[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via daf6d371f36 s3:rpc_client: implement bind time feature negotiation via 713a8022573 s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context via 6548ccb31bf s3:rpc_client: pass struct rpc_pipe_client to check_bind_response() via 0cc0970d359 dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags() from 2674df4cc0e s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit daf6d371f3639cbd64f9ac9f8a3be5b7d37393a7 Author: Stefan Metzmacher Date: Fri Apr 19 01:22:17 2024 +0200 s3:rpc_client: implement bind time feature negotiation This is not strictly needed as we don't use any of the optional features yet. But it will make it easier to add bind time features we'll actually use later. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Apr 23 17:29:55 UTC 2024 on atb-devel-224 commit 713a8022573a1b917422d888e4bb901539d20a91 Author: Stefan Metzmacher Date: Fri Apr 19 01:17:46 2024 +0200 s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context We should fail if we didn't get DCERPC_BIND_ACK_RESULT_ACCEPTANCE. It's also not needed to require a single array element. We already checked above that we have at least one. The next patch will all bind time feature negotiation and that means we'll have 2 array elements... Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 6548ccb31bfefdfa5d4ddd14ced900c64a68224e Author: Stefan Metzmacher Date: Fri Apr 19 01:15:52 2024 +0200 s3:rpc_client: pass struct rpc_pipe_client to check_bind_response() This prepares adding bind time feature negotiation in the next commits. 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 0cc0970d359f6521b1621c87149291c597f4b0d6 Author: Stefan Metzmacher Date: Tue Oct 13 15:43:05 2015 +0200 dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags() dcerpc_ncacn_push_auth() already calls dcerpc_set_frag_length(). Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- Summary of changes: librpc/rpc/dcesrv_reply.c | 2 -- source3/rpc_client/cli_pipe.c | 49 +++-- source3/rpc_client/rpc_client.h | 7 ++ 3 files changed, 44 insertions(+), 14 deletions(-) Changeset truncated at 500 lines:
diff --git a/librpc/rpc/dcesrv_reply.c b/librpc/rpc/dcesrv_reply.c
index 6d605168176..4890169c98b 100644
--- a/librpc/rpc/dcesrv_reply.c
+++ b/librpc/rpc/dcesrv_reply.c
@@ -130,8 +130,6 @@ NTSTATUS dcesrv_fault_with_flags(struct dcesrv_call_state *call,
 return status;
 }
- dcerpc_set_frag_length(>blob, rep->blob.length);
-
 DLIST_ADD_END(call->replies, rep);
 dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index b4289e9d35d..cf551f6f548 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1130,17 +1130,28 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
 {
 uint16_t auth_len = auth_info->length;
 NTSTATUS status;
- struct dcerpc_ctx_list ctx_list = {
- .context_id = 0,
- .num_transfer_syntaxes = 1,
- .abstract_syntax = *abstract,
- .transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer),
+ struct ndr_syntax_id bind_time_features = dcerpc_construct_bind_time_features(
+ DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING |
+ DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN);
+ struct dcerpc_ctx_list ctx_list[2] = {
+ [0] = {
+ .context_id = 0,
+ .num_transfer_syntaxes = 1,
+ .abstract_syntax = *abstract,
+ .transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer),
+ },
+ [1] = {
+ .context_id = 1,
+ .num_transfer_syntaxes = 1,
+ .abstract_syntax = *abstract,
+ .transfer_syntaxes = _time_features,
+ },
 };
 union dcerpc_payload u = {
 .bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN,
 .bind.max_recv_frag = RPC_MAX_
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2674df4cc0e s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed via aff2932c420 python/samba/getopt: don't prompt for a password for --use-krb5-ccache=... via 0ba9e5dacbb lib/cmdline: only call cli_credentials_get_password_and_obtained if needed via 994e12e8f7a lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST via e2170431f1d s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds() via 5af5bf26457 auth/credentials: don't call talloc_free(ccache_name) on callers memory via d221f930efc auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy() via 126357e2e73 lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime via e58f83d3958 s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings via e6f92edba69 s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND from c49c48afe09 ldb:utf8: ldb_ascii_toupper() avoids real toupper() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2674df4cc0e124d74eb9d764c29a07c9c84b94d6 Author: Stefan Metzmacher Date: Thu Apr 14 15:36:51 2022 +0200 s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed Only legacy protocols need a password for share level authentication, so avoid triggering the password prompt for the common case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Apr 23 15:21:38 UTC 2024 on atb-devel-224 commit aff2932c420fd102c077063b8d1f66cdd8a777cb Author: Stefan Metzmacher Date: Fri Mar 8 14:14:34 2024 +0100 python/samba/getopt: don't prompt for a password for --use-krb5-ccache=... 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 0ba9e5dacbb4e5bf94600e0a4a1cbd9f7a9c5d9e Author: Stefan Metzmacher Date: Thu Apr 14 13:31:20 2022 +0200 lib/cmdline: only call cli_credentials_get_password_and_obtained if needed BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 994e12e8f7a6b089342a32a6c3269048bfef1545 Author: Stefan Metzmacher Date: Thu Apr 14 13:30:56 2022 +0200 lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit e2170431f1d4a6f4ce7e3e6949282d5bc60b5d08 Author: Stefan Metzmacher Date: Thu Mar 7 00:11:26 2024 +0100 s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 5af5bf264571b732b5236e6db2061b523e603c05 Author: Stefan Metzmacher Date: Tue Feb 27 16:22:14 2024 +0100 auth/credentials: don't call talloc_free(ccache_name) on callers memory The internally allocated ccache_name has ccc as parent, so we don't need to cleanup explicitly. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit d221f930efcff09a9b5dc18c5dfb6475ade1312a Author: Stefan Metzmacher Date: Tue Feb 27 16:07:22 2024 +0100 auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy() A simple krb5_cc_close() doesn't remove it from the global memory list. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 126357e2e7302eb219fda80e3cfbef3da02c1d6d Author: Stefan Metzmacher Date: Fri Mar 8 11:39:35 2024 +0100 lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime If the ccache doesn't have a intial TGT the shortest lifetime of service tickets should be returned. 
This is needed in order to work with special ccaches used for things like S2U4Self/S4U2Proxy tickets or other things where the caller only wants to pass a single service ticket. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit e58f83d3958d7b6a16d7d75a7a266cead4befb48 Author: Stefan Metzmacher Date: Wed Apr 3 16:00:41 2024 +0200 s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit e6f92edba690923ec8ef427bc6d5b30d609c129a Author: Stefan Metzmacher Date: Wed Apr 3 16:35:35 2024 +0200 s3:notify: don't log
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 814ae222ca1 s3:winbindd: use better debug messages than 'talloc_strdup failed' via 72a4d3ad5a9 s3:passdb: use DBG_ERR() for 'talloc_strdup failed' messages via ca859e55d28 s3:libads: avoid changing ADS->server.workgroup via 796f33c05a0 s4:nbt_server: simulate nmbd and provide unexpected handling via bfb10774b65 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs via 77f4f1c7dba s4:libcli/dgram: make use of socket_address_copy() via 11861bcfc30 s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages via cca373b806e libcli/nbt: add nbt_name_send_raw() via 2b3c75c s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL via 696505a1efb s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}() via f90cf0822d6 s3:libsmb/unexpected: don't use talloc_tos() in async code via 011f68ae5dd s3:wscript: LIBNMB requires lp_ functions via 105247c9000 s3:include: split out fstring.h via 7f96c21029e s3:include: let nameserv.h be useable on its own from f8b72aa1f72 tests: Add a test for "all_groups=no" to test_idmap_ad.sh https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 814ae222ca15ff7093a71639cdcc97b9937670ce Author: Stefan Metzmacher Date: Fri Jan 26 09:25:11 2024 +0100 s3:winbindd: use better debug messages than 'talloc_strdup failed' Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Apr 5 13:28:42 UTC 2024 on atb-devel-224 commit 72a4d3ad5a9d1ea5cd0b2a940893727f0283879a Author: Stefan Metzmacher Date: Fri Jan 26 09:21:03 2024 +0100 s3:passdb: use DBG_ERR() for 'talloc_strdup failed' messages Otherwise it's completely unclear where the messages come from Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit ca859e55d28f421196bc2660cfa84595ec5b57c6 Author: Stefan Metzmacher Date: Fri Oct 15 03:34:11 2021 +0200 s3:libads: avoid changing 
ADS->server.workgroup ads_find_dc() uses c_domain = ads->server.workgroup and don't expect it to get out of scope deep in resolve_and_ping_dns(). The result are corrupted domain values in the debug output. Valgrind shows this: Invalid read of size 1 at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688) by 0x609ED49: __vasprintf_internal (vasprintf.c:57) by 0x5D2EC0F: __dbgtext_va (debug.c:1860) by 0x5D2ED3F: dbgtext (debug.c:1881) by 0x4BFFB50: ads_find_dc (ldap.c:570) by 0x4C001F4: ads_connect (ldap.c:704) by 0x4C1DC12: ads_dc_name (namequery_dc.c:84) Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x4BFF0AF: ads_try_connect (ldap.c:299) by 0x4BFF40E: cldap_ping_list (ldap.c:367) by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468) by 0x4BFFA91: ads_find_dc (ldap.c:556) by 0x4C001F4: ads_connect (ldap.c:704) by 0x4C1DC12: ads_dc_name (namequery_dc.c:84) Block was alloc'd at at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x60B250E: strdup (strdup.c:42) by 0x4FF1492: smb_xstrdup (util.c:743) by 0x4C10E62: ads_init (ads_struct.c:148) by 0x4C1DB68: ads_dc_name (namequery_dc.c:73) BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 796f33c05a0ca337b675b5d4d127f7c53b22528f Author: Stefan Metzmacher Date: Wed Feb 14 12:34:48 2024 +0100 s4:nbt_server: simulate nmbd and provide unexpected handling This is needed in order to let nbt_getdc() work against another AD DC and get back a modern response with DNS based names. Instead of falling back to the ugly name_status_find() that simulates just an NETLOGON_SAM_LOGON_RESPONSE_NT40 response. 
This way dsgetdcname() can work with just the netbios domain name given and still return an active directory response. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1 Author: Stefan Metzmacher Date: Wed Feb 14 13:49:21 2024 +0100 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 99b6feac932 WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options from 69b69bb2085 libgpo: Do not segfault if we don't have a valid security descriptor https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 99b6feac9326673d0ce0d01172f8180c1f2232e7 Author: Stefan Metzmacher Date: Fri Mar 15 23:17:36 2024 +0100 WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Autobuild-User(v4-20-test): Stefan Metzmacher Autobuild-Date(v4-20-test): Tue Mar 19 13:30:31 UTC 2024 on atb-devel-224 --- Summary of changes: WHATSNEW.txt | 68 +++- 1 file changed, 67 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index dd80f116a10..9385a05f99e 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -191,6 +191,68 @@ The Security Descriptor Definition Language has extensions for conditional ACEs and resource attribute ACEs; these are now supported by Samba. +Service Witness Protocol [MS-SWN] +- + +In a ctdb cluster it is now possible to provide +the SMB witness service that allows clients to +monitor their current smb connection to cluster +node A by asking cluster node B to notify the +client if the ip address from node A or the +whole node A becomes unavailable. + +For disk shares in a ctdb cluster +SMB2_SHARE_CAP_SCALEOUT is now always returned +for SMB3 tree connect responses. + +If the witness service is active +SMB2_SHARE_CAP_CLUSTER is now also returned. + +In order to activate the witness service +"rpc start on demand helpers = no" needs to +be configured in the global section. +At the same time the 'samba-dcerpcd' service +needs to be started explicitly, typically +with the '--libexec-rpcds' option in order +to make all available services usable. +One important aspect is that tcp ports +135 (for the endpoint mapper) and various +ports in the 'rpc server dynamic port range' +will be used to provide the witness service +(rpcd_witness). + +ctdb provides a '47.samba-dcerpcd.script' in order +to manage the samba-dcerpcd.service. +Typically as systemd service, but that's up +to the packager and/or admin. + +Please note that current windows client +requires SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY +in addition to SMB2_SHARE_CAP_CLUSTER in order +to make use of the witness service. +But SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY implies +the windows clients always ask for persistent handle +(which are not implemented in samba yet), so +that every open generates a warning in the +windows smb client event log. +That's why SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY +is not returned by default. +An explicit 'smb3 share cap:CONTINUOUS AVAILABILITY = yes' +is needed. 
+ +There are also new 'net witness' commands in order +to let the admin list active client registrations +or ask specific clients to move their smb connection +to another cluster node. These are available: + + net witness list + net witness client-move + net witness share-move + net witness force-unregister + net witness force-response + +Consult 'man net' or 'net witness help' for further details. + REMOVED FEATURES @@ -210,8 +272,12 @@ smb.conf changes Parameter Name Description Default -- --- --- - smb3 unix extensionsPer share - acl claims evaluation new AD DC only + smb3 unix extensionsPer share - + smb3 share cap:ASYMMETRIC new no + smb3 share cap:CLUSTER new see 'man smb.conf' + smb3 share cap:CONTINUOUS AVAILABILITY new no + smb3 share cap:SCALE OUTnew see 'man smb.conf' CHANGES SINCE 4.20.0rc3 -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 447e131ebf2 smb2_tcon: add "smb3 share cap:{CONTINUOUS AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}" options via 941f53f0c93 python:tests/rpcd_witness_samba_only: add tests for 'net witness force-response' via 946bf100685 s3:utils: add 'net witness force-response' via 8a643fea95c python:tests/rpcd_witness_samba_only: add tests for 'net witness force-unregister' via 8536a217922 s3:utils: add 'net witness force-unregister' via 290ef547d86 python:tests/rpcd_witness_samba_only: add tests for 'net witness {client,share}-move' via df3b5f93390 s3:utils: add 'net witness client-move' and 'net witness share-move' via 4fba5bcaad7 s3:rpc_server/witness: add handling of MSG_RPCD_WITNESS_REGISTRATION_UPDATE messages via b722dc74f86 s3:rpcd_witness.idl: add rpcd_witness_registration_updateB message definitions via 0744d55be03 messaging.idl: add MSG_RPCD_WITNESS_REGISTRATION_UPDATE via 3e70b31f013 python:tests/rpcd_witness_samba_only: add tests for 'net witness list' via 46fdeca696e s3:utils: add 'net witness list' command via fcc8e0978b6 s3:rpc_server/witness: let Register[Ex] store rpcd_witness_registration.tdb records via a9829ce6cf3 s3:rpcd_witness.idl: introduce definitions for rpcd_witness_registration.tdb records via b17e090e7c1 python/blackbox: add rpcd_witness_samba_only.py test via b3c51c4b825 python/tests: add TestCase.get_loadparm(s3=True) support via ea1ec424ad0 script/autobuild.py: also pass PYTHONPATH to make test of 'samba-ctdb' via 3ede69552ca selftest/Samba: export CTDB_PREFIX in clusteredmember testenv via 2f9dfaae448 selftest/Samba3: start samba_dcerpcd in clusteredmember via 15b17f1fffc selftest/Samba3: remove unused variable in setup_clusteredmember via bc2a77373a0 selftest/Samba3: get NETBIOSNAME correct for clusteredmember via cb1d711e25a s3:rpc_server/witness: add implementation based on CTDB_SRVID_IPREALLOCATED and ctdbd_all_ip_foreach() via 85f30bcf0b6 s3:rpc_server: add basic rpcd_witness template via 9083f49e767 
s3:ctdbd_conn: add ctdbd_all_ip_foreach() helper via 3106709c891 s3:ctdbd_conn: split out ctdbd_control_get_nodemap() via ceda79b6cc0 s3:ctdbd_conn: pass vnn to ctdbd_control_get_public_ips() via f21e3800644 witness.idl: make witness_interfaceList public to that ndr_print works in python via b9bd7e89f28 smbstatus: let --json include session.{creation,expiration,auth}_time from fe8d866d2c6 vfs_ceph: Implement SMB_VFS_FSTATAT https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 447e131ebf2b7bb02e7dfbb0ee38c2d656632856 Author: Stefan Metzmacher Date: Tue Jul 31 08:55:20 2012 +0200 smb2_tcon: add "smb3 share cap:{CONTINUOUS AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}" options Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Jan 26 18:04:10 UTC 2024 on atb-devel-224 commit 941f53f0c937fa75562183e9a4e1c95adf5d9524 Author: Stefan Metzmacher Date: Mon Jan 22 19:27:03 2024 +0100 python:tests/rpcd_witness_samba_only: add tests for 'net witness force-response' Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner commit 946bf100685da22cebbc38bcf96139c02ea35921 Author: Stefan Metzmacher Date: Fri Dec 15 14:49:37 2023 +0100 s3:utils: add 'net witness force-response' This allows generating any possible AsyncNotify response for the specified selection of witness registrations from rpcd_witness_registration.tdb. This can be used by developers to test the (windows) client behavior to specific AsyncNotify responses. 
Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner commit 8a643fea95c2d7d4f6709a10ff798bf3f9e210aa Author: Stefan Metzmacher Date: Mon Jan 15 14:20:00 2024 +0100 python:tests/rpcd_witness_samba_only: add tests for 'net witness force-unregister' Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner commit 8536a217922f7a2c5545b8f87084d08ea955ac61 Author: Stefan Metzmacher Date: Fri Dec 15 14:49:37 2023 +0100 s3:utils: add 'net witness force-unregister' This allows removing of the specified selection of witness registrations from rpcd_witness_registration.tdb. Any pending AsyncNotify will get WERR_NOT_FOUND. Typically this triggers a clean re-registration on the client. Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner commit 290ef547d869100bdea42784b8a8783085eed805 Author: Stefan Metzmacher Date: Mon Jan 15 14:20:00 2024 +0100 python:tests/rpcd_witness_samba_only: add tests for '
[SCM] Samba Shared Repository - branch master updated
of r->out.domains->array and r->out.domains->count to the end of the function ensures we don't return inconsistent state in case of an error. Also, r->out.domains is already set by the NDR layer, no need to create and assign a struct netr_DomainTrustList object. Using talloc_move() ensures we don't leave dangling pointers. Better to crash reliably on accessing NULL, then accessing some unknown memory via a wild pointer. As talloc_move() can't fail, there's no need to check the return value. And using a struct initializer ensures all members are properly initialized. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sat Jan 20 14:23:51 UTC 2024 on atb-devel-224 commit 000bbede59e4ca78427fa57b56fa251d4d779adb Author: Ralph Boehme Date: Thu Jan 18 17:42:33 2024 +0100 selftest: test listing trusted domains that includes an NT4 domain BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit 53ca19851dbfc3cab7345424c029a7c90745e24a Author: Ralph Boehme Date: Thu Jan 18 19:12:34 2024 +0100 s4/rpc_server: return NULL dns_name for NT4 trusts That's what Windows returns for an NT4 trust: array: struct netr_DomainTrust netbios_name : * netbios_name : 'NT4TRUST' dns_name : NULL trust_flags : 0x0020 (32) 0: NETR_TRUST_FLAG_IN_FOREST 0: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 0: NETR_TRUST_FLAG_PRIMARY 0: NETR_TRUST_FLAG_NATIVE 1: NETR_TRUST_FLAG_INBOUND 0: NETR_TRUST_FLAG_MIT_KRB5 0: NETR_TRUST_FLAG_AES parent_index : 0x (0) trust_type : LSA_TRUST_TYPE_DOWNLEVEL (1) trust_attributes : 0x (0) 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST 0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0: 
LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION 0: LSA_TRUST_ATTRIBUTE_PIM_TRUST 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION sid : * sid : S-1-5-21-4267984555-3675415144-1682400025 guid : ---- Even though when creating the trust the DNS name must not be NULL and the trustPartner and name attributes are set to the flatName in the trustedDomain object: dn: CN=NT4TRUST,CN=System,DC=wdom2,DC=site objectClass: top objectClass: leaf objectClass: trustedDomain cn: NT4TRUST distinguishedName: CN=NT4TRUST,CN=System,DC=wdom2,DC=site instanceType: 4 whenCreated: 20240118175040.0Z whenChanged: 20240118175040.0Z uSNCreated: 4939915 uSNChanged: 4939916 showInAdvancedViewOnly: TRUE name: NT4TRUST objectGUID: c2273b74-19ff-4f5a-b528-9e5ae21960dd securityIdentifier: S-1-5-21-4267984555-3675415144-1682400025 trustDirection: 1 trustPartner: NT4TRUST trustPosixOffset: 0 trustType: 1 trustAttributes: 0 flatName: NT4TRUST objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=wdom2,DC=site isCriticalSystemObject: TRUE dSCorePropagationData: 1601010100.0Z BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit 3a95e135472a495a90637e5dc0f9e3c8de052ff9 Author: Ralph Boehme Date: Wed Jan 10 14:50:05 2024 +0100 selftest: add a test for NT4 trusts BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit 645a725603ca03f27c1347b1e2ed9fea94a6319d Author: Ralph Boehme Date: Sat Jan 13 08:48:54 2024 +0100 selftest: create trust between fl2008r2dc and nt4_dc BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit 9725aa932e24622566baf208586d1fe03885da9f Author: Ralph Boehme Date: Thu Jan 18 16:04:34 2024 +0100 selftest: rename a variable in setup_fl2008r2dc() Prepares f
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 1b6ef968d83 dcesrv_reply: just drop responses if the connection is already terminating via e829f5d8ec3 dcesrv_core: add dcesrv_call_state->subreq in order to allow tevent_req_cancel() on termination via 87e37e73a9b witness.idl: add flag(NDR_PAHEX) to some hex based enums via 290b0b04ae4 witness.idl: make some types public in order to be used elsewhere via 5beef87816d witness.idl: Set cifs as auth service name for the witness interface via 78ec47a6674 tdb: fix python/tdbdump.py example via 3c73d201d45 examples/scripts: add smbXsrvdump via 8e850685a10 smbXsrv.idl: add python bindings via b96ce32f826 smbstatus: let --json dump also session channels via 3f92a684abb smbstatus: let --json report the client_guid a session belongs to via c1c326ebccb smbXsrv_session: store session_global->client_guid via 88b1c8723b3 s3:sessionid: export smbXsrv_session_global via sessionid->global via d52f7279063 lib/util: let is_zero_addr() return true for AF_UNSPEC via 10b084f824f s3:smbd multichannel: improve smbXsrv_connection_dbg() via 475784d63e9 s3:smbd multichannel: let a cross-node session binding NT_STATUS_REQUEST_NOT_ACCEPTED via 8a3707e3ed9 s3:smbd multichannel: always allow multichannel to the ip of the queried connection via f94d2ed13e6 libcli/security: remove PRIMARY_{USER,GROUP}_SID_INDEX defines from security.h via 6331d33ae49 libcli/smb: add new SMB2_SHAREFLAG_ defines in smb2_constants.h from f14a7065690 smbd: move access override for previous versions to the SMB layer https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1b6ef968d8370757cb472a1e3bfe030f8066c50d Author: Stefan Metzmacher Date: Fri Nov 24 14:42:35 2023 +0100 dcesrv_reply: just drop responses if the connection is already terminating There's no reason to waste resources... 
Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Jan 9 11:26:55 UTC 2024 on atb-devel-224 commit e829f5d8ec3a77acb52a22d45e61dcce03762a10 Author: Stefan Metzmacher Date: Fri Nov 24 14:02:02 2023 +0100 dcesrv_core: add dcesrv_call_state->subreq in order to allow tevent_req_cancel() on termination Requests might be cancelled if the connection got disconnected, we got an ORPHANED or CO_CANCEL pdu. But this is all opt-in for the backends to choose. Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Andreas Schneider commit 87e37e73a9ba13ed92a33a385a387b225b2b9190 Author: Stefan Metzmacher Date: Fri Dec 29 10:20:02 2023 +0100 witness.idl: add flag(NDR_PAHEX) to some hex based enums Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Andreas Schneider commit 290b0b04ae41b835f864bba02b1320693ef199d3 Author: Stefan Metzmacher Date: Fri Nov 24 16:38:06 2023 +0100 witness.idl: make some types public in order to be used elsewhere Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Andreas Schneider commit 5beef87816d103a729508ce88368c30c87b1fa4e Author: Samuel Cabrero Date: Wed Oct 21 18:30:29 2020 +0200 witness.idl: Set cifs as auth service name for the witness interface Windows clients use the 'cifs' service name to bind to the witness interface. Signed-off-by: Samuel Cabrero Reviewed-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Andreas Schneider commit 78ec47a6674db65d738305cf00861aa711886a43 Author: Stefan Metzmacher Date: Fri Nov 24 16:28:38 2023 +0100 tdb: fix python/tdbdump.py example Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Andreas Schneider commit 3c73d201d454a88135757065a2b238e6d94a1ac9 Author: Ralph Boehme Date: Sun Jan 28 15:35:44 2018 +0100 examples/scripts: add smbXsrvdump A simple python tool to dump smbXsrv TDB databases. 
Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Andreas Schneider commit 8e850685a1052a16bea402df3e8057218080c373 Author: Stefan Metzmacher Date: Fri Nov 24 16:09:58 2023 +0100 smbXsrv.idl: add python bindings This is useful for some scripting examples and debugging... Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Andreas Schneider commit b96ce32f826ba03384e6a7535200d7e18354fc4b Author: Stefan Metzmacher Date: Fri Dec 15 16:46:50 2023 +0100 smbstatus: let --json dump also session channels This makes if easier to
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via 50f74d04884 s3:smbd multichannel: always refresh the network information from 8c63b219a26 s3:ctdbd_conn: fix ctdbd_public_ip_foreach() for ipv6 addresses https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit 50f74d0488438e722eaeb492ae40f07432eb4530 Author: Jones Syue Date: Thu Jan 4 09:42:15 2024 +0800 s3:smbd multichannel: always refresh the network information To maintain SMB Multichannel, windows client might periodically query with FSCTL_QUERY_NETWORK_INTERFACE_INFO to get SMB server's network information, in my case windows server 2022 would do this every 10 minutes (600 seconds). Consider a scenario: the network information might have changed between these queries, some become link down, new interface is link up, network speed is changed, and etc. So far smbd might not aware of these changes and still report out-of-date network information to windows client, until we manually send a SIGHUP to smbd in order to trigger load_interfaces(): smbd_sig_hup_handler() > reload_services () > load_interfaces() This might be a bit inconvenient because it is hard to decide when should we manually send a SIGHUP to smbd for refreshing network information. This patch adds load_interfaces() at fsctl_network_iface_info(), while smbd received FSCTL_QUERY_NETWORK_INTERFACE_INFO would go through this and refresh local_interfaces, then respond to client with up-to-date network information; also refresh num_ifaces to make sure interfaces count is consistent. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15547 
Signed-off-by: Jones Syue Reviewed-by: Stefan Metzmacher Reviewed-by: Björn Jacke (cherry picked from commit 318fd95d5ea63724798592eb6b4eebaecfa0cbfb) Autobuild-User(v4-19-test): Stefan Metzmacher Autobuild-Date(v4-19-test): Fri Jan 5 13:47:03 UTC 2024 on atb-devel-224 --- Summary of changes: source3/smbd/smb2_ioctl_network_fs.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) Changeset truncated at 500 lines:
diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c
index 5b396855ca6..9ef99dca90f 100644
--- a/source3/smbd/smb2_ioctl_network_fs.c
+++ b/source3/smbd/smb2_ioctl_network_fs.c
@@ -366,7 +366,7 @@ static NTSTATUS fsctl_network_iface_info(TALLOC_CTX *mem_ctx,
 struct fsctl_net_iface_info *first = NULL;
 struct fsctl_net_iface_info *last = NULL;
 size_t i;
- size_t num_ifaces = iface_count();
+ size_t num_ifaces;
 enum ndr_err_code ndr_err;
 struct cluster_movable_ips *cluster_movable_ips = NULL;
 int ret;
@@ -375,6 +375,16 @@ static NTSTATUS fsctl_network_iface_info(TALLOC_CTX *mem_ctx,
 return NT_STATUS_INVALID_PARAMETER;
 }
+ /*
+* The list of probed interfaces might have changed, we might need to
+* refresh local_interfaces to get up-to-date network information, and
+* respond to clients which sent FSCTL_QUERY_NETWORK_INTERFACE_INFO.
+* For example, network speed is changed, interfaces count is changed
+* (some link down or link up), and etc.
+*/
+ load_interfaces();
+ num_ifaces = iface_count();
+
 *out_output = data_blob_null;
 array = talloc_zero_array(mem_ctx,
-- Samba Shared Repository
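Review bot: The added `load_interfaces();` in fsctl_network_iface_info() runs on every FSCTL_QUERY_NETWORK_INTERFACE_INFO, so the client decides how often the server re-probes its interfaces, and nothing in the hunk bounds that rate. The commit message expects roughly one query per ten minutes from Windows, but a connected client could presumably send the ioctl far more often, and each call refreshes local_interfaces for the whole process. I would add a short minimum interval between refreshes (a static timestamp checked before the call), or at least document the cost with a comment such as `/* client-triggered: every request re-probes all interfaces; rate-limit if this becomes expensive */`. If load_interfaces() frees the previous list, it is also worth confirming that no pointer into it is held across this call; that cannot be checked here because the function body continues outside the hunk. The identical hunk in the v4-18-test backport further down raises the same point.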
[SCM] Samba Shared Repository - branch v4-18-test updated
The branch, v4-18-test has been updated via 9f8a73d7cc4 s3:smbd multichannel: always refresh the network information from c2c111688c4 s3:ctdbd_conn: fix ctdbd_public_ip_foreach() for ipv6 addresses https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test - Log - commit 9f8a73d7cc4bc0662aa527b045bc9925b9b4c71a Author: Jones Syue Date: Thu Jan 4 09:42:15 2024 +0800 s3:smbd multichannel: always refresh the network information To maintain SMB Multichannel, windows client might periodically query with FSCTL_QUERY_NETWORK_INTERFACE_INFO to get SMB server's network information, in my case windows server 2022 would do this every 10 minutes (600 seconds). Consider a scenario: the network information might have changed between these queries, some become link down, new interface is link up, network speed is changed, and etc. So far smbd might not aware of these changes and still report out-of-date network information to windows client, until we manually send a SIGHUP to smbd in order to trigger load_interfaces(): smbd_sig_hup_handler() > reload_services () > load_interfaces() This might be a bit inconvenient because it is hard to decide when should we manually send a SIGHUP to smbd for refreshing network information. This patch adds load_interfaces() at fsctl_network_iface_info(), while smbd received FSCTL_QUERY_NETWORK_INTERFACE_INFO would go through this and refresh local_interfaces, then respond to client with up-to-date network information; also refresh num_ifaces to make sure interfaces count is consistent. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15547 
Signed-off-by: Jones Syue Reviewed-by: Stefan Metzmacher Reviewed-by: Björn Jacke (cherry picked from commit 318fd95d5ea63724798592eb6b4eebaecfa0cbfb) Autobuild-User(v4-18-test): Stefan Metzmacher Autobuild-Date(v4-18-test): Fri Jan 5 13:46:39 UTC 2024 on atb-devel-224 --- Summary of changes: source3/smbd/smb2_ioctl_network_fs.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c index 5b396855ca6..9ef99dca90f 100644 --- a/source3/smbd/smb2_ioctl_network_fs.c +++ b/source3/smbd/smb2_ioctl_network_fs.c @@ -366,7 +366,7 @@ static NTSTATUS fsctl_network_iface_info(TALLOC_CTX *mem_ctx, struct fsctl_net_iface_info *first = NULL; struct fsctl_net_iface_info *last = NULL; size_t i; - size_t num_ifaces = iface_count(); + size_t num_ifaces; enum ndr_err_code ndr_err; struct cluster_movable_ips *cluster_movable_ips = NULL; int ret; @@ -375,6 +375,16 @@ static NTSTATUS fsctl_network_iface_info(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } + /* +* The list of probed interfaces might have changed, we might need to +* refresh local_interfaces to get up-to-date network information, and +* respond to clients which sent FSCTL_QUERY_NETWORK_INTERFACE_INFO. +* For example, network speed is changed, interfaces count is changed +* (some link down or link up), and etc. +*/ + load_interfaces(); + num_ifaces = iface_count(); + *out_output = data_blob_null; array = talloc_zero_array(mem_ctx, -- Samba Shared Repository
Re: [SCM] Samba Shared Repository - branch master updated
Am 04.01.24 um 15:36 schrieb Brown, James William: On 1/4/2024 7:46 AM, Stefan Metzmacher wrote: @@ -3905,7 +3937,24 @@ static int moveip(TALLOC_CTX *mem_ctx, struct ctdb_context *ctdb, return ret; } - return 0; + /* +* It isn't strictly necessary to wait until takeover runs are +* re-enabled but doing so can't hurt. +*/ + ret = disable_takeover_runs(mem_ctx, + ctdb, + 0, + connected_pnn, + connected_count); + if (ret != 0) { + fprintf(stderr, "Failed to enable takeover runs\n"); + return ret; + } Message should be "Failed to disable takeover runs\n" like previous change at 3886. This is a bit confusing but correct, the function name is strange. We have "disable" with a timeout of 2*options.timelimit and "enable" with a timeout of 0. metze
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 16d802f9c1f script/autobuild.py: add some --private-libraries=ALL testing via 6da49582c21 wafsamba: fix the usage of --private-extension-exception via f22df59b065 wscript: use opt.PRIVATE_EXTENSION_DEFAULT('private-samba') via 3ae5afa6ad0 script/autobuild.py: nonshared-test works now via a80614fe309 third_party/*_wrapper: use SAMBA_LIBRARY(force_unversioned=True) via 533e5daf772 wafsamba: introduce SAMBA_LIBRARY(force_unversioned=False) via 318fd95d5ea s3:smbd multichannel: always refresh the network information via 62654f0aeb1 ctdb: add comments to "addip"/"delip" when CTDB_{CONTROL,EVENT,SRVID}_IPREALLOCATED happens via 589ebabc95e ctdb: let "moveip" end with CTDB_CONTROL_IPREALLOCATED to all connected nodes via 2c6b455bd76 ctdb: remove unused ctdb_message_disable_ip_check() via cad1969b171 ctdb: let "moveip" also use disable_takeover_runs() via b1d0d5d5142 ctdb: send a CTDB_SRVID_IPREALLOCATED message after CTDB_EVENT_IPREALLOCATED from 1134c4f3a63 s3:utils: Fix the auth function to print correct values to the user https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 16d802f9c1f61cebb3699942242fbd3717f0dc4e Author: Stefan Metzmacher Date: Fri Dec 29 15:28:37 2023 + script/autobuild.py: add some --private-libraries=ALL testing BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Jan 4 12:45:58 UTC 2024 on atb-devel-224 commit 6da49582c212aefe859c71688a2d7beb72125fa9 Author: Stefan Metzmacher Date: Fri Dec 29 10:05:18 2023 + wafsamba: fix the usage of --private-extension-exception It was completely unused... 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme commit f22df59b0655f9bb812c39734782b0ff3c71c954 Author: Stefan Metzmacher Date: Fri Dec 29 10:04:59 2023 + wscript: use opt.PRIVATE_EXTENSION_DEFAULT('private-samba') The problem was that we used opt.PRIVATE_EXTENSION_DEFAULT('samba4') and libndr as private will become libndr-samba4 and that already exists as libndr-samba4 as we don't append the extension if it's already there. So meant with --private-libraries=ALL we hit the following problem: $ ./configure --private-libraries=ALL $ make smbd/smbd Waf: Leaving directory `/samba/bin/default' Task dependency cycle in "run_after" constraints: {task ...: cshlib dcerpc-samba4.empty.c.12.o,ndr_winbind_c.c.229.o -> libdcerpc-samba4.so} make: *** [Makefile:131: smbd/smbd] Error 1 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme commit 3ae5afa6ad0421f479c5fe63ed692593eaed7078 Author: Stefan Metzmacher Date: Fri Dec 29 15:27:38 2023 + script/autobuild.py: nonshared-test works now I guess the problem was related to wrapper libraries... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme commit a80614fe3098be42f330a73c5af28e646a86a042 Author: Stefan Metzmacher Date: Fri Dec 29 14:32:51 2023 + third_party/*_wrapper: use SAMBA_LIBRARY(force_unversioned=True) This prevents --private-libraries=ALL from creating unuseable wrapper libraries, as they can't work with symbol versioning. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme commit 533e5daf772b38e21830251d779f083da7197058 Author: Stefan Metzmacher Date: Fri Dec 29 14:32:02 2023 + wafsamba: introduce SAMBA_LIBRARY(force_unversioned=False) This can be used in order to avoid a library to be catched by --private-libraries=ALL. It is needed for our wrapper libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme commit 318fd95d5ea63724798592eb6b4eebaecfa0cbfb Author: Jones Syue Date: Thu Jan 4 09:42:15 2024 +0800 s3:smbd multichannel: always refresh the network information To maintain SMB Multichannel, windows client might periodically query with FSCTL_QUERY_NETWORK_INTERFACE_INFO to get SMB server's network information, in my case windows server 2022 would do this every 10 minutes (600 seconds).
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 314eb730833 Happy New Year 2024! from bab0ac776ca s4/ldap_backend: do_call: use modern DBG macros https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 314eb7308338d31baf909b705917fedc9b094069 Author: Stefan Metzmacher Date: Mon Jan 1 00:03:20 2024 + Happy New Year 2024! Signed-off-by: Stefan Metzmacher --- Summary of changes: VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 620024528ad..bde2e90dffc 100644 --- a/VERSION +++ b/VERSION @@ -13,7 +13,7 @@ # # -SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2023" +SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" # This are the main SAMBA version numbers # -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bab0ac776ca s4/ldap_backend: do_call: use modern DBG macros via 80c2513da4c s4/ldap_backend: abandonrequest: use modern DBG macros via 70a5309bf1f s4/ldap_backend: CompareRequest: use modern DBG macros via 24a01b673cc s4/ldap_backend: modifydnrequest: use modern DBG macros via 2a4d291e824 s4/ldap_backend: delrequest: use modern DBG macros via 9129042eb0a s4/ldap_backend: addrequest: use modern DBG macros via ac3ed2486b7 s4/ldap_backend: modifyrequest: use modern DBG_ macro via 6d4bb12c49c s4/ldap_backend: SearchRequest: use modern DBG_ macro via 54a88491e5f s4/ldap_backend: unwilling: use modern DBG_ macro via 1324732e801 s4/ldap_backend: encode: use modern DBG_ macro via 10002e94009 s4/ldap_backend: change a printf %d to %u for results via d4168fce7b0 s4/ldap_backend: fix a NULL dereference via b41f95f891a winbind_nss_netbsd: fix missing semicolon via b9f32b32e0e docs-xml: use XML_CATALOG_FILES env var if defined via 2073bbf9dca doc-xml: fix name of vfs_linux_xfs man page from 5f5a49d78af lib:crypto: Add tests for GKDI key derivation https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bab0ac776cad50452e42d3c418b60a1635111935 Author: Björn Jacke Date: Mon Dec 25 21:48:35 2023 +0100 s4/ldap_backend: do_call: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Dec 29 13:50:05 UTC 2023 on atb-devel-224 commit 80c2513da4c4f414e4ab88ad1ba3f1e59657391c Author: Björn Jacke Date: Mon Dec 25 21:46:47 2023 +0100 s4/ldap_backend: abandonrequest: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 70a5309bf1f526cd3c00d303570ab7e7d6f15e7a Author: Björn Jacke Date: Mon Dec 25 21:45:55 2023 +0100 s4/ldap_backend: CompareRequest: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 24a01b673cc1002e16cc806d600acbef0856ea54 Author: Björn Jacke Date: Mon Dec 
25 21:37:29 2023 +0100 s4/ldap_backend: modifydnrequest: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 2a4d291e8246058ef8818b56c9861a3eed49cad4 Author: Björn Jacke Date: Mon Dec 25 21:34:28 2023 +0100 s4/ldap_backend: delrequest: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 9129042eb0a19d922ce77e8f51af204fd41ca6bc Author: Björn Jacke Date: Mon Dec 25 21:32:49 2023 +0100 s4/ldap_backend: addrequest: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit ac3ed2486b793865133d2006031ccf4a2c37458b Author: Björn Jacke Date: Mon Dec 25 21:31:27 2023 +0100 s4/ldap_backend: modifyrequest: use modern DBG_ macro Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 6d4bb12c49cde2bc8d14712e3563b32038c6ae45 Author: Björn Jacke Date: Mon Dec 25 21:26:58 2023 +0100 s4/ldap_backend: SearchRequest: use modern DBG_ macro Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 54a88491e5fb1ec949960fad426e9ee51a68fe2f Author: Björn Jacke Date: Mon Dec 25 21:24:13 2023 +0100 s4/ldap_backend: unwilling: use modern DBG_ macro Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 1324732e8013b8ff5833799e86f9fd8f10e3ea41 Author: Björn Jacke Date: Mon Dec 25 21:22:48 2023 +0100 s4/ldap_backend: encode: use modern DBG_ macro Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 10002e94009dc132867e3100c86fd351ce93bc99 Author: Björn Jacke Date: Mon Dec 25 20:37:38 2023 +0100 s4/ldap_backend: change a printf %d to %u for results Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit d4168fce7b07f417c81c801da0fd664fbb90715a Author: Björn Jacke Date: Mon Dec 25 20:30:43 2023 +0100 s4/ldap_backend: fix a NULL dereference Signed-off-by: Bjoern Jacke > Reviewed-by: Stefan Metzmacher commit b41f95f891ab5b1d1878735a513be5d9a13f63c6 Author: Björn Jacke Date: Mon Dec 25 19:53:30 2023 +0100 winbind_nss_netbsd: fix missing semicolon 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15541 Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit b9f32b32e0e1463b8ca3e696d682ecf86503464b Author: Björn Jacke Date: Mon Dec 25 19:50:55 2023 +0100 docs-xml: use XML_CATALOG_FILES env var if defined Thanks to Thierry LARONDE for the fix. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15540 Signed-off-by: Björn Jacke Reviewed-by: Stefan Metzmacher com
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 828f3c99122 s3:ctdbd_conn: fix ctdbd_public_ip_foreach() for ipv6 addresses from 31637d40371 WHATSNEW: Add entry for "samba-tool user get-kerberos-ticket" https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 828f3c99122fb033ecb79e24ed24821b8510f0f8 Author: Stefan Metzmacher Date: Tue Aug 15 08:57:57 2023 +0200 s3:ctdbd_conn: fix ctdbd_public_ip_foreach() for ipv6 addresses BUG: https://bugzilla.samba.org/show_bug.cgi?id=15534 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Dec 21 11:09:30 UTC 2023 on atb-devel-224 --- Summary of changes: source3/lib/ctdbd_conn.c | 33 - 1 file changed, 28 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/ctdbd_conn.c b/source3/lib/ctdbd_conn.c index a739c97f3fd..3698c9d3672 100644 --- a/source3/lib/ctdbd_conn.c +++ b/source3/lib/ctdbd_conn.c @@ -1438,6 +1438,32 @@ static int ctdbd_control_get_public_ips(struct ctdbd_connection *conn, return 0; } +static struct samba_sockaddr ctdbd_sock_addr_to_samba(const ctdb_sock_addr *c) +{ + struct samba_sockaddr s = {}; + + switch (c->sa.sa_family) { + case AF_INET: + s.u.in = c->ip; + break; + case AF_INET6: + /* +* ctdb always requires HAVE_IPV6, +* so we don't need an ifdef here. +*/ + s.u.in6 = c->ip6; + break; + default: + /* +* ctdb_sock_addr only supports ipv4 and ipv6 +*/ + smb_panic(__location__); + break; + } + + return s; +} + int ctdbd_public_ip_foreach(struct ctdbd_connection *conn, int (*cb)(uint32_t total_ip_count, const struct sockaddr_storage *ip, @@ -1457,11 +1483,8 @@ int ctdbd_public_ip_foreach(struct ctdbd_connection *conn, } for (i=0; i < ips->num; i++) { - struct samba_sockaddr tmp = { - .u = { - .sa = ips->ips[i].addr.sa, - }, - }; + const ctdb_sock_addr *addr = >ips[i].addr; + struct samba_sockaddr tmp = ctdbd_sock_addr_to_samba(addr); ret = cb(ips->num, , -- Samba Shared Repository
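Review bot: ctdbd_sock_addr_to_samba() fills only the union member and leaves `s.sa_socklen` at zero, so the returned struct samba_sockaddr does not carry its own length. The visible caller in ctdbd_public_ip_foreach() hands just the address storage to `cb`, so this is harmless today, but a later user of the helper that trusts the length field would see zero. Setting it next to each copy keeps the two in step: `s.sa_socklen = sizeof(s.u.in);` in the AF_INET case and `s.sa_socklen = sizeof(s.u.in6);` in the AF_INET6 case. A one-line comment above the helper saying that copying `c->sa` alone truncates IPv6 addresses would also keep the old initializer from being reintroduced.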
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8cfc6ea9232 Revert "rpc_server:srvsvc - retrieve share ACL via root context" via ff3b50034e2 rpcd_classic: Open share_info.tdb as root from 6d3146f94b2 smbd: Modernize a few DEBUG statements https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8cfc6ea92320be4ef26b91fce58fd76bfc7b95eb Author: Volker Lendecke Date: Tue Dec 19 10:30:58 2023 +0100 Revert "rpc_server:srvsvc - retrieve share ACL via root context" This reverts commit 80c0b416892bfacc0d919fe032461748d7962f05. With the previous patch it is no longer required. We open share_info.tdb as root when starting up rpcd_classic and keep it open. Commit 80c0b416892bfacc0d919fe032461748d7962f05 only fixed the problem in one place, but we had it in a lot more places... Bug: https://bugzilla.samba.org/show_bug.cgi?id=15265 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Dec 20 11:20:51 UTC 2023 on atb-devel-224 commit ff3b50034e2821e54633daafc751d3ea3c00f4c3 Author: Volker Lendecke Date: Wed Dec 13 12:07:00 2023 +0100 rpcd_classic: Open share_info.tdb as root srvsvc needs it, but for example NetShareGetInfo() runs as a user. Opening share_info.tdb at that point is too late. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15265 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- Summary of changes: source3/rpc_server/rpcd_classic.c | 6 ++ source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 17 +++-- 2 files changed, 9 insertions(+), 14 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/rpc_server/rpcd_classic.c b/source3/rpc_server/rpcd_classic.c index 9766d0a760b..2b7e9398d90 100644 --- a/source3/rpc_server/rpcd_classic.c +++ b/source3/rpc_server/rpcd_classic.c 
@@ -115,6 +115,12 @@ static NTSTATUS classic_servers( exit(1); } + status = share_info_db_init(); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("share_info_db_init failed: %s\n", nt_errstr(status)); + exit(1); + } + lp_load_with_shares(get_dyn_CONFIGFILE()); mangle_reset_cache(); diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c index d6e7bed5949..29d224c427d 100644 --- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c +++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c @@ -542,7 +542,6 @@ static bool is_hidden_share(int snum) static bool is_enumeration_allowed(struct pipes_struct *p, int snum) { - bool allowed; struct dcesrv_call_state *dce_call = p->dce_call; struct auth_session_info *session_info = dcesrv_call_session_info(dce_call); @@ -559,19 +558,9 @@ static bool is_enumeration_allowed(struct pipes_struct *p, return false; } - - /* -* share_access_check() must be opened as root -* because it ultimately gets a R/W db handle on share_info.tdb -* which has 0o600 permissions -*/ - become_root(); - allowed = share_access_check(session_info->security_token, -lp_servicename(talloc_tos(), lp_sub, snum), -FILE_READ_DATA, NULL); - unbecome_root(); - - return allowed; + return share_access_check(session_info->security_token, + lp_servicename(talloc_tos(), lp_sub, snum), + FILE_READ_DATA, NULL); } / -- Samba Shared Repository
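Review bot: The new `share_info_db_init()` call in classic_servers() has no comment saying it must run while the process is still root, which according to the commit message is the reason it sits here. Without that, a later reordering of the startup code, or moving the call into a per-request path, would silently bring back the permission failure on share_info.tdb. I would add `/* Open share_info.tdb now, as root: srvsvc calls such as NetShareGetInfo() run as the user and cannot open it later. */` above the call. classic_servers() starts and ends outside the hunk.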
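Review bot: With `become_root()`/`unbecome_root()` removed, is_enumeration_allowed() relies on share_info.tdb already being open from startup, and the hunk does not show what share_access_check() returns when the database handle is missing or has to be reopened in user context. If that path grants access rather than denying it, share enumeration filtering would fail open. The behaviour should be confirmed and ideally pinned by a test that runs the check as an unprivileged user. A short comment at the call, such as `/* share_info.tdb is opened as root in rpcd_classic startup; no become_root() needed here. */`, would record the dependency the revert introduces. The part of is_enumeration_allowed() between the two hunks is not shown.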
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4b7329f1582 ctdb-server: Drop unnecessary copy of destination address via 8fc3872557f ctdb-daemon: Use ctdb_connection_to_buf() to simplify via ddf47e7fe31 smbd: Remove callback for release_ip when "state" is free'ed via 082c7df4d04 s3:selftest: add samba3.blackbox.smbXsrv_client_ctdb_registered_ips via 38b74d4ca9a selftest: export/use CTDB related envvars in order to run the ctdb command via 2e784789d78 ctdbd_conn: add ctdbd_passed_ips() via f3a03f3f774 ctdbd_conn: add ctdbd_unregister_ips() via 75aa6693940 ctdbd_conn: Add deregister_from_ctdbd() via 77a559432ff ctdbd_conn: let register_with_ctdbd() call CTDB_CONTROL_REGISTER_SRVID just once via 240139370aa ctdbd_conn: don't use uninitialized memory in ctdbd_register_ips() via 037e8e449de ctdb: add/implement CTDB_CONTROL_TCP_CLIENT_PASSED via c6602b686b4 ctdb: add/implement CTDB_CONTROL_TCP_CLIENT_DISCONNECTED via 8395fd369d3 ctdb: add ctdb_connection_same() helper via 5f52d140f7b ctdb: make use of ctdb_canonicalize_ip_inplace() in ctdb_control_tcp_client() via f2d9c012fc8 ctdb: add ctdb_canonicalize_ip_inplace() helper via 92badd3bdd8 ctdb: remove unused ctdb->client_ip_list and print debug on ctdb_tcp_list instead from d23d6145bf0 VERSION: move COPYRIGHT_STARTUP_MESSAGE as SAMBA_COPYRIGHT_STRING into version.h https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4b7329f15820f1b4d9a7b7f0947719c4217b312a Author: Martin Schwenke Date: Wed Dec 13 10:29:05 2023 +1100 ctdb-server: Drop unnecessary copy of destination address Modernise debug while touching the code. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523 Signed-off-by: Martin Schwenke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Dec 15 12:09:21 UTC 2023 on atb-devel-224 commit 8fc3872557f715dc38f9898754a785fd073ace96 Author: Martin Schwenke Date: Wed Dec 13 10:22:04 2023 +1100 ctdb-daemon: Use ctdb_connection_to_buf() to simplify The one case that is no longer handled specially is when the destination address is IPv4 loopback. This may previously have been used to avoid flooding the logs when testing. However, that seems unnecessary - if testing with 127.0.0.1 then make it a public address. Modernise debug while touching the code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523 Signed-off-by: Martin Schwenke Reviewed-by: Stefan Metzmacher commit ddf47e7fe314e0f5bf71ff53e35350e0ba530d08 Author: Volker Lendecke Date: Thu Oct 12 17:19:45 2023 +0200 smbd: Remove callback for release_ip when "state" is free'ed If a client connects to a non-public address first followed by a connect to public address with the same client_guid and a connection to the non-public address gets disconnected first, we hit by a use-after-free talloc_get_type_abort() called from release_ip() as "xconn" is already gone, taking smbd_release_ip_state with it. We need to decide between calling ctdbd_unregister_ips() by default, as it means the tcp connection is really gone and ctdb needs to remove the 'tickle' information. But when a connection was passed to a different smbd process, we need to use ctdbd_passed_ips() as the tcp connection is still alive and the 'tickle' information should not be removed within ctdb. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Volker Lendecke Signed-off-by: Stefan Metzmacher Reviewed-by: Martin Schwenke commit 082c7df4d04c2a94c5413c1d6b7eae7be610f950 Author: Stefan Metzmacher Date: Fri Nov 17 11:46:27 2023 +0100 s3:selftest: add samba3.blackbox.smbXsrv_client_ctdb_registered_ips This demonstrates the crash that happens if a client connects to a non-public address first followed by a connect to public address with the same client_guid and a connection to the non-public address gets disconnected first, we hit by a use-after-free talloc_get_type_abort() called from release_ip() as "xconn" is already gone, taking smbd_release_ip_state with it. Note that we also need to mark some subtests as flapping as there's a 2nd problem that happens in the interaction between smbd processes and ctdb when passing a multichannel connection to an existing process, it means we sometimes loose the 'tickle' information within ctdb to that tcp connection. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523 Signed-off-by: Stefan Metzmacher Reviewed-by: Martin Schwenke commit 38b7
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d23d6145bf0 VERSION: move COPYRIGHT_STARTUP_MESSAGE as SAMBA_COPYRIGHT_STRING into version.h from 83e36d97c95 netcmd: add shell command https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d23d6145bf08c4765479951237e697c4b2b11aa2 Author: Stefan Metzmacher Date: Thu Dec 14 11:35:19 2023 +0100 VERSION: move COPYRIGHT_STARTUP_MESSAGE as SAMBA_COPYRIGHT_STRING into version.h We also prodive a samba_copyright_string() helper similar to samba_version_string(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Dec 15 10:44:42 UTC 2023 on atb-devel-224 --- Summary of changes: VERSION | 2 ++ buildtools/wafsamba/samba_patterns.py | 2 +- buildtools/wafsamba/samba_version.py | 1 + lib/param/param.h | 1 + lib/util/copyright.h | 28 source3/include/includes.h| 3 --- source3/include/proto.h | 1 + source3/lib/version.c | 5 + source3/nmbd/nmbd.c | 6 +++--- source3/rpc_server/rpc_host.c | 8 source3/rpc_server/rpc_worker.c | 8 source3/smbd/server.c | 6 +++--- source3/winbindd/winbindd.c | 6 +++--- source3/wscript_build | 3 +-- source4/include/includes.h| 3 --- source4/samba/server.c| 8 16 files changed, 33 insertions(+), 58 deletions(-) delete mode 100644 lib/util/copyright.h Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index f0170b01ce1..620024528ad 100644 --- a/VERSION +++ b/VERSION @@ -13,6 +13,8 @@ # # +SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2023" + # This are the main SAMBA version numbers # # # diff --git a/buildtools/wafsamba/samba_patterns.py b/buildtools/wafsamba/samba_patterns.py index a9c5fcc4b4c..41296810e13 100644 --- a/buildtools/wafsamba/samba_patterns.py +++ b/buildtools/wafsamba/samba_patterns.py 
@@ -15,7 +15,7 @@ def write_version_header(task): return 0 -def SAMBA_MKVERSION(bld, target, source='VERSION'): +def SAMBA_MKVERSION(bld, target, source='VERSION buildtools/wafsamba/samba_version.py'): '''generate the version.h header for Samba''' # We only force waf to re-generate this file if we are installing, diff --git a/buildtools/wafsamba/samba_version.py b/buildtools/wafsamba/samba_version.py index 54ae62f38bd..31103e0f8c4 100644 --- a/buildtools/wafsamba/samba_version.py +++ b/buildtools/wafsamba/samba_version.py @@ -174,6 +174,7 @@ also accepted as dictionary entries here def __str__(self): string="/* Autogenerated by waf */\n" +\ +"#define SAMBA_COPYRIGHT_STRING \"%s\"\n" % self.SAMBA_COPYRIGHT_STRING +\ "#define SAMBA_VERSION_MAJOR %u\n" % self.MAJOR +\ "#define SAMBA_VERSION_MINOR %u\n" % self.MINOR +\ "#define SAMBA_VERSION_RELEASE %u\n" % self.RELEASE diff --git a/lib/param/param.h b/lib/param/param.h index 7ead57f6130..aed48c1660c 100644 --- a/lib/param/param.h +++ b/lib/param/param.h @@ -276,6 +276,7 @@ int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx); /* The following definitions come from lib/version.c */ const char *samba_version_string(void); +const char *samba_copyright_string(void); #endif /* _PARAM_H */ diff --git a/lib/util/copyright.h b/lib/util/copyright.h deleted file mode 100644 index a29f2285d13..000 --- a/lib/util/copyright.h +++ /dev/null 
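Review bot: In the samba_version.py hunk, `"#define SAMBA_COPYRIGHT_STRING \"%s\"\n" % self.SAMBA_COPYRIGHT_STRING` interpolates the value into a C string literal without escaping, as far as the hunk shows. The value added to VERSION in this commit is plain text, but a later copyright string containing a double quote or a backslash would produce a version.h that fails to compile or defines a different string than intended. Escaping where the header is generated would make this robust, for example `% self.SAMBA_COPYRIGHT_STRING.replace('\\', '\\\\').replace('"', '\\"')`. The `__str__` method starts and ends outside the hunk.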
@@ -1,28 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Copyright (C) Björn Jacke 2023 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http:/
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f5c76c3c814 Revert "README.Coding.md: add DBG_STARTUP_NOTICE macro" via cd8dcff9e9c lib/util: convert DBG_STARTUP_NOTICE() to use debug_set_forced_log_priority(DBGLVL_NOTICE) via bd21a0cdefb lib/util: add debug_set_forced_log_priority() from 83e8971c0f1 Claims initial black box tests https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f5c76c3c814dac2b0c09026520f75c0b0e22b6b4 Author: Stefan Metzmacher Date: Thu Nov 23 13:20:23 2023 +0100 Revert "README.Coding.md: add DBG_STARTUP_NOTICE macro" This reverts commit bb370b9381e5d223ff4ac62f612888f90a63fcc5. We no longer use log level -1 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Nov 24 10:34:58 UTC 2023 on atb-devel-224 commit cd8dcff9e9cbfffab8c502c8701c00b0c8e3512b Author: Stefan Metzmacher Date: Wed Nov 22 17:18:29 2023 +0100 lib/util: convert DBG_STARTUP_NOTICE() to use debug_set_forced_log_priority(DBGLVL_NOTICE) Using -1 as log level is not compatible without our infrastructure. As all backends are initialized with .log_level = -1, which means they don't log the message, but now they all try to handle the startup message even if they are not configured. E.g. is means that systemd's journalctl get the message twice now, first via the syslog and also the systemd backend. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 
Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Andrew Bartlett commit bd21a0cdefb30ef5522f81d865c03d11a182a63c Author: Stefan Metzmacher Date: Wed Nov 22 17:03:30 2023 +0100 lib/util: add debug_set_forced_log_priority() By default the priority for syslog/systemd is derived from the log level of the debug message. But for things like startup messages we want to change the priority temporary, like this: debug_set_forced_log_priority(DBGLVL_NOTICE); D_ERR("Startup...\n"); debug_set_forced_log_priority(-1); BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Andrew Bartlett --- Summary of changes: README.Coding.md | 11 +-- lib/util/debug.c | 10 ++ lib/util/debug.h | 9 +++-- 3 files changed, 22 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/README.Coding.md b/README.Coding.md index 132f3f4fa58..76f2c70e95a 100644 --- a/README.Coding.md +++ b/README.Coding.md @@ -539,12 +539,11 @@ It should be: Use these following macros instead of DEBUG: ``` -DBG_STARTUP_NOTICE log level -1 startup like notice -DBG_ERR log level 0error conditions -DBG_WARNING log level 1warning conditions -DBG_NOTICE log level 3normal, but significant, condition -DBG_INFOlog level 5informational message -DBG_DEBUG log level 10 debug-level message +DBG_ERR log level 0error conditions +DBG_WARNING log level 1warning conditions +DBG_NOTICE log level 3normal, but significant, condition +DBG_INFOlog level 5informational message +DBG_DEBUG log level 10 debug-level message ``` Example usage: diff --git a/lib/util/debug.c b/lib/util/debug.c index 6872f2dfe46..f1f91ebe7a7 100644 --- a/lib/util/debug.c +++ b/lib/util/debug.c @@ -94,6 +94,7 @@ static struct { char hostname[HOST_NAME_MAX+1]; bool reopening_logs; bool schedule_reopen_logs; + int forced_log_priority; struct debug_settings settings; debug_callback_fn callback; 
@@ -230,6 +231,10 @@ static int debug_level_to_priority(int level) }; int priority; + if (state.forced_log_priority != -1) { + level = state.forced_log_priority; + } + if (level < 0 || (size_t)level >= ARRAY_SIZE(priority_map)) priority = LOG_DEBUG; else @@ -1133,6 +1138,11 @@ void debug_set_hostname(const char *name) strlcpy(state.hostname, name, sizeof(state.hostname)); } +void debug_set_forced_log_priority(int forced_log_priority) +{ + state.forced_log_priority = forced_log_priority; +} + /** * Ensure debug logs are initialised. * diff --git a/lib/util/debug.h b/lib/util/debug.h index 90230a2d88f..4687ac074b1 100644 --- a/lib/util/debug.h +++ b/lib/util/debug.h @@ -269,14 +269,18 @@ void debugl
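Review bot: The check added in debug_level_to_priority() treats only -1 as "no override", but the new field `state.forced_log_priority` has static storage and therefore starts at 0 unless the `state` initializer sets it, and none of the lib/util/debug.c hunks shown here touches that initializer. If it is not set elsewhere, every message would be mapped to the syslog/systemd priority of log level 0 until the first `debug_set_forced_log_priority(-1)` call, which skews the severities that log monitoring and alerting filter on. I would add `.forced_log_priority = -1,` to the `state` initializer in the same commit. The function body starts before this hunk and continues after it, and the initializer is outside the diff, so this needs confirming against the full file.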
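Review bot: debug_set_forced_log_priority() is added without a comment and stores any `int` unchecked, so its contract is only discoverable from the commit message. With the check in debug_level_to_priority(), a negative value other than -1 or one past the end of `priority_map` silently forces LOG_DEBUG rather than being rejected. A short header comment would help, for example `/* Force the syslog/systemd priority to that of log level forced_log_priority; pass -1 to restore the per-message default. */`. It should also say that the override lives in the file-level `state` and stays in effect for every later message until the caller resets it.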
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bf79979f847 s4:kdc: fix user2user tgs-requests for normal user accounts via cbb8145d0c5 third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4)) via c99fe118fdf tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account via 97e4aab1a6e CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers via 70586061128 CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container via 498542be0bb CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry() via 7f8b15faa76 CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container via 0c329a0fda3 CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files via 3be190dcf71 CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor() from 6e862bd3690 s4/torture: fix exit status of raw.bench-lookup https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bf79979f847de36db9da9646a396cdfe6b0e1c6f Author: Stefan Metzmacher Date: Wed Oct 11 15:58:22 2023 +0200 s4:kdc: fix user2user tgs-requests for normal user accounts User2User tgs requests use the session key of the additional ticket instead of the long term keys based on the password. In addition User2User also asserts that client and server are the same account (checked based on the sid). 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224 commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6 Author: Stefan Metzmacher Date: Mon Oct 16 12:33:15 2023 +1300 third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4)) This allows HDB backends to do special handling for User2User TGS-REQs. The main reason is to let the HDB_F_GET_SERVER lookup to succeed even for non-computer accounts. In Samba these are typically not returned in HDB_F_GET_SERVER in order to avoid generating tickets with the user password. But for User2User the account password is not used, so it is safe to return the server entry. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett [abart...@samba.org Adapted to be an import from lorikeet-heimdal as requested] commit c99fe118fdf11c641d74a51d33b52ac411db95f5 Author: Stefan Metzmacher Date: Wed Oct 11 15:54:15 2023 +0200 tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566 Author: Stefan Metzmacher Date: Fri Jan 29 23:35:31 2016 +0100 CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 70586061128f90afa33f25e104d4570a1cf778db Author: Stefan Metzmacher Date: Wed Jun 7 18:18:58 2023 +0200 CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 Signed-off-by: 
Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 498542be0bbf4f26558573c1f87b77b8e3509371 Author: Stefan Metzmacher Date: Mon Jun 26 15:14:24 2023 +0200 CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry() This makes the next change easier to understand. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47 Author: Stefan Metzmacher Date: Fri Jan 29 23:34:15 2016 +0100 CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container This revealed a bug in our dirsync code, so we mark test_search_with_dirsync_deleted_objects as knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 0c329a0fda37d87ed737e4b579b6d04ec907604c Author: Stefan Metzmacher Date: Fri Jan 29 23:33:37 2016 +0100 CVE-2018
[SCM] Samba Shared Repository - annotated tag tevent-0.16.0 created
The annotated tag, tevent-0.16.0 has been created at af9580411a92603c958fe83245780fb645bb8172 (tag) tagging acd9248b13cba06d5b748f17aa9bc5d62079d9cc (commit) replaces samba-4.19.0rc1 tagged by Stefan Metzmacher on Mon Oct 16 10:16:27 2023 +0200 - Log - tevent: tag release tevent-0.16.0 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmUs8VsACgkQR5ORYRMI QCVwuAgArQ9DCWIxmeG3AZ/U6HhadH9FbzmTMen821xZ8bM9MqzRjlqPCd309r3+ SpvdjQc3J5/AGVWJOm4VNMCuUHdKw4/+BNmDDr5Q3P8SNqQYiW+h8NYmj9h5UHZy yJY+zK6kfGqZeuxii98Jo9CdE+tq9K1qnvNq82Gw7u5k/GBoVUZXh+WYEUvooPGD /Vi1n67FpqnWkpayT1vs8z2w+aoZC819V7v8j8+9iNGX7hDapdKOsIzM0SUbB1tO O0h4b0m/uko7+S1LPNiucUH7+JzPLiGZ3ne5ZTU0tkg/S4i987pmG5XRaWvCRhjK 85sddxP8GcrpsR1oXqFKssMKwirBcw== =UhV/ -END PGP SIGNATURE- Andreas Schneider (58): lib:fuzzing: Fix code spelling lib:tevent: Fix code spelling s3:utils: Fix code spelling s3:spoolss: Remove dead code s4:auth: Fix code spelling s4:cldap_server: Fix code spelling s4:client: Fix code spelling s4:dns_server: Fix code spelling s4:dsdb:common: Fix code spelling s4:dsdb:kcc: Fix code spelling s4:dsdb:repl: Fix code spelling s4:dsdb:samdb: Fix code spelling s4:dsdb:schema: Fix trailing white spaces s4:dsdb:schema: Fix code spelling s4:dsdb:tests: Fix code spelling s4:kdc: Fix code spelling bootstrap: Install codespell s4:lib: Fix code spelling s4:libcli: Remove tailing white spaces s4:libcli: Fix code spelling s4:libnet: Fix code spelling s4:librpc: Fix code spelling s4:ntvfs: Fix code spelling s4:rpc_server: Fix code spelling s4:samba: Fix code spelling s4:scripting: Fix code spelling s4:selftest: Fix code spelling s3:ldap_server: Fix code spelling s4:setup: Fix code spelling s4:smb_server: Fix code spelling s4:torture:auth: Fix code spelling s4:torture:dfs: Fix code spelling s4:torture:drs: Fix code spelling s4:torture:basic: Fix code spelling s4:torture:dns: Fix code spelling s4:torture:krb5: Fix code spelling s4:torture:ldap: Remove trailing white spaces s4:torture:ldap: Fix code 
spelling s4:torture:ldb: Fix code spelling s4:torture:libnetapi: Fix code spelling s4:torture:nbench: Fix code spelling s4:torture:nbt: Fix code spelling s4:torture:raw: Fix code spelling s4:torture:rpc: Fix code spelling s4:torture:smb2: Fix code spelling s4:torture: Fix code spelling s4:wrepl_server: Remove trailing white spaces s4:wrepl_server: Fix code spelling testprogs: Fix code spelling tests: Fix code spelling wintest: Fix code spelling scripts: Add codespell check gitlab-ci: Add running codespell waf: Build nmbd with -Wno-error=stringop-overflow s3:torture: Remove masktest.c s4:samdb: Avoid memory leaks in partition_metadata_get_uint64() s3:client: Use lpcfg_set_cmdline() s3:param: Remove unused lp_set_cmdline() Andrew Bartlett (82): dsdb: Add new function samdb_system_container_dn() dsdb: Use samdb_system_container_dn() in samldb.c dsdb: Use samdb_get_system_container_dn() to get Password Settings Container s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state() s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array() s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret() s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret() dsdb: Use samdb_system_container_dn() in dsdb_trust_*() dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*() lib/util: Move DEBUG() calls in gendb_search_v to common levels and new DBG_*() pattern dsdb: Add dsdb_search_scope_as_string() and use in ldap_backend.c dsdb: Add tracing to dsdb_search() similar to gendb_search_v() dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v() selftest: Add test for combination of anr and paged_results dsdb: Replace talloc_steal() with a shallow copy and reference in dsdb_paged_results dsdb: Make a shallow copy of ldb_parse_tree in operational module s4-rpc_server/drsuapi: Add tmp_highest_usn tracking to replication log s4-rpc_server/drsuapi: Improve debugging of invalid DNs 
s4-rpc_server/drsuapi: Improve debug message for drs_ObjectIdentifier_to_dn_and_nc_root() failure s4-dsdb: Improve logging for drs_ObjectIdentifier_to_dn_and_nc_root() s4-rpc_server/drsuapi: Remove rudundant check for valid and non-NULL ncRoot_dn s4-torture/drs: Save the server dnsname on the DcConnection object s4-torture/drs: Create temp OU with a unique name per test s4-torture/drs: Use
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 10a4a977baf gitlab-ci: run samba-codecheck on ubuntu22.04 via 9a3c558aa44 bootstrap: install codespell, shfmt and shellcheck also on debian/ubuntu via d60af10e6af .codespellignore: adjust in order to pass on ubuntu 22.04 via 94462dfabf0 s4:torture/smb2: fix typo in acls.c from 6071220fcb1 libcli: Make debug_unix_user_token() use just one DEBUG statement https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 10a4a977bafaf2ca9578d0aeae9760bf5b65b5ff Author: Stefan Metzmacher Date: Wed Oct 11 10:15:42 2023 + gitlab-ci: run samba-codecheck on ubuntu22.04 There's no reason to run it on fedora38 and it makes sure autobuild and gitlab-ci use the same. Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Oct 11 12:52:57 UTC 2023 on atb-devel-224 commit 9a3c558aa442aef10d8edcfe811cc23afb9b2b4c Author: Stefan Metzmacher Date: Wed Oct 11 10:15:42 2023 + bootstrap: install codespell, shfmt and shellcheck also on debian/ubuntu Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme commit d60af10e6af97d0a4a69b3282dbfeeb001e669c9 Author: Stefan Metzmacher Date: Wed Oct 11 09:47:09 2023 + .codespellignore: adjust in order to pass on ubuntu 22.04 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme commit 94462dfabf0c14586c00a8161f125b2bd4d18ee1 Author: Ralph Boehme Date: Wed Oct 11 11:17:07 2023 +0200 s4:torture/smb2: fix typo in acls.c This fixes the failing samba-codecheck CI job and is not part of the functional security fix. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 
Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher --- Summary of changes: .codespellignore| 6 ++ .gitlab-ci-main.yml | 4 +--- bootstrap/config.py | 11 --- bootstrap/generated-dists/debian11-32bit/bootstrap.sh | 2 ++ bootstrap/generated-dists/debian11-32bit/packages.yml | 2 ++ bootstrap/generated-dists/debian11/bootstrap.sh | 2 ++ bootstrap/generated-dists/debian11/packages.yml | 2 ++ bootstrap/generated-dists/debian12-32bit/bootstrap.sh | 3 +++ bootstrap/generated-dists/debian12-32bit/packages.yml | 3 +++ bootstrap/generated-dists/debian12/bootstrap.sh | 3 +++ bootstrap/generated-dists/debian12/packages.yml | 3 +++ bootstrap/generated-dists/ubuntu1804-32bit/bootstrap.sh | 2 ++ bootstrap/generated-dists/ubuntu1804-32bit/packages.yml | 2 ++ bootstrap/generated-dists/ubuntu1804/bootstrap.sh | 2 ++ bootstrap/generated-dists/ubuntu1804/packages.yml | 2 ++ bootstrap/generated-dists/ubuntu2004/bootstrap.sh | 2 ++ bootstrap/generated-dists/ubuntu2004/packages.yml | 2 ++ bootstrap/generated-dists/ubuntu2204/bootstrap.sh | 3 +++ bootstrap/generated-dists/ubuntu2204/packages.yml | 3 +++ bootstrap/sha1sum.txt | 2 +- source4/torture/smb2/acls.c | 2 +- 21 files changed, 55 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/.codespellignore b/.codespellignore index ee56c0af3ec..c2f4c37feab 100644 --- a/.codespellignore +++ b/.codespellignore @@ -1,11 +1,15 @@ aas afile ags +alloced ans +ba blong browseable +bre bu clen +creat daa ect fo @@ -16,6 +20,7 @@ inout ist keypair mis +msdos nd ois ommit @@ -43,6 +48,7 @@ ue unsecure unx uptodateness +wan ypes som vas diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 9c1ddc69fd5..6614ef74e64 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml 
@@ -47,7 +47,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 21a93787675107f010836bbfa5e8542c272bc4b0 + SAMBA_CI_CONTAINER_TAG: 07a822597b5bce4af9e8e2987856b27eb20bd1b7 # # We use the ubuntu2204 image as default as # it matches what we have on atb-devel-224 @@ -391,8 +391,6 @@ samba-fips: samba-codecheck: extends: .shared_template needs: - variables: -SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora38} stage: build_first .private_test_only: diff --git a/bootstrap/config.py b/bootstrap/config.py index d531dfc0e63..cfee5e049ce 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -42,6 +42,7 @@ COMMON = [ 'ccache', 'curl', 'chrpath', +'codespell', 'flex', 'gcc', 'gdb', @@ -58,6 +59,7 @@ COMMON = [ 'rng-tools', 'rsync', 'sed', +'shfmt
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5b7f9840f76 selftest: add some basic testing for the io_uring vfs module from 96e18e17748 s3:param: Remove unused lp_set_cmdline() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5b7f9840f766eb91f1f9df68e6d2a01898612890 Author: Stefan Metzmacher Date: Sat Sep 16 20:00:33 2023 +0200 selftest: add some basic testing for the io_uring vfs module We're now able to build it on all linux systems and the ci runners have at least a 5.4 kernel. That's all the current vfs_io_uring requires. Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sun Sep 17 18:04:18 UTC 2023 on atb-devel-224 --- Summary of changes: selftest/target/Samba3.pm | 5 + source3/selftest/tests.py | 12 2 files changed, 17 insertions(+) Changeset truncated at 500 lines: diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 39831afc599..a28e2be0581 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -2010,6 +2010,11 @@ sub setup_fileserver acl_xattr:security_acl_name = user.hackme read only = no +[io_uring] + path = $share_dir + vfs objects = acl_xattr fake_acls xattr_tdb streams_depot time_audit full_audit io_uring + read only = no + [homes] comment = Home directories browseable = No diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index fa51f7fdcbd..5fece702372 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py 
@@ -1391,6 +1391,18 @@ plansmbtorture4testsuite( "simpleserver", '//$SERVER/external_streams_depot -U$USERNAME%$PASSWORD') +vfs_io_uring_tests = { +"smb2.connect", +"smb2.credits", +"smb2.rw", +"smb2.bench", +"smb2.ioctl", +} +for t in vfs_io_uring_tests: +plansmbtorture4testsuite(t, "fileserver", + '//$SERVER_IP/io_uring -U$USERNAME%$PASSWORD', + "vfs_io_uring") + test = 'rpc.lsa.lookupsids' auth_options = ["", "ntlm", "spnego", "spnego,ntlm", "spnego,smb1", "spnego,smb2"] signseal_options = ["", ",connect", ",packet", ",sign", ",seal"] -- Samba Shared Repository
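Review bot: `vfs_io_uring_tests` is written as a set literal, so the `for t in vfs_io_uring_tests:` loop plans the five suites in an order that can differ from run to run, because string hashing is randomised per process unless PYTHONHASHSEED is pinned. A list keeps the generated test plan stable and easy to compare between runs: write the literal with `[` … `]`, or iterate with `for t in sorted(vfs_io_uring_tests):`. Whether this block sits under a platform or build guard is not visible in the hunk; since the commit message ties the module to Linux with a 5.4 or newer kernel, that is worth confirming for other selftest hosts.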
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4af3faace48 nsswitch/wb_common.c: fix socket fd and memory leaks of global state via 91b30a7261e nsswitch/wb_common.c: don't operate on a stale wb_global_ctx.key via 836823e5047 nsswitch/wb_common.c: winbind_destructor can always use get_wb_global_ctx() via 4faf806412c nsswitch/wb_common.c: fix build without HAVE_PTHREAD via 62af25d44e5 nsswitch: add test for pthread_key_delete missuse (bug 15464) via 19fb9a97dff .gitlab-ci: Allow ext4 jobs to run on shared runners via b1e83b6cede .gitlab-ci: make it explicit that some tests require ext4/5.15 kernel via 416ff2c651f .gitlab-ci: restore starting ubuntu2204-samba-o3 for the default pipeline from 0f1443d968c smbd: make vfs_stat_fsp() a no-op on fake file-handles https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4af3faace481d23869b64485b791bdd43d8972c5 Author: Stefan Metzmacher Date: Thu Sep 7 15:59:59 2023 +0200 nsswitch/wb_common.c: fix socket fd and memory leaks of global state When we are called in wb_atfork_child() or winbind_destructor(), wb_thread_ctx_destructor() is not called for the global state of the current nor any other thread, which means we would leak the related memory and socket fds. Now we maintain a global list protected by a global mutex. We traverse the list and close all socket fds, which are no longer used (winbind_destructor) or no longer valid in the current process (wb_atfork_child), in addition we 'autofree' the ones, which are only visible internally as global (per thread) context. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 Tested-by: Krzysztof Piotr Oledzki Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Sep 14 18:53:07 UTC 2023 on atb-devel-224 commit 91b30a7261e6455d3a4f31728c23e4849e3945b9 Author: Stefan Metzmacher Date: Fri Sep 8 09:56:47 2023 +0200 nsswitch/wb_common.c: don't operate on a stale wb_global_ctx.key If nss_winbind is loaded into a process that uses fork multiple times without any further calls into nss_winbind, wb_atfork_child handler was using a wb_global_ctx.key that was no longer registered in the pthread library, so we operated on a slot that was potentially reused by other libraries or the main application. Which is likely to cause memory corruption. So we better don't call pthread_key_delete() in wb_atfork_child(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 Reported-by: Krzysztof Piotr Oledzki Tested-by: Krzysztof Piotr Oledzki Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 836823e5047d0eb18e66707386ba03b812adfaf8 Author: Stefan Metzmacher Date: Fri Sep 8 09:53:42 2023 +0200 nsswitch/wb_common.c: winbind_destructor can always use get_wb_global_ctx() The HAVE_PTHREAD logic inside of get_wb_global_ctx() will do all required magic. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 4faf806412c4408db25448b1f67c09359ec2f81f Author: Stefan Metzmacher Date: Thu Sep 7 16:02:32 2023 +0200 nsswitch/wb_common.c: fix build without HAVE_PTHREAD BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 62af25d44e542548d8cdecb061a6001e0071ee76 Author: Stefan Metzmacher Date: Fri Sep 8 13:57:26 2023 +0200 nsswitch: add test for pthread_key_delete missuse (bug 15464) This is based on https://bugzilla.samba.org/attachment.cgi?id=18081 written by Krzysztof Piotr Oledzki BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 19fb9a97dff2c0222d89a19bc9b0cd27f0306408 Author: Andrew Bartlett Date: Wed Sep 6 09:37:19 2023 +1200 .gitlab-ci: Allow ext4 jobs to run on shared runners At the time of this commit, GitLab shared runners tagged "gce" were 2x AMD EPYC 7B12 with 8GB ram. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher commit b1e83b6cede6ad50e417a6cff583a9ab25f8c980 Author: Stefan Metzmacher Date: Thu Sep 14 10:42:55 2023 +0200 .gitlab-ci: make it explicit that some tests require ext4/5.15 kernel This is better then requiring private runners, as we'll be able to use shared runners for ext4 soon. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 416ff2c651fcbfae83cdf3b6f3c3317d1c146d3f Author: Stefan Metzmacher Date: Wed Sep 13 17:
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 171171565f1 .gitlab-ci: Do builds under /builds as this is never an overlayfs from 0e244ff79b6 s3:torture: Remove masktest.c https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 171171565f1909592cf728d3f6d78c611c6a30ed Author: Andrew Bartlett Date: Tue Sep 5 20:28:02 2023 +1200 .gitlab-ci: Do builds under /builds as this is never an overlayfs On the GitLab shared runners / is overlayfs, which /builds being ext, so we want this real filesystem, which should be faster in any case. This may allow us to use GitLab shared runners for more jobs. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Sep 5 14:20:48 UTC 2023 on atb-devel-224 --- Summary of changes: .gitlab-ci-main.yml | 54 ++--- 1 file changed, 27 insertions(+), 27 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 729de8654bb..30c1980209f 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -170,7 +170,7 @@ include: script: # gitlab predefines CI_JOB_NAME for each job. The gitlab job usually matches the # autobuild name, which means we can define a default template that runs most autobuild jobs -- script/autobuild.py $AUTOBUILD_JOB_NAME $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase +- script/autobuild.py $AUTOBUILD_JOB_NAME $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase # Ensure when adding a new job below that you also add it to # the dependencies for 'pages' below for the code coverage page 
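Review bot: The test base path `/builds/samba-testbase` is spelled out literally on this `script:` line and again on each autobuild line in the following hunks, which is why relocating it needed 27 changed lines. Defining it once under `variables:` (for example `SAMBA_CI_TESTBASE: /builds/samba-testbase`, the name is only a suggestion) and passing `--full-testbase $SAMBA_CI_TESTBASE` would turn the next move into a one-line change and rule out a missed occurrence. Because the jobs run with `--nocleanup --keeplogs`, it is also worth confirming that nothing left under /builds can be picked up by a later job on the same runner; that cannot be judged from the hunk.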
@@ -179,14 +179,14 @@ include: others: extends: .shared_template script: -- script/autobuild.py ldb $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/ldb -- script/autobuild.py pidl $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/pidl -- script/autobuild.py replace $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/replace -- script/autobuild.py talloc $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/talloc -- script/autobuild.py tdb $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/tdb -- script/autobuild.py tevent $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/tevent -- script/autobuild.py samba-xc $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/samba-xc -- script/autobuild.py docs-xml $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/docs-xml +- script/autobuild.py ldb $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/ldb +- script/autobuild.py pidl $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/pidl +- script/autobuild.py replace $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/replace +- script/autobuild.py talloc $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/talloc +- script/autobuild.py tdb $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase 
/builds/samba-testbase/tdb +- script/autobuild.py tevent $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/tevent +- script/autobuild.py samba-xc $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/samba-xc +- script/autobuild.py docs-xml $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/docs-xml .shared_template_build_only: extends: .shared_template @@ -203,20 +203,20 @@ others: script: # gitlab predefines CI_JOB_NAME for each job. The gitlab job usually matches the # autobuild name, which means we can define a default template that runs most autobuild jobs -- script/autobuild.py $AUTOBUILD_JOB_NAME $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5ec660160e4 smbclient3: Get all reparse data for allinfo via a0edab50920 libsmb: Retry with OPEN_REPARSE_POINT on IO_REPARSE_TAG_NOT_HANDLED via eb3e9315fc6 libsmb: Factor out cli_get_reparse_data() from cli_readlink() via 8ad55c382ac libsmb: Move symlink_reparse_buffer_parse() to reparse.c via e99e676bd29 libsmb: Some README.Coding for symlink_reparse_buffer_parse() via e71a6ab5dde pylibsmb: Use reparse_data_buffer_parse() via e20919af5b6 libsmb: Use reparse_data_buffer_parse() to get symlink error resp via 2e20e984e5f libsmb: Use reparse_data_buffer_parse() in cli_readlink() via 97ba7b681f3 libcli: Add general reparse point data parsing via 9831fbeb8f0 libcli: Make symlink_reparse_buffer_parse() more flexible via 874c693b581 smbd: Don't crash in cli_fsctl_send() from f348b84fbcf s3:smbd: fix multichannel connection passing race https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5ec660160e414c18a6ea0e61ef9e7c970dc3d7a1 Author: Volker Lendecke Date: Thu Jul 6 17:53:35 2023 +0200 smbclient3: Get all reparse data for allinfo If we hit a reparse point in point, it might be something but a symlink. Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Aug 10 14:36:40 UTC 2023 on atb-devel-224 commit a0edab509206bb0d4aa3ccd87542181bac486207 Author: Volker Lendecke Date: Wed Jul 5 16:38:32 2023 +0200 libsmb: Retry with OPEN_REPARSE_POINT on IO_REPARSE_TAG_NOT_HANDLED Eventually we'll have to make STOPPED_ON_SYMLINK special to handle the symlink response, but for now they are the same. STOPPED_ON_SYMLINK will tell us where the symlink is, REPARSE_TAG_NOT_HANDLED won't. So if there's an unhandled reparse point somewhere in the path, there's no really good way to handle this. We'll get the REPARSE_TAG_NOT_HANDLED the second time as well. Even SMB1 QPATHINFO gets this when you try to cross a NFS reparse point. 
Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit eb3e9315fc6eca6139a89ea25a367aa9d2559565 Author: Volker Lendecke Date: Thu Jul 6 17:34:31 2023 +0200 libsmb: Factor out cli_get_reparse_data() from cli_readlink() Will be used in smbclient's allinfo command: Reparse points are more than just symlinks. Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 8ad55c382ac7b76996936adcc73856eaef86b0fb Author: Volker Lendecke Date: Tue Aug 1 15:57:50 2023 +0200 libsmb: Move symlink_reparse_buffer_parse() to reparse.c The goal of this is to eventually remove reparse_symlink.c once we have marshalling routines for symlinks in reparse.c Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit e99e676bd29950c3c7806d7c8e1a5931ee0640a7 Author: Volker Lendecke Date: Tue Aug 1 15:36:15 2023 +0200 libsmb: Some README.Coding for symlink_reparse_buffer_parse() Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit e71a6ab5ddef9bdfff85f677a086e4ab1e03b232 Author: Volker Lendecke Date: Tue Aug 1 15:26:49 2023 +0200 pylibsmb: Use reparse_data_buffer_parse() Remove the last direct caller of symlink_reparse_buffer_parse() Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit e20919af5b65f6e056e1b2b01f58e19cc7f35a33 Author: Volker Lendecke Date: Fri Jul 7 11:55:50 2023 +0200 libsmb: Use reparse_data_buffer_parse() to get symlink error resp Gets a nicer error message Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 2e20e984e5fee41e66b03552fdd921fa4fb7ed2e Author: Volker Lendecke Date: Fri Jul 7 11:40:19 2023 +0200 libsmb: Use reparse_data_buffer_parse() in cli_readlink() Gives the chance of better debug higher up (not used yet) Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 97ba7b681f38793d59d5753830f0cac942120ed8 Author: Volker Lendecke Date: Thu Jul 6 11:51:07 2023 +0200 libcli: Add general reparse point data parsing When we retrieve reparse point data, we don't know before what we get. 
Right now all we do is expect a symlink, but we could get other types as well. Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 9831fbeb8f08587a36372da653bc78ed2ff0493c Author: Volker Lendecke Date: Thu Jul 6 16:19:06 2023 +0200 libcli: Make symlink_reparse_buffer_parse() more flexible Allow the destination struct to be preallocated Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 874c693b5817f7512cf435be498764fbe329e507 Author: Volker Lendecke
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 00316255984 dsdb: Make a shallow copy of ldb_parse_tree in operational module via 3b51091c20a dsdb: Replace talloc_steal() with a shallow copy and reference in dsdb_paged_results via 1b68bd977af paged_results: add no memory checks in paged_search() via c67534fe3ff selftest: Add test for combination of anr and paged_results via 8f4c1c67b4f vfs_aio_pthread: fix segfault if samba-tool ntacl get from d23dd3e26c5 dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 003162559848ce45d4f5bd3fb66642960538120f Author: Andrew Bartlett Date: Wed Aug 2 14:13:00 2023 +1200 dsdb: Make a shallow copy of ldb_parse_tree in operational module We should not be making modifications to caller memory. In particular, this causes problems for logging of requests if the original request becomes modified. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Aug 2 12:10:20 UTC 2023 on atb-devel-224 commit 3b51091c20a3c807932bcc986ebb8a676e0ffe6a Author: Andrew Bartlett Date: Wed Aug 2 14:12:07 2023 +1200 dsdb: Replace talloc_steal() with a shallow copy and reference in dsdb_paged_results We should not be stealing caller memory like this, and while a talloc_reference() is not much better, this combined with a shallow copy should be a little better in terms of polite memory management. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 1b68bd977af39263a71af2c6a314c5ccb29e348c Author: Stefan Metzmacher Date: Tue Feb 8 00:41:54 2022 +0100 paged_results: add no memory checks in paged_search() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442 Signed-off-by: Arvid Requate Signed-off-by: Stefan Metzmacher Signed-off-by: Andrew Bartlett [abart...@samba.org combination of two patches by the above authors] commit c67534fe3ff1652dcf95eac2030778b066cdf7a4 Author: Andrew Bartlett Date: Wed Aug 2 13:40:03 2023 +1200 selftest: Add test for combination of anr and paged_results This combination was known to cause a segfault in Samba 4.13, fixed by 5f0590362c5c0c5ee20503a67467f9be2d50e73b in later versions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14970 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2 Author: Jones Syue Date: Wed Aug 2 09:48:40 2023 +0800 vfs_aio_pthread: fix segfault if samba-tool ntacl get If configured as AD DC and aio_pthread appended into 'vfs objects'[1], run these commands would get segfault: 1. sudo samba-tool ntacl get . 2. sudo net vfs getntacl sysvol . gdb said it goes through aio_pthread_openat_fn() @ vfs_aio_pthread.c[2], and the fsp->conn->sconn->client is null (0x0). 'sconn->client' memory is allocated when a new connection is accpeted: smbd_accept_connection > smbd_process > smbXsrv_client_create While running local commands looks like it would not go through smbXsrv_client_create so the 'client' is null, segfault might happen. We should not dereference 'client->server_multi_channel_enabled', if 'client' is null. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441 [1] smb.conf example, samba-4.18.5, ubuntu 22.04.2 [global] dns forwarder = 127.0.0.53 netbios name = U22-JONES-88X1 realm = U22-JONES-88X1.X88X1.JONES server role = active directory domain controller workgroup = X88X1 idmap_ldb:use rfc2307 = yes vfs objects = dfs_samba4 acl_xattr aio_pthread [sysvol] path = /var/lib/samba/sysvol read only = No [netlogon] path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts read only = No [2] gdb (gdb) run /usr/local/samba/bin/samba-tool ntacl get . Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get . [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x7fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0) at ../../source3/modules/vfs_aio_pthread.c:467 warning: Source file is more recent than executable. 467 if (fsp->conn->sconn-
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d23dd3e26c5 dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v() via 78669a04589 dsdb: Add tracing to dsdb_search() similar to gendb_search_v() via acf6d89c3e2 dsdb: Add dsdb_search_scope_as_string() and use in ldap_backend.c via 5cc861603a6 lib/util: Move DEBUG() calls in gendb_search_v to common levels and new DBG_*() pattern via c58a714232b lib:krb5_wrap: Fix resource leak in smb_krb5_kt_seek_and_delete_old_entries via 3ef5162dcdd auth:credentials: Fix resource leak in cli_credentials_set_from_ccache() via 256471299ac auth:kerberos: Fix resource leak in smb_krb5_update_keytab() via f1356805ba5 auth:kerberos: Fix resource leak in smb_krb5_get_keytab_container() via dfc26dc494e auth:kerberos: Fix resource leak in parse_principal() via f374da1dd91 s4:auth: Fix trailing whitespaces in kerberos_util.c from 16eaf7fd52e gp: Cleanup some unused code https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d23dd3e26c5291a381f3576e3a864d8b697ec5ae Author: Andrew Bartlett Date: Mon Jul 31 16:07:46 2023 +1200 dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v() The aim of this tracing is to make it simple to follow the requests made from the RPC server and similar to LDB now that gendb_search_v() is no longer the dominant interface. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jul 31 11:49:19 UTC 2023 on atb-devel-224 commit 78669a0458985175da6330c726f2da202db249ae Author: Andrew Bartlett Date: Mon Jul 31 16:03:53 2023 +1200 dsdb: Add tracing to dsdb_search() similar to gendb_search_v() The aim of this tracing is to make it simple to follow the requests made from the RPC server and similar to LDB now that gendb_search_v() is no longer the dominant interface. 
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit acf6d89c3e2c18784a8d0ba7c9bf0c07502ae000 Author: Andrew Bartlett Date: Mon Jul 31 16:02:25 2023 +1200 dsdb: Add dsdb_search_scope_as_string() and use in ldap_backend.c This will be useful when adding debugging to other routines. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 5cc861603a6b27a5a16ea4e0201953c65c1309d9 Author: Andrew Bartlett Date: Mon Jul 31 14:02:12 2023 +1200 lib/util: Move DEBUG() calls in gendb_search_v to common levels and new DBG_*() pattern This moves success logs 6 -> 10, failure logs 4 -> 5. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher commit c58a714232b1c904359d623e28ac53ed6ef0f30e Author: Pavel Filipenský Date: Wed Jul 26 22:37:51 2023 +0200 lib:krb5_wrap: Fix resource leak in smb_krb5_kt_seek_and_delete_old_entries Reported by Red Hat internal covscan leaked_storage: Variable "cursor" going out of scope leaks the storage it points to. Signed-off-by: Pavel Filipenský Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 3ef5162dcdd1a89497163cd361a2b61d6e1a1540 Author: Pavel Filipenský Date: Wed Jul 26 16:28:36 2023 +0200 auth:credentials: Fix resource leak in cli_credentials_set_from_ccache() Reported by Red Hat internal covscan leaked_storage: Variable "princ" going out of scope leaks the storage it points to. Signed-off-by: Pavel Filipenský Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 256471299ac2c19d813f98f513ac1a444bad7fca Author: Pavel Filipenský Date: Wed Jul 26 16:25:26 2023 +0200 auth:kerberos: Fix resource leak in smb_krb5_update_keytab() Reported by Red Hat internal covscan leaked_storage: Variable "keytab" going out of scope leaks the storage it points to. 
Signed-off-by: Pavel Filipenský Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit f1356805ba505e28b2daccd18b044b3c7255064c Author: Pavel Filipenský Date: Wed Jul 26 16:28:36 2023 +0200 auth:kerberos: Fix resource leak in smb_krb5_get_keytab_container() Reported by Red Hat internal covscan leaked_storage: Variable "keytab" going out of scope leaks the storage it points to. Signed-off-by: Pavel Filipenský Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit dfc26dc494eb9d80fe5b19b0ed41cedd0e187dbd Author: Pavel Filipenský Date: Wed Jul 26 16:28:36 2023 +0200 auth:kerberos: Fix resource leak in parse_principal() Reported by Red Hat internal covscan leaked_storage: Variable "princ" going out of scope leaks the storage
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5571ce9619d dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*() via 4250d07e4dc dsdb: Use samdb_system_container_dn() in dsdb_trust_*() via 9b4f3f3cb4e s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret() via 13eed1e0e7d s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret() via a900f6aa5d9 s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array() via 4e18066fa24 s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state() via 3669caa97f7 dsdb: Use samdb_get_system_container_dn() to get Password Settings Container via 97b682e0eb0 dsdb: Use samdb_system_container_dn() in samldb.c via 25b0e1102e1 dsdb: Add new function samdb_system_container_dn() via 2d461844a20 Bug #9959: Don't search for CN=System via b6e80733c3a For Bug #9959: local talloc frame for next commit from 0bf8b25aacd s3/modules: Fix DFS links when widelinks = yes https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5571ce9619d856d3c9545099366f4e0259aee8ef Author: Andrew Bartlett Date: Thu Jul 27 17:18:45 2023 +1200 dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*() This makes more calls to add children, but avoids the cn=system string in the codebase which makes it easier to audit that this is always being built correctly. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jul 31 07:20:21 UTC 2023 on atb-devel-224 commit 4250d07e4dcd43bf7450b1ae603ff46fdc892d02 Author: Andrew Bartlett Date: Thu Jul 27 17:14:30 2023 +1200 dsdb: Use samdb_system_container_dn() in dsdb_trust_*() This is now exactly the same actions, but just uses common code to do it. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 9b4f3f3cb4ed17bb233d3b5ccd191be63f01f3f4 Author: Andrew Bartlett Date: Thu Jul 27 17:11:39 2023 +1200 s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret() This is now exactly the same actions, but just uses common code to do it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 13eed1e0e7d0bdef6b5cdb6b858f124b812adbea Author: Andrew Bartlett Date: Thu Jul 27 17:09:31 2023 +1200 s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret() This is now exactly the same actions, but just uses common code to do it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit a900f6aa5d909d912ee3ca529baa4047c9c4da87 Author: Andrew Bartlett Date: Thu Jul 27 17:00:21 2023 +1200 s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array() This is now exactly the same actions, but just uses common code to do it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 4e18066fa243da1c505f782ba87187c3bb1078ee Author: Andrew Bartlett Date: Thu Jul 27 16:58:13 2023 +1200 s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state() This is now exactly the same actions, but just uses common code to do it. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 3669caa97f76d3e893ac6a1ab88341057929ee6a Author: Andrew Bartlett Date: Thu Jul 27 16:44:10 2023 +1200 dsdb: Use samdb_get_system_container_dn() to get Password Settings Container By doing this we use the common samdb_get_system_container_dn() routine and we avoid doing a linearize and parse step on the main DN, instead using the already stored parse of the DN. This is more hygienic. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 97b682e0eb0450513dcecb74be672e18e84fe7a2 Author: Andrew Bartlett Date: Thu Jul 27 16:29:34 2023 +1200 dsdb: Use samdb_system_container_dn() in samldb.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 25b0e1102e1a502152d2695aeddf7c6b16fb Author: Andrew Bartlett Date: Thu Jul 27 16:12:11 2023 +1200 dsdb: Add new function samdb_system_container_dn() This will replace many calls crafting or searching for this DN elsewhere in the code
[SCM] Samba Shared Repository - annotated tag ldb-2.8.0 created
The annotated tag, ldb-2.8.0 has been created at 36364505dcb1edd614a732b93bd6479ac9958da6 (tag) tagging 94f11c3c21bc3b8a34d376ab99becd2c6260af62 (commit) replaces tevent-0.15.0 tagged by Stefan Metzmacher on Fri Jul 28 14:09:13 2023 +0200 - Log - ldb: tag release ldb-2.8.0 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmTDr+kACgkQR5ORYRMI QCWW3wf9HgIHhgkhNfjpcqYtnNUv7YayXZQl7Lw9ZTQzyLZHllfZeydSv67BdUoO XzuZeYLVSxBGQB6B/66MK5Rgpw36uKIGs3+MTGyQ0jvgI33OtujOnvHFHRK01YIB xEXgTdNeQRj7HgG5e5yHA+mhCFcb4aRjegy4abD3IyBmX2Z0V0bzdWI0JS+hSCwm 2uaoMoW3Y7kLSlH7hzavxWAUOuLqwZ2iRTliHaMYRo9FnZqyDXXIXtZnMYJ4wK0r 6OLymDZpX/l3akl2wUksA5P5kyV6b4WYMQAJNnDBZmmPjxw5l6cSPHSQlcFcdIFJ 3+86BARD/dd+TEJw8pLf8WoflOzXPA== =qtS9 -END PGP SIGNATURE- Andreas Schneider (19): s3:param: Rename bLoaded global variable s3:param: Fix code spelling s3:passdb: Fix code spelling s3:printing: Fix trailing white spaces in print_iprint.c s3:printing: Fix code spelling s3:printing: Rename variably to dummy to make codespell happy s3:registry: Fix code spelling s3:rpc_client: Fix code spelling s3:rpc_server: Fix code spelling s3:script: Fix code spelling s3:selftest: Fix code spelling s3:smbd: Fix trailing white spaces in dmapi.c s3:smbd: Fix trailing white spaces in quotas.c s3:smbd: Fix code spelling s3:torture: Fix code spelling s3:utils: Fix code spelling s3:winbindd: Fix code spelling s3:waf: Fix code spelling Revert "s3:winbindd: set TEVENT_DEPRECATED as tevent_thread_call_depth_*() api will change soon" Andrew Bartlett (21): WHATSNEW: Add text on PKINIT Certificate Revocation WHATSNEW: Include info on new samba-tool features WHATSNEW: PKINIT testing WHATSNEW: Expand detail on what of 2012, 2012R2 and 2016 support is implemented WHATSNEW: Mention Heimdal updates WHATSNEW: FAST support, Claims compression, SID compression WHATSNEW: mention KDC auditing WHATSNEW: Mention new unicodePwd only over encrypted LDAP restriction lib/fault: During smb_panic() print process comment and setprocname() 
title lib/cmdline: Return if the commandline was redacted in samba_cmdline_burn() python: Move PyList_AsStringList to common code so we can reuse python: Remove const from PyList_AsStringList() python: Add glue.burn_commandline() method samba-tool: Use samba.glue.get_burnt_cmdline rather than regex lib/cmdline: Also burn the --password2 parameter if given lib/cmdline: Also redact --newpassword in samba_cmdline_burn() docs-xml: Fix invalid XML in smbcontrol manpage doc-xml: Add entry for reload-certs for new LDAP certificate reload function WHATSNEW: Add TLS cert reload feature dcom: Remove remainder of DCOM test client code librpc/idl: Remove DCOM and WMI IDL Dmitry Antipov (1): s4:param: replace calls to deprecated Python methods Jeremy Allison (2): s3: torture: Add test to show an SMB1 DFS path of "\\x//\\/" crashes smbd. s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove UNIX separators. Joseph Sutton (1): claims.idl: Fix AD claims encoding Jule Anger (9): s4:process_prefork: avoid memory leaks caused by messaging_post_self s4:process: add method called before entering the tevent_loop_wait s4:process_prefork: create new messaging context for the master process s4:tls_tstream: create tstream_tls_params_internal s4:ldap_server: don't store task_server in ldapsrv_service s4:ldap_server: remember dns_host_name in ldap_service s4:ldap_server: reload tls certificates on smbcontrol reload-certs testprogs/blackbox: add test_ldap_tls_reload.sh ldb: release 2.8.0 for use in Samba 4.19.x Martin Schwenke (10): ctdb-utils: Drop unused scsi_io.c source file ctdb-doc: Correct bit-rotted documenation ctdb: Do not use egrep ctdb-recoverd: CID 1509028 - Use of 32-bit time_t (Y2K38_SAFETY) ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn" ctdb-scripts: Avoid ShellCheck warning SC2162 ctdb-scripts: Support script logging to stderr ctdb-tests: Log to stderr in statd-callout tests ctdb-tools: Always print script output in event status ctdb-tools: 
Improve printing of multi-line event script output Noel Power (1): python/samba: Adjust tarfile extraction filter Pavel Filipenský (13): s3:winbind: Add callback winbind_call_flow() s3:winbind: Update winbind to tevent 0.15.0 API s3:winbind: Set/unset the winbind_call_flow callback if log level changes s3:winbindd: Change the TALLOC_CTX to fix the tevent call depth tracking docs-xml:manpages: Fix tabs in samba
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7319c7596ea ldb: change the version to 2.9.0 for Samba 4.20 via 1771ee694f4 WHATSNEW: Start release notes for Samba 4.20.0pre1. via c403201af33 VERSION: Bump version up to 4.20.0pre1... via 4f12024cafa VERSION: Disable GIT_SNAPSHOT for the Samba 4.19.0rc1 release. via 6943c1e3cde WHATSNEW: Up to Samba 4.19.0rc1. via 94f11c3c21b ldb: release 2.8.0 for use in Samba 4.19.x via 7920d2ff627 ctdb-tools: Improve printing of multi-line event script output via e3c0b72c340 ctdb-tools: Always print script output in event status via e36a4149d80 librpc/idl: Remove DCOM and WMI IDL via abc3d58e1cc dcom: Remove remainder of DCOM test client code via 959dc9068d1 librpc:crypto: SAFE_FREE() -> krb5_free_enctypes() via 05056775eae librpc:crypto: SAFE_FREE() -> krb5_free_string() via ec121eb831d auth:credentials: SAFE_FREE() -> krb5_free_string() via cd60e3fdef4 auth:credentials: SAFE_FREE() -> krb5_free_enctypes() via c5778a0fbdd krb5_wrap: add krb5_free_string() via 75139445c20 krb5_wrap: add krb5_free_enctypes() via 9338d1b17c4 smbd: move tevent_req_post() out of smbd_smb2_create_after_exec() from 20df26b9081 s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove UNIX separators. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7319c7596ea93b06c0c8e7b0926ebdbf08851d11 Author: Jule Anger Date: Tue Jul 25 15:56:59 2023 +0200 ldb: change the version to 2.9.0 for Samba 4.20 Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Jul 28 11:49:02 UTC 2023 on atb-devel-224 commit 1771ee694f47db03d24712e75ded55244ffe2418 Author: Stefan Metzmacher Date: Fri Jul 28 11:52:19 2023 +0200 WHATSNEW: Start release notes for Samba 4.20.0pre1. 
Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit c403201af33bc7b5510e2249e1c395a869ed3949 Author: Stefan Metzmacher Date: Fri Jul 28 11:53:50 2023 +0200 VERSION: Bump version up to 4.20.0pre1... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit 4f12024cafa0aa50325b390418407419a46423ac Author: Stefan Metzmacher Date: Fri Jul 28 11:49:28 2023 +0200 VERSION: Disable GIT_SNAPSHOT for the Samba 4.19.0rc1 release. Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit 6943c1e3cde5359f5c2ebdf90e8985bf97a40ea5 Author: Jule Anger Date: Tue Jul 25 15:59:19 2023 +0200 WHATSNEW: Up to Samba 4.19.0rc1. Signed-off-by: Jule Anger commit 94f11c3c21bc3b8a34d376ab99becd2c6260af62 Author: Jule Anger Date: Tue Jul 18 10:48:57 2023 +0200 ldb: release 2.8.0 for use in Samba 4.19.x * CVE-2023-0614 Not-secret but access controlled LDAP attributes can be discovered (bug 15270) * pyldb: Raise an exception if ldb_dn_get_parent() fails * Implement ldap_whoami in pyldb and add the RFC4532 LDB_EXTENDED_WHOAMI_OID definition * Documentation and spelling fixes * Add ldb_val -> bool,uint64,int64 parsing functions * Split out ldb_val_as_dn() helper function * add LDB_CHANGETYPE_MODRDN support to ldb_ldif_to_pyobject() * add LDB_CHANGETYPE_DELETE support to ldb_ldif_to_pyobject() * let ldb_ldif_parse_modrdn() handle names without 'rdn_name=' prefix * Don't create error string if there is no error * Avoid allocation and memcpy() for every wildcard match candidate * Make ldb_msg_remove_attr O(n) * pyldb: Throw error on invalid controls * pyldb: remove py2 ifdefs * Call tevent_set_max_debug_level(TEVENT_DEBUG_TRACE) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit 7920d2ff627c6ef252e59b428236919ed0abb6ba Author: Martin Schwenke Date: Wed Jul 12 10:39:06 2023 +1000 ctdb-tools: Improve printing of multi-line event script output Multi-line output currently prints 
like this: OUTPUT: aaa bbb ccc This is less beautiful than it could be. Instead, print multi-line output with no inlining and each line indented: OUTPUT: aaa bbb ccc However, continue to inline single line output: OUTPUT: foo Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs commit e3c0b72c340f86b1d6e4fd009d1082c7e477fd04 Author: Martin Schwenke Date: Wed Jul 12 10:39:06 2023 +1000 ctdb-tools: Always print script output in event status When event scripts succeed they generally produce no output. However, when a script succeeds and produces outpu
[SCM] Samba Shared Repository - annotated tag tevent-0.15.0 created
The annotated tag, tevent-0.15.0 has been created at 4d0ff32238d0c395cd4ec3644822726cd2f81f44 (tag) tagging 6a80d170bca0c938f78ab12e37481b52792a9d83 (commit) replaces tdb-1.4.9 tagged by Stefan Metzmacher on Thu Jul 20 12:49:15 2023 +0200 - Log - tevent: tag release tevent-0.15.0 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmS5ESsACgkQR5ORYRMI QCW+HAf/YmdVwBVMpd6tY1cIrbArgeYOfTl1/LYTDnu449tDbx1gFJwhHWliepmo gVBXYih98ApWKxqvtUBdnmFpN2AbYKvdmvAFU7TRQdu4snH8akjYhwymWWpLu6/q be1jgGRWltTURUTsCwNkfDFXjSsLYfyzVv90brO6krNMynmcn1X6avUNAlfDELu3 aDqULU6hT0nXmlOwc/DloATHLOa/xujiUgtDhF+JXuSProQK3ZnX8ggezuQifJQN ZxUBzmtCDD8fK7SdcSZmdy2g5ohVyOw3HY9bzTDIi8OgOdNGGUqnlBgEyLEf4/m0 ti4lhBQx8iGdKZ55mQzFxwWz9p4qSQ== =IplR -END PGP SIGNATURE- Dmitry Antipov (2): lib:replace: rely on epoll_create1() for epoll interface tevent: rely on epoll_create1() for epoll interface Pavel Filipenský (6): tevent: Move definition of _DEPRECATED_ to the top of tevent.h tevent: Deprecate some tevent_thread_call_depth_*() functions tevent: Flow: pass function name to tevent_req_create() tevent: Flow: store callback function name in tevent_req tevent: Flow: store trigger function name in tevent_queue_entry tevent: Flow: add tevent_thread_call_depth_set_callback() Stefan Metzmacher (16): ldb: remove trailing whitespaces from include/dlinklist.h ldb: clarify LGPL scope of include/dlinklist.h lib/util: dlinklist.h sync with LGPL copy from lib/ldb/include/dlinklist.h tevent: add tevent_dlinklist.h as copy from lib/util/dlinklist.h s3:winbindd: set TEVENT_DEPRECATED as tevent_thread_call_depth_*() api will change soon tevent: Flow: store cancel function name in tevent_req tevent: Flow: store cleanup function name in tevent_req tevent: add fd_speed test tevent: introduce tevent_set_max_debug_level() (default TEVENT_DEBUG_WARNING) tevent: add TEVENT_DEBUG() avoid argument overhead when log is not active... 
tevent: make use of TEVENT_DEBUG() when using TEVENT_DEBUG_TRACE tevent: avoid epoll_check_reopen() overhead unless required tevent: let epoll_check_reopen() clear all events before reopening them tevent: avoid calling epoll_update_event() again if epoll_check_reopen() already did it tevent: add tevent_common_fd_str() helper tevent: version 0.15.0 --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag tdb-1.4.9 created
The annotated tag, tdb-1.4.9 has been created at 95e54247fd93a9172437dabc75d5bf6cd424b049 (tag) tagging b649c7d3c2b1e13e900c80ff7a20959a70b1c528 (commit) replaces talloc-2.4.1 tagged by Stefan Metzmacher on Thu Jul 20 12:48:38 2023 +0200 - Log - tdb: tag release tdb-1.4.9 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmS5EQYACgkQR5ORYRMI QCUKPAf/Yqsy0hBvkvcBemxt/HI5V0DFVRnty8R9ot6grZ46qZ/67EGC93mMRDlK 304V+TW2bjtQkPVfPxp5eErc+FDKRfvRNIsqsVLxaK9qAKsOpw54Ik7+7BnPXQu9 xfMN4hoYvTWKEbjXc0Agsu7hL0hOeLT8dThSFEUspzFOOKlTMNXh6NcZEotsw0aQ +IEWjpe+bPVFjFqg4wtdzMRjlmWX3BQ50LHriRrN4okCZ9oHuefiabp7IzsKYJp6 ndhQAYwvnqPTfsWNjtKlXAmJNkoWnO/JHmzoibw03LXPiSLB9yUBPtUVluypT4kk 6B6mOV6EnGcq7Urh7qRyRrvtAsno1A== =I0wR -END PGP SIGNATURE- Stefan Metzmacher (1): tdb: release 1.4.9 --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag talloc-2.4.1 created
The annotated tag, talloc-2.4.1 has been created at 07be14a36896de8f1a31e768853c3b8e1dcb306e (tag) tagging 791e2817e1318237590313f7e372a27c1d48 (commit) replaces tevent-0.14.1 tagged by Stefan Metzmacher on Thu Jul 20 12:47:51 2023 +0200 - Log - talloc: tag release talloc-2.4.1 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmS5ENcACgkQR5ORYRMI QCWEHAgAtXcN3rjitPAt42/P2i0t1d58H/pK3K+aju6R4a8AEtavzFQCUq0A95jU UQvp1e3xzu2T7MUqC+x8TCbCk7ggmnq7WN+UHtkJrcTJ9xTnnzVQvsI8TEAJ2Ccc UFtuxfLre/MDfHni+HMI5qiRvOuh/0zvYPaMWZZHPT9450kdt2FuxzqS6yl9Al6L TeP32fB+cXy5ZqVh01MmlkSUnfmWYsBtb4mjr4l7tX5aAjO3uyY1n+qvQD3MpVgh 7JiZZLD4UXmoTKjwLf+jvdS8TWDnFhFHr+9zh0QyYYjVIUDncnvT3dwDMWefISxQ ihNjlET+Ct64y73vdvFAmFk7cGNksA== =GEZE -END PGP SIGNATURE- Alexander Bokovoy (2): Add ROLE_IPA_DC into two more places wafsamba: Normalize strings in gdb output when comparing ABI Amir Goldstein (4): s4:torture:basic: fix SET_INFO_* macros in delayed_write_update* lib: add NTTIME_[U|m]SEC macros s4:torture:basic: use milliseconds granularity in delayed_write_update7 torture/smb2: do not use client time in delayed timestamp updates test Andreas Schneider (266): s3:libsmb: Remove unused variable 'i' s3:smbd: Don't assign variable to itself s3:rpcsrv:eventlog: Remove unused variable s3:winbind: Remove unused variable s4:samdb: Remove trailing whitespaces s4:samdb: Remove unused variable nsswitch: Fix getting data out of pam_get_data() lib:ldb-samba: Correctly handle search scope s3:printing: Remove trailing whitespaces in vlp.c s3:printing: Remove unused variable s3:modules: Ignore -Wunused-but-set-variable for autogenerated code s4:modules: Move structs with dynamic arrays to end of struct s3:modules: Initialize pointer with NULL s3:netapi: Remove unused variables s3:utils: Remove unused variable s3:torture: Remove unused variable waf: Add support for MemorySanitizer lib:ldb: Add the location to ldb_kv_parse_data_unpack() debug output lib:ldb: Print a debug message in case we have a 
corrupted MDB testprogs: Use random usernames for kinit tests testprogs: Use random usernames for export keytab tests testprogs: Use random user names for kpasswd tests python:tests: Correctly escape $ in user_edit.sh python:tests: Use a random username for user_edit.sh tests python:tests: Correctly escape $ in contact_edit.sh python:tests: Use a random username for contact_edit.sh test python:tests: Correctly escape $ in computer_edit.sh python:tests: Use a random machine name for computer_edit.sh test python:tests: Make sure we do not run into issues with already existing users python:tests: Fix domain_backup test with Python 3.11 python:tests: Tell dns.resolver to not read /etc/resolv.conf python:tests: Add missing result checks for samba_tool.gpo tests python:tests: Make sure we delete the OU for movetest s3:utils: Check if the autorid rangesize is a multiple of the range s3:winbind: Improve warning message if we are out of autorid ranges python:netcmd: Decode return value of find_netbios() from bytes into string lib:ldb: Correctly cast pointers for assert_string_equal() ctdb:client: Fix code spelling ctdb:common: Fix code spelling ctdb:include: Remove trailing whitespaces in ctdb_protocol.h ctdb:include: Fix code spelling ctdb:server: Remove trailing whitespaces in ctdb_recover.c ctdb:server: Remove trailing whitespaces in ctdb_server.c ctdb:server: Fix code spelling ctdb:tcp: Fix code spelling ctdb:tests: Fix code spelling ctdb:tool: Fix code spelling ctdb:utils: Remove trailing whitespaces in scsi_io.c ctdb:utils: Fix code spelling s3:utils: Fix grammar in testparm auth: Fix code spelling buildtools: Fix code spelling examples: Remove trailing whitespaces in ol-schema-migrate.pl examples: Remove trailing whitespaces in mklogon.conf examples: Fix code spelling examples: Remove trailing whitespaces in smb.conf.default examples: Improve comment in smb.conf.default s3:libsmb: Remove trailing whitespaces in clientgen.c s3:libsmb: Fix conflicting 
declaration/implementation s3:waf: Fix One Definition Rule (ODR) violation of libsecrets3 Add .clangd configuration file buildtools: Remove compile_commands.json symlink lib:talloc: Move talloc_get_size() out of the talloc reference group lib:addns: Rename additionals to additional lib:addns: Fix code spelling lib:audit_logging: Fix code spelling lib:cmdline: Fix code spelling lib:compression: Fix code spelling lib:crypto: Improve comment about weak
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via dfeabce44fb s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels via d5f1097b622 s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels via 404ce08e908 s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels via 5f87888ed53 netlogon.idl: add support for netr_LogonGetCapabilities response level 2 from 5a5e24e s3:libsmb: Fix code spelling https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9 Author: Stefan Metzmacher Date: Sat Jul 15 16:11:48 2023 +0200 s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels This is important as Windows clients with KB5028166 seem to call netr_LogonGetCapabilities with query_level=2 after a call with query_level=1. An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG for query_level values other than 1. While Samba tries to return NT_STATUS_NOT_SUPPORTED, but later fails to marshall the response, which results in DCERPC_FAULT_BAD_STUB_DATA instead. Because we don't have any documentation for level 2 yet, we just try to behave like an unpatched server and generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of DCERPC_FAULT_BAD_STUB_DATA. Which allows patched Windows clients to keep working against a Samba DC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224 commit d5f1097b6220676d56ed5fc6707acf667b704518 Author: Stefan Metzmacher Date: Sat Jul 15 16:11:48 2023 +0200 s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels This is important as Windows clients with KB5028166 seem to call netr_LogonGetCapabilities with query_level=2 after a call with query_level=1. An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG for query_level values other than 1. While Samba tries to return NT_STATUS_NOT_SUPPORTED, but later fails to marshall the response, which results in DCERPC_FAULT_BAD_STUB_DATA instead. Because we don't have any documentation for level 2 yet, we just try to behave like an unpatched server and generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of DCERPC_FAULT_BAD_STUB_DATA. Which allows patched Windows clients to keep working against a Samba DC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 404ce08e9088968311c714e756f5d58ce2cef715 Author: Stefan Metzmacher Date: Sat Jul 15 17:25:05 2023 +0200 s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG for unsupported query_levels, we allow it to work with servers with or without support for query_level=2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 5f87888ed53320538cf773d64868390d8641a40e Author: Stefan Metzmacher Date: Sat Jul 15 17:20:32 2023 +0200 netlogon.idl: add support for netr_LogonGetCapabilities response level 2 We don't have any documentation about this yet, but tests against a Windows Server 2022 patched with KB5028166 revealed that the response for query_level=2 is exactly the same as for querey_level=1. Until we know the reason for query_level=2 we won't use it as client nor support it in the server, but we want ndrdump to work. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- Summary of changes: librpc/idl/netlogon.idl | 1 + source3/rpc_server/netlogon/srv_netlog_nt.c | 29 -- source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 -- source4/torture/rpc/netlogon.c| 77 ++- 4 files changed, 126 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl index 48a8c8f9310..85dd73ee7e4 100644 --- a/librpc/idl/netlogon.idl +++ b/librpc/idl/netlogon.idl @@ -1236,6 +1236,7 @@ interface netlogon /* Function 0x15 */ typedef [switch_type(uint32)] union { [case(1)] netr_NegotiateFlags server_capabilities
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 083fe1c28c6 smbd: call exit_server_cleanly() to avoid panicking via 50e771c12f8 s3:winbindd: let winbind_samlogon_retry_loop() fallback to NT_STATUS_NO_LOGON_SERVERS via b317b10dffd s3:winbindd: make use of reset_cm_connection_on_error() in winbind_samlogon_retry_loop() via 0cb6de4b1d5 s3:winbindd: let winbind_samlogon_retry_loop() always start with authoritative = 1 via 4ad5a35a3f6 s3:winbindd: make use of reset_cm_connection_on_error() for winbindd_lookup_{names,sids}() via cb59fd43bbf s3:winbindd: call reset_cm_connection_on_error() in wb_cache_query_user_list() from d2940694c6a ctdb-tests: Run ShellCheck on event-script unit test support scripts https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 083fe1c28c6ec69cbd15d8cc2f7f06b1b630f2bc Author: Ralph Boehme Date: Wed Jul 5 11:33:58 2023 +0200 smbd: call exit_server_cleanly() to avoid panicking The parent smbd forwards SIGTERM to its process group in order to kill all children like the scavenger. This happens from a function registered via atexit() which means the signal forwarding is happening very briefly before the main smbd process exits. When exiting the pipe between smbd and scavenger is closed which triggers a file event in the scavenger. However, due to kernel scheduling it is possible that the file descriptor event is received before the signal, where we call exit_server() which calls smb_panic() at the end. Change the exit to exit_server_cleanly() and just log this event at level 2 which we already do. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15275 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jul 5 13:14:08 UTC 2023 on atb-devel-224 commit 50e771c12f84f9268c2e9ddeef0965f79f85de3d Author: Stefan Metzmacher Date: Tue Jul 4 14:12:03 2023 +0200 s3:winbindd: let winbind_samlogon_retry_loop() fallback to NT_STATUS_NO_LOGON_SERVERS When we were not able to get a valid response from any DC we should report NT_STATUS_NO_LOGON_SERVERS with authoritative = 1. This matches what Windows does. In a chain of transitive trusts the ACCESS_DENIED/authoritative=0 is not propagated; instead NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is passed along the chain if no other DC is available. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Volker Lendecke commit b317b10dffd99d1add3ff0b85b958edd9639abc8 Author: Stefan Metzmacher Date: Tue Jul 4 13:01:24 2023 +0200 s3:winbindd: make use of reset_cm_connection_on_error() in winbind_samlogon_retry_loop() Note this is more than a simple invalidate_cm_connection() as it may set domain->conn.netlogon_force_reauth = true, which is important in order to recover from NT_STATUS_RPC_SEC_PKG_ERROR errors. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Volker Lendecke commit 0cb6de4b1d5410f3699172952be81c6eb75c2c86 Author: Stefan Metzmacher Date: Wed Feb 16 14:19:16 2022 +0100 s3:winbindd: let winbind_samlogon_retry_loop() always start with authoritative = 1 Otherwise we could treat a local problem as non-authoritative. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Volker Lendecke commit 4ad5a35a3f67860aa7a1345efcfc92fe40578e31 Author: Stefan Metzmacher Date: Tue Jul 4 12:32:34 2023 +0200 s3:winbindd: make use of reset_cm_connection_on_error() for winbindd_lookup_{names,sids}() Note this is more than a simple invalidate_cm_connection() as it may set domain->conn.netlogon_force_reauth = true. This is not strictly needed as the callers call reset_cm_connection_on_error() via reconnect_need_retry(). But it might avoid one roundtrip. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Volker Lendecke commit cb59fd43bbf758e4bad774cfc19ef87b157052c2 Author: Stefan Metzmacher Date: Tue Jul 4 12:32:34 2023 +0200 s3:winbindd: call reset_cm_connection_on_error() in wb_cache_query_user_list() This is mostly for consistency, every remote call should call reset_cm_connection_on_error(). Note this is more than a simple invalidate_cm_connection() as it may set domain->conn.netlogon_force_reauth = true. BUG: https://bugzilla.samba.org/show_bug.cgi
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7b6cedf5385 .gitlab-ci:bootstrap: remove ubuntu1804*, add debian12, upgrade opensuse 15.5 from d720eb2c083 third_party: Update socket_wrapper to version 1.4.2 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7b6cedf5385e0313acc8629c8c9238309fab64c0 Author: Stefan Metzmacher Date: Thu Nov 17 16:14:27 2022 +0100 .gitlab-ci:bootstrap: remove ubuntu1804*, add debian12, upgrade opensuse 15.5 Signed-off-by: Stefan Metzmacher [abart...@samba.org Use Debian 11 for the 32 bit host as the compile currently fails - just exits without information - mid-way on Debian 12] 
Signed-off-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Jun 30 08:51:17 UTC 2023 on atb-devel-224 --- Summary of changes: .gitlab-ci-main.yml| 34 +++--- bootstrap/.gitlab-ci.yml | 18 +-- bootstrap/config.py| 30 - bootstrap/generated-dists/Vagrantfile | 31 - .../{centos7 => debian11-32bit}/Dockerfile | 2 +- .../{debian11 => debian11-32bit}/bootstrap.sh | 0 .../{f37mit120 => debian11-32bit}/locale.sh| 0 .../{debian11 => debian11-32bit}/packages.yml | 0 .../{centos7 => debian12-32bit}/Dockerfile | 2 +- .../{ubuntu2204 => debian12-32bit}/bootstrap.sh| 1 - .../{fedora37 => debian12-32bit}/locale.sh | 0 .../{ubuntu2204 => debian12-32bit}/packages.yml| 1 - .../{fedora37 => debian12}/Dockerfile | 4 +- .../{ubuntu2204 => debian12}/bootstrap.sh | 1 - .../{opensuse154 => debian12}/locale.sh| 0 .../{ubuntu2204 => debian12}/packages.yml | 1 - bootstrap/generated-dists/f37mit120/bootstrap.sh | 126 - bootstrap/generated-dists/f37mit120/packages.yml | 110 -- bootstrap/generated-dists/fedora37/bootstrap.sh| 123 bootstrap/generated-dists/fedora37/packages.yml| 110 -- bootstrap/generated-dists/opensuse154/Dockerfile | 29 - .../{f37mit120 => opensuse155}/Dockerfile | 4 +- .../{opensuse154 => opensuse155}/bootstrap.sh | 0 .../{centos7 => opensuse155}/locale.sh | 0 .../{opensuse154 => opensuse155}/packages.yml | 0 bootstrap/sha1sum.txt | 2 +- 26 files changed, 85 insertions(+), 544 deletions(-) copy bootstrap/generated-dists/{centos7 => debian11-32bit}/Dockerfile (90%) copy bootstrap/generated-dists/{debian11 => debian11-32bit}/bootstrap.sh (100%) rename bootstrap/generated-dists/{f37mit120 => debian11-32bit}/locale.sh (100%) copy bootstrap/generated-dists/{debian11 => debian11-32bit}/packages.yml (100%) copy bootstrap/generated-dists/{centos7 => debian12-32bit}/Dockerfile (90%) copy bootstrap/generated-dists/{ubuntu2204 => debian12-32bit}/bootstrap.sh (97%) rename bootstrap/generated-dists/{fedora37 => debian12-32bit}/locale.sh (100%) copy 
bootstrap/generated-dists/{ubuntu2204 => debian12-32bit}/packages.yml (97%) rename bootstrap/generated-dists/{fedora37 => debian12}/Dockerfile (92%) copy bootstrap/generated-dists/{ubuntu2204 => debian12}/bootstrap.sh (97%) rename bootstrap/generated-dists/{opensuse154 => debian12}/locale.sh (100%) copy bootstrap/generated-dists/{ubuntu2204 => debian12}/packages.yml (97%) delete mode 100755 bootstrap/generated-dists/f37mit120/bootstrap.sh delete mode 100644 bootstrap/generated-dists/f37mit120/packages.yml delete mode 100755 bootstrap/generated-dists/fedora37/bootstrap.sh delete mode 100644 bootstrap/generated-dists/fedora37/packages.yml delete mode 100644 bootstrap/generated-dists/opensuse154/Dockerfile rename bootstrap/generated-dists/{f37mit120 => opensuse155}/Dockerfile (91%) rename bootstrap/generated-dists/{opensuse154 => opensuse155}/bootstrap.sh (100%) copy bootstrap/generated-dists/{centos7 => opensuse155}/locale.sh (100%) rename bootstrap/generated-dists/{opensuse154 => opensuse155}/packages.yml (100%) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 798192f9b04..779eedb8255 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -47,7 +47,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: cf0a5476a4f13d449a7542d01d225dc2aef2a333 + SAMBA_CI_CONTAINER_TAG: 190a74ee9628f298961d890ba37fcc7d213daae2 # # We use the ubuntu2204 image as default as # it matches what we have on atb-devel-224 @@ -58,12 +58,12 @@ variables:
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d720eb2c083 third_party: Update socket_wrapper to version 1.4.2 from afbed653526 s3:utils: smbget fix a memory leak https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d720eb2c083f3d162e93011d69c4b742cd03f3aa Author: Andreas Schneider Date: Wed Jun 21 12:40:16 2023 +0200 third_party: Update socket_wrapper to version 1.4.2 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Jun 29 16:06:11 UTC 2023 on atb-devel-224 --- Summary of changes: buildtools/wafsamba/samba_third_party.py| 2 +- third_party/socket_wrapper/socket_wrapper.c | 182 third_party/socket_wrapper/wscript | 7 +- 3 files changed, 189 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_third_party.py b/buildtools/wafsamba/samba_third_party.py index 356b041a2a9..52898486fd9 100644 --- a/buildtools/wafsamba/samba_third_party.py +++ b/buildtools/wafsamba/samba_third_party.py @@ -24,7 +24,7 @@ Build.BuildContext.CHECK_CMOCKA = CHECK_CMOCKA @conf def CHECK_SOCKET_WRAPPER(conf): -return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.4.0') +return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.4.2') Build.BuildContext.CHECK_SOCKET_WRAPPER = CHECK_SOCKET_WRAPPER @conf diff --git a/third_party/socket_wrapper/socket_wrapper.c b/third_party/socket_wrapper/socket_wrapper.c index bf4a976eaee..c759d350fb1 100644 --- a/third_party/socket_wrapper/socket_wrapper.c +++ b/third_party/socket_wrapper/socket_wrapper.c @@ -44,6 +44,12 @@ #include "config.h" +/* + * Make sure we do not redirect (f)open(at)() or fcntl() to their 64bit + * variants + */ +#undef _FILE_OFFSET_BITS + #include #include #include 
@@ -94,6 +100,10 @@ #include "socket_wrapper.h" +#ifdef __USE_FILE_OFFSET64 +#error -D_FILE_OFFSET_BITS=64 should not be set for socket_wrapper! +#endif + enum swrap_dbglvl_e { SWRAP_LOG_ERROR = 0, SWRAP_LOG_WARN, @@ -507,6 +517,9 @@ typedef int (*__libc_connect)(int sockfd, typedef int (*__libc_dup)(int fd); typedef int (*__libc_dup2)(int oldfd, int newfd); typedef int (*__libc_fcntl)(int fd, int cmd, ...); +#ifdef HAVE_FCNTL64 +typedef int (*__libc_fcntl64)(int fd, int cmd, ...); +#endif typedef FILE *(*__libc_fopen)(const char *name, const char *mode); #ifdef HAVE_FOPEN64 typedef FILE *(*__libc_fopen64)(const char *name, const char *mode); @@ -531,6 +544,9 @@ typedef int (*__libc_open)(const char *pathname, int flags, ...); #ifdef HAVE_OPEN64 typedef int (*__libc_open64)(const char *pathname, int flags, ...); #endif /* HAVE_OPEN64 */ +#ifdef HAVE_OPENAT64 +typedef int (*__libc_openat64)(int dirfd, const char *pathname, int flags, ...); +#endif /* HAVE_OPENAT64 */ typedef int (*__libc_openat)(int dirfd, const char *path, int flags, ...); typedef int (*__libc_pipe)(int pipefd[2]); typedef int (*__libc_read)(int fd, void *buf, size_t count); @@ -612,6 +628,9 @@ struct swrap_libc_symbols { SWRAP_SYMBOL_ENTRY(dup); SWRAP_SYMBOL_ENTRY(dup2); SWRAP_SYMBOL_ENTRY(fcntl); +#ifdef HAVE_FCNTL64 + SWRAP_SYMBOL_ENTRY(fcntl64); +#endif SWRAP_SYMBOL_ENTRY(fopen); #ifdef HAVE_FOPEN64 SWRAP_SYMBOL_ENTRY(fopen64); @@ -627,6 +646,9 @@ struct swrap_libc_symbols { SWRAP_SYMBOL_ENTRY(open); #ifdef HAVE_OPEN64 SWRAP_SYMBOL_ENTRY(open64); +#endif +#ifdef HAVE_OPENAT64 + SWRAP_SYMBOL_ENTRY(openat64); #endif SWRAP_SYMBOL_ENTRY(openat); SWRAP_SYMBOL_ENTRY(pipe); 
@@ -983,6 +1005,23 @@ static int libc_vfcntl(int fd, int cmd, va_list ap) return rc; } +#ifdef HAVE_FCNTL64 +DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE +static int libc_vfcntl64(int fd, int cmd, va_list ap) +{ + void *arg; + int rc; + + swrap_bind_symbol_all(); + + arg = va_arg(ap, void *); + + rc = swrap.libc.symbols._libc_fcntl64.f(fd, cmd, arg); + + return rc; +} +#endif + static int libc_getpeername(int sockfd, struct sockaddr *addr, socklen_t *addrlen) @@ -1115,6 +1154,29 @@ static int libc_vopen64(const char *pathname, int flags, va_list ap) } #endif /* HAVE_OPEN64 */ +#ifdef HAVE_OPENAT64 +static int +libc_vopenat64(int dirfd, const char *pathname, int flags, va_list ap) +{ + int mode = 0; + int fd; + + swrap_bind_symbol_all(); + + swrap_inject_o_largefile(); + + if (flags & O_CREAT) { + mode = va_arg(ap, int); + } + fd = swrap.libc.symbols._libc_openat64.f(dirfd, +
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b0524830aaf s4:kdc: don't log an error if msDS-AllowedToActOnBehalfOfOtherIdentity is missing via e9367887123 s4:kdc: Include default groups in security token via 34760dfc89e s4:kdc: Implement Heimdal hook for resource-based constrained delegation via fc33033bacf tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses via fcfdb44381f tests/krb5: Be less strict regarding acceptable delegation error codes via 0e43d11e39b s4:kdc: Remove useless sdb → hdb error code translation via 7e76f36d918 s4:kdc: Initialize pointers with NULL via 3784bca73e0 third_party/heimdal: Import lorikeet-heimdal-202306200407 (commit fc2894beeaa71897753975154a5f7fd80b923325) from de2738fb9a7 smbd: Don't mask open error if fstatat() fails https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b0524830aaf0ccf7dc2efbe66d2bf38b509c0143 Author: Stefan Metzmacher Date: Fri Jun 23 11:51:47 2023 +0200 s4:kdc: don't log an error if msDS-AllowedToActOnBehalfOfOtherIdentity is missing We log a warning if access is not granted from a security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity, so we should use the same log level if msDS-AllowedToActOnBehalfOfOtherIdentity is not available at all. Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Jun 27 06:39:08 UTC 2023 on atb-devel-224 commit e9367887123ce43c55a7ab436afe659900bdc532 Author: Joseph Sutton Date: Tue Jun 20 16:50:18 2023 +1200 s4:kdc: Include default groups in security token This is consistent with the behaviour of the existing function _authn_policy_access_check() and of Windows. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 34760dfc89e879a889d64b48c606ccbaf10e8ba3 Author: Joseph Sutton Date: Tue Jun 20 14:22:15 2023 +1200 s4:kdc: Implement Heimdal hook for resource-based constrained delegation 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit fc33033bacfe9f800678bd41977d3a20f5072bc0 Author: Joseph Sutton Date: Tue Jun 20 16:48:58 2023 +1200 tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit fcfdb44381f60007679b5cdcff44b4aaf866b376 Author: Joseph Sutton Date: Tue Jun 20 16:46:03 2023 +1200 tests/krb5: Be less strict regarding acceptable delegation error codes Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 0e43d11e39bf57dccebd661e028a717be2b8803c Author: Joseph Sutton Date: Tue Jun 20 16:41:05 2023 +1200 s4:kdc: Remove useless sdb → hdb error code translation samba_kdc_check_s4u2proxy() is never going to return an SDB_* error code, so these conditions can never be hit. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 7e76f36d91866d4e91aabf38c9b97c3cf78e63e2 Author: Joseph Sutton Date: Tue Jun 20 16:40:03 2023 +1200 s4:kdc: Initialize pointers with NULL Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 3784bca73e0f4c14cfcc7d34ec67f25f193747e7 Author: Joseph Sutton Date: Tue Jun 20 16:33:17 2023 +1200 third_party/heimdal: Import lorikeet-heimdal-202306200407 (commit fc2894beeaa71897753975154a5f7fd80b923325) Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- Summary of changes: python/samba/tests/krb5/authn_policy_tests.py | 40 +++- python/samba/tests/krb5/s4u_tests.py | 36 +++ selftest/knownfail_heimdal_kdc| 23 --- source4/kdc/db-glue.c | 12 ++-- source4/kdc/hdb-samba4.c | 50 --- third_party/heimdal/kdc/mssfu.c | 87 +-- third_party/heimdal/lib/hdb/hdb.h | 5 ++ 7 files changed, 171 insertions(+), 82 deletions(-) Changeset truncated at 500 lines: 
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py index 5ffdba41e99..b2625cc4013 100755 --- a/python/samba/tests/krb5/authn_policy_tests.py +++ b/python/samba/tests/krb5/authn_policy_tests.py @@ -5382,18 +5382,24 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): self.discardMessages() # Show that obtaining a service
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7828c6535cd s4:kdc: Don’t overwrite error code via 192024e8403 s4:kdc: Add comment to clarify that we fetch the client claims via fcea53584de s4:kdc: clear client and device claims from trusts via 7a4fa2c5643 s4:kdc: Make [client,device]_claims_blob const pointers via ebc27cf32a6 s4:kdc: Remove unnecessary NULL check via c69174c07c4 s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac() via 1ffca866c15 s4:kdc: adjust formatting of samba_kdc_update_pac() documentation via b42fbc78395 s4:kdc: Enforce authentication policy service restrictions when getting a PAC via 3240ac4ebef s4:kdc: Check authentication policy server restrictions via 9a9f4799192 s4:kdc: Check authentication policy device restrictions via f3714a3e3a3 s4:kdc: Add comment stating that policies aren’t looked up for S4U clients via 8b1897f02ee tests/krb5: Test that client policies are not enforced with S4U via 8e32075188f tests/krb5: Fix RBCD comments via 456373ac19c tests/krb5: Don’t unnecessarily specify ‘id’ via 620c842da01 s4:kdc: Remove unused ‘server’ parameter in pac_verify() via 67436de3e77 s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event via 19f867bc54e s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors via 8425ffc8f3b s4:kdc: Update Samba KDC plugin to match new Heimdal version via 95c02a9794b third_party/heimdal: Import lorikeet-heimdal-202306192129 (commit 0096f9c1dc105d8ac9f7dd96d653b05228f7d280) via 1abc2543cd4 tests/krb5: Add test for authenticating with disabled account and wrong password via 9d7f1794937 tests/auth_log_pass_change: Fix flapping test via 539cd516004 netcmd: domain: Fix typo from ecff09d75df Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7828c6535cd61ef9ff64417226fcd8ae9dad23e9 Author: Joseph Sutton Date: Mon Jun 26 17:09:22 2023 +1200 s4:kdc: Don’t overwrite error code Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jun 26 12:11:30 UTC 2023 on atb-devel-224 commit 192024e840333d99cf7028cb1abfcc9da5af335e Author: Joseph Sutton Date: Fri Jun 23 11:55:24 2023 +1200 s4:kdc: Add comment to clarify that we fetch the client claims Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit fcea53584deadd41ecd5ce47402eee36168bbc24 Author: Stefan Metzmacher Date: Thu Jun 22 09:08:53 2023 +0200 s4:kdc: clear client and device claims from trusts As we don't support the Claims Transformation Algorithm [MS-CTA] we better clear claims as they have no valid meaning in our domain. Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7a4fa2c5643d42bd8caba31e44df94812196fca4 Author: Joseph Sutton Date: Mon Jun 26 11:10:51 2023 +1200 s4:kdc: Make [client,device]_claims_blob const pointers This is so that we can have them point to ‘null_data’ if we so choose. We can’t assign the result of data_blob_talloc() to a const pointer, so we go through an intermediary non-const pointer for the device_claims_blob case. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit ebc27cf32a61d543a1fa2c73ca49e28077904e43 Author: Joseph Sutton Date: Mon Jun 26 11:11:19 2023 +1200 s4:kdc: Remove unnecessary NULL check pac_blobs_add_blob() already checks whether the blob argument is NULL, and skips adding the blob if so. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit c69174c07c49589ed52a67781ed8862ffb47fea3 Author: Stefan Metzmacher Date: Thu Jun 22 09:18:51 2023 +0200 s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac() For now we only pass in the krbtgt that verified the client pac and optionally the krbtgt that verified the device pac. These can be different depending on the domain of the related principals. 
If we want to apply SID filtering in future we may also need to pass in the krbtgt that verified the delegated_proxy_pac, but that needs more research and is not required for the following changes. Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 1ffca866c1574f340cd56fd8c90d41a528bc649a Author: Stefan Metzmacher Date: Fri Jun 23 11:20:59 2023 +1200 s4:kdc: adjust formatting of samba_kdc_update_pac
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9f5216912e0 vfs_gpfs: Move call to load GPFS library via 25e1e487a5f vfs_gpfs: Check error from gpfswrap_lib_init via 3b72136f678 vfs_gpfs: Register smbd process with GPFS via 34b9c54ff2f gpfswrap: Add wrapper for gpfs_register_cifs_export from a75378e3542 s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9f5216912e0b2f2d0e74d4dbd10f3fb5017de331 Author: Christof Schmitt Date: Wed May 31 11:29:49 2023 -0700 vfs_gpfs: Move call to load GPFS library Load the GPFS library from the connect function and leave the module init for only the module registration. Signed-off-by: Christof Schmitt Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sun Jun 25 16:06:37 UTC 2023 on atb-devel-224 commit 25e1e487a5f32ec5ae3cd8e9f49535eae0358e88 Author: Christof Schmitt Date: Wed May 31 11:16:19 2023 -0700 vfs_gpfs: Check error from gpfswrap_lib_init Signed-off-by: Christof Schmitt Reviewed-by: Stefan Metzmacher commit 3b72136f6782d9704a197ab7b17201df6ff4d60d Author: Christof Schmitt Date: Wed May 31 11:13:51 2023 -0700 vfs_gpfs: Register smbd process with GPFS Issue API call to tell the file system that this is a Samba process. This fixed the GPFS handling of Samba since the rename of smbd processes in commit 5955dc1e4fd. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15381 Signed-off-by: Christof Schmitt Reviewed-by: Stefan Metzmacher commit 34b9c54ff2f089dbffe65bdc69f3024b5d3efd5c Author: Christof Schmitt Date: Wed May 24 14:06:36 2023 -0700 gpfswrap: Add wrapper for gpfs_register_cifs_export BUG: https://bugzilla.samba.org/show_bug.cgi?id=15381 Signed-off-by: Christof Schmitt Reviewed-by: Stefan Metzmacher --- Summary of changes: lib/util/gpfswrap.c| 12 lib/util/gpfswrap.h| 1 + source3/modules/vfs_gpfs.c | 26 ++ 3 files changed, 31 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: 
diff --git a/lib/util/gpfswrap.c b/lib/util/gpfswrap.c index d05358e141e..2f15bf452cf 100644 --- a/lib/util/gpfswrap.c +++ b/lib/util/gpfswrap.c @@ -28,6 +28,7 @@ static int (*gpfs_putacl_fn)(const char *pathname, int flags, void *acl); static int (*gpfs_get_realfilename_path_fn)(const char *pathname, char *filenamep, int *len); +static int (*gpfs_register_cifs_export_fn)(void); static int (*gpfs_set_winattrs_path_fn)(const char *pathname, int flags, struct gpfs_winattr *attrs); @@ -71,6 +72,7 @@ int gpfswrap_init(void) gpfs_fgetacl_fn = dlsym(l, "gpfs_getacl_fd"); gpfs_putacl_fn= dlsym(l, "gpfs_putacl"); gpfs_get_realfilename_path_fn = dlsym(l, "gpfs_get_realfilename_path"); + gpfs_register_cifs_export_fn = dlsym(l, "gpfs_register_cifs_export"); gpfs_set_winattrs_path_fn = dlsym(l, "gpfs_set_winattrs_path"); gpfs_set_winattrs_fn = dlsym(l, "gpfs_set_winattrs"); gpfs_get_winattrs_fn = dlsym(l, "gpfs_get_winattrs"); @@ -141,6 +143,16 @@ int gpfswrap_get_realfilename_path(const char *pathname, return gpfs_get_realfilename_path_fn(pathname, filenamep, len); } +int gpfswrap_register_cifs_export(void) +{ + if (gpfs_register_cifs_export_fn == NULL) { + errno = ENOSYS; + return -1; + } + + return gpfs_register_cifs_export_fn(); +} + int gpfswrap_set_winattrs_path(const char *pathname, int flags, struct gpfs_winattr *attrs) diff --git a/lib/util/gpfswrap.h b/lib/util/gpfswrap.h index 1e74496c060..e387a56446b 100644 --- a/lib/util/gpfswrap.h +++ b/lib/util/gpfswrap.h @@ -34,6 +34,7 @@ int gpfswrap_putacl(const char *pathname, int flags, void *acl); int gpfswrap_get_realfilename_path(const char *pathname, char *filenamep, int *len); +int gpfswrap_register_cifs_export(void); int gpfswrap_set_winattrs_path(const char *pathname, int flags, struct gpfs_winattr *attrs); diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c index 969e7744fce..3398879c900 100644 --- a/source3/modules/vfs_gpfs.c +++ b/source3/modules/vfs_gpfs.c @@ -2041,7 +2041,24 @@ static int vfs
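Review bot: In lib/util/gpfswrap.c, the new `gpfswrap_register_cifs_export()` (hunk `@@ -141,6 +143,16 @@`) returns -1 with `errno = ENOSYS` when `dlsym()` did not find `gpfs_register_cifs_export`, but neither the definition nor the prototype added to gpfswrap.h states that contract. A caller that treats registration as mandatory has to tell a GPFS library lacking the symbol apart from a registration the library itself failed, and it can only do so through this errno value. I would document it on the prototype, e.g. `/* Returns -1 with errno ENOSYS if the loaded GPFS library does not export gpfs_register_cifs_export(). */`. The caller in source3/modules/vfs_gpfs.c is cut off on this page, so how it treats ENOSYS cannot be checked here.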
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ad98643fbd9 s4:kdc: Replace FAST cookie with dummy string via fc4740426d2 third_party/heimdal: Import lorikeet-heimdal-202306112240 (commit c7f4ffe1a6e8dafc86ec3357c498d31c97ece386) via 53caae00b82 tests/krb5: Test that FX-COOKIE matches cookie returned by Windows from c4e27ae4f69 smbd: Don't set security_descriptor_hash_v4->time https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ad98643fbd914b7fb28d43a36bd51eeb1f8e2e06 Author: Joseph Sutton Date: Fri Jun 9 15:46:33 2023 +1200 s4:kdc: Replace FAST cookie with dummy string All that uses the FAST cookie is the gss-preauth authentication mechanism, which is untested in Samba, and disabled by default. Disabling the FAST cookie code (and sending a dummy string instead) relieves us of the maintenance and testing burden of this untested code. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jun 21 13:19:17 UTC 2023 on atb-devel-224 commit fc4740426d2f43ca7703e3e4e6ef71c902ce5cd3 Author: Joseph Sutton Date: Mon Jun 12 12:12:06 2023 +1200 third_party/heimdal: Import lorikeet-heimdal-202306112240 (commit c7f4ffe1a6e8dafc86ec3357c498d31c97ece386) Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 53caae00b824e1fe67a67978a5ad604964f10c7a Author: Joseph Sutton Date: Mon Jun 12 13:06:21 2023 +1200 tests/krb5: Test that FX-COOKIE matches cookie returned by Windows The cookie produced by Windows differs depending on whether FAST was used. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- Summary of changes: python/samba/tests/krb5/fast_tests.py| 87 +++ selftest/knownfail_heimdal_kdc | 1 + selftest/knownfail_mit_kdc | 3 + source4/kdc/db-glue.c| 19 - source4/kdc/hdb-samba4.c | 117 +-- source4/kdc/kdc-heimdal.c| 29 source4/kdc/samba_kdc.h | 2 - third_party/heimdal/kdc/default_config.c | 9 +++ third_party/heimdal/kdc/fast.c | 72 ++- third_party/heimdal/kdc/kdc.h| 7 ++ third_party/heimdal/kdc/kerberos5.c | 7 +- third_party/heimdal/lib/krb5/krb5.conf.5 | 3 + 12 files changed, 203 insertions(+), 153 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index e57ea5e1c4b..1c4b5256cef 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py 
@@ -1418,6 +1418,86 @@ class FAST_Tests(KDCBaseTest): } ]) +def test_fx_cookie_fast(self): +"""Test that the FAST cookie is present and that its value is as +expected when FAST is used.""" +kdc_exchange_dict = self._run_test_sequence([ +{ +'rep_type': KRB_AS_REP, +'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, +'use_fast': True, +'fast_armor': FX_FAST_ARMOR_AP_REQUEST, +'gen_armor_tgt_fn': self.get_mach_tgt +}, +]) + +cookie = kdc_exchange_dict.get('fast_cookie') +self.assertEqual(b'Microsoft', cookie) + +def test_fx_cookie_no_fast(self): +"""Test that the FAST cookie is present and that its value is as +expected when FAST is not used.""" +kdc_exchange_dict = self._run_test_sequence([ +{ +'rep_type': KRB_AS_REP, +'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, +'use_fast': False +}, +]) + +cookie = kdc_exchange_dict.get('fast_cookie') +self.assertEqual(b'Microsof\x00', cookie) + +def test_unsolicited_fx_cookie_preauth(self): +"""Test sending an unsolicited FX-COOKIE in an AS-REQ without +pre-authentication data.""" + +# Include a FAST cookie. +fast_cookie = self.create_fast_cookie('Samba-Test') + +kdc_exchange_dict = self._run_test_sequence([ +{ +'rep_type': KRB_AS_REP, +'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, +'use_fast': True, +'fast_armor': FX_FAST_ARMOR_AP_REQUEST, +'gen_armor_tgt_fn': self.get_mach_tgt, +'fast_cookie': fast_cookie, +}, +]) + +got_coo
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fcedf5514b1 smbcacls/smbcquotas: check for valid UNC path via 61f3e16d9f8 bootstrap: Add a note about cleaning bootstrap/ via bb46379845f Configure builtin heimdal to use KEYRING ccache from 198a844ff51 third_party: Fix version of socket_wrapper and uid_wrapper https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fcedf5514b121914483bbc0ffe77580929093ac6 Author: Björn Jacke Date: Tue Jan 10 12:25:35 2023 +0100 smbcacls/smbcquotas: check for valid UNC path we used to strip the first two characters of the path and used that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=2312 Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Jun 6 09:33:47 UTC 2023 on atb-devel-224 commit 61f3e16d9f8d6907b0b8576ae0cf4c4e48c0b37e Author: Łukasz Stelmach Date: Thu May 11 13:33:45 2023 +0200 bootstrap: Add a note about cleaning bootstrap/ Signed-off-by: Łukasz Stelmach Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Reviewed-by: Stefan Metzmacher commit bb46379845fb2b3d4e04dca1a8493a8e2126a6fe Author: Łukasz Stelmach Date: Fri Mar 31 19:42:13 2023 +0200 Configure builtin heimdal to use KEYRING ccache 
Signed-off-by: Łukasz Stelmach Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Reviewed-by: Stefan Metzmacher --- Summary of changes: .gitlab-ci-main.yml | 2 +- bootstrap/README.md | 9 + bootstrap/config.py | 2 +- bootstrap/generated-dists/debian11/bootstrap.sh | 1 + bootstrap/generated-dists/debian11/packages.yml | 1 + bootstrap/generated-dists/ubuntu1804-32bit/bootstrap.sh | 1 + bootstrap/generated-dists/ubuntu1804-32bit/packages.yml | 1 + bootstrap/generated-dists/ubuntu1804/bootstrap.sh | 1 + bootstrap/generated-dists/ubuntu1804/packages.yml | 1 + bootstrap/generated-dists/ubuntu2004/bootstrap.sh | 1 + bootstrap/generated-dists/ubuntu2004/packages.yml | 1 + bootstrap/generated-dists/ubuntu2204/bootstrap.sh | 1 + bootstrap/generated-dists/ubuntu2204/packages.yml | 1 + bootstrap/sha1sum.txt | 2 +- source3/utils/smbcacls.c| 5 + source3/utils/smbcquotas.c | 5 + third_party/heimdal_build/wscript_build | 8 ++-- third_party/heimdal_build/wscript_configure | 10 ++ wscript | 15 +++ 19 files changed, 63 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 4208cbcc104..279c1087789 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -47,7 +47,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: cfddaa8d36c3f512827bd96fe05c30f7f8337f4b + SAMBA_CI_CONTAINER_TAG: 6f4e1c3f1eb3b3236ae793c11def2135386a0ee9 # # We use the ubuntu2204 image as default as # it matches what we have on atb-devel-224 diff --git a/bootstrap/README.md b/bootstrap/README.md index d9a60878f61..6b3de983728 100644 --- a/bootstrap/README.md +++ b/bootstrap/README.md 
@@ -34,6 +34,15 @@ Just calculate the sha1sum for consistency checks: The checksum needs to be added as `SAMBA_CI_CONTAINER_TAG` in the toplevel .gitlab-ci-main.yml file. +NOTE: Remember to remove any files not tracked by git from the bootstrap +directory before running bootstrap/template.py. + + git clean -dfx bootstrap + +Otherwise the files will affect the checksum but because they are not +checked in and won't be pushed to CI system the checksum calculated there +won't match. + ## User Stories As a gitlab-ci user, I can use this tool to build new CI docker images: diff --git a/bootstrap/config.py b/bootstrap/config.py index fd1753fb3e1..c67ab9184ab 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -181,7 +181,7 @@ PKGS = [ # rpm has no pkg for docbook-xml ('docbook-xml', 'docbook-dtds'), ('docbook-xsl', 'docbook-style-xsl'), -('', 'keyutils-libs-devel'), +('libkeyutils-dev', 'keyutils-libs-devel'), ('', 'which'), ('xz-utils', 'xz') ] diff --git a/bootstrap/generated-dists/debian11/bootstrap.sh b/bootstrap/generated-dists/debian11/bootstrap.sh index 1f9cddfe8ee..1aac852e83e 100755 --- a/bootstrap/generated-dists/debian11/bootstrap.sh +++ b/bootstrap/generated-dists/debian11/bootstrap.sh @@ -57,6 +57,7 @@ apt-get -y
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 22ab42c1007 s3/utils: avoid erronous NO MEMORY detection from 9c24f853a84 smbd: remove comments about deprecated 'write cache size' https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 22ab42c1007775abca0b578744d4c18a85cda627 Author: Noel Power Date: Fri Jun 2 14:27:55 2023 +0100 s3/utils: avoid erronous NO MEMORY detection since 5cc3c1b5f6b0289f91c01b20989558badc28fd61 if we don't have a realm specified either on cmdline or in conf file we try to copy (talloc_strdup) a NULL variable which triggers a NO_MEMORY error when we check the result of the copy BUG: https://bugzilla.samba.org/show_bug.cgi?id=15384 Signed-off-by: Noel Power Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sun Jun 4 12:42:16 UTC 2023 on atb-devel-224 --- Summary of changes: source3/utils/net_ads.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 9a3ee73567e..f0e5e0afe92 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -753,10 +753,12 @@ retry:
 } else if (ads->auth.realm == NULL) {
 const char *c_realm = cli_credentials_get_realm(c->creds);
- ads->auth.realm = talloc_strdup(ads, c_realm);
- if (ads->auth.realm == NULL) {
- TALLOC_FREE(ads);
- return ADS_ERROR(LDAP_NO_MEMORY);
+ if (c_realm != NULL) {
+ ads->auth.realm = talloc_strdup(ads, c_realm);
+ if (ads->auth.realm == NULL) {
+ TALLOC_FREE(ads);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
 }
 }
-- Samba Shared Repository
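Review bot: With the added `if (c_realm != NULL)` guard, `ads->auth.realm` can leave this branch still NULL, and nothing at the guard says that this is an accepted state rather than an oversight. The old code reported that case as LDAP_NO_MEMORY, so the difference between "no realm configured" and "allocation failed" is exactly what the next reader needs spelled out, for example `/* no realm on cmdline or in the config: leave auth.realm NULL, this is not an allocation failure */`. Whether everything that reads `ads->auth.realm` afterwards copes with NULL cannot be checked from here, because the enclosing function starts and ends outside the hunk.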
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5303f6f7fd1 s4:torture/smb2: add smb2.bench.read test via 56488363862 s4:torture/smb2: add --option="torture:looplimit=15" to smb2.bench.echo via d01db89d905 s4:torture/smb2: move benchmarking tests to bench.c via e03ccb5b12b smb2_negprot: add CALLGRIND_START_INSTRUMENTATION after SMB2 negprot via 77c925681dc lib/replace: check for valgrind/callgrind.h via bfb1494e818 lib/util: use RUNNING_ON_VALGRIND to check if valgrind is used via be5e4d164df smb2_server: use MSG_DONTWAIT to get non-blocking send/recvmsg via 6e848f9d22f s3:smbd: only do profiling overhead in smbd_tevent_trace_callback() when needed via ff259bd1b70 smbprofile: add smbprofile_active() helper via a08f8b2a2cc smb2_server: optimize SMB2_OP_KEEPALIVE (SMB2 Echo) from 9aa440d52d7 s4-rpc_server: Filter via dsdb_dc_functional_level() before we are returning a lookup directly https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5303f6f7fd1ddccdfa6b752b20f712237850527c Author: Stefan Metzmacher Date: Thu Sep 22 15:49:41 2022 +0200 s4:torture/smb2: add smb2.bench.read test This test opens one file for each loop (for nprocs * qdepth loops) and for each file it loops in read requests for the first io_size bytes. time smbtorture //127.0.0.1/m -Uroot%test smb2.bench.read \ --option="torture:timelimit=600" \ --option="torture:nprocs=1" \ --option="torture:qdepth=4" \ --option="torture:io_size=4096" In order to generate constant load for profiles --option="torture:looplimit=15" can be used to stop after the given number of loops before the timelimit hits. Sometimes the bottleneck is the smbtorture process. In order to bring the smbd process to 100% cpu, you can use '--option="libsmb:client_guid=6112f7d3-9528-4a2a-8861-0ca129aae6c4"' and run multiple instances of the test at the same time, which both talk to the same smbd process. 
Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Jun 1 08:14:23 UTC 2023 on atb-devel-224 commit 56488363862aeeeacbdd675c09603c5624675d2b Author: Stefan Metzmacher Date: Fri Apr 28 08:02:39 2023 + s4:torture/smb2: add --option="torture:looplimit=15" to smb2.bench.echo Also see the commit message of 23988f19e7cc2823d6c0c0f40af0195d0a3b81bf for other examples... This test calls SMB2_Echo in a loop per connection. time smbtorture //127.0.0.1/m -Uroot%test smb2.bench.echo \ --option="torture:timelimit=600" \ --option="torture:looplimit=15" \ --option="torture:nprocs=1" \ --option="torture:qdepth=1" This is a very useful test to show how many requests are possible at the raw SMB2 layer. In order to do profiling and being able to compare the profiles between runs, it is important to produce the exact same load in each run, which is not possible with the typical --option="torture:timelimit=600". E.g. when the server runs under 'valgrind --tool=callgrind bin/smbd' I typically run without "torture:looplimit" first in order to see, which rate is possible per second, then I'll add a "torture:looplimit" in order to run about half of the timelimit. Then the looplimit should run for some time, but finish before the timelimit. 
Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke commit d01db89d905eb85b014e2d9b701a507d41cd2dff Author: Stefan Metzmacher Date: Thu Sep 22 15:02:04 2022 +0200 s4:torture/smb2: move benchmarking tests to bench.c I'll add more tests there soon Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke commit e03ccb5b12bca8588baca70c4d45702833c7bdd5 Author: Stefan Metzmacher Date: Tue Apr 25 15:38:30 2023 + smb2_negprot: add CALLGRIND_START_INSTRUMENTATION after SMB2 negprot This allows us to support starting smbd under callgrind and only start the overhead and instrumentation after the SMB2 negprot, this allows us to profile only useful stuff and not all the smbd startup, forking and multichannel handling. This will do the trick: valgrind --tool=callgrind --instr-atstart=no smbd Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke commit 77c925681dc964adc67aa866ae47149dabd576e9 Author: Stefan Metzmacher Date: Wed May 31 12:59:47 2023 +0200 lib/replace: check for valgrind/callgrind.h Signed-off-by: Stefan
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via eafcef18584 s3:locking: fix debug level for NT_STATUS_NOT_FOUND messanges in get_static_share_mode_data from 24dd45613a6 python:tests: Skip the source_chars test if not a git dir https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit eafcef18584c264dc68dd95fbd8aa39218199446 Author: Stefan Metzmacher Date: Mon Apr 24 15:08:42 2023 +0200 s3:locking: fix debug level for NT_STATUS_NOT_FOUND messanges in get_static_share_mode_data BUG: https://bugzilla.samba.org/show_bug.cgi?id=15362 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Apr 24 14:13:35 UTC 2023 on atb-devel-224 --- Summary of changes: source3/locking/share_mode_lock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines:
diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c
index 09a02853511..3fc7d56562a 100644
--- a/source3/locking/share_mode_lock.c
+++ b/source3/locking/share_mode_lock.c
@@ -885,7 +885,7 @@ static NTSTATUS get_static_share_mode_data(
 return status;
 }
 if (!NT_STATUS_IS_OK(state.status)) {
- DBG_GET_SHARE_MODE_LOCK(status,
+ DBG_GET_SHARE_MODE_LOCK(state.status,
 "get_static_share_mode_data_fn failed: %s\n",
 nt_errstr(state.status));
 return state.status;
-- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 53f0a292f80 selftest:Samba3: use the correct NSS_WRAPPER_HOSTNAME from 2ff55b3da71 selftest: Catch error codes from failing testsuites https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 53f0a292f8057a63ddee951058e380b43b9d2916 Author: Stefan Metzmacher Date: Wed Apr 12 17:22:02 2023 +0200 selftest:Samba3: use the correct NSS_WRAPPER_HOSTNAME The value of NSS_WRAPPER_HOSTNAME needs to match value we put into the NSS_WRAPPER_HOSTS file. We had a mismatch of idmapridmember.samba.example.com vs. idmapridmember.addom.samba.example.com This causes getaddrinfo() in nss_wrapper to fallback to the libc version, which talks to a dns server. It's not clear if recent glibc code will reach resolve/socket wrapper. So it's not unlikely that idmapridmember.samba.example.com will be passed via the internet, which causes delays up to 20 seconds. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15355 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Apr 12 20:29:05 UTC 2023 on atb-devel-224 --- Summary of changes: selftest/target/Samba3.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines:
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index ab0b61279ef..717091cc8cf 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -3677,7 +3677,7 @@ jacknomappergroup:x:$gid_jacknomapper:jacknomapper
 $createuser_env{NSS_WRAPPER_PASSWD} = $nss_wrapper_passwd;
 $createuser_env{NSS_WRAPPER_GROUP} = $nss_wrapper_group;
 $createuser_env{NSS_WRAPPER_HOSTS} = $nss_wrapper_hosts;
- $createuser_env{NSS_WRAPPER_HOSTNAME} = "${hostname}.samba.example.com";
+ $createuser_env{NSS_WRAPPER_HOSTNAME} = "${hostname}.${dns_domain}";
 if ($ENV{SAMBA_DNS_FAKING}) {
 $createuser_env{RESOLV_WRAPPER_HOSTS} = $dns_host_file;
 } else {
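Review bot: The host name `"${hostname}.${dns_domain}"` is still assembled separately here and again in the `$ret{NSS_WRAPPER_HOSTNAME}` assignment of the second hunk (-3731), although the commit message says it must equal the name written to the NSS_WRAPPER_HOSTS file; that independent spelling is how the two values drifted apart and lookups fell through to a real resolver. I would build it once, `my $fqdn = "${hostname}.${dns_domain}";`, and use `$fqdn` for both assignments. If the hosts-file entry is written in the same function, which the hunk does not show, it should use the same variable so a test environment cannot send its names to outside DNS again.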
@@ -3731,7 +3731,7 @@ jacknomappergroup:x:$gid_jacknomapper:jacknomapper
 $ret{NSS_WRAPPER_PASSWD} = $nss_wrapper_passwd;
 $ret{NSS_WRAPPER_GROUP} = $nss_wrapper_group;
 $ret{NSS_WRAPPER_HOSTS} = $nss_wrapper_hosts;
- $ret{NSS_WRAPPER_HOSTNAME} = "${hostname}.samba.example.com";
+ $ret{NSS_WRAPPER_HOSTNAME} = "${hostname}.${dns_domain}";
 $ret{NSS_WRAPPER_MODULE_SO_PATH} = Samba::nss_wrapper_winbind_so_path($self);
 $ret{NSS_WRAPPER_MODULE_FN_PREFIX} = "winbind";
 if ($ENV{SAMBA_DNS_FAKING}) {
-- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 52c78466bdb vfs_fruit: avoid using 'conn->tcon->compat', we can just use 'conn'! via e0e58ed0e24 smbXsrv_tcon: avoid storing temporary (invalid!) records. from d788d3d974a s3-client: Provide more information on protocol negotiation failures https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 52c78466bdb136998fa9d28b46ffbf18cd9b61a7 Author: Stefan Metzmacher Date: Wed Apr 5 16:59:28 2023 +0200 vfs_fruit: avoid using 'conn->tcon->compat', we can just use 'conn'! Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Apr 12 13:51:50 UTC 2023 on atb-devel-224 commit e0e58ed0e2429f01265d544b444bf0e4075549e2 Author: Stefan Metzmacher Date: Wed Apr 5 16:59:44 2023 +0200 smbXsrv_tcon: avoid storing temporary (invalid!) records. We used to store smbXsrv_tcon_global.tdb records in two steps, first we created a record in order to allocate the tcon id. The temporary record had a NULL share_name, which translated into 0 bytes for the string during ndr_push_smbXsrv_tcon_global0. The problem is that ndr_pull_smbXsrv_tcon_global0 fails on this with something like: Invalid record in smbXsrv_tcon_global.tdb:key '2CA0ED4A' ndr_pull_struct_blob(length=85) - Buffer Size Error The blob looks like this: [] 00 00 00 00 01 00 00 00 00 00 00 00 00 00 02 00 [0010] 00 00 00 00 4A ED A0 2C 4A ED A0 2C 00 00 00 00 J.., J.., [0020] F8 4B 00 00 00 00 00 00 00 00 00 00 FF FF FF FF .K.. [0030] 4D 59 9B 9F 83 F4 35 20 36 D2 B0 82 62 68 D9 01 MY5 6...bh.. [0040] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [0050] 00 00 00 00 00 . The reason for having a temporary entry was just based on the fact, that it was easier to keep the logic in make_connection_snum() untouched. But we have all information available in order to store the final record directly. We only need to do the "max connections" check first. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15353 
Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- Summary of changes: source3/modules/vfs_fruit.c | 4 ++-- source3/smbd/globals.h | 5 source3/smbd/smb1_service.c | 48 +++-- source3/smbd/smb2_service.c | 15 source3/smbd/smb2_tcon.c| 58 ++--- source3/smbd/smbXsrv_tcon.c | 29 +-- 6 files changed, 97 insertions(+), 62 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 4058d4834e7..637e2a1a6ed 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -849,7 +849,7 @@ static NTSTATUS check_aapl(vfs_handle_struct *handle, if (req_bitmap & SMB2_CRTCTX_AAPL_SERVER_CAPS) { if ((client_caps & SMB2_CRTCTX_AAPL_SUPPORTS_READ_DIR_ATTR) && - (handle->conn->tcon->compat->fs_capabilities & FILE_NAMED_STREAMS)) { + (handle->conn->fs_capabilities & FILE_NAMED_STREAMS)) { server_caps |= SMB2_CRTCTX_AAPL_SUPPORTS_READ_DIR_ATTR; config->readdir_attr_enabled = true; } @@ -875,7 +875,7 @@ static NTSTATUS check_aapl(vfs_handle_struct *handle, } if (req_bitmap & SMB2_CRTCTX_AAPL_VOLUME_CAPS) { - int val = lp_case_sensitive(SNUM(handle->conn->tcon->compat)); + int val = lp_case_sensitive(SNUM(handle->conn)); uint64_t caps = 0; switch (val) { diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index ff69d95ddfb..837d3c8acd2 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -645,6 +645,8 @@ NTSTATUS smbXsrv_tcon_update(struct smbXsrv_tcon *tcon); NTSTATUS smbXsrv_tcon_disconnect(struct smbXsrv_tcon *tcon, uint64_t vuid); NTSTATUS smb1srv_tcon_table_init(struct smbXsrv_connection *conn); NTSTATUS smb1srv_tcon_create(struct smbXsrv_connection *conn, +uint32_t session_global_id, +const char *share_name, NTTIME now, struct smbXsrv_tcon **_tcon); NTSTATUS smb1srv_tcon_lookup(struct smbXsrv_connection *conn, @@ -653,6 +655,9 @@ NTSTATUS smb1srv_tcon_lookup(struct smbXsrv_connection *conn, NTSTATUS smb1srv_tcon_disconnect_all(struct smbXsrv_client *cli
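Review bot: The two parameters added to the `smb1srv_tcon_create()` prototype in globals.h, `session_global_id` and `share_name`, come without any stated contract, and `share_name` is the one that matters. The commit message describes a record stored with a NULL share_name that ndr_pull later rejects as invalid, so the declaration should say that NULL is not allowed, for example `/* share_name must not be NULL: it is stored in smbXsrv_tcon_global.tdb */`, and the definition should return an error status for NULL instead of storing it. The definition in smbXsrv_tcon.c is not in the visible part of the diff, so it may already check this.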
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ca7b7bde391 selftest: Use "debug syslog format = always" in selftest via 83fe7a0316d lib/util: Add "debug syslog format = always", which logs to stdout in syslog style via 33effa76d6b s4:torture: Extend smb2 session requested_life_time via e69453fc417 s4:torture: Fix warning messages for smb2.session via 6dc7ae8b143 s4:torture: Fix warning messages for smb.raw.session via 67535ac2259 s4:torture: Remove trailing white spaces via 938cbe07db8 s3:tests: Add exit code with failed tests via d163d1ba7aa s3:tests: Use CONFIGURATION passed down to the test via fa591f52234 s3:tests: Correctly implement tests for forceuser/forcegroup via bfae4262036 s3:tests: Use the CONFIGURATION passed down to the test via d8acec0caf8 s3:selftest: Remove ad_dc_ntvfs for smbclient_machine_auth.plain via e5ef368fb61 lib:ldb:tests: Fix signedness build error via 0ef53b948e1 net_ads: fill ads->auth.realm from c->creds via 3b585f9e8cc testprogs/blackbox: add test_net_ads_search_server.sh from 112faff82f9 dsdb: modify unicodePwd requires encrypted connection https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ca7b7bde3915a821b1b9911abf18d2d441665382 Author: Andrew Bartlett Date: Thu Apr 6 12:28:12 2023 +1200 selftest: Use "debug syslog format = always" in selftest Some of the most difficult to debug issues in Samba development are around timing, so this changes our default logging format in the selftest system to include a high-resolution timestamp to help correlate bad events with what else is going on at the same time. This fits in well with the timestamps already logged into st/subunit and may assist with correlation. 
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Apr 6 13:44:47 UTC 2023 on atb-devel-224 commit 83fe7a0316d3e5867a56cfdc51ec17f36ea03889 Author: Andrew Bartlett Date: Thu Apr 6 12:26:11 2023 +1200 lib/util: Add "debug syslog format = always", which logs to stdout in syslog style Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 33effa76d6bdb53ecfc1e77c6706d765e34716be Author: Andreas Schneider Date: Wed Apr 5 10:04:57 2023 +0200 s4:torture: Extend smb2 session requested_life_time It also only waits for the required amount of time elapsed. Hopefully this should avoid running into timeouts. Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit e69453fc41767fe99ed95b624d3fb25dc17b1ad6 Author: Andreas Schneider Date: Wed Apr 5 10:04:34 2023 +0200 s4:torture: Fix warning messages for smb2.session Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 6dc7ae8b143bdd9d9573426d7ad6e753e1ff960e Author: Andreas Schneider Date: Wed Apr 5 10:00:15 2023 +0200 s4:torture: Fix warning messages for smb.raw.session Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 67535ac22594b7b7558871b8d582aa768925a144 Author: Andreas Schneider Date: Wed Apr 5 09:59:14 2023 +0200 s4:torture: Remove trailing white spaces Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 938cbe07db8eb4784b40c961857707a31108793e Author: Andreas Schneider Date: Wed Apr 5 09:23:41 2023 +0200 s3:tests: Add exit code with failed tests Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit d163d1ba7aa1c511fadd69c39aa0df155e71b4d0 Author: Andreas Schneider Date: Wed Apr 5 09:21:24 2023 +0200 s3:tests: Use CONFIGURATION passed down to the test Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit fa591f5223434b63429c5505ffbe948b4d6d6847 Author: Andreas Schneider Date: Wed Apr 5 08:48:29 2023 +0200 s3:tests: 
Correctly implement tests for forceuser/forcegroup They used the tmp share ... Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit bfae42620365e8caf41f181286268e8f18470aaa Author: Andreas Schneider Date: Wed Apr 5 08:47:16 2023 +0200 s3:tests: Use the CONFIGURATION passed down to the test Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit d8acec0caf820429c4e81b8c99b87d26105568e0 Author: Andreas Schneider Date: Wed Apr 5 08:57:49 2023 +0200 s3:selftest: Remove ad_dc_ntvfs for smbclient_machine_auth.plain There is no need to run it against this environment and saves resources. Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit e5ef368fb61dd81dcdbd10dc2009cbbd96c399ca Author: Andreas Sc
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6241380bc52 samba-tool: rewrite dsacl.py to use the new sd_utils helpers via a1109a9bf12 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers via 8411e6d302e python:sd_utils: introduce update_aces_in_dacl() helper via 4627997ddae python/samba/ndr: add ndr_deepcopy() helper via 9ea06aaf9f5 py_security: allow idx argument to descriptor.[s|d]acl_add() via 2c02378029f libcli/security: add security_descriptor_[s|d]acl_insert() helpers via c3cb915a67a libcli/security: prepare security_descriptor_acl_add() to place the ace at a position via 9d8ff0d1e0b replace: add ARRAY_INSERT_ELEMENT() helper via 9053862b892 lib/ldb-samba: let ldif_read_ntSecurityDescriptor() only try sddl if isupper() from be1aae77b76 libcli/security: Reorder SDDL access flags table to match Windows https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6241380bc52e41744d134e31d77ab900e604e0d1 Author: Stefan Metzmacher Date: Thu Mar 16 18:32:49 2023 +0100 samba-tool: rewrite dsacl.py to use the new sd_utils helpers Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Mar 22 15:57:15 UTC 2023 on atb-devel-224 commit a1109a9bf12e020636b8d66fc54984aac58bfe6b Author: Stefan Metzmacher Date: Thu Mar 16 18:03:10 2023 +0100 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers They better represent what they are doing, we keep dacl_add_ace() as wrapper of dacl_prepend_aces() in order to let existing callers work as before. In future it would be good to have a dacl_insert_aces() that would canonicalize the ace order before storing, but that a task for another day. 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 8411e6d302e25d10f1035ebbdcbde7308566e930 Author: Stefan Metzmacher Date: Fri Mar 10 18:25:18 2023 +0100 python:sd_utils: introduce update_aces_in_dacl() helper This is a more generic api that can be re-used in other places as well in future. It operates on a security descriptor object instead of SDDL. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 4627997ddae44265ad35b3234232eb74458c6c34 Author: Stefan Metzmacher Date: Fri Mar 17 14:08:34 2023 +0100 python/samba/ndr: add ndr_deepcopy() helper This uses ndr_pack/unpack in order to create a deep copy of the given object. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74 Author: Stefan Metzmacher Date: Thu Mar 16 10:11:05 2023 +0100 py_security: allow idx argument to descriptor.[s|d]acl_add() Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 2c02378029fff6636b8f19e45af78b265f2210ed Author: Stefan Metzmacher Date: Thu Mar 16 10:03:44 2023 +0100 libcli/security: add security_descriptor_[s|d]acl_insert() helpers Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit c3cb915a67aff6739b72b86d7d139609df309ada Author: Stefan Metzmacher Date: Thu Mar 16 10:00:11 2023 +0100 libcli/security: prepare security_descriptor_acl_add() to place the ace at a position Often it is important to insert an ace at a specific position in the ACL. As a default we still append by default by using -1, which is the generic version of passing the number of existing aces. 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b Author: Stefan Metzmacher Date: Thu Mar 16 09:57:43 2023 +0100 replace: add ARRAY_INSERT_ELEMENT() helper Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 9053862b89258850c22735cc4123fe5bc0d2e6fa Author: Stefan Metzmacher Date: Mon May 17 17:14:34 2021 +0200 lib/ldb-samba: let ldif_read_ntSecurityDescriptor() only try sddl if isupper() Trying ndr_pull_security_descriptor on SDDL produces just strange debug messages, which can cause confusion. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- Summary of changes: lib/ldb-samba/ldif_handlers.c | 24 -- lib/replace/replace.h | 15 libcli/security/security_descriptor.c | 55 ++-- libcli/security
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via be1aae77b76 libcli/security: Reorder SDDL access flags table to match Windows from 35380fa6a5b gpupdate: Use winbind separator in PAM Access Policies https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit be1aae77b7610933b1121f207e0a4df523c2d278 Author: Joseph Sutton Date: Tue Mar 15 14:01:13 2022 +1300 libcli/security: Reorder SDDL access flags table to match Windows This means that encoding an ACE in string form will now match Windows. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Joseph Sutton Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Mar 21 01:19:16 UTC 2023 on atb-devel-224 --- Summary of changes: libcli/security/sddl.c | 18 +- python/samba/tests/upgradeprovision.py | 20 ++-- source4/dsdb/tests/python/sec_descriptor.py | 12 ++-- source4/torture/ldb/ldb.c | 18 +- 4 files changed, 34 insertions(+), 34 deletions(-) Changeset truncated at 500 lines:
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index dad5ce8f413..508ac3e5666 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -258,23 +258,23 @@ static const struct flag_map ace_flags[] = {
 };
 static const struct flag_map ace_access_mask[] = {
- { "RP", SEC_ADS_READ_PROP },
- { "WP", SEC_ADS_WRITE_PROP },
- { "CR", SEC_ADS_CONTROL_ACCESS },
 { "CC", SEC_ADS_CREATE_CHILD },
 { "DC", SEC_ADS_DELETE_CHILD },
 { "LC", SEC_ADS_LIST },
+ { "SW", SEC_ADS_SELF_WRITE },
+ { "RP", SEC_ADS_READ_PROP },
+ { "WP", SEC_ADS_WRITE_PROP },
+ { "DT", SEC_ADS_DELETE_TREE },
 { "LO", SEC_ADS_LIST_OBJECT },
+ { "CR", SEC_ADS_CONTROL_ACCESS },
+ { "SD", SEC_STD_DELETE },
 { "RC", SEC_STD_READ_CONTROL },
- { "WO", SEC_STD_WRITE_OWNER },
 { "WD", SEC_STD_WRITE_DAC },
- { "SD", SEC_STD_DELETE },
- { "DT", SEC_ADS_DELETE_TREE },
- { "SW", SEC_ADS_SELF_WRITE },
+ { "WO", SEC_STD_WRITE_OWNER },
 { "GA", SEC_GENERIC_ALL },
- { "GR", SEC_GENERIC_READ },
- { "GW", SEC_GENERIC_WRITE },
 { "GX", SEC_GENERIC_EXECUTE },
+ { "GW", SEC_GENERIC_WRITE },
+ { "GR", SEC_GENERIC_READ },
 { NULL, 0 }
 };
diff --git a/python/samba/tests/upgradeprovision.py b/python/samba/tests/upgradeprovision.py
index 5f77a777fc9..b281ad8722f 100644
--- a/python/samba/tests/upgradeprovision.py
+++ b/python/samba/tests/upgradeprovision.py
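Review bot: Nothing on `ace_access_mask[]` records that the order of its entries is now significant. According to the commit message the order determines how an ACE's access mask is written in string form, so a later edit that sorts the table or inserts an entry in the "wrong" place would silently change encoder output and every stored or compared SDDL string derived from it. I would put a comment directly above the table, e.g. `/* Order matters: flags are emitted in table order when encoding, kept identical to Windows. */`. The code that walks the table is outside this hunk, so the dependence on order is taken from the commit message rather than from visible lines.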
@@ -64,21 +64,21 @@ class UpgradeProvisionTestCase(TestCaseInTempDir): def test_get_diff_sds(self): domsid = security.dom_sid('S-1-5-21') -sddl = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)" -sddl1 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl1 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)" -sddl2 = "O:BAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl2 = "O:BAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)" -sddl3 = "O:SAG:BAD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl3 = "O:SAG:BAD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)" -sddl4 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;BA)\ +sddl4 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;BA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)" -sddl5 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl5 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" -sddl6 = "O:SAG:DUD:AI(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl6 = "O:SAG:DUD:AI(A;CIID;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CIID;RP LCLORC;;;AU)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)\ -(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)(AU;CIIDSA;WP;;;WD)" self.assertEqual(get_diff_sd
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f3fad5a189f libcli/security: prepare sddl machine/forest_sid handling via bd327f7d7a0 libcli/security: simplify sddl_encode_sid() via 8f4aced3653 libcli/security: simplify rid-based SDDL sid strings via 7d466a913f2 libcli/security: introduce struct sddl_transition_state from 3e2eb1b0236 s4:kdc: Add client claims blob if it is present https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f3fad5a189f73615360510ac61266c9fffa58edc Author: Stefan Metzmacher Date: Thu Jan 14 11:02:10 2016 +0100 libcli/security: prepare sddl machine/forest_sid handling In future we need to pass in 3 sids to sddl_encode() Once we pass in a machine_sid from the caller we need to have a test on a Windows member if the .machine_rid values really belong to the local machine sid. At least [MS-DTYP] 2.4.2.4 Well-Known SID Structures pretents "LA" and "LG" are relative to the local machine sid. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Mar 20 10:53:41 UTC 2023 on atb-devel-224 commit bd327f7d7a0d5f3377129ceb7f74e9dcf40587f3 Author: Stefan Metzmacher Date: Fri Mar 25 14:23:45 2022 +0100 libcli/security: simplify sddl_encode_sid() We should walk the sid_codes array just once. This makes further changes easier... Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 8f4aced365381cae70fa33f9f0641f33ab3db1fb Author: Stefan Metzmacher Date: Fri Mar 25 13:28:48 2022 +0100 libcli/security: simplify rid-based SDDL sid strings 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 7d466a913f2c0038b30424403a7355db849fee7a Author: Stefan Metzmacher Date: Thu Apr 30 19:49:12 2020 +0200 libcli/security: introduce struct sddl_transition_state In future we'll need more than 'domain_sid' in order to do the correct transition of SDDL to/from security_descriptor. In the end we most likely add an sddl_transition_{create,encode,decode}() api in order to allow the caller to create an sddl_transition_state once and then pass it to multiple calls to encode/decode. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton --- Summary of changes: libcli/security/sddl.c | 186 + 1 file changed, 127 insertions(+), 59 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c index 076f040cfb8..dad5ce8f413 100644 --- a/libcli/security/sddl.c +++ b/libcli/security/sddl.c @@ -25,6 +25,12 @@ #include "librpc/gen_ndr/ndr_misc.h" #include "system/locale.h" +struct sddl_transition_state { + const struct dom_sid *machine_sid; + const struct dom_sid *domain_sid; + const struct dom_sid *forest_sid; +}; + struct flag_map { const char *name; uint32_t flag; @@ -87,7 +93,9 @@ static bool sddl_map_flags(const struct flag_map *map, const char *str, static const struct { const char *code; const char *sid; - uint32_t rid; + uint32_t machine_rid; + uint32_t domain_rid; + uint32_t forest_rid; } sid_codes[] = { { .code = "WD", .sid = SID_WORLD }, 
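Review bot: `struct sddl_transition_state` (hunk at -25) is introduced without a comment on its three `const struct dom_sid *` members: who owns them, and which of them a caller may leave NULL. The commit messages say that for now only a domain SID is passed in and that machine and forest SIDs are to follow, so the encode and decode code will meet partly filled states. A short comment on the struct would settle this, e.g. `/* pointers are borrowed from the caller; state here which of them may be NULL */`, filled in with what the functions using it really do, which this hunk does not show.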
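Review bot: After the hunk at -87 each `sid_codes[]` entry has four ways to name its SID (`sid`, `machine_rid`, `domain_rid`, `forest_rid`), and the anonymous struct does not say that exactly one of them is meant to be set or that a RID of 0 stands for "not used". Because the table uses designated initializers, an entry that sets none of them, or two, compiles without complaint and would resolve a two-letter code against whichever field the lookup tests first. I would document the rule on the struct, `/* exactly one of sid, machine_rid, domain_rid, forest_rid is set; rid 0 means unused */`. The entries visible in the following hunk (-147) do set a single field each, but the lookup code itself is not in view.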
@@ -147,28 +155,28 @@ static const struct { { .code = "AS", .sid = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY }, { .code = "SS", .sid = SID_SERVICE_ASSERTED_IDENTITY }, - { .code = "RO", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS }, + { .code = "RO", .forest_rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS }, - { .code = "LA", .sid = NULL, .rid = DOMAIN_RID_ADMINISTRATOR }, - { .code = "LG", .sid = NULL, .rid = DOMAIN_RID_GUEST }, + { .code = "LA", .machine_rid = DOMAIN_RID_ADMINISTRATOR }, + { .code = "LG", .machine_rid = DOMAIN_RID_GUEST }, - { .code = "DA", .sid = NULL, .rid = DOMAIN_RID_ADMINS }, - { .code = "DU", .sid = NULL, .rid = DOMAIN_RID_USERS }, - { .code = "DG", .sid = NULL, .rid = DOMAIN_RID_GUESTS }, - { .code = "DC", .sid = NULL, .rid = DOMAIN_RID_DOMAIN_MEMBERS }, - { .code = "DD", .sid = NULL, .rid = DOMAIN_RID_DCS }, - { .code = "CA", .sid = NULL, .rid = DOMAIN_RID_CERT_ADMINS }, - { .code = "SA", .sid = NULL, .rid = DOMAIN_RID_SCHEMA_ADMINS }, - { .code = &quo
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7ee725f2860 idmap_hash: remember new domain sids in idmap_hash_sid_to_id() via ee820553fd2 idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon cache via ede88d9f83f idmap_hash: only return ID_REQUIRE_TYPE if we don't know about the domain yet via 42dcb3db055 idmap_hash: return ID_REQUIRE_TYPE only if there's a chance to get a mapping later via c158b075b0b idmap_hash: split out a idmap_hash_sid_to_id() helper function via 57150b463fb idmap_hash: split out a idmap_hash_id_to_sid() helper function via 14102b05f37 idmap_hash: mirror the NT_STATUS_NONE_MAPPED/STATUS_SOME_UNMAPPED logic from idmap_autorid via 0da13ab3ad7 idmap_hash: we don't need to call idmap_hash_initialize() over an over again via 2cfcff3101f idmap_hash: remove unused error checks via 0f96c4b419a idmap_hash: fix comments about the algorithm via 9a24570d3d6 idmap_hash: provide ID_TYPE_BOTH mappings also for unixids_to_sids via a9583b5f96f idmap_autorid: fix ID_REQUIRE_TYPE for more than one SID for an unknown domain via ad242a20643 winbindd: don't call set_domain_online_request() in the idmap child from 78635d55fb8 audit_logging: Use `json_int_t` instead of `int` for `json_add_int` value type https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7ee725f2860d835e9619fa594a2ee6faedbc6d21 Author: Stefan Metzmacher Date: Thu Mar 21 16:54:31 2019 +0100 idmap_hash: remember new domain sids in idmap_hash_sid_to_id() This change means that idmap_hash_id_to_sid() can return mappings for new domains learned in idmap_hash_sid_to_id(). 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Mar 10 11:35:06 UTC 2023 on atb-devel-224 commit ee820553fd2c6ada966a0160cbb0240049f9d9f7 Author: Stefan Metzmacher Date: Thu Mar 21 16:54:31 2019 +0100 idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon cache BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit ede88d9f83fb77fa8eff226fb6a85ac71e415098 Author: Stefan Metzmacher Date: Thu Mar 21 16:54:31 2019 +0100 idmap_hash: only return ID_REQUIRE_TYPE if we don't know about the domain yet BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 42dcb3db05530179a991fe58e7b96b52bbbcc607 Author: Stefan Metzmacher Date: Thu Mar 21 16:54:31 2019 +0100 idmap_hash: return ID_REQUIRE_TYPE only if there's a chance to get a mapping later If we are going to return ID_UNMAPPED later anyway, there's no need to defer that decision by returning ID_REQUIRE_TYPE first. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit c158b075b0b5035615fa8848f1f3d8ef27696861 Author: Stefan Metzmacher Date: Thu Mar 21 14:05:13 2019 +0100 idmap_hash: split out a idmap_hash_sid_to_id() helper function BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 57150b463fb8e27c048670f7b4902bd091ee3ae9 Author: Stefan Metzmacher Date: Thu Mar 21 14:05:13 2019 +0100 idmap_hash: split out a idmap_hash_id_to_sid() helper function BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 14102b05f3744c67178bd719d41e67fc3e049ee4 Author: Stefan Metzmacher Date: Thu Mar 21 14:00:16 2019 +0100 idmap_hash: mirror the NT_STATUS_NONE_MAPPED/STATUS_SOME_UNMAPPED logic from idmap_autorid BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 0da13ab3ad7278eafdcd988f39e891242eb46d37 Author: Stefan Metzmacher Date: Thu Mar 21 10:54:49 2019 +0100 idmap_hash: we don't need to call idmap_hash_initialize() over an over again It's always the first function that's called from idmap_methods. This also demonstrates that we currently always return NT_STATUS_OK, even if we haven't mapped all map entries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 2cfcff3101fce94b365eccde114432dfa980bbd0 Author: Stefan Metzmacher Date: Thu Mar 21 13:54:10 2019 +0100 idmap_hash: remove unused error checks id_map_ptrs_init() is used in the callers in order
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via cc4e11d0282 smbd: Remove smbXsrv_open_global0->db_rec via 1bd16bc6d45 smbd: Use dbwrap_do_locked() in smb2srv_open_recreate() via fede6b9f465 smbd: rename 'op' into 'global' in smbXsrv_open_cleanup_fn() via ca872ad6ba1 smbd: let smbXsrv_open_cleanup() delete broken records via a69950db4a7 smbd: Use dbwrap_do_locked() in smbXsrv_open_cleanup() via 62a66331934 smbd: Use dbwrap_do_locked() in smbXsrv_open_close() via 26b29ecbb9d smbd: Use dbwrap_do_locked() in smbXsrv_open_update() via bfede670bd4 smbd: Use dbwrap_do_locked() in smbXsrv_open_global_allocate() via 84d22dc5f57 smbd: Make smbXsrv_open_global_allocate() store the record via 95e3ad7e437 smbd: Simplify smbXsrv_open_global_store() via fafebc46c8b smbd: Move smbXsrv_open_global_verify_record() down in smbXsrv_open.c via a93d93a97df smbd: Use generate_nonce_buffer() in smbXsrv_open_global_allocate() from e8abe52df2d s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5). 
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit cc4e11d02826526e61e85e1a939c515d01323dcb Author: Volker Lendecke Date: Wed Jan 11 11:02:11 2023 +0100 smbd: Remove smbXsrv_open_global0->db_rec The only user by now was net serverid wipedbs, and there it was easy to replace Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Feb 13 10:49:43 UTC 2023 on atb-devel-224 commit 1bd16bc6d451e810dc215e7638de483a6e2d04a6 Author: Volker Lendecke Date: Wed Jan 11 10:54:37 2023 +0100 smbd: Use dbwrap_do_locked() in smb2srv_open_recreate() Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit fede6b9f4652588825fdd4b458fcf23250339e79 Author: Stefan Metzmacher Date: Tue Jan 31 12:39:06 2023 +0100 smbd: rename 'op' into 'global' in smbXsrv_open_cleanup_fn() Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke commit ca872ad6ba1c7f84af5a9be89de5d2973d2cd87e Author: Volker Lendecke Date: Tue Jan 10 12:29:18 2023 +0100 smbd: let smbXsrv_open_cleanup() delete broken records Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Volker Lendecke Signed-off-by: Stefan Metzmacher commit a69950db4a7344ee1bec8fc7b66a402597f578a2 Author: Volker Lendecke Date: Tue Jan 10 12:29:18 2023 +0100 smbd: Use dbwrap_do_locked() in smbXsrv_open_cleanup() Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit 62a66331934b298f9df1e661b61cb4c193d1a5a0 Author: Volker Lendecke Date: Tue Jan 10 11:59:07 2023 +0100 smbd: Use dbwrap_do_locked() in smbXsrv_open_close() Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit 26b29ecbb9dbc518856cd59629e1d291540e4ba7 Author: Volker Lendecke Date: Sun Jan 8 21:04:25 2023 +0100 smbd: Use dbwrap_do_locked() in smbXsrv_open_update() Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit bfede670bd4152d22897ee52a176dd6e620974e6 Author: Volker Lendecke Date: Thu Jan 26 09:08:27 2023 +0100 smbd: Use 
dbwrap_do_locked() in smbXsrv_open_global_allocate() Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit 84d22dc5f57393baf5a914815eedd9536e398026 Author: Volker Lendecke Date: Fri Jan 6 17:12:23 2023 +0100 smbd: Make smbXsrv_open_global_allocate() store the record Micro-step towards using dbwrap_do_locked() Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit 95e3ad7e4378e1d82da8eb745147539a96a28f8c Author: Volker Lendecke Date: Thu Jan 5 16:18:37 2023 +0100 smbd: Simplify smbXsrv_open_global_store() Avoid the dependency on global->db_rec. This makes the callers more verbose, but it makes the data dependencies much more obvious. This will enable removing smbXsrv_open_global0->db_rec at some point. Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit fafebc46c8bf624736995f3a87819b3c075cb383 Author: Volker Lendecke Date: Thu Jan 26 08:46:31 2023 +0100 smbd: Move smbXsrv_open_global_verify_record() down in smbXsrv_open.c Avoid prototypes Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit a93d93a97df9ffb1c76c9923e147743d6865ff6a Author: Volker Lendecke Date: Fri Jan 6 16:46:11 2023 +0100 smbd: Use generate_nonce_buffer() in smbXsrv_open_global_allocate() We don't need anything cryptographic for persistent file handle ids Signed-off-by: Volker Lendecke Reviewed-by: Stefa
[SCM] Samba Shared Repository - annotated tag ldb-2.7.1 created
The annotated tag, ldb-2.7.1 has been created at 342e0820c0507e07d404ee53e26c1a00b40321d3 (tag) tagging 550faa99fc81520ada220fe1fd972984522c14f2 (commit) replaces samba-4.18.0rc2 tagged by Stefan Metzmacher on Mon Feb 6 16:54:23 2023 +0100 - Log - ldb: tag release ldb-2.7.1 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmPhIq8ACgkQR5ORYRMI QCVfQQf9Hped34JEx+8OVlnZ5MlUk+cP0N+LwqY6A0riBU9zQdirIceUwfcJlUXp dkdkrhfzHhDRpLI0IJD7bhxcdPiCR7VK2Q/g+hPoFiyOZwy18lqLYFaEqWgrTmKV ibqAvkypFStKBotjUx6KdI3Quow8HCLmlbNNWZgEn+u/m8/SYyNozQ95uAyswl+O i00fy29F7KQRDfqJYjHOyNdGwQY1FyJEBDll53/S6aetB5SU52xjyszee+QODWnA UncwOQWcDS17tkK2I/EBqJWYaSQLMzIXQVrSD82wGAYRw5DdjaUT+MLXTXU9zoT3 k/u+EnwrWXTeI1G7ixX+4a/++XKw8A== =BQLB -END PGP SIGNATURE- Jule Anger (2): VERSION: Bump version up to Samba 4.18.0rc3... WHATSNEW: fix typo Samuel Thibault (1): replace: provide PIPE_BUF on GNU/Hurd Stefan Metzmacher (4): replace: remove unused configure checks for port_create() tevent: remove the already removed tevent_port.c also from the build tevent: version 0.14.1 ldb: version 2.7.1 --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag tevent-0.14.1 created
The annotated tag, tevent-0.14.1 has been created at bc0ca553a4abf1fc1ca9d994d9450d71c6cc82f0 (tag) tagging d80f28b081e515e32a480daf80b42cf782447a9c (commit) replaces samba-4.18.0rc1 tagged by Stefan Metzmacher on Fri Feb 3 10:52:00 2023 +0100 - Log - tevent: tag release tevent-0.14.1 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmPc2UAACgkQR5ORYRMI QCWcxAf/cQttDdJ4KbAoufU5dVBHHBjA2C33vP2wShpYp9/HFtXAoUY0v+XRc2Tf k5vFhiYiftzgxPSF9u2MUDj2xDXnTd39/5Gt52F6RoP8COqQ4CNpP9NINDtK3NhI 5UimpCuHqZRswl8tFcvC564InGYu8ui4EdqWB830qq1hSJDEkmEpVhbHmCqQ3YIa UgRZZBfDZVvwdwxDTwhxPyFy+r1ALnssBJIIN9+sbFsxiGR+xce5Oq+ValTmLeSr awqN1hSUi/uubOP7GRpXAmzDxXgFPp+Z4MD/hd8jtLVJGmweCOLoirqLpSVk7hbf zLXmSVEc0U3EX7ReA25Pq1SRHS9pNw== =xqkS -END PGP SIGNATURE- Andreas Schneider (10): python: Don't use deprecated escape sequences lib:util: Remove trailing whitespaces from time.c lib:util: Print data in ISO 8601 format lib:param: Remove trailing whitespaces from loadparm.c param: Use a higher time resolution for lp_file_list_changed() python:tests: Avoid exceptions in cleanup code if a test fails in smb3unix.py selftest: Only run samba.tests.smb3unix in developer mode s3:tests: Add support for SMBD_DONT_LOG_STDOUT=1 in test_chdir_cache.sh selftest: Update devel_env.sh for SAMBA_DCERPCD_DONT_LOG_STDOUT=1 script:autobuild: Make sure we can send a failure mail Andrew Bartlett (22): s4-dsdb: Rework dsdb_find_dn_by_guid() to use GUID_buf_string() s4-dsdb: Add tests of SamDB.get_nc_root() s4-selftest/drs Add test of expected return code for invaid DNs in GetNCChanges s4-selftest/drs Allow some DRS tests to operate against an IP s4-selftest/drs Allow re-run of DRS tests after failed cleanup s4-selftest/drs: Confirm GetNCChanges REPL_OBJ works with a DummyDN and real GUID s4-selftest/drs: Confirm GetNCChanges full replication works with a DummyDN and real GUID s4-selftest/drs: Confirm GetNCChanges REPL_SECRET works with a DummyDN and real GUID s4-dsdb: Schedule SD propegation only after 
successful rename s4-dsdb: Make dsdb_find_nc_root() first try and use DSDB_CONTROL_CURRENT_PARTITION_OID s4-dsdb: Add better debugging to dsdb_objects_have_same_nc() s4-dsdb: Add dsdb_normalise_dn_and_find_nc_root() around dsdb_find_nc_root() s4-rpc_server/drsuapi: Use dsdb_normalise_dn_and_find_nc_root() s4-dsdb: rework drs_ObjectIdentifier_to_dn() into drs_ObjectIdentifier_to_dn_and_nc_root() s4-drs: Make drs_ObjectIdentifier_to_dn() safer and able to cope with DummyDN values s4-rpc_server/drsuapi: Return correct error code for an invalid DN to EXOP_REPL_OBJ/EXOP_REPL_OBJ s4-dsdb: Split samdb_get_ntds_obj_by_guid() out of samdb_is_rodc() s4-dsdb: Require that the NTDS object is an nTDSDSA objectclass s4-drsuapi: Use samdb_get_ntds_obj_by_guid() to find RODC in REPL_SECRET s4-rpc_server: Pre-check destination_dsa_guid in GetNCChanges for validity s4-drsuapi: Clarify role of drs_security_access_check_nc_root() s4-drsuapi: Give an error that matches windows on destination_dsa_guid lookup failure David Mulder (14): samba-tool: gpo show command list policies samba-tool: Move create_directory_hier to a common file samba-tool: Move smb_connection to a common file samba-tool: gpo load/remove commands samba-tool: Test gpo load/remove commands samba-tool: gpo load/remove bytes samba-tool: gpo load/remove increment GPT.INI samba-tool: gpo load extension names samba-tool: gpo load add Registry ext by default samba-tool: gpo load set ntacl with SYSVOL file creation samba-tool: gpo load provide option for replace vs merge samba-tool: gpo show/load handle utf-16-le strings samba-tool: Test gpo show/load handling of utf-16-le strings samba-tool: Use ntstatus constants in gpo commands Jeremy Allison (1): s3:lib: Change file_modtime() to return an error code and a struct timespec. Joseph Sutton (1): python: Replace calls to deprecated methods Jule Anger (2): VERSION: Bump version up to 4.19.0pre1... WHATSNEW: Start release notes for Samba 4.19.0pre1. 
Michael Tokarev (1): spelling fixes for 4.18 (errror implemenation proces Controler) Noel Power (1): s3/lib: Prevent use after free of messaging_ctdb_fde_ev structs Pavel Filipenský (10): debug: Fix whitespaces in debug.c debug: Call depth: Interface debug: Call depth: Print ", depth=..." in the debug header debug: Call depth: Indent the debug text s3:winbind: Activate the call depth tracking in main winbindd s3:winbind: Deactivate call depth tracking in child winbindd s3:winbind: Move tevent_req_create() before debug macr
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0f2978bbc0e s4-drsuapi: Give an error that matches windows on destination_dsa_guid lookup failure via 1838f349c94 s4-drsuapi: Clarify role of drs_security_access_check_nc_root() via 115a3a10440 s4-rpc_server: Pre-check destination_dsa_guid in GetNCChanges for validity via 09ec6a1db2d s4-drsuapi: Use samdb_get_ntds_obj_by_guid() to find RODC in REPL_SECRET via adb776149e5 s4-dsdb: Require that the NTDS object is an nTDSDSA objectclass via d5a2af3feae s4-dsdb: Split samdb_get_ntds_obj_by_guid() out of samdb_is_rodc() via cbe18353d8d s4-rpc_server/drsuapi: Return correct error code for an invalid DN to EXOP_REPL_OBJ/EXOP_REPL_OBJ via 73f3ece8b2b s4-drs: Make drs_ObjectIdentifier_to_dn() safer and able to cope with DummyDN values via aee2039e63c s4-dsdb: rework drs_ObjectIdentifier_to_dn() into drs_ObjectIdentifier_to_dn_and_nc_root() via e96dfc74b3e s4-rpc_server/drsuapi: Use dsdb_normalise_dn_and_find_nc_root() via 8e1122420ef s4-dsdb: Add dsdb_normalise_dn_and_find_nc_root() around dsdb_find_nc_root() via 0f501b2316a s4-dsdb: Add better debugging to dsdb_objects_have_same_nc() via d0444be4b74 s4-dsdb: Make dsdb_find_nc_root() first try and use DSDB_CONTROL_CURRENT_PARTITION_OID via 7032b86cd5c s4-dsdb: Schedule SD propegation only after successful rename via 7c43388576f s4-selftest/drs: Confirm GetNCChanges REPL_SECRET works with a DummyDN and real GUID via 539221dda33 s4-selftest/drs: Confirm GetNCChanges full replication works with a DummyDN and real GUID via 70faccae6d5 s4-selftest/drs: Confirm GetNCChanges REPL_OBJ works with a DummyDN and real GUID via 3204d1350b2 s4-selftest/drs Allow re-run of DRS tests after failed cleanup via a150a2dcb1f s4-selftest/drs Allow some DRS tests to operate against an IP via bee45e6b29b s4-selftest/drs Add test of expected return code for invaid DNs in GetNCChanges via 2c7bb58703c s4-dsdb: Add tests of SamDB.get_nc_root() via d43adae8559 s4-dsdb: Rework dsdb_find_dn_by_guid() to use 
GUID_buf_string() from f6712c70986 script:autobuild: Make sure we can send a failure mail https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0f2978bbc0ed5b65d75c20472650a749643312e7 Author: Andrew Bartlett Date: Wed Jan 25 15:24:57 2023 +1300 s4-drsuapi: Give an error that matches windows on destination_dsa_guid lookup failure BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Jan 31 13:43:54 UTC 2023 on atb-devel-224 commit 1838f349c94b878de1740af35351a2e8e0c8cffb Author: Andrew Bartlett Date: Wed Jan 25 16:01:48 2023 +1300 s4-drsuapi: Clarify role of drs_security_access_check_nc_root() BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 115a3a10440f44ba11029be5ae3a05534a7b98c0 Author: Andrew Bartlett Date: Wed Jan 25 14:18:11 2023 +1300 s4-rpc_server: Pre-check destination_dsa_guid in GetNCChanges for validity This allows our new tests to pass as these need to be checked first. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 09ec6a1db2d3b831548bf7d66475c486be29b1d1 Author: Andrew Bartlett Date: Wed Jan 25 15:24:01 2023 +1300 s4-drsuapi: Use samdb_get_ntds_obj_by_guid() to find RODC in REPL_SECRET We need to find the RODC per the destination_dsa_guid to mark the secrets as having been replicated, and by using samdb_get_ntds_obj_by_guid() we are stricter in the checks, as the RODC has to be the right objectClass (nTDSDSA) and under the CN=Configuration partition. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit adb776149e5ac0eb346992775610627106e1a986 Author: Andrew Bartlett Date: Wed Jan 25 15:18:47 2023 +1300 s4-dsdb: Require that the NTDS object is an nTDSDSA objectclass This should avoid a user being able to specify the GUID of a different type of object. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit d5a2af3feae98057ba29de444d308d499d633941 Author: Andrew Bartlett Date: Wed Jan 25 15:17:44 2023 +1300 s4-dsdb: Split samdb_get_ntds_obj_by_guid() out of samdb_is_rodc() This will allow the logic here to be tightened up and shared in the next few commits. BUG: https://bugzilla.samba.org
Re: [SCM] Samba Shared Repository - branch master updated
Am 24.01.23 um 10:16 schrieb Volker Lendecke: The branch, master has been updated via f7b50bc059d smbd: Use smbXsrv_open_global_parse_record() in .._verify_record() via 132b83d0659 smbd: Simplify smbXsrv_open_global_parse_record() via 2f6776741dc smbd: Move smbXsrv_open_global_parse_record() up in smbXsrv_open.c via 3c779de8cf9 smbd: Simplify smbXsrv_open_global_verify_record() via f1a66267bcf smbd: Save a few lines in smb2srv_open_lookup_replay_cache() via 35a32171b50 smbd: Fix a typo from 253891032ee python: Don't use deprecated escape sequences https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f7b50bc059d1b5c7e40cdc4e88ef5ee16f7db670 Author: Volker Lendecke Date: Thu Jan 19 12:29:20 2023 +0100 smbd: Use smbXsrv_open_global_parse_record() in .._verify_record() Signed-off-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Tue Jan 24 09:15:26 UTC 2023 on atb-devel-224 commit 132b83d0659ddc25a96327edc1c7dd23b17a56fd Author: Volker Lendecke Date: Thu Jan 19 12:25:21 2023 +0100 smbd: Simplify smbXsrv_open_global_parse_record() It does not need a db_record. Signed-off-by: Volker Lendecke commit 2f6776741dc6469d78b94da22d75f26a5fc9 Author: Volker Lendecke Date: Thu Jan 19 12:22:33 2023 +0100 smbd: Move smbXsrv_open_global_parse_record() up in smbXsrv_open.c Avoid a prototype in the next patches Signed-off-by: Volker Lendecke commit 3c779de8cf99d0936956a12484fd726d5be46c7e Author: Volker Lendecke Date: Fri Jan 6 16:25:03 2023 +0100 smbd: Simplify smbXsrv_open_global_verify_record() Don't depend on the record to be passed in, return NTSTATUS. 
The two flags were a bit confusing to me, now NT_STATUS_OK means "found a valid record with a live process", and NT_STATUS_FATAL_APP_EXIT means we found a stale record from a crashed smbd Signed-off-by: Volker Lendecke commit f1a66267bcfcd48f3c7ca2ada3f62d40209163e3 Author: Volker Lendecke Date: Wed Jan 11 11:44:29 2023 +0100 smbd: Save a few lines in smb2srv_open_lookup_replay_cache() Directly initialize variables, don't leave dangling pointers in TDB_DATA Signed-off-by: Volker Lendecke commit 35a32171b5067d5b80acffc99f8d43cdc7f5f9a7 Author: Volker Lendecke Date: Wed Jan 11 08:18:35 2023 +0100 smbd: Fix a typo Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher These were all reviewed by me... metze
[SCM] Samba Shared Repository - branch v4-18-test updated
The branch, v4-18-test has been updated via 1886a72d966 VERSION: Bump version up to 4.18.0rc2... from fbba9a24796 VERSION: Disable GIT_SNAPSHOT for the Samba 4.18.0rc1 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test - Log - commit 1886a72d966dba78246fff8ee465b02384214b01 Author: Stefan Metzmacher Date: Thu Jan 19 13:43:44 2023 +0100 VERSION: Bump version up to 4.18.0rc2... and re-enable GIT_SNAPSHOT. Signed-off-by: Stefan Metzmacher Autobuild-User(v4-18-test): Stefan Metzmacher Autobuild-Date(v4-18-test): Thu Jan 19 14:33:06 UTC 2023 on atb-devel-224 --- Summary of changes: VERSION | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 97e56c10a35..e7078e58136 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=1 +SAMBA_VERSION_RC_RELEASE=2 # To mark SVN snapshots this should be set to 'yes'# @@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=1 # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # -SAMBA_VERSION_IS_GIT_SNAPSHOT=no +SAMBA_VERSION_IS_GIT_SNAPSHOT=yes # This is for specifying a release nickname# -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 84f56f2b98b ldb: change the version to 2.8.0 for Samba 4.19 via 6c4775021b5 WHATSNEW: Start release notes for Samba 4.19.0pre1. via d6634f29632 VERSION: Bump version up to 4.19.0pre1... via fbba9a24796 VERSION: Disable GIT_SNAPSHOT for the Samba 4.18.0rc1 release. via 0c9b310e239 WHATSNEW: Up to Samba 4.18.0rc1. via f972b1ea061 ldb: version 2.7.0 via 3c6d28ebae2 tevent: version 0.14.0 via c5d5ebb60d4 tevent: Call depth tracking via 07251f562c6 tevent: expose tevent_find_ops_byname() to callers via ab49d9ee4ee tevent: allow the "standard" backend to be overloaded via 147a317b7b9 tevent: remove solaris port backend via 620ad8af466 tevent: remove unused register_backend() from python bindings via eb05fe87bf7 tevent: remove unused tevent_liboop.c via 77c828e1248 tevent: Fix trailing whitespaces in tevent.c via f6a6d917e10 tevent: use samba_tevent_set_debug() in testsuite.c via 96e4be0a799 lib/util: install a tevent_abort callback using smb_panic() via a92150ed0ef s4:lib/events: let s4_event_context_init() use samba_tevent_context_init() via eab796a4f91 tdb: version 1.4.8 via 5224ed98eeb talloc: version 2.4.0 from 7105554cb05 bootstrap: Update to Ubuntu 22.04 as base default OS https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 84f56f2b98b99d6a03f26e53896298461ef66da6 Author: Stefan Metzmacher Date: Wed Jan 18 11:53:33 2023 +0100 ldb: change the version to 2.8.0 for Samba 4.19 Signed-off-by: Stefan Metzmacher Signed-off-by: Jule Anger Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jan 18 17:25:51 UTC 2023 on atb-devel-224 commit 6c4775021b583517143f731314f07b2f011c8421 Author: Jule Anger Date: Wed Jan 18 16:50:10 2023 +0100 WHATSNEW: Start release notes for Samba 4.19.0pre1. Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit d6634f296329fff11d3f0fe8bfff19719dd4c2dd Author: Jule Anger Date: Wed Jan 18 16:47:32 2023 +0100 VERSION: Bump version up to 4.19.0pre1... 
and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit fbba9a24796c4887d42667a7bedeb4d7f2a428e5 Author: Jule Anger Date: Wed Jan 18 16:44:14 2023 +0100 VERSION: Disable GIT_SNAPSHOT for the Samba 4.18.0rc1 release. Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit 0c9b310e239fa886c7f56bc052133f8492dc6e5f Author: Jule Anger Date: Wed Jan 18 16:43:03 2023 +0100 WHATSNEW: Up to Samba 4.18.0rc1. Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit f972b1ea061ca451d269df9a2b0ab53c7651d908 Author: Stefan Metzmacher Date: Wed Jan 18 15:53:46 2023 +0100 ldb: version 2.7.0 * Support python 3.12 * Have python functions operating on DNs raise LdbError * don't call comparison() directly in LDB_TYPESAFE_QSORT * Use ldb_ascii_toupper() for case folding to support tr_TR.UTF-8 and other dotless i locales, see https://bugzilla.samba.org/show_bug.cgi?id=15248 Signed-off-by: Stefan Metzmacher Signed-off-by: Jule Anger commit 3c6d28ebae27dba8e40558ae37ae8138ea0b4bdc Author: Stefan Metzmacher Date: Wed Nov 9 13:32:04 2022 +0100 tevent: version 0.14.0 - Support python 3.12 - remove solaris port backend (it's not maintainable) - make tevent_find_ops_byname() available for callers. - allow the "standard" backend to be overloaded - add interface for request/subrequest call depth tracking: - tevent_thread_call_depth_activate - tevent_thread_call_depth_deactivate - tevent_thread_call_depth_start - tevent_thread_call_depth_stop - tevent_thread_call_depth_reset_from_req Note the changes to ABI/tevent-0.13.0.sigs only revert the temporary changes made there... Signed-off-by: Stefan Metzmacher Reviewed-by: Pavel Filipenský Reviewed-by: Volker Lendecke commit c5d5ebb60d46d7b4717d23ca8d2cf1b14c7ff7e5 Author: Pavel Filipenský Date: Thu Jun 16 16:23:22 2022 +0200 tevent: Call depth tracking The change to lib/tevent/ABI/tevent-0.13.0.sigs will be reverted in the commit for the 0.14.0 release... 
Signed-off-by: Pavel Filipenský Reviewed-by: Stefan Metzmacher Reviewed-by: Volker Lendecke commit 07251f562c6cd777394b3ffa29525a69f5ceffc4 Author: Stefan Metzmacher Date: Fri Oct 28 14:10:15 2022 +0200 tevent: expose tevent_find_ops_byname() to callers This makes it more flexible and allow a caller to overload a tevent backend. Which will be used by Samba in order to glue in io_uring support. Signed-off-by: Stefan Metz
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7105554cb05 bootstrap: Update to Ubuntu 22.04 as base default OS from 25aa870fed5 third_party: Update uid_wrapper to version 1.3.0 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7105554cb05224373c296f8063498c9366b7f285 Author: Stefan Metzmacher Date: Wed Nov 2 16:56:31 2022 +0100 bootstrap: Update to Ubuntu 22.04 as base default OS We'll try to move autobuild to ubuntu 22.04 soon. Note we leave ubuntu 18.04 for the coverage and 32bit builds for now. As well as 20.04 for samba-fuzz. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jan 18 14:17:23 UTC 2023 on atb-devel-224 --- Summary of changes: .gitlab-ci-main.yml | 15 +++ bootstrap/.gitlab-ci.yml | 3 +++ bootstrap/config.py | 7 +++ bootstrap/generated-dists/Vagrantfile | 7 +++ .../generated-dists/{debian11 => ubuntu2204}/Dockerfile | 2 +- .../{ubuntu1804 => ubuntu2204}/bootstrap.sh | 2 +- .../generated-dists/{centos7 => ubuntu2204}/locale.sh | 0 .../{ubuntu2004 => ubuntu2204}/packages.yml | 2 +- bootstrap/sha1sum.txt | 2 +- 9 files changed, 32 insertions(+), 8 deletions(-) copy bootstrap/generated-dists/{debian11 => ubuntu2204}/Dockerfile (93%) copy bootstrap/generated-dists/{ubuntu1804 => ubuntu2204}/bootstrap.sh (97%) copy bootstrap/generated-dists/{centos7 => ubuntu2204}/locale.sh (100%) copy bootstrap/generated-dists/{ubuntu2004 => ubuntu2204}/packages.yml (97%) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 8bc33ecfc4d..e725bfd0775 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml 
@@ -47,12 +47,12 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: ae284a5a64fcff65729bf50b5b0cfdba16afc682 + SAMBA_CI_CONTAINER_TAG: 790c229c42a67336099420d137fa9dc9974a133a # - # We use the ubuntu1804 image as default as - # it matches what we have on sn-devel-184. + # We use the ubuntu2204 image as default as + # it matches what we have on atb-devel-224 # - SAMBA_CI_CONTAINER_IMAGE: ubuntu1804 + SAMBA_CI_CONTAINER_IMAGE: ubuntu2204 # # The following images are available # Please see the samba-o3 sections at the end of this file! @@ -61,6 +61,7 @@ variables: SAMBA_CI_CONTAINER_IMAGE_ubuntu1804: ubuntu1804 SAMBA_CI_CONTAINER_IMAGE_ubuntu1804_32bit: ubuntu1804-32bit SAMBA_CI_CONTAINER_IMAGE_ubuntu2004: ubuntu2004 + SAMBA_CI_CONTAINER_IMAGE_ubuntu2204: ubuntu2204 SAMBA_CI_CONTAINER_IMAGE_debian11: debian11 SAMBA_CI_CONTAINER_IMAGE_opensuse154: opensuse154 SAMBA_CI_CONTAINER_IMAGE_fedora37: fedora37 @@ -375,6 +376,7 @@ samba-libs: samba-fuzz: extends: .shared_template variables: +# We match what Google is running over at oss-fuzz SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu2004} ctdb: @@ -631,6 +633,11 @@ ubuntu2004-samba-o3: variables: SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu2004} +ubuntu2204-samba-o3: + extends: .samba-o3-template + variables: +SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu2204} + debian11-samba-o3: extends: .samba-o3-template variables: diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index fee2861e6ea..be1e14b4b14 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -99,6 +99,9 @@ ubuntu1804-32bit: ubuntu2004: extends: .build_image_template +ubuntu2204: + extends: .build_image_template + debian11: extends: .build_image_template diff --git a/bootstrap/config.py b/bootstrap/config.py index bbcd45a044c..d2ad4503430 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py 
@@ -441,6 +441,13 @@ DEB_DISTS = { 'liburing-dev': '', # not available } }, +'ubuntu2204': { +'docker_image': 'ubuntu:22.04', +'vagrant_box': 'ubuntu/jammy64', +'replace': { +'libtracker-sparql-2.0-dev': '', # only tracker 3.x is available +}, +} } diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 64ab54d2682..d67db745c8d 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -73,5 +73,12 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "ubuntu2004/locale.sh" end +config.vm.define "ubuntu2204" do |v| +
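Review bot: The new `ubuntu2204` entry names its base image only by the mutable tag `'docker_image': 'ubuntu:22.04'`, while the CI image is identified by SAMBA_CI_CONTAINER_TAG, which the .gitlab-ci-main.yml comment describes as the contents of bootstrap/sha1sum.txt. Assuming that checksum covers only the bootstrap files, two rebuilds under the same tag can start from different base layers. If the other DEB_DISTS entries (outside this hunk) use the same tag-only form this is consistent with them, but since this image becomes the default for autobuild it would help to either record a digest, e.g. `'docker_image': 'ubuntu:22.04@sha256:<digest-placeholder>',` (provided the template passes the value through unchanged), or add a comment saying the floating tag is intentional so that security updates are picked up. The same applies to `'vagrant_box': 'ubuntu/jammy64'`, which carries no box version.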
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 25aa870fed5 third_party: Update uid_wrapper to version 1.3.0 via 77110bc9e8a third_party: Update socket_wrapper to version 1.4.0 via 35ee3e0231a ctdb: Fix the build on FreeBSD via 99de0cf6ff0 smbd: Modernize DBG statements in smbXsrv_open_global_store() via c6f1e3a6a20 smbd: Make smbXsrv_open_global_id_to_key() a bit more type-safe via 824b54174d8 smbd: Directly initialize key in smbXsrv_open_global_fetch_locked() via 6deee159f1d smbd: Remove unused smbXsrv_open_global_key_to_id() via a39a3400ba6 smbd: Slightly simplify smbXsrv_open_create() via b88db811db9 smbd: Remove smbXsrv_open_global_destructor() via d55880d93dc smbd: Slightly simplify smb2srv_open_recreate() from 8fbadada8c0 lib/tsocket: fix a typo in the tsocket guide doc https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 25aa870fed548805a8cf64037a01ce0c87c6a01f Author: Stefan Metzmacher Date: Mon Jan 16 22:14:03 2023 +0100 third_party: Update uid_wrapper to version 1.3.0 This is mainly needed in order to have some interaction with socket_wrapper 1.4.0 regarding the implementation of syscall(). Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jan 18 12:47:48 UTC 2023 on sn-devel-184 commit 77110bc9e8a09ebefaa42eb4fd3a7449373fec9a Author: Stefan Metzmacher Date: Mon Jan 16 22:13:35 2023 +0100 third_party: Update socket_wrapper to version 1.4.0 The key feature is support for sendmmsg and recvmmsg, which is required by modern libuv versions, e.g. nsupdate -g makes use of libuv, so we need this for samba. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 35ee3e0231ac95cc81dee32eb8efd97e0c3016f9 Author: Volker Lendecke Date: Wed Jan 18 08:59:17 2023 +0100 ctdb: Fix the build on FreeBSD "basename" is define in libgen.h included from system/dir.h 
Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit 99de0cf6ff085476191d6f3e63327c5068a233f8 Author: Volker Lendecke Date: Thu Jan 5 16:06:40 2023 +0100 smbd: Modernize DBG statements in smbXsrv_open_global_store() Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit c6f1e3a6a201429e1c9abf027b7abd7eb8fe2f1b Author: Volker Lendecke Date: Wed Jan 4 20:09:32 2023 +0100 smbd: Make smbXsrv_open_global_id_to_key() a bit more type-safe Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit 824b54174d842a2e9e7a0f5f60998b478b6d82f2 Author: Volker Lendecke Date: Wed Jan 11 14:07:42 2023 +0100 smbd: Directly initialize key in smbXsrv_open_global_fetch_locked() Don't leave the key.dptr pointer uninitialized Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit 6deee159f1d7fd4876f774d435998d16b89da37d Author: Volker Lendecke Date: Wed Jan 4 16:50:01 2023 +0100 smbd: Remove unused smbXsrv_open_global_key_to_id() This isn't exactly rocket science we would need to keep around Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit a39a3400ba65b4357d3608d2e423576d2b6ed1e3 Author: Volker Lendecke Date: Wed Jan 4 14:30:28 2023 +0100 smbd: Slightly simplify smbXsrv_open_create() Move allocation of smbXsrv_open_global0 out of smbXsrv_open_global_allocate() Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit b88db811db9d2c12838e7ca33352b68abf7c64ad Author: Volker Lendecke Date: Wed Jan 11 14:01:29 2023 +0100 smbd: Remove smbXsrv_open_global_destructor() This did not do much. Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit d55880d93dc46bf09b4de1a848a1c46e5de2302d Author: Volker Lendecke Date: Wed Jan 4 14:05:55 2023 +0100 smbd: Slightly simplify smb2srv_open_recreate() This moves the bit-fiddling right next to the check we do, "global_zeros" was only used for this one purpose and its assignment was a few lines away. 
Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher --- Summary of changes: ctdb/server/ctdb_mutex_fcntl_helper.c | 1 + source3/smbd/smbXsrv_open.c | 120 ++-- third_party/socket_wrapper/socket_wrapper.c | 887 +++- third_party/socket_wrapper/wscript | 14 + third_party/uid_wrapper/uid_wrapper.c | 600 --- 5 files changed, 1454 insertions(+), 168 deletions(-) Changeset truncated at 500 lines: diff --git a/ctdb/server/ctdb_mutex_fcntl_helper.c b/ctdb/server/ctdb_mutex_
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7545e2c77b6 nsswitch: avoid calling pthread_getspecific() on an uninitialized key via 0d096931196 s4:lib/messaging: fix interaction between imessaging_context_destructor and irpc_destructor via c29c487c5ab third_party: Update waf to version 2.0.25 from dd86376294f smbd: Fix indentation https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7545e2c77b69fc57e436e3ed298fdb68033ce49f Author: Ralph Boehme Date: Thu Jan 5 16:25:11 2023 +0100 nsswitch: avoid calling pthread_getspecific() on an uninitialized key Found by ASAN: $ bin/stress-nss-libwbclient ... ==1639426==ERROR: AddressSanitizer: unknown-crash on address 0x7f3907d85000 at pc 0x7f3907d649fb bp 0x7ffc6545f5b0 sp 0x7ffc6545f5a8 READ of size 4 at 0x7f3907d85000 thread T0 #0 0x7f3907d649fa in winbind_close_sock ../../nsswitch/wb_common.c:220 #1 0x7f3907d65866 in winbind_destructor ../../nsswitch/wb_common.c:246 #2 0x7f3907da5d3d in _dl_fini /usr/src/debug/glibc-2.35-20.fc36.x86_64/elf/dl-fini.c:142 #3 0x7f3907241044 in __run_exit_handlers (/lib64/libc.so.6+0x41044) #4 0x7f39072411bf in exit (/lib64/libc.so.6+0x411bf) #5 0x7f3907229516 in __libc_start_call_main (/lib64/libc.so.6+0x29516) #6 0x7f39072295c8 in __libc_start_main_impl (/lib64/libc.so.6+0x295c8) #7 0x56236a2042b4 in _start (/data/git/samba/scratch3/bin/default/nsswitch/stress-nss-libwbclient+0x22b4) Address 0x7f3907d85000 is a wild pointer inside of access range of size 0x0004. SUMMARY: AddressSanitizer: unknown-crash ../../nsswitch/wb_common.c:220 in winbind_close_sock The pthread key in wb_global_ctx.key is only initialized if wb_thread_ctx_initialize() is called via get_wb_global_ctx() -> get_wb_thread_ctx(). 
Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Jan 6 15:04:46 UTC 2023 on sn-devel-184 commit 0d096931196524a2d1bf59470bc629dc9231131e Author: Stefan Metzmacher Date: Sat Dec 31 01:24:57 2022 +0100 s4:lib/messaging: fix interaction between imessaging_context_destructor and irpc_destructor BUG: https://bugzilla.samba.org/show_bug.cgi?id=15280 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme commit c29c487c5ab68560a73012a2dddad78009b08eef Author: Andreas Schneider Date: Wed Jan 4 09:39:45 2023 +0100 third_party: Update waf to version 2.0.25 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher --- Summary of changes: buildtools/bin/waf | 2 +- buildtools/wafsamba/wafsamba.py| 2 +- nsswitch/wb_common.c | 22 +++- source4/lib/messaging/messaging.c | 13 +++ source4/lib/messaging/messaging_internal.h | 3 + third_party/waf/waflib/Configure.py| 2 +- third_party/waf/waflib/Context.py | 6 +- third_party/waf/waflib/TaskGen.py | 2 +- third_party/waf/waflib/Tools/msvc.py | 2 +- third_party/waf/waflib/Tools/python.py | 62 ++- third_party/waf/waflib/Utils.py| 15 +++ third_party/waf/waflib/extras/cpplint.py | 2 +- .../waflib/extras/{fc_nfort.py => fc_fujitsu.py} | 26 ++--- third_party/waf/waflib/extras/gccdeps.py | 2 +- third_party/waf/waflib/extras/pyqt5.py | 18 +-- third_party/waf/waflib/extras/sphinx.py| 55 + third_party/waf/waflib/extras/wafcache.py | 123 - 17 files changed, 243 insertions(+), 114 deletions(-) copy third_party/waf/waflib/extras/{fc_nfort.py => fc_fujitsu.py} (60%) Changeset truncated at 500 lines: diff --git a/buildtools/bin/waf b/buildtools/bin/waf index d9cba343623..f754b52a7bc 100755 --- a/buildtools/bin/waf +++ b/buildtools/bin/waf @@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE. import os, sys, inspect -VERSION="2.0.24" +VERSION="2.0.25" REVISION="x" GIT="x" INSTALL="x" 
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py index 79f352878a8..17a188f5036 100644 --- a/buildtools/wafsamba/wafsamba.py +++ b/buildtools/wafsamba/wafsamba.py @@ -38,7 +38,7 @@ LIB_PATH="shared" os.environ['PYTHONUNBUFFERED'] = '1' -if Context.HEXVERSION not in (0x2001800,): +if Context.HEXVERSION not in (0x2001900,): Logs.error(''' Please use the version of waf that comes with Samba, not a system installed version. See http://wiki.samba.org/index.php/Waf diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c i
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a6136b88174 Happy New Year 2023! from f28553105be s3:rpc_server/srvsvc: make sure we (re-)load all shares as root. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a6136b8817414176fd79575ce85b95f142f3c980 Author: Stefan Metzmacher Date: Sat Dec 31 23:24:28 2022 + Happy New Year 2023! Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sun Jan 1 00:24:02 UTC 2023 on sn-devel-184 --- Summary of changes: source3/include/smb.h | 2 +- source4/samba/server.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/smb.h b/source3/include/smb.h index cfaf922b461..67694cb3bc9 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -30,7 +30,7 @@ #include "libds/common/roles.h" /* logged when starting the various Samba daemons */ -#define COPYRIGHT_STARTUP_MESSAGE "Copyright Andrew Tridgell and the Samba Team 1992-2022" +#define COPYRIGHT_STARTUP_MESSAGE "Copyright Andrew Tridgell and the Samba Team 1992-2023" #define SAFETY_MARGIN 1024 #define LARGE_WRITEX_HDR_SIZE 65 diff --git a/source4/samba/server.c b/source4/samba/server.c index aeb441c21a0..1c80da0baba 100644 --- a/source4/samba/server.c +++ b/source4/samba/server.c @@ -622,7 +622,7 @@ static int binary_smbd_main(TALLOC_CTX *mem_ctx, binary_name, SAMBA_VERSION_STRING)); DEBUGADD(0,("Copyright Andrew Tridgell and the Samba Team" - " 1992-2022\n")); + " 1992-2023\n")); if (sizeof(uint16_t) < 2 || sizeof(uint32_t) < 4 || -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f28553105be s3:rpc_server/srvsvc: make sure we (re-)load all shares as root. via a00c7395fbc selftest: add samba3.blackbox.registry_share from 08be04bb930 s4:setup:tests: Use system ldbdump if we build with system ldb https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f28553105be7465026bcc0fcbbed6a1a8c2133dd Author: Stefan Metzmacher Date: Wed Dec 28 13:50:45 2022 +0100 s3:rpc_server/srvsvc: make sure we (re-)load all shares as root. This fixes a regression in commit f03665bb7e8ea97699062630f2aa1bac4c5dfc7f The use of reload_services() has a lot of side effects, e.g. reopen of log files and other things, which are only useful in smbd, but not in rpcd_classic. It was also unloading the user and registry shares we loaded a few lines above. We need to do all (re-)loading as root, otherwise we won't be able to read root only smb.conf files, access registry shares, ... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Walker Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Dec 29 21:14:02 UTC 2022 on sn-devel-184 commit a00c7395fbc7974a61a70ae54ea6ae6349933de2 Author: Stefan Metzmacher Date: Wed Dec 28 16:18:40 2022 +0100 selftest: add samba3.blackbox.registry_share This demonstrates the regression introduced by f03665bb7e8ea97699062630f2aa1bac4c5dfc7f, where registry shares are no longer listed. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Walker --- Summary of changes: selftest/target/Samba3.pm | 30 ++ source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 28 - source3/script/tests/test_registry_share.sh | 39 + source3/selftest/tests.py | 4 +++ 4 files changed, 89 insertions(+), 12 deletions(-) create mode 100755 source3/script/tests/test_registry_share.sh Changeset truncated at 500 lines: diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index a20f2fa3365..917c2957b97 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -532,6 +532,36 @@ sub setup_clusteredmember return undef; } + my $registry_share_template = "$node_ret->{SERVERCONFFILE}.registry_share_template"; + unless (open(REGISTRYCONF, ">$registry_share_template")) { + warn("Unable to open $registry_share_template"); + teardown_env($self, $node_ret); + teardown_env($self, $ctdb_data); + return undef; + } + + print REGISTRYCONF " +[registry_share] + copy = tmp + comment = smb username is [%U] +"; + + close(REGISTRYCONF); + + my $net = Samba::bindir_path($self, "net"); + my $cmd = ""; + + $cmd .= "UID_WRAPPER_ROOT=1 "; + $cmd .= "$net conf import $node_ret->{CONFIGURATION} ${registry_share_template}"; + + my $net_ret = system($cmd); + if ($net_ret != 0) { + warn("net conf import failed: $net_ret\n$cmd"); + teardown_env($self, $node_ret); + teardown_env($self, $ctdb_data); + return undef; + } + my $nmblookup = Samba::bindir_path($self, "nmblookup"); do { print "Waiting for the LOGON SERVER registration ...\n"; diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c index 8a0c63fd50e..7ca35856d96 100644 --- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c +++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c 
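Review bot: The template file is opened with the two-argument form and a bareword handle, `open(REGISTRYCONF, ">$registry_share_template")`, which lets leading characters of the interpolated path be read as part of the open mode, and neither `print REGISTRYCONF` nor `close(REGISTRYCONF)` is checked, so a short write would only show up later as a less helpful "net conf import failed". The three-argument form with a lexical handle avoids both: `unless (open(my $fh, '>', $registry_share_template)) {`, then `print $fh ...` and `close($fh) or warn("close $registry_share_template: $!");`. If the rest of Samba3.pm (not visible here) uses bareword handles throughout, staying consistent is defensible, but the close check is still worth adding. setup_clusteredmember starts and ends outside the hunk.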
@@ -644,30 +644,34 @@ static WERROR init_srv_share_info_ctr(struct pipes_struct *p, union srvsvc_NetShareCtr ctr; uint32_t resume_handle = resume_handle_p ? *resume_handle_p : 0; const char *unix_name = session_info->unix_info->unix_name; - int existing_home = lp_servicenumber(unix_name); + int existing_home = -1; int added_home = -1; WERROR ret = WERR_OK; DEBUG(5,("init_srv_share_info_ctr\n")); - /* Ensure all the usershares are loaded. */ + /* +* We need to make sure to reload the services for the c
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 87fddbad78d smbd/locking: make use of the same tdb hash_size and flags for all SMB related tdb's from 07617a344e1 s4-auth: fix sam test binary ntstatus include path https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 87fddbad78d9a9f6fe922efb7a87ded01996d6ec Author: Stefan Metzmacher Date: Mon Jun 17 07:36:01 2019 -0700 smbd/locking: make use of the same tdb hash_size and flags for all SMB related tdb's It's good to have a consistent set of hash_size/flags for all aspects of an open file handle. Currently we're using 4 databases: smbXsrv_open_global.tdb, leases.tdb, locking.tdb and brlock.tdb. While at it also crank up the hashsize if the smbXsrv_tcon and smbXsrv_session TDBs. The default TDB hash size is insanely small and disk space is cheap these days, by going with the much larger hash size we get O(1) lookup instead of O(n) for moderate to large loads with a few thousand objects. Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Dec 19 16:40:15 UTC 2022 on sn-devel-184 --- Summary of changes: source3/include/local.h | 8 ++-- source3/locking/brlock.c | 9 ++--- source3/locking/leases_db.c | 10 -- source3/locking/share_mode_lock.c | 7 ++- source3/smbd/smbXsrv_open.c | 7 ++- source3/smbd/smbXsrv_session.c| 7 ++- source3/smbd/smbXsrv_tcon.c | 7 ++- 7 files changed, 20 insertions(+), 35 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/local.h b/source3/include/local.h index 297e5572fdb..db53698ec44 100644 --- a/source3/include/local.h +++ b/source3/include/local.h 
@@ -173,8 +173,12 @@ #define MAX_LDAP_REPLICATION_SLEEP_TIME 5000 /* In milliseconds. */ -/* tdb hash size for the open database. */ -#define SMB_OPEN_DATABASE_TDB_HASH_SIZE 10007 +/* tdb hash size for the databases having one entry per open file. */ +#define SMBD_VOLATILE_TDB_HASH_SIZE 10007 + +/* tdb flags for the databases having one entry per open file. */ +#define SMBD_VOLATILE_TDB_FLAGS \ + (TDB_DEFAULT|TDB_VOLATILE|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH) /* Characters we disallow in sharenames. */ #define INVALID_SHARENAME_CHARS "%<>*?|/\\+=;:\"," diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c index d2e4abf48d7..d065c7fe03e 100644 --- a/source3/locking/brlock.c +++ b/source3/locking/brlock.c @@ -369,12 +369,7 @@ void brl_init(bool read_only) return; } - tdb_flags = - TDB_DEFAULT| - TDB_VOLATILE| - TDB_CLEAR_IF_FIRST| - TDB_INCOMPATIBLE_HASH| - TDB_SEQNUM; + tdb_flags = SMBD_VOLATILE_TDB_FLAGS | TDB_SEQNUM; db_path = lock_path(talloc_tos(), "brlock.tdb"); if (db_path == NULL) { @@ -383,7 +378,7 @@ void brl_init(bool read_only) } brlock_db = db_open(NULL, db_path, - SMB_OPEN_DATABASE_TDB_HASH_SIZE, tdb_flags, + SMBD_VOLATILE_TDB_HASH_SIZE, tdb_flags, read_only?O_RDONLY:(O_RDWR|O_CREAT), 0644, DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE); if (!brlock_db) { diff --git a/source3/locking/leases_db.c b/source3/locking/leases_db.c index 855d6143ad7..eae58f5fc82 100644 --- a/source3/locking/leases_db.c +++ b/source3/locking/leases_db.c @@ -46,12 +46,10 @@ bool leases_db_init(bool read_only) return false; } - leases_db = db_open(NULL, db_path, 0, - TDB_DEFAULT| - TDB_VOLATILE| - TDB_CLEAR_IF_FIRST| - TDB_SEQNUM| - TDB_INCOMPATIBLE_HASH, + leases_db = db_open(NULL, db_path, + SMBD_VOLATILE_TDB_HASH_SIZE, + SMBD_VOLATILE_TDB_FLAGS | + TDB_SEQNUM, read_only ? O_RDONLY : O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_4, DBWRAP_FLAG_NONE); TALLOC_FREE(db_path); 
diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c index 909bfdfbcce..e123084677d 100644 --- a/source3/locking/share_mode_lock.c +++ b/source3/locking/share_mode_lock.c @@ -125,11 +125,8 @@ static bool locking_init_internal(bool read_only) } backend = db_open(NULL, db_path, - SMB_OPEN_DATABASE_TDB_HASH_SIZE, - TDB_DEFAULT| - TDB_VOLATILE| -
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via 2620bea3af8 kdc: avoid re-encoding KDC-REQ-BODY via ff5d6ada80e tests/krb5: Add test requesting a TGT expiring post-2038 via fd3cdcc1800 tests/krb5: Add test requesting a service ticket expiring post-2038 from d1cfdcf3a3d CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit 2620bea3af8d9e4e1db195deba414a46e8c66b3d Author: Luke Howard Date: Thu Oct 20 13:27:31 2022 +1300 kdc: avoid re-encoding KDC-REQ-BODY Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT. [abart...@samba.org adapted from Heimdal commit ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e by removing references to FAST and GSS-pre-auth. This fixes the Windows 11 22H2 issue with TGS-REQ as seen at https://github.com/heimdal/heimdal/issues/1011 and so removes the knownfail file for this test] BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher [me...@samba.org private autobuild passed] commit ff5d6ada80e90e5fd67086e52f7e82f91bbafcc0 Author: Joseph Sutton Date: Thu Oct 20 12:36:44 2022 +1300 tests/krb5: Add test requesting a TGT expiring post-2038 This demonstrates the behaviour of Windows 11 22H2 over Kerberos, which changed to use a year date for a forever timetime in tickets. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 
Signed-off-by: Joseph Sutton Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184 (backported from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2) [abart...@samba.org Adapted from 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2 as the kerberos tests have changed parameters in newer versions breaking the context] commit fd3cdcc1800a4185857494626de9ba1c368dbcdb Author: Joseph Sutton Date: Tue Oct 4 12:25:08 2022 +1300 tests/krb5: Add test requesting a service ticket expiring post-2038 Windows 11 22H2 performs such requests, with year . The test fails with KDC_ERR_BAD_INTEGRITY on older Heimdal versions, which are unable to verify a checksum over the modified request body (due to a re-encoding failure). REF: https://github.com/heimdal/heimdal/issues/1011 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 [abart...@samba.org Add knownfail for backport - as Samba 4.15 and earlier fail this test, adapted commit 67811e121fbef08337675d473390160793544719 to test paraemters in 4.15] Signed-off-by: Joseph Sutton Reviewed-by: Douglas Bagnall (backported from commit 67811e121fbef08337675d473390160793544719) --- Summary of changes: python/samba/tests/krb5/as_req_tests.py | 13 +++-- python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++ source4/heimdal/kdc/krb5tgs.c| 24 ++-- source4/heimdal/kdc/pkinit.c | 16 ++-- source4/heimdal/lib/asn1/krb5.opt| 1 + 5 files changed, 30 insertions(+), 38 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index da2c0b9d097..0d9a771b80d 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py 
@@ -42,7 +42,7 @@ global_hexdump = False class AsReqBaseTest(KDCBaseTest): def _run_as_req_enc_timestamp(self, client_creds, sname=None, - expected_error=None, + expected_error=None, till=None, expected_pa_error=None, expect_pa_edata=None): client_account = client_creds.get_username() client_as_etypes = self.get_default_enctypes() @@ -63,7 +63,8 @@ class AsReqBaseTest(KDCBaseTest): expected_sname = sname expected_salt = client_creds.get_salt() -till = self.get_KerberosTime(offset=36000) +if till is None: +till = self.get_KerberosTime(offset=36000) initial_etypes = client_as_etypes initial_kdc_options = krb5_asn1.KDCOptions('forwardable') @@ -252,6 +253,14 @@ class AsReqKerberosTests(AsReqBaseTest): sname=wrong_krbtgt_princ, expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN) +# Test that we can make a request for a ticket expiring post-2038. +def test_future_till(self): +client_creds = self.get_client_creds() + +
[SCM] Samba Shared Repository - branch v4-17-test updated
The branch, v4-17-test has been updated via 1c7d60ee090 s4:libnet: correctly handle gnutls_pbkdf2() errors via 77fb5b47621 s4:libnet: fix error string for failing samr_ChangePasswordUser4() from 5048d63c92e CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test - Log - commit 1c7d60ee090155e084e937dd553d1eccc929 Author: Stefan Metzmacher Date: Wed Dec 14 10:37:41 2022 +0100 s4:libnet: correctly handle gnutls_pbkdf2() errors We should not ignore the error nor should we map GNUTLS_E_UNWANTED_ALGORITHM to NT_STATUS_WRONG_PASSWORD, instead we use NT_STATUS_CRYPTO_SYSTEM_INVALID as in most other places in the same file. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Baumbach Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Dec 14 13:35:20 UTC 2022 on sn-devel-184 (cherry picked from commit eb5df255faea7326a7b85c1e7ce5a66119a27c3a) Autobuild-User(v4-17-test): Stefan Metzmacher Autobuild-Date(v4-17-test): Wed Dec 14 14:46:02 UTC 2022 on sn-devel-184 commit 77fb5b4762198d7fa1727b6e0b35cb172de1d627 Author: Stefan Metzmacher Date: Wed Dec 14 10:32:31 2022 +0100 s4:libnet: fix error string for failing samr_ChangePasswordUser4() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Baumbach (cherry picked from commit 53d558365161be1793dad78ebcce877c732f2419) --- Summary of changes: source4/libnet/libnet_passwd.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) Changeset truncated at 500 lines:
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index 8fc4715a209..d7e9400b559 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -81,7 +81,10 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
 cek.length);
 BURN_DATA(old_nt_key_data);
 if (rc < 0) {
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_WRONG_PASSWORD);
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
 }
 status = init_samr_CryptPasswordAES(mem_ctx,
@@ -105,13 +108,13 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
 goto done;
 }
 if (!NT_STATUS_IS_OK(r.out.result)) {
+ status = r.out.result;
 *error_string = talloc_asprintf(mem_ctx,
 "samr_ChangePasswordUser4 for "
 "'%s\\%s' failed: %s",
 server->string,
 account->string,
 nt_errstr(status));
- status = r.out.result;
 goto done;
 }
-- Samba Shared Repository
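Review bot: In the first hunk the bail-out after a failed `gnutls_pbkdf2()` is still conditional: `goto done` is reached only when `gnutls_error_to_ntstatus()` returns a non-OK status, so if the helper ever mapped a negative `rc` to OK the function would fall through to `init_samr_CryptPasswordAES()` with a `cek` that was never derived. The helper is not visible here and presumably never maps a negative code to success, so this is a robustness point rather than a confirmed bug; making the exit unconditional removes the dependency: `status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);` followed directly by `goto done;`. The same hunk appears in the master commit eb5df255fae further down this page. The body of libnet_ChangePassword_samr_aes() starts and ends outside the hunk, so what the `done:` path does with `cek` cannot be checked from here.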
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via eb5df255fae s4:libnet: correctly handle gnutls_pbkdf2() errors via 53d55836516 s4:libnet: fix error string for failing samr_ChangePasswordUser4() from ac78cb71d69 libads: Save intermediate NULL checks with talloc_asprintf_addbuf() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit eb5df255faea7326a7b85c1e7ce5a66119a27c3a Author: Stefan Metzmacher Date: Wed Dec 14 10:37:41 2022 +0100 s4:libnet: correctly handle gnutls_pbkdf2() errors We should not ignore the error nor should we map GNUTLS_E_UNWANTED_ALGORITHM to NT_STATUS_WRONG_PASSWORD, instead we use NT_STATUS_CRYPTO_SYSTEM_INVALID as in most other places in the same file. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Baumbach Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Dec 14 13:35:20 UTC 2022 on sn-devel-184 commit 53d558365161be1793dad78ebcce877c732f2419 Author: Stefan Metzmacher Date: Wed Dec 14 10:32:31 2022 +0100 s4:libnet: fix error string for failing samr_ChangePasswordUser4() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Baumbach --- Summary of changes: source4/libnet/libnet_passwd.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) Changeset truncated at 500 lines:
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index 8fc4715a209..d7e9400b559 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -81,7 +81,10 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
 cek.length);
 BURN_DATA(old_nt_key_data);
 if (rc < 0) {
- status = gnutls_error_to_ntstatus(rc, NT_STATUS_WRONG_PASSWORD);
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
 }
 status = init_samr_CryptPasswordAES(mem_ctx,
@@ -105,13 +108,13 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
 goto done;
 }
 if (!NT_STATUS_IS_OK(r.out.result)) {
+ status = r.out.result;
 *error_string = talloc_asprintf(mem_ctx,
 "samr_ChangePasswordUser4 for "
 "'%s\\%s' failed: %s",
 server->string,
 account->string,
 nt_errstr(status));
- status = r.out.result;
 goto done;
 }
-- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-17-test updated
6 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy" via 9fa6585a4cc CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy' via d08d54c944d CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used via fea5bde53c4 CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038 via c5eda69a10b CVE-2022-37966 s3:utils: Fix old-style function definition via 9166254b4bb CVE-2022-37966 s3:client: Fix old-style function definition via 523f9aa70a8 CVE-2022-37966 s3:param: Fix old-style function definition via f4d487bda53 CVE-2022-38023 testparm: warn about unsecure schannel related options via 0d4f8c70446 CVE-2022-38023 testparm: warn about server/client schannel != yes via e5e03583f19 CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]" via 8f7d77ecb52 CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel() via 65d8624cd21 CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options via de639278eb1 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel() via cf649bf2772 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function via ff1c42ee451 CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no' via f0cdff380b8 CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations via 1d2e938ab67 CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT" via 2cb10f9648e CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no" via 277bd2c6d31 CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes' via c919351058b CVE-2022-38023 
s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM via f69766398ef CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes via eb1f1c37548 CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled via 07518e76dc9 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade() via 84d53540268 CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default via a656f2a3d66 CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto' via 4d143e92adf CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages via a31898e1769 CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check() via 911874a9582 CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check() via 93566433316 CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check() via b04f9cd924e CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind via 15253c4da88 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes via ff5f2c81e97 CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN" via 6c7aa761f3b CVE-2022-38023 s3:net: add and use net_warn_member_options() helper via 285ecad0a84 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options() via d39c37292f9 CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db() via 810b57b19dd CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden" via 121c471b5ee CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides" via fd50943b2a4 selftest: make filter-subunit much more efficient for large knownfail lists from 8578a24c288 CVE-2021-20251: s4:auth: fix use after 
free in authsam_logon_success_accounting() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test - Log - commit 5048d63c92ea2a8ccdb1a5a25ac19b2a423ca09d Author: Stefan Metzmacher Date: Tue Nov 29 14:14:32 2022 +0100 CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports This allows the tests to be executed without an explicit PYTHONPATH="bin/python". BUG: https://bugzill
[SCM] Samba Shared Repository - branch v4-16-test updated
via 05206c09237 CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used via a65fc1fa476 CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038 via 397a390aa86 CVE-2022-37966 s3:utils: Fix old-style function definition via a89385f2ab7 CVE-2022-37966 s3:client: Fix old-style function definition via 130c4877b38 CVE-2022-37966 s3:param: Fix old-style function definition via 0fee9c469c0 CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys() via 3dec660ae2b CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys() via c09df344f0e CVE-2022-38023 testparm: warn about unsecure schannel related options via 587ff282a9d CVE-2022-38023 testparm: warn about server/client schannel != yes via 03730459feb CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]" via 1d9c939ebaa CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel() via d04da3d7008 CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options via 9f809e2dd39 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel() via abba8c4579f CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function via 3f7cd285b79 CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no' via 729e905776c CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations via 80d0238679f CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT" via 3075f65e5d5 CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no" via d2dc3622d45 CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes' via c25546926f5 
CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM via bc78864cb5f CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes via 852763adc22 CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled via 35ff1221013 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade() via 3f4c9c13b1f CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default via 066dafb07a1 CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto' via 82af786a36b CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages via 88018634c78 CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check() via 0c32166174b CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check() via a5996700ade CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check() via 2139565c2fe CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind via 08e2a933933 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes via a2388a06cba CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN" via 8a7df0920b7 CVE-2022-38023 s3:net: add and use net_warn_member_options() helper via 1fe8857b4d9 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options() via b0dbc395510 CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db() via 421398ce5eb CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden" via af08dd3e25a CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides" via 4d099f8f678 selftest: make filter-subunit much more efficient for large knownfail lists from a1136ed2e05 CVE-2021-20251: s4:auth: 
fix use after free in authsam_logon_success_accounting() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log - commit d5a8e41313d6645898bca3771131da92860b715b Author: Stefan Metzmacher Date: Tue Nov 29 14:14:32 2022 +0100 CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports This allows the tests to be executed without an explicit PYTHONPATH="bin/python". BUG: https://b
[SCM] Samba Shared Repository - branch v4-15-test updated
: make filter-subunit much more efficient for large knownfail lists from 2ea3f2db808 CVE-2022-45141 source4/heimdal: Fix check-des https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit d1cfdcf3a3dd44be993f3c543eaf65c53ecdf7a9 Author: Stefan Metzmacher Date: Tue Nov 29 14:14:32 2022 +0100 CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports This allows the tests to be executed without an explicit PYTHONPATH="bin/python". BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184 (similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92) [jsut...@samba.org Fixed conflicts; removed changes to non-existent tests] [jsut...@samba.org Fixed conflicts; removed changes to non-existent tests] [me...@samba.org private autobuild and a pipeline passes] commit 48d6042dddff6790a87039a095ae7489e3596bf2 Author: Stefan Metzmacher Date: Tue Dec 6 12:55:45 2022 +0100 CVE-2022-37966 samba-tool: add 'domain trust modify' command For now it only allows the admin to modify the msDS-SupportedEncryptionTypes values. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Reviewed-by: Joseph Sutton (cherry picked from commit d1999c152acdf939b4cd7eb446dd9921d3edae29) commit 89b1c78b520f32e54e8a025511908b06158deef0 Author: Stefan Metzmacher Date: Wed Nov 30 09:39:19 2022 +0100 CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes" BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit cca3c024fc514bee79bb60a686e470605cc98d6f) commit 18996e9971224210aa50cff9796c805dc594c296 Author: Stefan Metzmacher Date: Tue Nov 29 14:13:36 2022 +0100 CVE-2022-37966 param: Add support for new option "kdc supported enctypes" This allows admins to disable enctypes completely if required. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727) commit 34fc0da78699827674245ea5f00282107054ba9c Author: Stefan Metzmacher Date: Wed Nov 30 09:05:51 2022 +0100 CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default In order to allow better upgrades we need the default value for smb.conf to the same even if the effective default value of the software changes in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad) [jsut...@samba.org Fixed conflicts] commit 693a247d3b270677ec6f42189002c647a1e20e19 Author: Stefan Metzmacher Date: Wed Nov 30 09:02:41 2022 +0100 CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no" This is not squashed in order to allow easier backports... 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4) commit ee9ffe50e99d2778d0d17fb65d6b27911d211f91 Author: Stefan Metzmacher Date: Thu Mar 24 15:44:40 2022 +0100 CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows. We need to take the value from the msDS-SupportedEncryptionTypes attribute and only take the default if there's no value or if the value is 0. For krbtgt and DC accounts we need to force support for ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits in addition. (Note for krbtgt msDS-SupportedEncryptionTypes is completely ignored; the hardcoded value is the default, so there's no AES256-SK for krbtgt). For UF_USE_DES_KEY_ONLY on the account we reset the value to 0, these accounts are in fact disabled completely, as they always result in KRB5KDC_ERR_ETYPE_NOSUPP. Then we try to get all encryption keys marked in supported_enctypes, and the available_enctypes is a reduced set depending on what keys are actually stored in the database. We select the supported session key enctypes by the available keys and in addition based
[SCM] Samba Shared Repository - branch master updated
li/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy" via c0c25cc0217 CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy' via a4f6f51cbed CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used via 4d540473c3d CVE-2022-38023 testparm: warn about unsecure schannel related options via f964c0c3572 CVE-2022-38023 testparm: warn about server/client schannel != yes via b3ed90a0541 CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]" via 3c57608e110 CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel() via 7732a4b0bde CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options via 689507457f5 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel() via f43dc4f0bd6 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function via 7ae3735810c CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no' via 43df4be3595 CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations via 2ad302b4225 CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT" via bd429d02598 CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no" via 69b36541606 CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes' via b09f51eefc3 CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM via c8e53394b98 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes via 4c7f84798ac CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled via b6339fd1dcb CVE-2022-38023 s4:rpc_server/netlogon: 
split out dcesrv_netr_ServerAuthenticate3_check_downgrade() via cfd55a22cda CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default via 63c96ea6c02 CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto' via 16ee03efc19 CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages via ec62151a2fb CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check() via 0e6a2ba83ef CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check() via 7baabbe9819 CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check() via e060ea5b3ed CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind via 1c6c1129905 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes via d60828f6391 CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN" via 1fdf1d55a5d CVE-2022-38023 s3:net: add and use net_warn_member_options() helper via 7e7adf86e59 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options() via 992f39a2c8a CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db() via 830e865ba56 CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden" via 8ec62694a94 CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides" via 22128c718ca selftest: make filter-subunit much more efficient for large knownfail lists from 5259926de71 s4/torture/smb2: avoid possibly closing undefined handle https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 987cba90573f955fe9c781830daec85ad4d5bf92 Author: Stefan Metzmacher Date: Tue Nov 29 14:14:32 2022 +0100 CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports This allows the tests to be executed 
without an explicit PYTHONPATH="bin/python". BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184 commit d1999c152acdf939b4cd7eb446dd9921d3edae29 Author: Stefan Metzmacher Date: Tue Dec 6 12:55:45 2022 +0100
[SCM] Samba Shared Repository - branch v4-16-test updated
The branch, v4-16-test has been updated via a1136ed2e05 CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting() from 2736d267aa9 CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log - commit a1136ed2e05a2adca83a57a0402a165de631be58 Author: Stefan Metzmacher Date: Mon Nov 7 17:21:44 2022 +0100 CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting() This fixes a use after free problem introduced by commit 7b8e32efc336fb728e0c7e3dd6fbe2ed54122124, which has msg = current; which means the lifetime of the 'msg' memory is no longer in the scope of th caller. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 1414269dccfd7cb831889cc92df35920b034457c) Autobuild-User(v4-16-test): Stefan Metzmacher Autobuild-Date(v4-16-test): Mon Dec 12 15:52:22 UTC 2022 on sn-devel-184 --- Summary of changes: source4/auth/ntlm/auth_sam.c | 1 + source4/auth/ntlm/auth_winbind.c | 2 +- source4/auth/sam.c | 9 - source4/auth/tests/sam.c | 24 source4/kdc/hdb-samba4.c | 2 +- source4/kdc/mit_samba.c | 4 ++-- 6 files changed, 25 insertions(+), 17 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 9c4790c7c3f..384f98a5b40 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -589,6 +589,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context, nt_status = authsam_logon_success_accounting(auth_context->sam_ctx, msg, domain_dn, interactive, +tmp_ctx, _to_sam); if (send_to_sam != NULL) { diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c index 6381f87..719d877a170 100644 --- a/source4/auth/ntlm/auth_winbind.c +++ b/source4/auth/ntlm/auth_winbind.c 
@@ -256,7 +256,7 @@ static void winbind_check_password_done(struct tevent_req *subreq) ctx->auth_ctx->sam_ctx, msg, domain_dn, user_info->flags & USER_INFO_INTERACTIVE_LOGON, - NULL); + NULL, NULL); if (tevent_req_nterror(req, status)) { return; } diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 8b575a9bc51..8b8ae319c3f 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -1396,6 +1396,7 @@ NTSTATUS authsam_logon_success_accounting(struct ldb_context *sam_ctx, const struct ldb_message *msg, struct ldb_dn *domain_dn, bool interactive_or_kerberos, + TALLOC_CTX *send_to_sam_mem_ctx, struct netr_SendToSamBase **send_to_sam) { int ret; @@ -1612,7 +1613,13 @@ get_transaction: if (dbBadPwdCount != 0 && send_to_sam != NULL) { struct netr_SendToSamBase *base_msg; struct GUID guid = samdb_result_guid(msg, "objectGUID"); - base_msg = talloc_zero(msg, struct netr_SendToSamBase); + + base_msg = talloc_zero(send_to_sam_mem_ctx, + struct netr_SendToSamBase); + if (base_msg == NULL) { + status = NT_STATUS_NO_MEMORY; + goto error; + } base_msg->message_type = SendToSamResetBadPasswordCount; base_msg->message_size = 16; diff --git a/source4/auth/tests/sam.c b/source4/auth/tests/sam.c index b39408c3699..e1e2c69b863 100644 --- a/source4/auth/tests/sam.c +++ b/source4/auth/tests/sam.c @@ -1446,7 +1446,7 @@ static void test_success_accounting_start_txn_failed(void **state) { ldb_transaction_start_ret = LDB_ERR_OPERATIONS_ERROR; status = authsam_logon_success_accounting( - ldb, msg, domain_dn, true, NULL); + ldb, msg, domain_dn, true, NULL, NULL); assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_
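Review bot: In the `@@ -1612,7 +1613,13 @@` hunk of source4/auth/sam.c, `talloc_zero(send_to_sam_mem_ctx, struct netr_SendToSamBase)` also accepts a NULL `send_to_sam_mem_ctx`. talloc then parents the message on the null context, where nothing releases it unless the caller frees `*send_to_sam` itself. The callers visible on this page pass either `tmp_ctx` with what appears to be a real out pointer (auth_sam.c) or `NULL, NULL` (auth_winbind.c and the test), so the case is not reached here, but the signature hunk adds the parameter without stating that contract. A comment on the prototype such as `/* send_to_sam_mem_ctx parents *send_to_sam; must be non-NULL whenever send_to_sam is non-NULL */` would record the ownership rule this fix depends on. The function body and the `error:` label lie outside the hunks, so cleanup on the new `goto error` cannot be checked from here; the same hunks are repeated in the v4-17-test notification below.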
[SCM] Samba Shared Repository - branch v4-17-test updated
The branch, v4-17-test has been updated via 8578a24c288 CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting() from 7bb1180c5ad CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test - Log - commit 8578a24c288a95619f1a74c4aecc8753b96e149b Author: Stefan Metzmacher Date: Mon Nov 7 17:21:44 2022 +0100 CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting() This fixes a use after free problem introduced by commit 7b8e32efc336fb728e0c7e3dd6fbe2ed54122124, which has msg = current; which means the lifetime of the 'msg' memory is no longer in the scope of th caller. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 1414269dccfd7cb831889cc92df35920b034457c) Autobuild-User(v4-17-test): Stefan Metzmacher Autobuild-Date(v4-17-test): Mon Dec 12 13:39:00 UTC 2022 on sn-devel-184 --- Summary of changes: source4/auth/ntlm/auth_sam.c | 1 + source4/auth/ntlm/auth_winbind.c | 2 +- source4/auth/sam.c | 9 - source4/auth/tests/sam.c | 24 source4/kdc/hdb-samba4.c | 2 +- source4/kdc/mit_samba.c | 4 ++-- 6 files changed, 25 insertions(+), 17 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 882d92e26ed..0d5043124aa 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -787,6 +787,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context, nt_status = authsam_logon_success_accounting(auth_context->sam_ctx, msg, domain_dn, interactive, +tmp_ctx, _to_sam); if (send_to_sam != NULL) { diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c index 6381f87..719d877a170 100644 --- a/source4/auth/ntlm/auth_winbind.c +++ b/source4/auth/ntlm/auth_winbind.c 
@@ -256,7 +256,7 @@ static void winbind_check_password_done(struct tevent_req *subreq) ctx->auth_ctx->sam_ctx, msg, domain_dn, user_info->flags & USER_INFO_INTERACTIVE_LOGON, - NULL); + NULL, NULL); if (tevent_req_nterror(req, status)) { return; } diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 219ee10d5bd..f2e5ced6caf 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -1396,6 +1396,7 @@ NTSTATUS authsam_logon_success_accounting(struct ldb_context *sam_ctx, const struct ldb_message *msg, struct ldb_dn *domain_dn, bool interactive_or_kerberos, + TALLOC_CTX *send_to_sam_mem_ctx, struct netr_SendToSamBase **send_to_sam) { int ret; @@ -1612,7 +1613,13 @@ get_transaction: if (dbBadPwdCount != 0 && send_to_sam != NULL) { struct netr_SendToSamBase *base_msg; struct GUID guid = samdb_result_guid(msg, "objectGUID"); - base_msg = talloc_zero(msg, struct netr_SendToSamBase); + + base_msg = talloc_zero(send_to_sam_mem_ctx, + struct netr_SendToSamBase); + if (base_msg == NULL) { + status = NT_STATUS_NO_MEMORY; + goto error; + } base_msg->message_type = SendToSamResetBadPasswordCount; base_msg->message_size = 16; diff --git a/source4/auth/tests/sam.c b/source4/auth/tests/sam.c index b39408c3699..e1e2c69b863 100644 --- a/source4/auth/tests/sam.c +++ b/source4/auth/tests/sam.c @@ -1446,7 +1446,7 @@ static void test_success_accounting_start_txn_failed(void **state) { ldb_transaction_start_ret = LDB_ERR_OPERATIONS_ERROR; status = authsam_logon_success_accounting( - ldb, msg, domain_dn, true, NULL); + ldb, msg, domain_dn, true, NULL, NULL); assert_true(NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via 2ea3f2db808 CVE-2022-45141 source4/heimdal: Fix check-des via 2be27ec1d7f CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection via 73c7c6ec9bc CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding PA-ENC-TS-ENC via b4c3ce6fb9b CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec from f3672577a8e CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit 2ea3f2db8087e0a2c4a18c633b039c722cb6f829 Author: Nicolas Williams Date: Wed Oct 12 01:15:13 2011 -0500 CVE-2022-45141 source4/heimdal: Fix check-des The previous fix was incomplete. But it also finally uncovered an old check-des problem that I'd had once and which may have gotten papered over by changing the default of one of the *strongest* KDC parameters. The old problem is that we were passing the wrong enctype to _kdc_encode_reply(): we were passing the session key enctype where the ticket enc-part key's enctype was expected. The whole enctype being passed in is superfluous anyways. Let's clean that up next. (cherry picked from Heimdal commit 4c6976a6bdf8a76c6f3c650ae970d46c931e5c71) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 2be27ec1d7f3bfcdcac65bca1db53772535fe7bf Author: Nicolas Williams Date: Tue Oct 11 23:57:58 2011 -0500 CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection When I added support for configuring how the KDC selects session, reply, and ticket enc-part keys I accidentally had the KDC use the session key selection algorithm for selecting the ticket enc-part key. 
This becomes a problem when using a Heimdal KDC with an MIT KDB as the HDB backend and when the krbtgt keys are not in strongest-to-weakest order, in which case forwardable tickets minted by the Heimdal KDC will not be accepted by MIT KDCs with the same KDB. (cherry picked from Heimdal commit 12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 73c7c6ec9bc3a1993e766f119e9e29905ded5e28 Author: Joseph Sutton Date: Wed Dec 7 20:13:25 2022 +1300 CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding PA-ENC-TS-ENC Upstream Heimdal fixed this in commit 7151d4e66c07b42c15187becd61fb20e0666458a (partial handling of ENC-CHALLANGE). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit b4c3ce6fb9b2aebbbe7d802ce48c691a9cabcf4f Author: Nicolas Williams Date: Wed Mar 10 16:49:04 2021 -0600 CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec This is a 10.0 on the Common Vulnerability Scoring System (CVSS) v3. Heimdal's ASN.1 compiler generates code that allows specially crafted DER encodings of CHOICEs to invoke the wrong free function on the decoded structure upon decode error. This is known to impact the Heimdal KDC, leading to an invalid free() of an address partly or wholly under the control of the attacker, in turn leading to a potential remote code execution (RCE) vulnerability. This error affects the DER codec for all CHOICE types used in Heimdal, though not all cases will be exploitable. We have not completed a thorough analysis of all the Heimdal components affected, thus the Kerberos client, the X.509 library, and other parts, may be affected as well. This bug has been in Heimdal since 2005. 
It was first reported by Douglas Bagnall, though it had been found independently by the Heimdal maintainers via fuzzing a few weeks earlier. While no zero-day exploit is known, such an exploit will likely be available soon after public disclosure. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 [abart...@samba.org Adapted from Heimdal commit ea5ec8f174920cb80ce2b168b49195378420449e for older Heimdal in Samba 4.15 by dropping fuzz-inputs file and EXPORTS entry for fuzzing] Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- Summary of changes: source4/heimdal/kdc/kerberos5.c | 3 ++- source4/heimdal/kdc/krb5tgs.c | 14 ++ source4/heimdal/lib/asn1/gen_decode.c | 12
[SCM] Samba Shared Repository - branch v4-17-test updated
The branch, v4-17-test has been updated via 7bb1180c5ad CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec via 7b90f5c8296 CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test from c258b48da9f s3:utils: Fix stack smashing in net offlinejoin https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test - Log - commit 7bb1180c5adf98220962ee23938dc708ebd7bd02 Author: Nicolas Williams Date: Wed Mar 10 16:49:04 2021 -0600 CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec Heimdal's ASN.1 compiler generates code that allows specially crafted DER encodings of CHOICEs to invoke the wrong free function on the decoded structure upon decode error. This is known to impact the Heimdal KDC, leading to an invalid free() of an address partly or wholly under the control of the attacker, in turn leading to a potential remote code execution (RCE) vulnerability. This error affects the DER codec for all CHOICE types used in Heimdal, though not all cases will be exploitable. We have not completed a thorough analysis of all the Heimdal components affected, thus the Kerberos client, the X.509 library, and other parts, may be affected as well. This bug has been in Heimdal since 2005. It was first reported by Douglas Bagnall, though it had been found independently by the Heimdal maintainers via fuzzing a few weeks earlier. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 (cherry-picked from Heimdal commit 9c9dac2b169255bad9071eea99fa90b980dde767) 
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Dec 6 13:41:05 UTC 2022 on sn-devel-184 (cherry picked from commit 68fc909a7f4d69c254d34bec85cf8431bcb6e72f) Autobuild-User(v4-17-test): Stefan Metzmacher Autobuild-Date(v4-17-test): Tue Dec 6 16:03:55 UTC 2022 on sn-devel-184 commit 7b90f5c8296eebed5c2f969a96e78708d848 Author: Andrew Bartlett Date: Tue Dec 6 15:11:05 2022 +1300 CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test A new file will shorlty fail as it is binary input BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 5a02915913a2410904886e186ada90a36492571f) --- Summary of changes: python/samba/tests/source_chars.py | 1 + third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq | Bin 0 -> 55 bytes third_party/heimdal/lib/asn1/gen_decode.c | 12 ++-- third_party/heimdal/lib/asn1/gen_free.c| 7 +++ third_party/heimdal/lib/asn1/gen_template.c| 1 + third_party/heimdal/lib/asn1/krb5.asn1 | 1 + 6 files changed, 16 insertions(+), 6 deletions(-) create mode 100644 third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq Changeset truncated at 500 lines: diff --git a/python/samba/tests/source_chars.py b/python/samba/tests/source_chars.py index 856a27b0d1a..c0e57cafb42 100644 --- a/python/samba/tests/source_chars.py +++ b/python/samba/tests/source_chars.py @@ -70,6 +70,7 @@ IGNORED_RE = ( r'^third_party/heimdal/lib/hx509/data/', r'^third_party/heimdal/po', r'^third_party/heimdal/tests/kdc/hdb-mitdb', +r'^third_party/heimdal/lib/asn1/fuzz-inputs/', ) IGNORED_EXTENSIONS = { diff --git a/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq b/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq new file mode 100644 index 000..21ac3601bcc Binary files /dev/null and b/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq differ 
diff --git a/third_party/heimdal/lib/asn1/gen_decode.c b/third_party/heimdal/lib/asn1/gen_decode.c index 93d412f6335..fa9d79a8ae5 100644 --- a/third_party/heimdal/lib/asn1/gen_decode.c +++ b/third_party/heimdal/lib/asn1/gen_decode.c @@ -694,14 +694,14 @@ decode_type(const char *name, const Type *t, int optional, struct value *defval, classname(cl), ty ? "CONS" : "PRIM", valuename(cl, tag)); + fprintf(codefile, + "(%s)->element = %s;\n", + name, m->label); if (asprintf (, "%s(%s)->u.%s", m->optional ? "" : "&", name, m->gen_name) < 0 || s == NULL) errx(1, "malloc"); decode_type(s, m->type, m->optional, NULL, forwstr, m->gen_name, NULL, depth + 1); - fprintf(codefile, -
[SCM] Samba Shared Repository - branch v4-16-test updated
The branch, v4-16-test has been updated via 2736d267aa9 CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec via d7eccdbb028 CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test from 994464eee20 s3:utils: Fix stack smashing in net offlinejoin https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log - commit 2736d267aa9cfd49bd1c9a934d4788a2b9c49809 Author: Nicolas Williams Date: Wed Mar 10 16:49:04 2021 -0600 CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec Heimdal's ASN.1 compiler generates code that allows specially crafted DER encodings of CHOICEs to invoke the wrong free function on the decoded structure upon decode error. This is known to impact the Heimdal KDC, leading to an invalid free() of an address partly or wholly under the control of the attacker, in turn leading to a potential remote code execution (RCE) vulnerability. This error affects the DER codec for all CHOICE types used in Heimdal, though not all cases will be exploitable. We have not completed a thorough analysis of all the Heimdal components affected, thus the Kerberos client, the X.509 library, and other parts, may be affected as well. This bug has been in Heimdal since 2005. It was first reported by Douglas Bagnall, though it had been found independently by the Heimdal maintainers via fuzzing a few weeks earlier. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 (cherry-picked from Heimdal commit 9c9dac2b169255bad9071eea99fa90b980dde767) 
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Dec 6 13:41:05 UTC 2022 on sn-devel-184 (cherry picked from commit 68fc909a7f4d69c254d34bec85cf8431bcb6e72f) Autobuild-User(v4-16-test): Stefan Metzmacher Autobuild-Date(v4-16-test): Tue Dec 6 15:28:49 UTC 2022 on sn-devel-184 commit d7eccdbb0285ee2c1b07377471215692e9c7f3d0 Author: Andrew Bartlett Date: Tue Dec 6 15:11:05 2022 +1300 CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test A new file will shorlty fail as it is binary input BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 5a02915913a2410904886e186ada90a36492571f) --- Summary of changes: python/samba/tests/source_chars.py | 1 + third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq | Bin 0 -> 55 bytes third_party/heimdal/lib/asn1/gen_decode.c | 12 ++-- third_party/heimdal/lib/asn1/gen_free.c| 7 +++ third_party/heimdal/lib/asn1/gen_template.c| 1 + third_party/heimdal/lib/asn1/krb5.asn1 | 1 + 6 files changed, 16 insertions(+), 6 deletions(-) create mode 100644 third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq Changeset truncated at 500 lines: diff --git a/python/samba/tests/source_chars.py b/python/samba/tests/source_chars.py index 856a27b0d1a..c0e57cafb42 100644 --- a/python/samba/tests/source_chars.py +++ b/python/samba/tests/source_chars.py @@ -70,6 +70,7 @@ IGNORED_RE = ( r'^third_party/heimdal/lib/hx509/data/', r'^third_party/heimdal/po', r'^third_party/heimdal/tests/kdc/hdb-mitdb', +r'^third_party/heimdal/lib/asn1/fuzz-inputs/', ) IGNORED_EXTENSIONS = { diff --git a/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq b/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq new file mode 100644 index 000..21ac3601bcc Binary files /dev/null and b/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq differ 
diff --git a/third_party/heimdal/lib/asn1/gen_decode.c b/third_party/heimdal/lib/asn1/gen_decode.c index 93d412f6335..fa9d79a8ae5 100644 --- a/third_party/heimdal/lib/asn1/gen_decode.c +++ b/third_party/heimdal/lib/asn1/gen_decode.c @@ -694,14 +694,14 @@ decode_type(const char *name, const Type *t, int optional, struct value *defval, classname(cl), ty ? "CONS" : "PRIM", valuename(cl, tag)); + fprintf(codefile, + "(%s)->element = %s;\n", + name, m->label); if (asprintf (, "%s(%s)->u.%s", m->optional ? "" : "&", name, m->gen_name) < 0 || s == NULL) errx(1, "malloc"); decode_type(s, m->type, m->optional, NULL, forwstr, m->gen_name, NULL, depth + 1); - fprintf(codefile, -
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 68fc909a7f4 CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec via 5a02915913a CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test from 0c2146eb00c lib/compression: Include missing stat header file https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 68fc909a7f4d69c254d34bec85cf8431bcb6e72f Author: Nicolas Williams Date: Wed Mar 10 16:49:04 2021 -0600 CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec Heimdal's ASN.1 compiler generates code that allows specially crafted DER encodings of CHOICEs to invoke the wrong free function on the decoded structure upon decode error. This is known to impact the Heimdal KDC, leading to an invalid free() of an address partly or wholly under the control of the attacker, in turn leading to a potential remote code execution (RCE) vulnerability. This error affects the DER codec for all CHOICE types used in Heimdal, though not all cases will be exploitable. We have not completed a thorough analysis of all the Heimdal components affected, thus the Kerberos client, the X.509 library, and other parts, may be affected as well. This bug has been in Heimdal since 2005. It was first reported by Douglas Bagnall, though it had been found independently by the Heimdal maintainers via fuzzing a few weeks earlier. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 (cherry-picked from Heimdal commit 9c9dac2b169255bad9071eea99fa90b980dde767) Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Dec 6 13:41:05 UTC 2022 on sn-devel-184 commit 5a02915913a2410904886e186ada90a36492571f Author: Andrew Bartlett Date: Tue Dec 6 15:11:05 2022 +1300 CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test A new file will shorlty fail as it is binary input BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- Summary of changes: python/samba/tests/source_chars.py | 1 + third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq | Bin 0 -> 55 bytes third_party/heimdal/lib/asn1/gen_decode.c | 12 ++-- third_party/heimdal/lib/asn1/gen_free.c| 7 +++ third_party/heimdal/lib/asn1/gen_template.c| 1 + third_party/heimdal/lib/asn1/krb5.asn1 | 1 + 6 files changed, 16 insertions(+), 6 deletions(-) create mode 100644 third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq Changeset truncated at 500 lines: diff --git a/python/samba/tests/source_chars.py b/python/samba/tests/source_chars.py index ac02cf9586c..49733968e43 100644 --- a/python/samba/tests/source_chars.py +++ b/python/samba/tests/source_chars.py @@ -71,6 +71,7 @@ IGNORED_RE = ( r'^third_party/heimdal/po', r'^third_party/heimdal/tests/kdc/hdb-mitdb', r'^testdata/compression/', +r'^third_party/heimdal/lib/asn1/fuzz-inputs/', ) IGNORED_EXTENSIONS = { diff --git a/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq b/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq new file mode 100644 index 000..21ac3601bcc Binary files /dev/null and b/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq differ diff --git a/third_party/heimdal/lib/asn1/gen_decode.c b/third_party/heimdal/lib/asn1/gen_decode.c index 93d412f6335..fa9d79a8ae5 100644 --- a/third_party/heimdal/lib/asn1/gen_decode.c +++ b/third_party/heimdal/lib/asn1/gen_decode.c @@ -694,14 +694,14 @@ decode_type(const char *name, const Type *t, int optional, struct value *defval, classname(cl), ty ? "CONS" : "PRIM", valuename(cl, tag)); + fprintf(codefile, + "(%s)->element = %s;\n", + name, m->label); if (asprintf (, "%s(%s)->u.%s", m->optional ? "" : "&", name, m->gen_name) < 0 || s == NULL) errx(1, "malloc"); decode_type(s, m->type, m->optional, NULL, forwstr, m->gen_name, NULL, depth + 1); - fprintf(codefile, - "(%s)->element = %s;\n", - name, m->label); free(s); fprintf(codefile, "}\n"); 
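Review bot: The relocated `fprintf(codefile, "(%s)->element = %s;\n", name, m->label);` in decode_type() has no comment explaining why it must now come before the recursive decode_type() call for the member, although that ordering is the whole fix: per the commit message, a decode error could otherwise invoke the wrong free function on the CHOICE. I would add above it `/* Emit the discriminant before the arm is decoded, so the error path frees the arm that was actually being decoded (CVE-2022-44640). */` so that a later tidy-up does not move the assignment back behind the decode. The generated code now sets ->element while the arm may be only partly decoded, so the free side has to tolerate that state; gen_free.c is in the diffstat but not shown here, so this is presumably handled there and worth confirming against the fuzz input added by this commit. decode_type() starts and ends outside this hunk, and the v4-17-test and v4-16-test backports on this page carry the same change.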
@@ -710,23 +710,23 @@ decode_type(const char *name, const Type *t, int optional, struct value *defval, if (have_ellipsis) {
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 95676825adb gitlab-ci: do some basic testing on ubuntu1804-32bit via 98c1e357a7f selftest: add --default-ldb-backend option via 9ba10b97d3a selftest: samba-ktest-mit also needs $ENV{KRB5RCACHETYPE} = "none" via dce639f8bd7 CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit via 838f6207879 third_party: Update socket_wrapper to version 1.3.5 via 6dddb268df0 lib/replace: let rep_openat2() inject O_LARGEFILE as needed via 4c2e1d6259c s3:locking: relax __SHARE_MODE_LOCK_SPACE check for 32bit platforms via 44192d5f2ca s4:kdc: make sure reset_bad_password_netlogon() stops subreq before return via 73ec7253139 s4:messaging: add irpc_bh_do_ndr_print() in order to debug irpc calls via 1414269dccf CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting() via 2dcd8369fe7 bootstrap: Remove duplicate line from CentOS 8 powertools install via 3dbe8fd66ca bootstrap: Spelling fix in bootstrap from Michael Tokarev via f738842adba tests: Replace OpenSSL MD4 invocation with a python3 call from 09f8d4ac81a tests: Start testing smb2 symlink error returns https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 95676825adbb13ab2a0e24983780125218c17265 Author: Stefan Metzmacher Date: Tue Nov 22 10:41:39 2022 +0100 gitlab-ci: do some basic testing on ubuntu1804-32bit For now we allow build warnings and only do some basic testing. We also ignore timestamp related problems, as well as some charset failures. Over time we should try to address the situation by not allowing warnings and verify if expected failures are harmless or not. But it's already much better then having no 32bit testing at all! 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Nov 24 12:05:26 UTC 2022 on sn-devel-184 commit 98c1e357a7fd25b6706b4341b3407c03369501fc Author: Stefan Metzmacher Date: Tue Nov 22 10:31:19 2022 +0100 selftest: add --default-ldb-backend option Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 9ba10b97d3aa50f89f01bb038d98a8086d409c3e Author: Stefan Metzmacher Date: Fri Nov 4 10:23:07 2022 + selftest: samba-ktest-mit also needs $ENV{KRB5RCACHETYPE} = "none" We need to pass --mitkrb5 to selftest.pl in all cases we use system mit kerberos not only when we also test the kdc. We can't use a replay cache in selftest verifies the stat.st_uid against getuid(). BTW: while debugging this on ubuntu 22.04 I exported KRB5_TRACE="/dev/stderr", which means we get tracing into the servers log file and into selftest_prefix/subunit for the client... Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit dce639f8bd75ecdca261d1dc8b97ce6a8ebb4eb0 Author: Stefan Metzmacher Date: Wed Nov 16 12:08:45 2022 +0100 CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Reviewed-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit 838f62078795150bb7ec9ec1b4690a1d6a8991ae Author: Stefan Metzmacher Date: Wed Nov 23 12:14:12 2022 +0100 third_party: Update socket_wrapper to version 1.3.5 This injects O_LARGEFILE as needed. 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 6dddb268df08fd91f8e0f189f948ad76e5805dca Author: Stefan Metzmacher Date: Wed Nov 23 11:38:20 2022 +0100 lib/replace: let rep_openat2() inject O_LARGEFILE as needed BUG: https://bugzilla.samba.org/show_bug.cgi?id=15251 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme commit 4c2e1d6259c4c06fce5d1333553b611ffd8f0ef4 Author: Stefan Metzmacher Date: Tue Nov 22 10:47:33 2022 +0100 s3:locking: relax __SHARE_MODE_LOCK_SPACE check for 32bit platforms sizeof(struct share_mode_lock) is only 28 bytes instead of 32 bytes on 32bit systems... Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke commit 44192d5f2cae2350d7de109690799dea1a2a2e16 Author: Stefan Metzmacher Date: Mon Nov 7 17:40:07 2022 +0100 s4:kdc: make sure reset_bad_password_netlogon() stops subreq before return We pass the stack variable 'req' to dcerpc_winbind_SendToSam_r_send(), so we need to make sure the runtime of the subreq in not longer than the stack variable. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253 Signed-off-by: S
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via eb2f3526032 s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time via e232ba946f0 lib/tsocket: avoid endless cpu-spinning in tstream_bsd_fde_handler() via 4c7e2b9b60d lib/tsocket: remember the first error as tstream_bsd->error via 29a65da63d7 lib/tsocket: check for errors indicated by poll() before getsockopt(fd, SOL_SOCKET, SO_ERROR) via 9950efd83e1 lib/tsocket: split out tsocket_bsd_error() from tsocket_bsd_pending() via f0fb8b95083 lib/tsocket: Add tests for loop on EAGAIN from fd0c01da1c7 s3: libsmbclient: Fix smbc_stat() to return ENOENT on a non-existent file. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit eb2f3526032803f34c88ef1619a832a741f71910 Author: Stefan Metzmacher Date: Thu Oct 13 10:17:25 2022 +0200 s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time If the client is not able to receive the results within connections idle time, then we should treat it as dead. It's value is 15 minutes (900 s) by default. In order to limit that further an admin can use 'socket options' and set TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL and/or TCP_USER_TIMEOUT to useful values. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Oct 19 17:13:39 UTC 2022 on sn-devel-184 commit e232ba946f00aac39d67197d9939bc923814479c Author: Stefan Metzmacher Date: Wed Oct 12 17:26:16 2022 +0200 lib/tsocket: avoid endless cpu-spinning in tstream_bsd_fde_handler() There were some reports that strace output an LDAP server socket is in CLOSE_WAIT state, returning EAGAIN for writev over and over (after a call to epoll() each time). In the tstream_bsd code the problem happens when we have a pending writev_send, while there's no readv_send pending. 
In that case we still ask for TEVENT_FD_READ in order to notice connection errors early, so we try to call writev even if the socket doesn't report TEVENT_FD_WRITE. And there are situations where we do that over and over again. It happens like this with a Linux kernel: tcp_fin() has this: struct tcp_sock *tp = tcp_sk(sk); inet_csk_schedule_ack(sk); sk->sk_shutdown |= RCV_SHUTDOWN; sock_set_flag(sk, SOCK_DONE); switch (sk->sk_state) { case TCP_SYN_RECV: case TCP_ESTABLISHED: /* Move to CLOSE_WAIT */ tcp_set_state(sk, TCP_CLOSE_WAIT); inet_csk_enter_pingpong_mode(sk); break; It means RCV_SHUTDOWN gets set as well as TCP_CLOSE_WAIT, but sk->sk_err is not changed to indicate an error. tcp_sendmsg_locked has this: ... err = -EPIPE; if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN)) goto do_error; while (msg_data_left(msg)) { int copy = 0; skb = tcp_write_queue_tail(sk); if (skb) copy = size_goal - skb->len; if (copy <= 0 || !tcp_skb_can_collapse_to(skb)) { bool first_skb; new_segment: if (!sk_stream_memory_free(sk)) goto wait_for_space; ... wait_for_space: set_bit(SOCK_NOSPACE, >sk_socket->flags); if (copied) tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH, size_goal); err = sk_stream_wait_memory(sk, ); if (err != 0) goto do_error; It means if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN)) doesn't hit as we only have RCV_SHUTDOWN and sk_stream_wait_memory returns -EAGAIN. tcp_poll has this: if (sk->sk_shutdown & RCV_SHUTDOWN) mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP; So we'll get EPOLLIN | EPOLLRDNORM | EPOLLRDHUP triggering TEVENT_FD_READ and writev/sendmsg keeps getting EAGAIN. So we need to always clear TEVENT_FD_READ if we don't have readable handler in order to avoid burning cpu. But we turn it on again after a timeout of 1 second in order to monitor the error state of the connection. And now that our tsocket_bsd_error() helper checks for POLLRDHUP, we can check if the socket is in an e
s4:kdc: Set kerberos debug class for kdc service (Re: [SCM] Samba Shared Repository - branch master updated)
Hi Andreas, - Log - commit 761ce8cfe41139ab5656dec5cc05f2f576095216 Author: Andreas Schneider Date: Tue Sep 6 10:19:54 2022 +0200 s4:kdc: Set kerberos debug class for kdc service Signed-off-by: Andreas Schneider Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Can we please do this for all files under source4/kdc ? metze
[SCM] Samba Shared Repository - branch v4-17-test updated
The branch, v4-17-test has been updated via 229d55eff3a WHATSNEW: Document new Protected Users group via 8a7551c4ac6 WHATSNEW: add more added/updated parameters via b3e04327601 WHATSNEW: Make MIT Kerberos 1.20 updates clearer from e9c554c0a6a s3/winbindd: Fix bad access to sid array (with debug level >= info) https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test - Log - commit 229d55eff3ad5e99b16f7c79737ab3760d169d22 Author: Joseph Sutton Date: Thu Aug 25 16:58:06 2022 +1200 WHATSNEW: Document new Protected Users group Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 8a7551c4ac6037327f3c9be907b0889a509c6258 Author: Stefan Metzmacher Date: Mon Sep 5 14:26:06 2022 +0200 WHATSNEW: add more added/updated parameters Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke commit b3e043276017c6323afa681df9154df9a4292bd1 Author: Stefan Metzmacher Date: Mon Sep 5 14:20:46 2022 +0200 WHATSNEW: Make MIT Kerberos 1.20 updates clearer Make it clearer what also applies to Heimdal and what not. Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke --- Summary of changes: WHATSNEW.txt | 61 +++- 1 file changed, 56 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 3591b8a4306..b634beca0a8 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -68,8 +68,8 @@ even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers. -Bronze bit and S4U support with MIT Kerberos 1.20 -- +Bronze bit and S4U support now also with MIT Kerberos 1.20 +-- In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, 
@@ -87,17 +87,24 @@ but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20. In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions. +Note the default (Heimdal-based) KDC was already fixed in 2021, +see https://bugzilla.samba.org/show_bug.cgi?id=14642 + Resource Based Constrained Delegation (RBCD) support Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite. -Note that samba-tool lacks support for setting this up yet! + +samba-tool delegation got the 'add-principal' and 'del-principal' subcommands +in order to manage RBCD. To complete RBCD support and make it useful to Administrators we added the Asserted Identity [1] SID into the PAC for constrained delegation. This is available for Samba AD compiled with MIT Kerberos 1.20. +Note the default (Heimdal-based) KDC does not support RBCD yet. + [1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview Customizable DNS listening port 
@@ -187,6 +194,45 @@ covers all the existing text output including sessions, connections, open files, byte-range locks, notifies and profile data with all low-level information maintained by Samba in the respective databases. +Protected Users security group +-- + +Samba AD DC now includes support for the Protected Users security +group introduced in Windows Server 2012 R2. The feature reduces the +attack surface of user accounts by preventing the use of weak +encryption types. It also mitigates the effects of credential theft by +limiting credential lifetime and scope. + +The protections are intended for user accounts only, and service or +computer accounts should not be added to the Protected Users +group. User accounts added to the group are granted the following +security protections: + + * NTLM authentication is disabled. + * Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are + not issued to or accepted from affected principals. Tickets + encrypted with AES, and service tickets encrypted with RC4, are + not affected by this restriction. + * The lifetime of Kerberos TGTs is restricted to a maximum of four + hours. + * Kerberos constrained and unconstrained delegation is disabled. + +If the Protected Users group is not already present in the domain, it +can be created with 'samba-tool group add'. The new '--special' +parameter must be specified, with 'Protected Users' as the name of the +group. An example command invocation is: + +samba-tool group add 'Protected Users' --special + +or against a remote server: + +samba-tool group
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 75e03ea021a libcli/smb: Set error status if 'iov' pointer is NULL via 40d4912d841 libcli/smb: Ensure we call tevent_req_nterror() on failure via 968a5ae89f0 smbd: directly pass fsp to SMB_VFS_FGETXATTR() in fget_ea_dos_attribute() via 3f7d8db9945 smbd: add and use vfs_fget_dos_attributes() via e74b10e17ee smbtorture: add test smb2.stream.attributes2 via b5848d391be smbtorture: rename smb2.streams.attributes to smb2.streams.attributes1 from d4f18f99d3a s3:smbd: let delay_for_oplock_fn() only call leases_db_get() once https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 75e03ea021afa66842b6e0dea21072b1b8026d58 Author: Joseph Sutton Date: Mon Aug 22 16:56:46 2022 +1200 libcli/smb: Set error status if 'iov' pointer is NULL BUG: https://bugzilla.samba.org/show_bug.cgi?id=15152 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Aug 22 09:03:29 UTC 2022 on sn-devel-184 commit 40d4912d841e6bcd7cd37810ef101d5f89268ee7 Author: Joseph Sutton Date: Mon Aug 22 15:50:02 2022 +1200 libcli/smb: Ensure we call tevent_req_nterror() on failure Commit 3594c3ae202688fd8aae5f7f5e20464cb23feea9 added a NULL check for 'inhdr', but it meant we didn't always call tevent_req_nterror() when we should. Now we handle connection errors. We now also set an error status if the NULL check fails. I noticed this when an ECONNRESET error from a server refusing SMB1 wasn't handled, and the client subsequently hung in epoll_wait(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15152 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 968a5ae89f0d0da219e7dd05dd1f7f7c96dbb910 Author: Ralph Boehme Date: Sun Aug 14 16:39:37 2022 +0200 smbd: directly pass fsp to SMB_VFS_FGETXATTR() in fget_ea_dos_attribute() We're now consistently passing the base_fsp to SMB_VFS_FSET_DOS_ATTRIBUTES(), so we don't need to check for a stream_fsp here anymore. 
Additionally vfs_default will assert a non-stream fsp inside vfswrap_fgetxattr(), so in case any caller wrongly passes a stream fsp, this is caught in vfs_default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126 MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit 3f7d8db9945a325020e4d1574289dea9e8331c29 Author: Ralph Boehme Date: Thu Aug 11 17:18:13 2022 +0200 smbd: add and use vfs_fget_dos_attributes() Commit d71ef1365cdde47aeb3465699181656b0655fa04 caused a regression where the creation date on streams wasn't updated anymore on the stream fsp. By adding a simple wrapper vfs_fget_dos_attributes() that takes care of - passing only the base_fsp to the VFS, so the VFS can be completely agnostic of all the streams related complexity like fake fds, - propagating any updated btime from the base_fsp->fsp_name to the stream_fsp->fsp_name BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126 MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit e74b10e17ee5df0f77ac5349242841be8d71c4e8 Author: Ralph Boehme Date: Sat Aug 13 16:13:07 2022 +0200 smbtorture: add test smb2.stream.attributes2 Specifically torture the creation date is the same for the file and its streams. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126 MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit b5848d391be4f7633745d9c36e432ac8b1c9dba2 Author: Ralph Boehme Date: Sat Aug 13 17:04:50 2022 +0200 smbtorture: rename smb2.streams.attributes to smb2.streams.attributes1 A subsequent commit adds another streams test named "attributes2", this change avoids matching the new testname with the existing knownfail entries. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126 MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher --- Summary of changes: libcli/smb/smbXcli_base.c | 12 +- selftest/knownfail | 4 +- source3/include/proto.h| 3 + source3/smbd/dosmode.c | 7 +- source3/smbd/open.c| 3 +- source3/smbd/vfs.c | 39 + source4/torture/smb2/streams.c | 361 - 7 files changed, 416 insertions(+), 13 deletions(-) Cha
[SCM] Samba Shared Repository - branch v4-17-test updated
61-0ca129aae6c4" support... via 691d0fad1c3 s3:g_lock: use TDB_VOLATILE to avoid fcntl locks via c12a8d50837 smbd: avoid calling SMB_VFS_FGET_NT_ACL() if do_not_check_mask already covers all via 851d7768c30 s3:include: remove unused update_stat_ex_file_id() prototype via f82ef749180 smbstatus: Fix the 32-bit build on FreeBSD via 7b338dc6f57 smbd: Use dirfsp where we have it via d6c44a93f08 s3:tests: let smbstatus json tests fail if jq is not installed from fd61f48e0c1 manpages: add smbstatus option --json with sample output https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test - Log - commit 8b6cea8105c8e8f3f5279b0ee62d36fa467e316d Author: Stefan Metzmacher Date: Tue Aug 16 14:17:50 2022 +0200 WHATSNEW: SMB Server performance improvements Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(v4-17-test): Stefan Metzmacher Autobuild-Date(v4-17-test): Tue Aug 16 19:37:17 UTC 2022 on sn-devel-184 commit c027512a6128f40ba9f533b624535ccfdba1260b Author: Stefan Metzmacher Date: Tue Aug 16 09:35:16 2022 +0200 s3:vfs.h: add comment about VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS BUG: https://bugzilla.samba.org/show_bug.cgi?id=15146 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 5adf051228b56c05fe1205e7a865a497b58e81d9) commit ff46ee6ad51be64264f706cf7965ad178033ddd2 Author: Jeremy Allison Date: Thu Aug 11 10:03:58 2022 -0700 s3: smbd: Add IS_VETO_PATH checks to openat_pathref_fsp_case_insensitive(). Returns NT_STATUS_OBJECT_NAME_NOT_FOUND for final component. Note we have to call the check before each call to openat_pathref_fsp(), as each call may be using a different filesystem name. The first name is the one passed into openat_pathref_fsp_case_insensitive() by the caller, the second one is a name retrieved from get_real_filename_cache_key(), and the third one is the name retrieved from get_real_filename_at(). The last two calls may have demangled the client given name into a veto'ed path on the filesystem. 
Remove knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Aug 16 08:26:54 UTC 2022 on sn-devel-184 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15146 (cherry picked from commit 1654eae11b9c13308b2b78f70309eb3a56960619) commit 9e32b03e1eec07485582c6c0ea67f2f3a7ea89fd Author: Jeremy Allison Date: Thu Aug 11 09:55:56 2022 -0700 s3: smbd: Add IS_VETO_PATH check to openat_pathref_dirfsp_nosymlink(). Returns NT_STATUS_OBJECT_PATH_NOT_FOUND for directory component. Note IS_VETO_PATH only looks at the last component, so we must do it during the directory walk on each component. Note, we also have to check after a call to get_real_filename_at() as it may have demangled the client sent name into a filesystem name that matches the "veto files" parameter. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher BUG: https://bugzilla.samba.org/show_bug.cgi?id=15146 (cherry picked from commit 1c293060204d96bf94427f91eb20eb9decc29a41) commit 80c090c87b2898af7f793e1289efd66b279a0e5c Author: Jeremy Allison Date: Thu Aug 11 09:51:11 2022 -0700 s3: tests: Add samba3.blackbox.test_veto_files. Shows we currently don't look at smb.conf veto files parameter when opening a file or directory. Checks multi-component paths. Also checks veto files that might be hidden behind a mangled name. Add knownfail. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher BUG: https://bugzilla.samba.org/show_bug.cgi?id=15146 (cherry picked from commit c6933673222ea9ae2eb74d5586c9495269f51ea0) commit 912ee2c92d410167f8a01afd26517ca5763bb617 Author: Stefan Metzmacher Date: Fri Aug 12 10:55:42 2022 +0200 selftest/Samba3: let nt4_dc* use vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS=no We should always test the code path without openat2 being available, even if the kernel supports it. Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Mon Aug 15 16:00:26 UTC 2022 on sn-devel-184 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15146 (cherry picked from commit 076c22fbd7ecbf22dbfeb1711609f07fd42f88b0) commit 783e6e7520cee485b89122a45ea7782090088f67 Author: Volker Lendecke Date: Fri Jun 17 17:41:52 2022 +0200
[SCM] Samba Shared Repository - branch v4-17-test updated
The branch, v4-17-test has been updated via fd61f48e0c1 manpages: add smbstatus option --json with sample output via d6afd0d9417 WHATSNEW: announce new smbstatus json support via a8ddc56e71c WHATSNEW: add section for new smbconf python api from 4cbef001b52 VERSION: Bump version up to 4.17.0rc2... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test - Log - commit fd61f48e0c195a4c73f8da50868922bd581623d3 Author: Jule Anger Date: Mon Aug 15 15:27:55 2022 +0200 manpages: add smbstatus option --json with sample output BUG: https://bugzilla.samba.org/show_bug.cgi?id=15147 Signed-off-by: Jule Anger Reviewed-by: Ralph Boehme (cherry picked from commit ddbf1b29eee140b3112eb238852bfdc8285eb04f) Autobuild-User(v4-17-test): Stefan Metzmacher Autobuild-Date(v4-17-test): Tue Aug 16 17:37:28 UTC 2022 on sn-devel-184 commit d6afd0d9417e504cee7d82ebee1d221a89801651 Author: Jule Anger Date: Tue Aug 16 17:02:51 2022 +0200 WHATSNEW: announce new smbstatus json support Signed-off-by: Jule Anger Reviewed-by: Ralph Boehme commit a8ddc56e71c3e178146a7ac203ac225deb4f92e9 Author: John Mulligan Date: Thu Aug 11 14:04:27 2022 -0400 WHATSNEW: add section for new smbconf python api Signed-off-by: John Mulligan --- Summary of changes: WHATSNEW.txt | 19 +++ docs-xml/manpages/smbstatus.1.xml | 264 ++ 2 files changed, 283 insertions(+) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index d39748f0587..006220f0d4c 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -147,6 +147,25 @@ can cause the Kerberos password salt to change. This means that after *both* an account rename and a password change, only the current password will be recognised for password history purposes. +Python API for smbconf +-- + +Samba's smbconf library provides a generic frontend to various +configuration backends (plain text file, registry) as a C library. A +new Python wrapper, importable as 'samba.smbconf' is available. An +additional module, 'samba.samba3.smbconf', is also available to enable +registry backend support. These libraries allow Python programs to +read, and optionally write, Samba configuration natively. + +JSON support for smbstatus +-- + +It is now possible to print detailed information in JSON format in +the smbstatus program using the new option --json. The JSON output +covers all the existing text output including sessions, connections, +open files, byte-range locks, notifies and profile data with all +low-level information maintained by Samba in the respective databases. + REMOVED FEATURES diff --git a/docs-xml/manpages/smbstatus.1.xml b/docs-xml/manpages/smbstatus.1.xml index e0945761b28..63ae4641bf1 100644 --- a/docs-xml/manpages/smbstatus.1.xml +++ b/docs-xml/manpages/smbstatus.1.xml @@ -31,6 +31,7 @@ -B|--byterange -n|--numeric -f|--fast + -j|--json --resolve-uids -?|--help --usage 
@@ -136,6 +137,269 @@ + + -j|--json + Output more detailed information in JSON format instead + of human readable. + The output has the following format: + +{ + "timestamp": "2022-04-15T18:25:15.364891+0200", + "version": "4.17.0pre1-GIT-a0f12b9c80b", + "smb_conf": "/opt/samba/etc/smb.conf", + "sessions": { +"3639217376": { + "session_id": "3639217376", + "server_id": { +"pid": "69650", +"task_id": "0", +"vnn": "4294967295", +"unique_id": "10756714984493602300" + }, + "uid": 1000, + "gid": 1000, + "username": "johndoe", + "groupname": "johndoe", + "remote_machine": "127.0.0.1", + "hostname": "ipv4:127.0.0.1:59944", + "session_dialect": "SMB3_11", + "encryption": { +"cipher": "", +"degree": "none" + }, + "signing": { +"cipher": "AES-128-GMAC", +"degree": "partial" + } +} + }, + "tcons": { +"3813255619": { + "service": "sharename", + "serv
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 55b3bcc30b4 s3:vfs.h: change SMB_VFS_INTERFACE_VERSION to 48 for 4.18 via 5adf051228b s3:vfs.h: add comment about VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS from 1654eae11b9 s3: smbd: Add IS_VETO_PATH checks to openat_pathref_fsp_case_insensitive(). https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 55b3bcc30b4ffb026798f3a2626322d13c96ba24 Author: Stefan Metzmacher Date: Tue Aug 16 09:36:09 2022 +0200 s3:vfs.h: change SMB_VFS_INTERFACE_VERSION to 48 for 4.18 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Aug 16 11:51:36 UTC 2022 on sn-devel-184 commit 5adf051228b56c05fe1205e7a865a497b58e81d9 Author: Stefan Metzmacher Date: Tue Aug 16 09:35:16 2022 +0200 s3:vfs.h: add comment about VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS BUG: https://bugzilla.samba.org/show_bug.cgi?id=15146 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- Summary of changes: source3/include/vfs.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/include/vfs.h b/source3/include/vfs.h index 2fd8d1cdd06..33623969ef3 100644 --- a/source3/include/vfs.h +++ b/source3/include/vfs.h @@ -374,9 +374,11 @@ * Version 47 - Re-add dirfsp to CREATE_FILE * Version 47 - Add fsp flag fstat_before_close * Version 47 - Change SMB_VFS_OPENAT() to match the Linux openat2 prototype, add vfs_open_how + * Version 47 - Add VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS for SMB_VFS_OPENAT() + * Change to Version 48 - will ship with 4.18 */ -#define SMB_VFS_INTERFACE_VERSION 47 +#define SMB_VFS_INTERFACE_VERSION 48 /* All intercepted VFS operations must be declared as static functions inside module source -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 1654eae11b9 s3: smbd: Add IS_VETO_PATH checks to openat_pathref_fsp_case_insensitive(). via 1c293060204 s3: smbd: Add IS_VETO_PATH check to openat_pathref_dirfsp_nosymlink(). via c6933673222 s3: tests: Add samba3.blackbox.test_veto_files. from 076c22fbd7e selftest/Samba3: let nt4_dc* use vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS=no https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1654eae11b9c13308b2b78f70309eb3a56960619 Author: Jeremy Allison Date: Thu Aug 11 10:03:58 2022 -0700 s3: smbd: Add IS_VETO_PATH checks to openat_pathref_fsp_case_insensitive(). Returns NT_STATUS_OBJECT_NAME_NOT_FOUND for final component. Note we have to call the check before each call to openat_pathref_fsp(), as each call may be using a different filesystem name. The first name is the one passed into openat_pathref_fsp_case_insensitive() by the caller, the second one is a name retrieved from get_real_filename_cache_key(), and the third one is the name retrieved from get_real_filename_at(). The last two calls may have demangled the client given name into a veto'ed path on the filesystem. Remove knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Aug 16 08:26:54 UTC 2022 on sn-devel-184 commit 1c293060204d96bf94427f91eb20eb9decc29a41 Author: Jeremy Allison Date: Thu Aug 11 09:55:56 2022 -0700 s3: smbd: Add IS_VETO_PATH check to openat_pathref_dirfsp_nosymlink(). Returns NT_STATUS_OBJECT_PATH_NOT_FOUND for directory component. Note IS_VETO_PATH only looks at the last component, so we must do it during the directory walk on each component. Note, we also have to check after a call to get_real_filename_at() as it may have demangled the client sent name into a filesystem name that matches the "veto files" parameter. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 
Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher commit c6933673222ea9ae2eb74d5586c9495269f51ea0 Author: Jeremy Allison Date: Thu Aug 11 09:51:11 2022 -0700 s3: tests: Add samba3.blackbox.test_veto_files. Shows we currently don't look at smb.conf veto files parameter when opening a file or directory. Checks multi-component paths. Also checks veto files that might be hidden behind a mangled name. Add knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher --- Summary of changes: selftest/target/Samba3.pm | 4 + source3/script/tests/test_veto_files.sh | 201 source3/selftest/tests.py | 4 + source3/smbd/filename.c | 20 source3/smbd/files.c| 18 +++ 5 files changed, 247 insertions(+) create mode 100755 source3/script/tests/test_veto_files.sh Changeset truncated at 500 lines: diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 387856e07a0..88898807428 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1916,6 +1916,10 @@ sub setup_fileserver path = $veto_sharedir delete veto files = yes +[veto_files] + path = $veto_sharedir + veto files = /veto_name*/ + [delete_yes_unwrite] read only = no path = $delete_unwrite_sharedir diff --git a/source3/script/tests/test_veto_files.sh b/source3/script/tests/test_veto_files.sh new file mode 100755 index 000..9f0526bd54c --- /dev/null +++ b/source3/script/tests/test_veto_files.sh 
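Review bot: The added `[veto_files]` stanza reuses `$veto_sharedir`, which the stanza directly above it in this hunk already exports with `delete veto files = yes`, so two shares with different veto behaviour act on one directory tree. Anything a test leaves behind through one share is visible through the other, which would make a real veto-enforcement regression hard to tell apart from leftover state. Either give the new share its own directory or document the coupling with a comment above the stanza, for example `# same tree as the share above; tests must remove everything they create`. The stanza is part of a larger smb.conf template in setup_fileserver that starts and ends outside the hunk, so the name of the neighbouring share is not visible here.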
@@ -0,0 +1,201 @@ +#!/bin/sh +# +# Check smbclient cannot get a file that matches a veto files +# parameter, or inside a directory that matches a veto files +# parameter. +# +# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143 +# + +if [ $# -lt 6 ]; then + cat <"$tmpfile" <st); + /* Check veto files - only looks at last component. */ + if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_name)) { + DBG_DEBUG("veto files rejecting last component %s\n", + smb_fname_str_dbg(smb_fname_rel)); + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + status = openat_pathref_fsp(dirfsp, smb_fname_rel); if (NT_STATUS_IS_OK(status)) { @@ -895,6 +902,13 @@ static NTSTATUS openat_pathref_fsp_case_insensitive( return NT_STATUS_NO_MEMORY; } + if (IS_VETO_PATH(dirfsp->conn, smb_fname_rel->base_
[SCM] Samba Shared Repository - branch v4-17-stable updated
The branch, v4-17-stable has been updated via 3ddc9344c2f CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro. via a60863458dc CVE-2022-32742: s4: torture: Add raw.write.bad-write test. via 3029d9bf350 CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust via 958f2bce695 CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets via 0d8995910f9 CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT via 6a10e890a08 CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info via fc03cf9f454 CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd via 52dd9f8f835 CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx() via 484c6980bef CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal via 2d3bd2d9ab1 s4:kdc: Remove kadmin mode from HDB plugin via 827dc6a61e6 CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name via 09e54a7b1d1 CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components via be239c71687 CVE-2022-2031 tests/krb5: Test truncated forms of server principals via bbad8f1de43 CVE-2022-32744 s4:kdc: Don't allow HDB keytab iteration via ffb599050ae CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life via 018bdbc29db CVE-2022-2031 third_party/heimdal: Add function to get current KDC time via 3e773a3954f CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less via c0282bbbc13 CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal via 186f0c6e486 CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal() via c6d93504911 CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function via 23a03911a7f CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function via a8068e32a02 CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd via d6580f35724 s4:kpasswd: Restructure code for 
clarity via ce3b7b27a37 CVE-2022-2031 s4:kpasswd: Require an initial ticket via bbfbbb9f648 CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket via e0c135e6c14 CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR via 4e2e767a78b CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error() via f89e5eff5f5 CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure via 1f7d94b5fce CVE-2022-2031 s4:kpasswd: Correctly generate error strings via 86698b313e7 CVE-2022-2031 tests/krb5: Add tests for kpasswd service via 192d597c2f2 CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20 via 4212037a6a3 CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests via 6a2ec50bfdb CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method via 332fd6032a8 CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm via 1e80767c1d2 tests/krb5: Add option for creating accounts with expired passwords via 2bb1f40b9a4 tests/krb5: Fix enum typo via 18bd6dafb57 CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages via 888d58f4334 CVE-2022-2031 tests/krb5: Add 'port' parameter to connect() via a5a2fc4259c CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures via 48eb3354c5f CVE-2022-2031 tests/krb5: Add new definitions for kpasswd via ebccd0440aa CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts via a118881f4fb CVE-2022-2031 tests/krb5: Split out _make_tgs_request() via f152afa74e8 CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno via 714cadfc404 CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure via b423c370b9b CVE-2022-2031 s4:kpasswd: Account for missing target principal via 2872ccc931c CVE-2022-2031 third_party/heimdal: Check generate_pac() return code via 9881491023e CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element via aa728dfcc96 
CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer via 4a31c48057e CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit via 4ec784e0a91 CVE-2022-32745 s4/dsdb/samldb: Check for empty values array via f4eb4e6478d CVE-2022-32746 ldb: Release LDB 2.6.1 via 0a3aa5f908e CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message via df487eb2d71 CVE-2022-32746 ldb: Add functions for appending to an ldb_message via a2bb5beee82 CVE-2022-32746 ldb: Ensure shallow copy modifications do
[SCM] Samba Shared Repository - branch v4-17-test updated
The branch, v4-17-test has been updated via 3ddc9344c2f CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro. via a60863458dc CVE-2022-32742: s4: torture: Add raw.write.bad-write test. via 3029d9bf350 CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust via 958f2bce695 CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets via 0d8995910f9 CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT via 6a10e890a08 CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info via fc03cf9f454 CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd via 52dd9f8f835 CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx() via 484c6980bef CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal via 2d3bd2d9ab1 s4:kdc: Remove kadmin mode from HDB plugin via 827dc6a61e6 CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name via 09e54a7b1d1 CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components via be239c71687 CVE-2022-2031 tests/krb5: Test truncated forms of server principals via bbad8f1de43 CVE-2022-32744 s4:kdc: Don't allow HDB keytab iteration via ffb599050ae CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life via 018bdbc29db CVE-2022-2031 third_party/heimdal: Add function to get current KDC time via 3e773a3954f CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less via c0282bbbc13 CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal via 186f0c6e486 CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal() via c6d93504911 CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function via 23a03911a7f CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function via a8068e32a02 CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd via d6580f35724 s4:kpasswd: Restructure code for 
clarity via ce3b7b27a37 CVE-2022-2031 s4:kpasswd: Require an initial ticket via bbfbbb9f648 CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket via e0c135e6c14 CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR via 4e2e767a78b CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error() via f89e5eff5f5 CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure via 1f7d94b5fce CVE-2022-2031 s4:kpasswd: Correctly generate error strings via 86698b313e7 CVE-2022-2031 tests/krb5: Add tests for kpasswd service via 192d597c2f2 CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20 via 4212037a6a3 CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests via 6a2ec50bfdb CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method via 332fd6032a8 CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm via 1e80767c1d2 tests/krb5: Add option for creating accounts with expired passwords via 2bb1f40b9a4 tests/krb5: Fix enum typo via 18bd6dafb57 CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages via 888d58f4334 CVE-2022-2031 tests/krb5: Add 'port' parameter to connect() via a5a2fc4259c CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures via 48eb3354c5f CVE-2022-2031 tests/krb5: Add new definitions for kpasswd via ebccd0440aa CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts via a118881f4fb CVE-2022-2031 tests/krb5: Split out _make_tgs_request() via f152afa74e8 CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno via 714cadfc404 CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure via b423c370b9b CVE-2022-2031 s4:kpasswd: Account for missing target principal via 2872ccc931c CVE-2022-2031 third_party/heimdal: Check generate_pac() return code via 9881491023e CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element via aa728dfcc96 
CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer via 4a31c48057e CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit via 4ec784e0a91 CVE-2022-32745 s4/dsdb/samldb: Check for empty values array via f4eb4e6478d CVE-2022-32746 ldb: Release LDB 2.6.1 via 0a3aa5f908e CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message via df487eb2d71 CVE-2022-32746 ldb: Add functions for appending to an ldb_message via a2bb5beee82 CVE-2022-32746 ldb: Ensure shallow copy modifications do
[SCM] Samba Shared Repository - annotated tag ldb-2.6.1 created
The annotated tag, ldb-2.6.1 has been created at 6c21717513fd56a450fdd0b5a21186a1eb555a4d (tag) tagging f4eb4e6478db2b41acf426a7a6ba2e7130b69b29 (commit) replaces tevent-0.13.0 tagged by Stefan Metzmacher on Wed Jul 27 15:03:41 2022 +0200 - Log - ldb: tag release ldb-2.6.1 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmLhN60ACgkQR5ORYRMI QCUctwgAu3K3K4N4Y1e6bDS7+b653se+gSRcE1/yOMvJHOe+8/vQ35X3t0n5GC0Y lM+OawGlHtfNvWhFPaOuFNijKeynEoz6Ev8vPZ3nxDkfxIkGdhsBimYvMBx+JlvV obqqDAPCIhNQY4MvKIHpxKyoY9HZVyBsqeBGZUpP4bkkGplDcf2Dppje1iTwylQK tHhTzA5Ev+gUa8t9M6mFqP3XkFNJQgKq8SC6/J4Uu7VnXB3GHQHWUby2/ZmxfwF/ 9xd2BHgP5axDy+29Pmeey6tGaJ9WcvUnJ5fHzrnvYdT6Y1s7xcb9UZBruQiGf9O/ cEH5Y532P4YQiS2pgz8oEbil7WWskg== =hkoF -END PGP SIGNATURE- Andrew Bartlett (1): CVE-2022-32746 ldb: Release LDB 2.6.1 Joseph Sutton (13): CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison CVE-2022-32746 s4:torture: Fix LDB flags comparison CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check CVE-2022-32746 ldb: Add flag to mark message element values as shared CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message CVE-2022-32746 ldb: Add functions for appending to an ldb_message CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message Stefan Metzmacher (46): lib/messaging: s/getpid/tevent_cached_getpid s3:lib/messages*: s/getpid/tevent_cached_getpid lib/util: make use of tevent_cached_getpid() in performance critical code s3:profile: make use of tevent_cached_getpid() in performance 
critical code smbd: split out smbd_check_access_rights_fname and call it before SMB_VFS_FGET_NT_ACL s3:dbwrap_watch: let dbwrap_watched_watch_state_destructor() use DBG_WARNING() s3:dbwrap_watch: use value_valid = false during dbwrap_watched_do_locked_fn() s3:dbwrap_watch: s/db_watched_subrec/db_watched_record s3:dbwrap_watch: s/dbwrap_watched_subrec/dbwrap_watched_record s3:dbwrap_watch: rename struct dbwrap_watched_record variables to 'wrec' s3:dbwrap_watch: move wakeup_value to struct db_watched_record s3:dbwrap_watch: use dbwrap_record_get_db(rec) instead of state->db s3:dbwrap_watch: use struct db_watched_record as rec->private_data for do_locked too s3:dbwrap_watch: move 'wrec' from dbwrap_watched_do_locked_state to dbwrap_watched_do_locked_fn s3:dbwrap_watch: use dbwrap_record_get_key() to access the key s3:dbwrap_watch: only pass struct db_watched_record to dbwrap_watched_record_*() functions s3:dbwrap_watch: use backend.{rec,initial_value} instead of subrec[_value] s3:dbwrap_watch: add db_record_get_watched_record() helper s3:dbwrap_watch: move the do_locked optimization to dbwrap_watched_record_wakeup() s3:dbwrap_watch: remove unused dbwrap_watched_do_locked_{storev,delete}() s3:dbwrap_watch: split out a db_watched_record_init() helper function s3:dbwrap_watch: split out db_watched_record_fini() from db_watched_record_destructor() s3:dbwrap_watch: also the fetch_locked case only needs to wake waiters just once s3:dbwrap_watch: remove dbwrap_watched_record_wakeup_fn() indirection s3:dbwrap_watch: split out a dbwrap_watched_watch_add_instance() helper s3:dbwrap_watch: move db_record and db_watched_record to dbwrap_watched_do_locked() s3:dbwrap_watch: don't use talloc_tos() for messaging_filtered_read_recv() s3:dbwrap_watch: let dbwrap_watched_watch_recv() use tevent_req_received() s3:dbwrap_watch: remove unused dbwrap_watched_do_locked_state.status s3:dbwrap_watch: define/use DBWRAP_MAX_WATCHERS s3:dbwrap_watch: prepare dbwrap_watched_record_storev() to 
store watchers if requested s3:dbwrap_watch: filter out records with empty payload during traverse s3:dbwrap_watch: let dbwrap_watched_delete() call dbwrap_watched_record_storev(num_dbufs=0) s3:dbwrap_watch: use dbwrap_watched_record_storev() to add a new watcher s3:dbwrap_watch: remove a watcher via db_watched_record_fini() s3:dbwrap_watch: allow callers of dbwrap_watched_watch_send/recv() to manage the watcher instances s3:g_lock: avoid calling g_lock_store() from g_lock_cleanup_dead() s3:g_lock: always call g_lock_cleanup_shared() before getting
[SCM] Samba Shared Repository - annotated tag ldb-2.6.0 created
The annotated tag, ldb-2.6.0 has been created at 1a5e0f46dca87122985fd3b91663cb2c3f7c57be (tag) tagging d844bc6cbdbaafec5e82a259ec5ae341b77f35c8 (commit) replaces samba-4.16.0rc1 tagged by Stefan Metzmacher on Wed Jul 27 15:03:18 2022 +0200 - Log - ldb: tag release ldb-2.6.0 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmLhN5YACgkQR5ORYRMI QCV+AAf7BtZ7zx6Edg5vemxjVWz3oWtm3ew8EtjyemEqbuzY9gq8WGjD9Osyfm1M sPilbv7CdzBaNFE8bEhKF/Pqd3vA3dsMNfx9et2YL+ACirxUPC3mkCsK3BTlCPfj 3NVC3CIMVUxb+XsY/zYxbg7nuElnC7lgDAzeucqoSCIu9eAWqnhupRgTNIQDIdhj OpZmPAzXZOJEhJY844Y+Dn8hu2UCV0aiJOhn5oIDHDeDgAphC5A+RhfyCoNAHWNT FCE9ZAS+Y4qlt7SQelOTwLuKWuIUG4OIomVYi6gRQVEvZZVJzlfhJTaon4FvsmxT ljzZaUsUuJmj59l6qcu3TtV526LE1w== =BmpT -END PGP SIGNATURE- Jule Anger (1): VERSION: Bump version up to 4.17.0pre1... Stefan Metzmacher (1): ldb: bump version to 2.6.0 for Samba 4.17.x releases --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag tevent-0.13.0 created
The annotated tag, tevent-0.13.0 has been created at afbf4cc88bb8db74f4001b9a6dbe73b3e929476b (tag) tagging 63d4db63feda920c8020f8484a8b31065b7f1380 (commit) replaces tdb-1.4.7 tagged by Stefan Metzmacher on Tue Jul 26 17:04:24 2022 +0200 - Log - tevent: tag release tevent-0.13.0 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmLgAngACgkQR5ORYRMI QCV4AQgAm2LKizbT4NGwfkQqEb73jNcEgzTVlzN9hGDKw44RyM9/ncN0bNKaHIJv qYVU/z5xZT3ogoZ9vK7wU0A+whsqq8xeVdj9xh9+iXuRLDTHOqAnV7RRDyIC+z3f saIVVJ+ED1tDKK5Q/PCxZ3vWSNgiOyEMTkLHeBPz8pHzBSG0trRlRaRnYb0dGpWg +GLJh6KrngArcKMVi2NlbubJB0kOoP3Q8OOLhhWhc84rPF/OBSr7wfKhaGXQIJCk uVNTuQ3A7FQnaDIubUU8z+4GTU5Dc+YzJK8VWzQgWreIf2D3GMY811cWxia6eyvM +tB3oODCzpr0wrSjsA76ieOWkh+KPQ== =Skod -END PGP SIGNATURE- Andreas Schneider (90): s3:tests: Reformat test_sacl_set_get.sh s3:tests: Reformat test_shadow_copy_torture.sh s3:tests: Reformat test_shareenum.sh s3:tests: Reformat test_sharesec.sh s3:tests: Reformat test_smb1_shadow_copy_torture.sh s3:tests: Reformat test_smb1_system_security.sh s3:tests: Reformat test_smb2_not_casesensitive.sh s3:tests: Reformat test_smbXsrv_client_dead_rec.sh s3:tests: Reformat test_smbclient_auth.sh s3:tests: Reformat test_smbclient_basic.sh s3:tests: Reformat test_smbclient_encryption.sh s3:tests: Reformat test_smbclient_encryption_off.sh s3:tests: Reformat test_smbclient_iconv.sh s3:tests: Reformat test_smbclient_kerberos.sh s3:tests: Reformat test_smbclient_krb5.sh s3:tests: Reformat test_smbclient_large_file.sh s3:tests: Reformat test_smbclient_list_servers.sh s3:tests: Reformat test_smbclient_log_basename.sh s3:tests: Reformat test_smbclient_machine_auth.sh s3:tests: Reformat test_smbclient_mget.sh s3:tests: Reformat test_smbclient_netbios_aliases.sh s3:tests: Reformat test_smbclient_ntlm.sh s3:tests: Reformat test_smbclient_s3.sh s3:tests: Reformat test_smbclient_tarmode.sh s3:tests: Reformat test_smbcquota.sh s3:tests: Reformat test_smbd_error.sh s3:tests: Reformat test_smbd_no_krb5.sh s3:tests: 
Reformat test_smbget.sh s3:tests: Reformat test_smbpasswd.sh s3:tests: Reformat test_smbspool.sh s3:tests: Reformat test_smbstatus.sh s3:tests: Reformat test_smbtorture_s3.sh s3:tests: Reformat test_substitutions.sh s3:tests: Reformat test_success.sh s3:tests: Reformat test_symlink_rename_smb1_posix.sh s3:tests: Reformat test_symlink_traversal_smb1.sh s3:tests: Reformat test_symlink_traversal_smb1_posix.sh s3:tests: Reformat test_symlink_traversal_smb2.sh s3:tests: Reformat test_testparm_s3.sh s3:tests: Reformat test_tevent_glib_glue.sh s3:tests: Reformat test_timestamps.sh s3:tests: Reformat test_usernamemap.sh s3:tests: Reformat test_valid_users.sh s3:tests: Reformat test_veto_rmdir.sh s3:tests: Reformat test_virus_scanner.sh s3:tests: Reformat test_wbinfo_lookuprids_cache.sh s3:tests: Reformat test_wbinfo_sids2xids.sh s3:tests: Reformat test_winbind_ignore_domains.sh s3:tests: Reformat test_zero_data.sh s3:tests: Reformat wb_pad.sh s3:tests: Reformat full_audit_segfault/run.sh s3:tests: Reformat stream-depot/run.sh s3:tests: Reformat vfstest-acl/run.sh s3:tests: Reformat vfstest-catia/run.sh s3:tests: Reformat xattr-tdb-1/run.sh testprogs: Fix auth with smbclient and krb5 ccache lib:cmdline: Fix error handling of --use-kerberos=desired|required|off lib:cmdline: Fix error handling of --use-krb5-ccache=CCACHE lib:cmdline: Fix error handling of --client-protection=sign|encrypt|off s3:waf: Fix version number of public libsmbconf third_party: Update nss_wraper to version 1.1.12 bootstrap: Use quay.io to download fedora images s4:libads: Fix trailing whitespaces in ldap.c s3:libads: Check if we have a valid sockaddr s3:printing: Do not clear the printer-list.tdb s4:client: Reformat shell scripts s4:librpc: Reformat shell scripts s4:script: Reformat shell scripts s4:scripting: Reformat shell scripts s4:torture: Reformat shell scripts s4:utils: Reformat shell scripts s4:selftest: Reformat shell scripts s4:setup: Reformat shell scripts testprogs: Reformat bogus.sh 
s3:selftest: Reformat rpc array s4:selftest: Reformat slow_ncacn_np_tests list s4:selftest: Reformat rpc.samr.passwords plansmbtorture4testsuite s4:torture: Rename rpc.samr.passwords tests selftest: Do not skip working tests s3:winbind: Fix pointer access in wb_lookupusergroups_recv() s3:winbind: Add additional debug level check to wb_lookupusergroups_recv() s3:winbind: Fix pointer access
[SCM] Samba Shared Repository - annotated tag ldb-2.4.3 created
The annotated tag, ldb-2.4.3 has been created at 613ebcd9199736e0c991714bf4786e3e02872589 (tag) tagging 604f94704f30e90ef960aa2be62a14d2e614a002 (commit) replaces samba-4.15.7 tagged by Stefan Metzmacher on Thu Jun 9 17:35:25 2022 +0200 - Log - ldb: tag release ldb-2.4.3 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmKiEz0ACgkQR5ORYRMI QCUdOgf/UYQ74dDs/8IeaPEvmAYLPKKnHo4S5Drx6Lmc4nWULPGA+RAUuajJ4HG+ 6ybX2+BwSYHluKqiakHueMT06+aOk1/N2FKF9bNUiFBsbmbwaX9x6aRj4LxuRY9I 1HbnxSuqpFxBM7zo6DGPV/1AZXR8maf1VQZb/ZMBbvlwQwRB0w+/qGZuAw89/LA2 aMXxABM3XGBCQb0B3ng4zglkkNNF08TT4z2lUwUOqOvAEt7o3b/ABVN7W5Jj/P0Y 1y1KfPWyIQEll8LJ49MhavFqUmKq8iJ08zBHDB2HYF2YEKwEl7keQuXovMIgxCHO GM1ysULaZ4zXduGXhbfTW5azFyu3Sg== =KWhM -END PGP SIGNATURE- Andreas Schneider (11): s3:passdb: Remove trailing spaces in lookup_sid.c s3:passdb: Add support to handle UPNs in lookup_name() s3:passdb: Use already defined pointer in lookup_name_smbconf() s3:passdb: Refactor lookup_name_smbconf() s3:passdb: Also allow to handle UPNs in lookup_name_smbconf() third_party: Add a script to update waf third_party: Update waf to version 2.0.22 third_party:waf: Print the version of waf at the end of the update script third_party: Update waf to verison 2.0.23 third_party: Update waf to version 2.0.24 s3:utils: Fix format error Christof Schmitt (1): vfs_gpfs: Ignore pathref fds for gpfs:recalls check Jeremy Allison (2): s4: torture: Add a new test - samba3.smb2.durable-open.stat-open. s3: smbd: Allow a durable handle on a leased stat-open. Jule Anger (1): VERSION: Bump version up to Samba 4.15.8... 
Ralph Boehme (12): vfs_gpfs: indentation and README.Coding fixes vfs_gpfs: pass fsp to gpfsacl_emu_chmod() vfs_gpfs: pass fsp to gpfs_get_nfs4_acl() vfs_gpfs: pass fsp to gpfsacl_get_posix_acl() vfs_gpfs: use fsp in gpfsacl_get_posix_acl() vfs_gpfs: pass fsp to vfs_gpfs_getacl() vfs_gpfs: pass fsp to gpfs_getacl_with_capability() lib/util/gpfswrap: add gpfswrap_fgetacl() vfs_gpfs: finally: use gpfswrap_fgetacl() instead of gpfswrap_getacl() lib/util/gpfswrap: remove unused gpfswrap_getacl() vfs_gpfs: use handle based gpfswrap_get_winattrs() lib/util/gpfswrap: remove unused gpfswrap_get_winattrs_path() Samuel Cabrero (1): s3:libads: Clear previous CLDAP ping flags when reusing the ADS_STRUCT Stefan Metzmacher (1): ldb: version 2.3.4 --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via 604f94704f3 ldb: version 2.3.4 via f3879b3f09d s3:utils: Fix format error from a9e40509704 lib/util/gpfswrap: remove unused gpfswrap_get_winattrs_path() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit 604f94704f30e90ef960aa2be62a14d2e614a002 Author: Stefan Metzmacher Date: Thu Jun 9 06:48:14 2022 +0200 ldb: version 2.3.4 * Fix build problems BUG: https://bugzilla.samba.org/show_bug.cgi?id=15071 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(v4-15-test): Stefan Metzmacher Autobuild-Date(v4-15-test): Thu Jun 9 15:02:57 UTC 2022 on sn-devel-184 commit f3879b3f09d288170fb742ef90d52c582e44a58a Author: Andreas Schneider Date: Fri Oct 1 10:46:09 2021 +0200 s3:utils: Fix format error regedit_hexedit.c:166:39: error: format ‘%X’ expects argument of type ‘unsigned int’, but argument 3 has type ‘size_t’ {aka ‘long unsigned int’} 166 | wprintw(buf->win, "%08X ", off); |~~~^ ~~~ | | | | | size_t {aka long unsigned int} | unsigned int |%08lX Signed-off-by: Andreas Schneider Reviewed-by: Uri Simchoni (cherry picked from commit cc3081cebfb65181cd291702cb6a2e727dc999b2) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15091 Reviewed-by: Stefan Metzmacher --- Summary of changes: lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.3.sigs} | 0 lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.4.3.sigs} | 0 lib/ldb/wscript | 2 +- source3/utils/regedit_hexedit.c | 2 +- 4 files changed, 2 insertions(+), 2 deletions(-) copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.3.sigs} (100%) copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.4.3.sigs} (100%) Changeset truncated at 500 lines: diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.4.3.sigs similarity index 100% copy from lib/ldb/ABI/ldb-2.0.5.sigs copy to lib/ldb/ABI/ldb-2.4.3.sigs 
diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.4.3.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs copy to lib/ldb/ABI/pyldb-util-2.4.3.sigs diff --git a/lib/ldb/wscript b/lib/ldb/wscript index c470f854b99..312879449e1 100644 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -2,7 +2,7 @@ APPNAME = 'ldb' # For Samba 4.15.x -VERSION = '2.4.2' +VERSION = '2.4.3' import sys, os diff --git a/source3/utils/regedit_hexedit.c b/source3/utils/regedit_hexedit.c index 383736ae2bc..413e563f653 100644 --- a/source3/utils/regedit_hexedit.c +++ b/source3/utils/regedit_hexedit.c @@ -163,7 +163,7 @@ void hexedit_refresh(struct hexedit *buf) size_t i, endline; wmove(buf->win, lineno, 0); - wprintw(buf->win, "%08X ", off); + wprintw(buf->win, "%08zX ", off); endline = BYTES_PER_LINE; -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag ldb-2.5.1 created
The annotated tag, ldb-2.5.1 has been created at f67c0845ffde6ad7d9e8e9520657bf7b427550fb (tag) tagging 56eca407415dd7c69cde7e66f02f0c95d419721a (commit) replaces samba-4.16.1 tagged by Stefan Metzmacher on Thu Jun 9 16:16:15 2022 +0200 - Log - ldb: tag release ldb-2.5.1 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmKiAK8ACgkQR5ORYRMI QCWS/ggAt8E0vhvwM/qtPCusznRMQNDtORTzOj6H5NqjGUNP+5Q4R3rDrvMDSneN KLlE0zciNIR4UI+NsdCiOspAsvJ/qGgI42yJUGgywvwFPwEbuw4hsjn1VUZv734T 3xYEdmThmzciqYNzSpwxlMoQS5dNf/tXqZr/Eb82k3p7qMrINmUCI56xgB5HWW1a yLtLBRn7ahkDC8Rn48B4hlK/hcGk1lneNwRc1pIg3+83LBXVrr3mU9RZYW1g0pcu 5G8GponQBYE7x811vTbB5pEc+ddp5e+oJQc1Wo8whr7vGUfbuIutKaANzBqVBYSa MaKu5SnSI/qMhx9EgtZVNYJ4CxisQg== =Jpcg -END PGP SIGNATURE- Andreas Schneider (5): third_party:waf: Print the version of waf at the end of the update script third_party: Update waf to verison 2.0.23 third_party: Update waf to version 2.0.24 s3:printing: Initialize the printcap cache as soon as the bgqd starts s3:printing: Start samba-bgqd as soon as possible Jeremy Allison (2): s4: torture: Add a new test - samba3.smb2.durable-open.stat-open. s3: smbd: Allow a durable handle on a leased stat-open. Jule Anger (1): VERSION: Bump version up to Samba 4.16.2... 
Noel Power (2): s3/script/tests: Test smbclient -E redirects output to stderr s3/client: Restore '-E' handling Ralph Boehme (12): vfs_gpfs: indentation and README.Coding fixes vfs_gpfs: pass fsp to gpfsacl_emu_chmod() vfs_gpfs: pass fsp to gpfs_get_nfs4_acl() vfs_gpfs: pass fsp to gpfsacl_get_posix_acl() vfs_gpfs: use fsp in gpfsacl_get_posix_acl() vfs_gpfs: pass fsp to vfs_gpfs_getacl() vfs_gpfs: pass fsp to gpfs_getacl_with_capability() lib/util/gpfswrap: add gpfswrap_fgetacl() vfs_gpfs: finally: use gpfswrap_fgetacl() instead of gpfswrap_getacl() lib/util/gpfswrap: remove unused gpfswrap_getacl() vfs_gpfs: use handle based gpfswrap_get_winattrs() lib/util/gpfswrap: remove unused gpfswrap_get_winattrs_path() Robert Sprowson (1): s3:smbd: Out-by-4 error in smbd read reply max_send clamp Samuel Cabrero (1): s3:libads: Clear previous CLDAP ping flags when reusing the ADS_STRUCT Stefan Metzmacher (1): ldb: version 2.5.1 Volker Lendecke (3): selftest: Test for bug 15062 -- list "username" in netshareenum srvsvc: Add a central return point to init_srv_share_info_ctr() srvsvc: Announce [username] in NetShareEnum --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-16-test updated
The branch, v4-16-test has been updated via 56eca407415 ldb: version 2.5.1 from bb60c85153b s3:smbd: Out-by-4 error in smbd read reply max_send clamp https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log - commit 56eca407415dd7c69cde7e66f02f0c95d419721a Author: Stefan Metzmacher Date: Thu Jun 9 06:49:31 2022 +0200 ldb: version 2.5.1 * Fix build problems BUG: https://bugzilla.samba.org/show_bug.cgi?id=15071 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(v4-16-test): Stefan Metzmacher Autobuild-Date(v4-16-test): Thu Jun 9 12:14:04 UTC 2022 on sn-devel-184 --- Summary of changes: lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.5.1.sigs} | 0 lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.5.1.sigs} | 0 lib/ldb/wscript | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.5.1.sigs} (100%) copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.5.1.sigs} (100%) Changeset truncated at 500 lines: diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.5.1.sigs similarity index 100% copy from lib/ldb/ABI/ldb-2.0.5.sigs copy to lib/ldb/ABI/ldb-2.5.1.sigs diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.5.1.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs copy to lib/ldb/ABI/pyldb-util-2.5.1.sigs diff --git a/lib/ldb/wscript b/lib/ldb/wscript index b811b68861f..f483dd54748 100644 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -2,7 +2,7 @@ APPNAME = 'ldb' # For Samba 4.16.x -VERSION = '2.5.0' +VERSION = '2.5.1' import sys, os -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag tevent-0.12.1 created
The annotated tag, tevent-0.12.1 has been created at 8d0b4b728854c66158dc0650e7001edbd12c (tag) tagging 53692735c733d01acbd953641f831a1f5e0cf6c5 (commit) replaces talloc-2.3.4 tagged by Stefan Metzmacher on Thu Jun 9 06:26:25 2022 +0200 - Log - tevent: tag release tevent-0.12.1 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmKhdnEACgkQR5ORYRMI QCXr7ggAwZ384/Knfxrxhq43TO761G1FJnRmgWcaK59dHx3RqSjCTxqOvMmkbEjP GlXvQlLfrSq1x0ARJbuFrDbvU9JLm7ocLCwJhms//ITdcHjsghmWruCm//bU6I7S J1YEK9LIFGBPZx8yBlqwnF3f2SXoyLeh9LPMSY6agIHa+/aEsHz7AWZzC7vTmYmB pKxpAyHATmSccj4sYUdM/dLXkrk5EZeLlm7yp/XR7x+S0cddR6zAq9imnXVagUcB dFilp6KdqxDbuR09/C3Emf96+T61rmxpCvwNs+7tFoLPzaw/wRHc5+vkXSGy8Yi6 651BdZFamxQ4pKPuPP921ctVm6tdvw== =FQHQ -END PGP SIGNATURE- Stefan Metzmacher (1): tevent: version 0.12.1 --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag tdb-1.4.7 created
The annotated tag, tdb-1.4.7 has been created at c9429738a68570cefe3e3268551f280df6840f0a (tag) tagging 27ceb1c3ad786386e746a5e2968780d791393b9e (commit) replaces talloc-2.3.4 tagged by Stefan Metzmacher on Thu Jun 9 06:25:19 2022 +0200 - Log - tdb: tag release tdb-1.4.7 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmKhdi8ACgkQR5ORYRMI QCXURwf+OcY8j1TAyMQRm2ki6nK2jhbRSGnHdX6H04ce4OVMkMaaMVPxV3aG5Yij OhOrpM/KjVF9Y26gsELb4AjFGRtwSu6tOTwiimxcP6jv6+1Q84X1Xy+SVGMecNcU JLsH8UdepM1KDpDXHmrhCWvMnqp0ooga5+XUdRjNrZjMbG1cBDVFUncg6HT9pAeM hkQxzKSArwzTTuTrB6UsNnOhMkc0a3fdIUO/r0Jb8LuUeRzENKKFn9auHoilXdru OqPf5uZQSj/3LooRwmN1En7/tnwu9xWU9C46YpcicqD5tpqXXSNT5571dcgYqsEt k3M23KjF1kS3QmZOKa4bvapLkf85Sw== =8PBU -END PGP SIGNATURE- Stefan Metzmacher (2): tevent: version 0.12.1 tdb: version 1.4.7 --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag talloc-2.3.4 created
The annotated tag, talloc-2.3.4 has been created at 5fba8f7ddfd1631bde8a2c1fa6a4be4752a1ac5a (tag) tagging 0189ccf9fc3d2a77cc83cffe180e307bcdccebb4 (commit) replaces tevent-0.12.0 tagged by Stefan Metzmacher on Thu Jun 9 06:24:42 2022 +0200 - Log - talloc: tag release talloc-2.3.4 -BEGIN PGP SIGNATURE- iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmKhdgoACgkQR5ORYRMI QCVXtAf/ekxWEWcwIsm1QDsdLkn8Iqrizuh2G3ERuxITVc4/P2Vl+wzKedqJ0ser awdLX4jE58C2NEcgAlqdGLZjgmSjHoOPNGUWAauK+wRcGQT2x8OHTZQ7zKrBM/Y5 mLhjWI62PkIQ945i4WqNDImmJimAffNHAbehmq1BNYVA5vSIk6l6q/HnaAcqj7B3 jaiVfUChVYl2PCSjnrtGJlvrIQOFsgLwdo1LJKYkKRHSQvpyURjTQe1HhsNl0Gw7 WmciaAfyLSaiPnNpGSEVwdgKN/jIMCZqP0CV6028Cxay0a+kUBKmUlzz96isVMTJ tbPzJjcSIBh+jusVtPjNqwJwgFi5mw== =E8GQ -END PGP SIGNATURE- Andreas Schneider (85): s4:kdc: Set debug class for pac-glue python:tests: Check code error code in test_s4u2self_rodc_revealed s4:mit-samba: Pass flags to ks_get_pac() s4:mit-samba: Pass flags to mit_samba_get_pac() s4:kdc: pass down SAMBA_KDC_FLAG_PROTOCOL_TRANSITION to samba_kdc_update_pac() s4:kdc: Fix S4U2Proxy in RODC case to return an error python:tests: Add support for expected groups in krb5 tests python:tests: Add support for unexpected groups in krb5 tests python:tests: Add krb5 tests for asserted identity s4:torture: let remote_pac test for asserted identity sids s4:selftest: Do not print the env twice s4:dsdb:tests: Also pass tests if asserted identity is present s4:kdc: Add asserted identity SID to identify whether S4U2Self has occurred s3:passdb: Remove trailing spaces in lookup_sid.c s3:passdb: Add support to handle UPNs in lookup_name() s3:passdb: Use already defined pointer in lookup_name_smbconf() s3:passdb: Refactor lookup_name_smbconf() s3:passdb: Also allow to handle UPNs in lookup_name_smbconf() s3:tests: Reformat dlopen.sh s3:tests: Reformat printing_var_exp_lpr_cmd.sh s3:tests: Reformat test_acl_xattr.sh s3:tests: Reformat test_aio_outstanding.sh s3:tests: Reformat test_async_req.sh s3:tests: Reformat 
test_chdir_cache.sh s3:tests: Reformat test_close_denied_share.sh s3:tests: Reformat test_deadtime.sh s3:tests: Reformat test_delete_veto_files_only_rmdir.sh s3:tests: Reformat test_dfree_command.sh s3:tests: Reformat test_dfree_quota.sh s3:tests: Reformat test_dropbox.sh s3:tests: Reformat test_durable_handle_reconnect.sh s3:tests: Reformat test_failure.sh s3:tests: Reformat test_fifo.sh s3:tests: Reformat test_force_close_share.sh s3:tests: Reformat test_force_create_mode.sh s3:tests: Reformat test_force_group_change.sh s3:tests: Reformat test_force_user_unlink.sh s3:tests: Reformat test_forceuser_validusers.sh gitignore: Add .ropeproject for pylsp-rope plugin s3:tests: Reformat test_give_owner.sh s3:tests: Reformat test_groupmap.sh s3:tests: Reformat test_guest_auth.sh s3:tests: Reformat test_homes.sh s3:tests: Reformat test_inherit_owner.sh s3:tests: Reformat test_large_acl.sh s3:tests: Reformat test_libwbclient_threads.sh s3:tests: Reformat test_local_s3.sh gitlab-ci: Use openSUSE 15.3 for coverity lib:util: Do not error for array-bounds warning gitlab-ci: Update Fedora to version 36 third_party: Update waf to version 2.0.24 s3:printing: Initialize the printcap cache as soon as the bgqd starts s3:printing: Start samba-bgqd as soon as possible s3:tests: Reformat test_net_cache_samlogon.sh s3:tests: Reformat test_net_conf.sh s3:tests: Reformat test_net_cred_change.sh s3:tests: Reformat test_net_dom_join_fail_dc.sh s3:tests: Reformat test_net_lookup.sh s3:tests: Reformat test_net_machine_account.sh s3:tests: Reformat test_net_misc.sh s3:tests: Reformat test_net_registry.sh s3:tests: Reformat test_net_registry_check.sh s3:tests: Reformat test_net_registry_import.sh s3:tests: Reformat test_net_registry_roundtrip.sh s3:tests: Reformat test_net_rpc_join.sh s3:tests: Reformat test_net_rpc_join_creds.sh s3:tests: Reformat test_net_rpc_oldjoin.sh s3:tests: Reformat test_net_rpc_share_allowedusers.sh s3:tests: Reformat test_net_tdb.sh s3:tests: Reformat 
test_net_usershare.sh s3:tests: Reformat test_netfileenum.sh s3:tests: Reformat test_offline.sh s3:tests: Reformat test_open_eintr.sh s3:tests: Reformat test_preserve_case.sh s3:tests: Reformat test_printing_var_exp.sh s3:tests: Reformat test_pthreadpool.sh s3:tests: Reformat test_registry_upgrade.sh s3:tests: Reformat test_resolvconf.sh s3:tests: Reformat test_rpcclient.sh s3:tests: Reformat test_rpcclient_dfs.sh
[SCM] Samba Shared Repository - branch v4-16-test updated
The branch, v4-16-test has been updated via 82d86282ca6 s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos from 6cbaa31fe0a s3:passdb: Also allow to handle UPNs in lookup_name_smbconf() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log - commit 82d86282ca64177fe65cb5ab017a475a95d67cf3 Author: Stefan Metzmacher Date: Wed Feb 16 14:11:10 2022 +0100 s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos Even if the msDS-KeyVersionNumber of the main krbtgt account if larger than 65535, we need to have the 16 upper bits all zero in order to avoid mixing the keys with an RODC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14951 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit ab0946a75d51b8f4826d98c61c3ad503615009fe) Autobuild-User(v4-16-test): Stefan Metzmacher Autobuild-Date(v4-16-test): Thu Apr 28 15:42:38 UTC 2022 on sn-devel-184 --- Summary of changes: source4/kdc/db-glue.c | 51 +++ 1 file changed, 43 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index bdadc1278c3..3e1f7a6b4dc 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -45,6 +45,9 @@ #define SAMBA_KVNO_GET_KRBTGT(kvno) \ ((uint16_t)(((uint32_t)kvno) >> 16)) +#define SAMBA_KVNO_GET_VALUE(kvno) \ + ((uint16_t)(((uint32_t)kvno) & 0x)) + #define SAMBA_KVNO_AND_KRBTGT(kvno, krbtgt) \ ((krb5_kvno)uint32_t)kvno) & 0x) | \ uint32_t)krbtgt) << 16) & 0x))) @@ -427,6 +430,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, struct sdb_entry_ex *entry_ex, uint32_t *supported_enctypes_out) { + struct sdb_entry *entry = _ex->entry; krb5_error_code ret = 0; enum ndr_err_code ndr_err; struct samr_Password *hash; 
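Review bot: The new `SAMBA_KVNO_GET_VALUE` macro in the first db-glue.c hunk casts its argument without parenthesising it, as the two neighbouring macros do, so with an expression argument the cast would bind only to the first operand. Writing the cast as `(uint32_t)(kvno)` (and `(uint32_t)(krbtgt)` in `SAMBA_KVNO_AND_KRBTGT`) keeps the 16-bit split correct whatever a caller passes. A one-line comment above the three macros, e.g. `/* kvno layout: upper 16 bits = krbtgt number, lower 16 bits = key version */`, would also document the split that the rest of this change relies on.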
@@ -437,10 +441,12 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, struct package_PrimaryKerberosBlob _pkb; struct package_PrimaryKerberosCtr3 *pkb3 = NULL; struct package_PrimaryKerberosCtr4 *pkb4 = NULL; + bool is_krbtgt = false; + int krbtgt_number = 0; + uint32_t current_kvno; + uint32_t returned_kvno = 0; uint16_t i; uint16_t allocated_keys = 0; - int rodc_krbtgt_number = 0; - int kvno = 0; uint32_t supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes", @@ -452,6 +458,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, /* KDCs (and KDCs on RODCs) use AES */ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; + is_krbtgt = true; enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx); if (enable_fast) { @@ -481,9 +488,12 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, /* Is this the krbtgt or a RODC krbtgt */ if (is_rodc) { - rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1); + krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1); - if (rodc_krbtgt_number == -1) { + if (krbtgt_number == -1) { + return EINVAL; + } + if (krbtgt_number == 0) { return EINVAL; } } 
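Review bot: The check on `krbtgt_number` in the `is_rodc` branch rejects only -1 and 0, so any other negative value, or a value above 65535, read from `msDS-SecondaryKrbTgtNumber` is still accepted. `SAMBA_KVNO_AND_KRBTGT` shifts that number into the upper 16 bits of the kvno, so out-of-range bits would be dropped and two different numbers could land in the same key space, which is the mixing this commit sets out to prevent. A single range check would cover all cases: `if (krbtgt_number <= 0 || krbtgt_number > UINT16_MAX) { return EINVAL; }`. How `krbtgt_number` is combined with the kvno lies outside this hunk, so confirm against the rest of samba_kdc_message2entry_keys().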
@@ -503,11 +513,20 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, goto out; } - kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0); - if (is_rodc) { - kvno = SAMBA_KVNO_AND_KRBTGT(kvno, rodc_krbtgt_number); + current_kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0); + if (is_krbtgt) { + /* +* Even for the main krbtgt account +* we have to strictly split the kvno into +* two 16-bit parts and the upper 16-bit +* need to be all zero, even if +* the msDS-KeyVersionNumber has a value +* larger than 65535. +* +* See https://bugzilla.samba.org/show_bug.cgi?id=14951 +*/ + current_kvno = SAMBA_KVNO_GET_VALUE(current_kvno); } - entry_ex->entry.kvno = kvno; /* Get keys from th