_val = self.cache_get_attribute_value(guid, attribute) old_data = json.loads(old_val) if old_val is not None else {} -templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] +templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] \ +if
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2713023250f smbd: use dirfsp and atname in open_directory() via 1965fc77b38 smbd: use safe_symlink_target_path() in symlink_target_below_conn() via fc80c72d658 smbd: add a directory argument to safe_symlink_target_path() via 0515dded4dd smbd: pass symlink target path to safe_symlink_target_path() via 62cbe145c7e CI: disable /proc/fds and RESOLVE_NO_SYMLINK in samba-no-opath-build runner via 5c2f96442a2 vfs_default: allow disabling /proc/fds and RESOLVE_NO_SYMLINK at compile time from fdf3656d30c autobuild: Run ad_member_idmap_nss tests as part of samba-admem https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2713023250f15cf9971d88620cab9dd4afd0dc73 Author: Ralph Boehme Date: Mon Dec 18 12:35:58 2023 +0100 smbd: use dirfsp and atname in open_directory() On systems without /proc/fd support this avoid the expensive chdir() logic in non_widelink_open(). open_file_ntcreate() already passes dirfsp and atname to reopen_from_fsp(), it was just missed in the conversion. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549 Reviewed-by: Volker Lendecke Signed-off-by: Ralph Boehme Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Mon Jan 22 12:00:56 UTC 2024 on atb-devel-224 commit 1965fc77b3852a0593e13897af08f5304a1ce3a2 Author: Ralph Boehme Date: Tue Jan 2 14:34:26 2024 +0100 smbd: use safe_symlink_target_path() in symlink_target_below_conn() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549 Signed-off-by: Ralph Boehme Reviewed-by: Volker Lendecke commit fc80c72d658a41fe4d93b24b793b52c91b350175 Author: Ralph Boehme Date: Tue Jan 2 13:25:25 2024 +0100 smbd: add a directory argument to safe_symlink_target_path() Existing caller passes NULL, no change in behaviour. Prepares for replacing symlink_target_below_conn() in open.c. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549 Signed-off-by: Ralph Boehme Reviewed-by: Volker Lendecke commit 0515dded4ddb49e5570ae7df51126af1a2d643de Author: Ralph Boehme Date: Tue Jan 2 12:49:14 2024 +0100 smbd: pass symlink target path to safe_symlink_target_path() Moves creating the symlink target path via symlink_target_path() to the caller. This prepares for using this in non_widelink_open(), where it will replace symlink_target_below_conn() with the same functionality. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549 Signed-off-by: Ralph Boehme Reviewed-by: Volker Lendecke commit 62cbe145c7e500c4759ed2005c78bd5056c87f43 Author: Ralph Boehme Date: Tue Dec 19 11:12:49 2023 +0100 CI: disable /proc/fds and RESOLVE_NO_SYMLINK in samba-no-opath-build runner This is a more sensible combination of missing Linux specific features: - O_PATH - openat2() with RESOLVE_NO_SYMLINKS - somehow safely reopen an O_PATH file handle Currently only O_PATH is disabled for these jobs, but that doesn't really match and know OS. The following list shows which features are available and used by Samba on a few OSes: | O_PATH | RESOLVE_NO_SYMLINKS | Safe reopen| CI covered ||-| | Supported Used | Supported Used | Supported Used | Linux | + +| + + | + +| + FreeBSD | + +| + [1] - | + [2] -| - AIX | - -| - - | - -| + So by also disabling RESOLVE_NO_SYMLINKS and Safe Reopen, we cover classic UNIX systems like AIX. [1] via open() flag O_RESOLVE_BENEATH [2] via open() flag O_EMPTY_PATH BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549 Signed-off-by: Ralph Boehme Reviewed-by: Volker Lendecke commit 5c2f96442a25a1725809a28b3719afbc0bd01830 Author: Ralph Boehme Date: Tue Dec 19 11:11:55 2023 +0100 vfs_default: allow disabling /proc/fds and RESOLVE_NO_SYMLINK at compile time This will be used in CI to have a gitlab runner without all modern Linux features we make use of as part of path processing: - O_PATH - openat2() with RESOLVE_NO_SYMLINKS - somehow safely reopen an O_PATH file handle That gives what a classix UNIX like AIX or Solaris offers feature wise. Other OSes support other combinations of those features, but we leave the exersize of possibly adding more runners supporting those combinations to the reader. The following list shows which features are available and used by Samba on a few
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via 283ff41ee92 s3:passdb: smbpasswd reset permissions only if not 0600 via 9c43625c47e system.c: fix fake directory create times via a86c1087681 time.c: fix ctime which was feeded with the mtime seconds from df025598884 python:gp: Print a nice message if cepces-submit can't be found https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit 283ff41ee9273ee345ee8432e77eac950810581c Author: Jones Syue Date: Fri Jan 12 11:52:34 2024 +0800 s3:passdb: smbpasswd reset permissions only if not 0600 Browsing files or download files from samba server, smbd would check user's id to decide whether this user could access these files, by lookup user's information from the password file (e.g. /usr/local/samba/private/smbpasswd). smbd might goes through startsmbfilepwent(), this api calls [f]chmod() to make sure the password file has valid permissions 0600. Consider a scenario: we are doing a read performance benchmark about downloading a bunch of files (e.g. a thousand files) from a samba server, monitoring file system i/o activities counters, and expecting that should be only read operations on file system because this is just downloading, no uploading is involved. But actually found that still write operations on file system, because smbd lookup user and always reset 0600 permissions on password file while access each file, it makes dirty pages (inode modification) in ram, later triggered a kernel journal daemon to sync dirty pages into back storage (e.g. ext3 kjournald, or ext4 jbd2). This looks like not friendly for read performance benchmark if it happened on an entry-level systems with much less memory and limited computation power, because dirty pages syncing in the meantime slows down read performance. This patch adds fstat() before [f]chmod(), it would check whether password file has valid permissions 0600 or not. If 0600 smbd would bypass [f]chmod() to avoid making dirty pages on file systems. If not 0600 smbd would warn and go through [f]chmod() to set valid permissions 0600 to password file as earlier days. BUG: https://bugzilla.samba.org/show_bug.cgi?id=1 Signed-off-by: Jones Syue Reviewed-by: Jeremy Allison Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Thu Jan 18 10:28:19 UTC 2024 on atb-devel-224 (cherry picked from commit c82a267b2a1b7617e818548aa486b7cfbda74657) Autobuild-User(v4-19-test): Jule Anger Autobuild-Date(v4-19-test): Mon Jan 22 10:53:03 UTC 2024 on atb-devel-224 commit 9c43625c47e5a663716b05ebdcb61bce70e9c1d1 Author: Bjoern Jacke Date: Mon Jan 8 15:04:12 2024 + system.c: fix fake directory create times This was broken by c9c3d4312d7281904fc back in 2009 already. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12421 Signed-off-by: Bjoern Jacke Reviewed-by: Volker Lendecke (cherry picked from commit 56c3dbc2ff8531772bf79eb9da3497767a20ce6f) commit a86c1087681ba6cabc267a5af30abf77fc89b7ae Author: Björn Jacke Date: Sun Jan 7 05:09:58 2024 +0100 time.c: fix ctime which was feeded with the mtime seconds This bug was introduced with 53a1d034f3e47ed3c in 2020. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15550 Signed-off-by: Bjoern Jacke Reviewed-by: Volker Lendecke (cherry picked from commit 2df2e34c3c1ccf76bbcc78586cbbb6433b6d30d5) --- Summary of changes: lib/util/time.c| 2 +- source3/lib/system.c | 1 + source3/passdb/pdb_smbpasswd.c | 36 3 files changed, 30 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/util/time.c b/lib/util/time.c index c2a77d664d3..9393a754d73 100644 --- a/lib/util/time.c +++ b/lib/util/time.c @@ -1450,7 +1450,7 @@ struct timespec get_ctimespec(const struct stat *pst) { struct timespec ret; - ret.tv_sec = pst->st_mtime; + ret.tv_sec = pst->st_ctime; ret.tv_nsec = get_ctimensec(pst); return ret; } diff --git a/source3/lib/system.c b/source3/lib/system.c index 57e917fa79c..be8297e34fd 100644 --- a/source3/lib/system.c +++ b/source3/lib/system.c @@ -186,6 +186,7 @@ static void make_create_timespec(const struct stat *pst, struct stat_ex *dst, if (S_ISDIR(pst->st_mode) && fake_dir_create_times) { dst->st_ex_btime.tv_sec = 315493200L; /* 1/1/1980 */ dst->st_ex_btime.tv_nsec = 0; + return; } dst->st_ex_iflags &= ~ST_EX_IFLAG_CALCULATED_BTIME; diff --git a/source3/passdb/pdb_smbpasswd.c
[SCM] Samba Shared Repository - branch v4-18-test updated
The branch, v4-18-test has been updated via e6745b15107 s3:passdb: smbpasswd reset permissions only if not 0600 via 161efeac21d system.c: fix fake directory create times via 0d75a9acaf3 time.c: fix ctime which was feeded with the mtime seconds from ee2df0bbb34 smbd: move access override for previous versions to the SMB layer https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test - Log - commit e6745b151074c620fe5d102b0b5f0c47023e12e1 Author: Jones Syue Date: Fri Jan 12 11:52:34 2024 +0800 s3:passdb: smbpasswd reset permissions only if not 0600 Browsing files or download files from samba server, smbd would check user's id to decide whether this user could access these files, by lookup user's information from the password file (e.g. /usr/local/samba/private/smbpasswd). smbd might goes through startsmbfilepwent(), this api calls [f]chmod() to make sure the password file has valid permissions 0600. Consider a scenario: we are doing a read performance benchmark about downloading a bunch of files (e.g. a thousand files) from a samba server, monitoring file system i/o activities counters, and expecting that should be only read operations on file system because this is just downloading, no uploading is involved. But actually found that still write operations on file system, because smbd lookup user and always reset 0600 permissions on password file while access each file, it makes dirty pages (inode modification) in ram, later triggered a kernel journal daemon to sync dirty pages into back storage (e.g. ext3 kjournald, or ext4 jbd2). This looks like not friendly for read performance benchmark if it happened on an entry-level systems with much less memory and limited computation power, because dirty pages syncing in the meantime slows down read performance. This patch adds fstat() before [f]chmod(), it would check whether password file has valid permissions 0600 or not. If 0600 smbd would bypass [f]chmod() to avoid making dirty pages on file systems. If not 0600 smbd would warn and go through [f]chmod() to set valid permissions 0600 to password file as earlier days. BUG: https://bugzilla.samba.org/show_bug.cgi?id=1 Signed-off-by: Jones Syue Reviewed-by: Jeremy Allison Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Thu Jan 18 10:28:19 UTC 2024 on atb-devel-224 (cherry picked from commit c82a267b2a1b7617e818548aa486b7cfbda74657) Autobuild-User(v4-18-test): Jule Anger Autobuild-Date(v4-18-test): Mon Jan 22 10:09:52 UTC 2024 on atb-devel-224 commit 161efeac21dd2d4f36d72b50c25f1e4b434c15a7 Author: Bjoern Jacke Date: Mon Jan 8 15:04:12 2024 + system.c: fix fake directory create times This was broken by c9c3d4312d7281904fc back in 2009 already. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12421 Signed-off-by: Bjoern Jacke Reviewed-by: Volker Lendecke (cherry picked from commit 56c3dbc2ff8531772bf79eb9da3497767a20ce6f) commit 0d75a9acaf31aecbe3d0f5409350ddcadfd8e00a Author: Björn Jacke Date: Sun Jan 7 05:09:58 2024 +0100 time.c: fix ctime which was feeded with the mtime seconds This bug was introduced with 53a1d034f3e47ed3c in 2020. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15550 Signed-off-by: Bjoern Jacke Reviewed-by: Volker Lendecke (cherry picked from commit 2df2e34c3c1ccf76bbcc78586cbbb6433b6d30d5) --- Summary of changes: lib/util/time.c| 2 +- source3/lib/system.c | 1 + source3/passdb/pdb_smbpasswd.c | 36 3 files changed, 30 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/util/time.c b/lib/util/time.c index 773fd611a33..bc1ea5f6473 100644 --- a/lib/util/time.c +++ b/lib/util/time.c @@ -1450,7 +1450,7 @@ struct timespec get_ctimespec(const struct stat *pst) { struct timespec ret; - ret.tv_sec = pst->st_mtime; + ret.tv_sec = pst->st_ctime; ret.tv_nsec = get_ctimensec(pst); return ret; } diff --git a/source3/lib/system.c b/source3/lib/system.c index 16fe3839446..5874afadd3c 100644 --- a/source3/lib/system.c +++ b/source3/lib/system.c @@ -186,6 +186,7 @@ static void make_create_timespec(const struct stat *pst, struct stat_ex *dst, if (S_ISDIR(pst->st_mode) && fake_dir_create_times) { dst->st_ex_btime.tv_sec = 315493200L; /* 1/1/1980 */ dst->st_ex_btime.tv_nsec = 0; + return; } dst->st_ex_iflags &= ~ST_EX_IFLAG_CALCULATED_BTIME; diff --git a/source3/passdb/pdb_smbpasswd.c
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fdf3656d30c autobuild: Run ad_member_idmap_nss tests as part of samba-admem from 45962d416f4 source3/lib: Properly log the change in capability https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fdf3656d30cedf95f4d4585f98db9ba03b28 Author: Pavel Filipenský Date: Mon Jan 15 10:33:05 2024 +0100 autobuild: Run ad_member_idmap_nss tests as part of samba-admem Those are currently running as part of the normal 'samba' target. It makes more sense to run them togehter with the other ad_member tests. Signed-off-by: Pavel Filipenský Pair-Programmed-With: Andreas Schneider Reviewed-by: Andreas Schneider Autobuild-User(master): Pavel Filipensky Autobuild-Date(master): Mon Jan 22 08:17:32 UTC 2024 on atb-devel-224 --- Summary of changes: script/autobuild.py | 4 1 file changed, 4 insertions(+) Changeset truncated at 500 lines: diff --git a/script/autobuild.py b/script/autobuild.py index a10b9aebdef..7eea3653e0b 100755 --- a/script/autobuild.py +++ b/script/autobuild.py @@ -334,6 +334,7 @@ tasks = { "admem_idmap_autorid", "ad_member_idmap_ad", "ad_member_rfc2307", +"ad_member_idmap_nss", "ad_member_oneway", "chgdcpass", "vampire_2000_dc", @@ -403,6 +404,7 @@ tasks = { "admem_idmap_autorid", "ad_member_idmap_ad", "ad_member_rfc2307", +"ad_member_idmap_nss", "ad_member_oneway", "chgdcpass", "vampire_2000_dc", @@ -514,6 +516,7 @@ tasks = { "admem_idmap_autorid", "ad_member_idmap_ad", "ad_member_rfc2307", +"ad_member_idmap_nss", "ad_member_offlogon", ])), ("lcov", LCOV_CMD), @@ -720,6 +723,7 @@ tasks = { "admem_idmap_autorid", "ad_member_idmap_ad", "ad_member_rfc2307", +"ad_member_idmap_nss", "ad_member_offlogon", ])), ("lcov", LCOV_CMD), -- Samba Shared Repository