git.samba.org - martins/samba.git/log

ctdb-tests: Add extra IPv6 socket parsing tests

Add tests to confirm that square brackets are handled and that
IPv4-mapped IPv6 addresses are parsed as expected.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-protocol: Allow rfc5952 "[2001:db8::1]:80" ipv6 notation

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14934
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-protocol: Save 50 bytes .text segment

Having this as a small static .text is simpler than having to create
this on the stack.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb-protocol: rindex->strrchr

According to "man rindex" on debian bullseye rindex() was deprecated
in Posix.1-2001 and removed from Posix.1-2008.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

dsdb/schema: let dsdb_syntax_DN_BINARY_drsuapi_to_ldb return WERR_DS_INVALID_ATTRIBUTE_SYNTAX

When Object(OR-Name) uses dsdb_syntax_DN_BINARY_drsuapi_to_ldb() it
should genrate WERR_DS_INVALID_ATTRIBUTE_SYNTAX if the binary part
is not empty.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 12 03:09:52 UTC 2022 on sn-devel-184

dsdb/schema: add no memory checks for {ldb,dsdb}_dn_get_extended_linearized()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

dsdb/common: dsdb_dn_construct_internal() more strict checking

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

dsdb/schema: fix Object(OR-Name) syntax definition

This is a strange one, it uses DN_BINARY in the drsuapi
representation, while the binary part must be 0 bytes.
and the LDAP/ldb representation is a plain DN (without 'B:').

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

dsdb/schema/tests: let samba4.local.dsdb.syntax call the validate_dn() hook

This demonstrates that our OR-Name syntax is wrong,
which wasn't noticed yet as it's not used in the AD-Schema.

I noticed it by installing the Exchange-Schema on a Samba DC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4:rpc_server/netlogon: let CSDVersion="" wipe operatingSystemServicePack

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14936

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 11 22:03:03 UTC 2022 on sn-devel-184

s4:torture/rpc: test how CSDVersion="" wipes operatingSystemServicePack

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14936

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: util: Make nt_time_to_full_timespec() call nt_time_to_unix_timespec_raw() for the conversion.

Cleanup to eliminate duplicate code.

The high check is now done against ret.tv_sec,
not 'd', as after calling nt_time_to_unix_timespec_raw()
this is identical to the previous intermediate 'd'
variable.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 11 01:36:51 UTC 2022 on sn-devel-184

lib: util: Make nt_time_to_unix_timespec() call nt_time_to_unix_timespec_raw() for the conversion.

Cleanup to eliminate duplicate code.

The low/high checks are now done against ret.tv_sec,
not 'd', as after calling nt_time_to_unix_timespec_raw()
this is identical to the previous intermediate 'd'
variable.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

s3:modules: Fix possible dereference of NULL for fio

We do not check consistently for fio being NULL in this file.

Found by covescan.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 11 00:22:09 UTC 2022 on sn-devel-184

s3:libnet: Fix dereference of NULL win7

Found by covscan.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:libnet: Fix dead code in libnet_join.c

Found by covscan.

Pair-programmed-with: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

ctdb:utils: Improve error handling of hex_decode()

This has been found by covscan and make analyzers happy.

Pair-programmed-with: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:rpc_server: Fix possible NULL dereference

Found by covscan.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:smbd: Fix dereferencing null pointer "fsp"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14942

Remove fsp which is always NULL and replace it with smb_fname->fsp.

Found by covscan.

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:smbd: Fix trailing whitespaces in dosmode.c

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:modules: Fix the horrible vfs_crossrename module

It really has to be removed! ;-)

Found by covscan. The code always leaves here as the dst variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14940

Pair-programmed-with: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:modules: VFS CAP symlinkat always fails

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14941

Found by covscan.

Since capnew is initialized by NULL, checking it too early makes the
rest of the function a dead code.

Pair-programmed-with: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3: includes: Make the comments describing itime consistent. Always use "invented" time.

It gets confusing if we call it "imaginary" or "instantiation"
in different places.

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jan 10 18:42:02 UTC 2022 on sn-devel-184

s3: lib: In create_clock_itime(), use timespec_current() -> clock_gettime(CLOCK_REALTIME..).

CLOCK_MONOTONIC (which we previously used) is reset
when the system is rebooted.

CLOCK_REALTIME is a "wall clock" time. It's still affected by NTP
changes (for Linux we should probably use CLOCK_TAI instead
but that is Linux-specific). For most systems CLOCK_REALTIME
will be good enough.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

rpcclient: Fix ncacn_ip_tcp:<ip-address>

inet_pton expects "struct in_addr" or "struct in6_addr" as destination
pointer. It does not fill in a struct
sockaddr_storage. interpret_string_addr() takes care of this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jan 10 11:47:34 UTC 2022 on sn-devel-184

test: Test rpcclient ncacn_ip_tcp:<ip-address>

Right now connecting to an IP address is broken.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3: smbd: Create and use a common function for generating a fileid - create_clock_itime().

This first gets the clock_gettime_mono() value, converts to an NTTIME (as
this is what is stored in the dos attribute EA), then mixes in 8 bits of
randomness shifted up by 55 bits to cope with poor resolution clocks to
avoid duplicate inodes.

Using 8 bits of randomness on top of an NTTIME gives us around 114
years headroom. We can now guarentee returning a itime-based
fileid in a normal share (storing dos attributes in an EA).

Remove knownfail.d/fileid-unique

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jan 8 06:35:22 UTC 2022 on sn-devel-184

lib: util: Add a function nt_time_to_unix_timespec_raw().

Not yet used. Does no checks on the converted values.

A later cleanup will allow us to move nt_time_to_unix_timespec()
and nt_time_to_full_timespec() to use common code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

tests: Add 2 tests for unique fileid's with top bit set (generated from itime) for files and directories.

smb2.fileid_unique.fileid_unique
smb2.fileid_unique.fileid_unique-dir

Create 100 files or directories as fast as we can
against a "normal" share, then read info on them
and ensure (a) top bit is set (generated from itime)
and (b) uniqueness across all generated objects
(checks poor timestamp resolution doesn't create
duplicate fileids).

This shows that even on ext4, this is enough to
cause duplicate fileids to be returned.

Add knownfail.d/fileid-unique

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

s3: smbd: Remove now redundent lock_flav parameter from smbd_do_unlocking().

We already stored this in struct smbd_lock_element.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Jan 6 16:03:28 UTC 2022 on sn-devel-184

s3: smbd: Remove lock_flav argument from smbd_smb1_brl_finish_by_lock().

We lookup the lock array from the state stored in the passed-in req
and all the locks in an array are always the same flavour, so this
isn't needed.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

s3: smbd: Remove lock_flav argument from internal function smbd_smb1_do_locks_check()

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

s3: smbd: Remove lock_flav argument from smbd_smb1_do_locks_send().

And also inside struct smbd_smb1_do_locks_state.
All calls to this always (a) have one or more locks of the same type.
(the setup for smbd_smb1_do_locks_send() ensures there is always
at least one lock) and (b) always set locks[0].lock_flav correctly before calling.

lock_flav is thus a redundent argument. Removing it means
we can never drift out of sync with the lock_flav element
in the passed in locks array.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

s3: smbd: In smbd_smb1_do_locks_send() move access of lock_flav until after we know we have locks in the array.

When we remove the lock_flav parameter this will need to look into the array itself.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

s3: smbd: Remove lock_flav parameter from smbd_do_locks_try().

This is now contained in the struct smbd_lock_element for
each lock.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

s3: smbd: Move implicit call to lp_posix_cifsu_locktype() out of init_strict_lock_struct().

Make it explicit. When we add POSIX handles to SMB2 we will only
look at the handle type. lp_posix_cifsu_locktype() already does this,
but hidden inside init_strict_lock_struct() makes it hard to see.

No logic change.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

s3: smbd: Add "enum brl_flavour" to struct smbd_lock_element.

Initialized correctly but not yet used.
Will allow 'brl_flavour' to be removed from lock calls.
This will allow SMB2 POSIX handles to call with POSIX_LOCK
flavour instead of always using WINDOWS_LOCK (as now).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

s3: smbclient: In do_host_query(), if we need SMB1, ensure we select NT1 as the client max protocol" before continuing.

Remove knownfail: selftest/knownfail.d/list_servers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14939

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Jan 6 11:50:32 UTC 2022 on sn-devel-184

s3: selftest: Add two tests that show we try and send an SMB1 request over an SMB2 connection to list servers if "-mSMB3" is selected.

Add knownfail: knownfail.d/list_servers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14939

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

lib: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 5 01:02:38 UTC 2022 on sn-devel-184

vfs: Modernize a DEBUG statement

Fix the function name printed

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Modernize a DEBUG statement

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Inline single-use rpcint_binding_handle_ex()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Inline pipes_struct into dcerpc_ncacn_conn

This makes it clear that our internal representation of a rpc client
connection in the source3/ server is struct dcerpc_ncacn_conn and that
struct pipes_struct is only around for API compatibility with the
existing server stubs.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove dcerpc_ncacn_conn->session_info

This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.

The talloc hierarchy is correctly maintained, dcesrv_endpoint_connect() takes a
talloc_reference() of session_info.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove dcerpc_ncacn_conn->local_server_addr

This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove dcerpc_ncacn_conn->remote_client_addr

This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove dcerpc_ncacn_conn->tstream

This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove dcerpc_ncacn_conn->dce_ctx

This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove dcerpc_ncacn_conn->msg_ctx

This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: dcerpc_ncacn_conn->ev_ctx was only set but never used

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

winbind: Don't transfer a pointer that's NULL anyway

ncacn_conn was created by make_internal_ncacn_conn with talloc_zero(),
and that does not set session_info for the purely one-shot connection
state in winbindd_dual_ndrcmd().

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: No linked list for pipes_struct anymore

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove pipes_struct->auth

Replace with a call to dcesrv_call_auth_info(p->dce_call)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove pipes_struct->session_info

This is a big patch, but all it does is replace all "p->session_info"
with "session_info" after introducing a local variable from
dcesrv_call_session_info(p->dce_call).

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove pipes_struct->pipe_bound

Only used in pipe_access_check(), superseded by dcesrv_call_auth_info()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Inline make_base_pipes_struct()

This did not even use all its arguments anymore.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove pipes_struct->remote_address

Also available via dcesrv_connection_get_remote_address(p->dce_call->conn)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove pipes_struct->local_address

Also available via dcesrv_connection_get_local_address(p->dce_call->conn)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Inline make_base_pipes_struct() into rpc_worker.c

This is the only user, and in winbind_dual_ndr.c's
make_internal_ncacn_conn we have another creator of pipes_struct. So
it seems not necessary to keep this public.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Inline make_internal_ncacn_conn() into rpc_worker.c

This was the only user, and as we have another custom version in
winbind with make_internal_ncacn_conn(), I think this is not really
required to keep around as a separate function.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Avoid a DEBUGADD statement

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Remove some unused code

I think that if we want to work on asn1 routines we should use
libtasn1. We already depend on this via gnutls these days.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Avoid a cast

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Avoid some casts

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Remove an unneeded anonymous struct declaration

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Move fast_string_hash() to mangle_hash.c, the only user

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Fix a few typos

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Save a few lines by using cp_smb_filename_nostream()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 4 20:57:41 UTC 2022 on sn-devel-184

s4:torture/smb2: add smb2.session.ntlmssp_bug14932 test

This demonstrates that an invalid av_pair in NTLMv2_CLIENT_CHALLENGE
should result in NT_STATUS_INVALID_PARAMETER at the NTLMSSP layer.

This is different from the netr_LogonSamLogon*() case, where it is
ignored instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore invalid netapp requests

We should avoid spamming the logs with wellknown messages like:
ndr_pull_error(Buffer Size Error): Pull bytes 39016

They just confuse admins (and developers).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL

Windows doesn't complain about invalid av_pair blobs,
we need to do the same.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4:torture/rpc: add test for invalid av_pair content in LogonSamLogonEx

A netapp diag tool uses a NTLMv2_CLIENT_CHALLENGE with invalid bytes
as av_pair blob. Which is supposed to be ignored by DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

auth/credentials: cli_credentials_set_ntlm_response() pass session_keys

Otherwise cli_credentials_get_ntlm_response() will return session keys
with a 0 length, which leads to errors in the NTLMSSP code.

This wasn't noticed as cli_credentials_set_ntlm_response() has no
callers yet, but that will change in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Remove stray reference to "ldap ssl ads"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14462

"ldap ssl ads" has been deprecated and removed.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 4 19:58:24 UTC 2022 on sn-devel-184

Happy New Year 2022!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 1 01:24:21 UTC 2022 on sn-devel-184

smbd: Assert we don't leak fd's in struct fd_handle

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Dec 30 11:54:17 UTC 2021 on sn-devel-184

smbd: Replace SMB_VFS_CLOSE() calls with fd_close()

fd_close() mostly wraps SMB_VFS_CLOSE() but also takes care of refcounting
fsp->fh properly and also makes sure that fsp->fh->fd is set to -1 after close.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

vfs_commit: Reset fsp->fd->fd to -1 after SMB_VFS_CLOSE

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

pysmbd: Fix file descriptor leaks

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Fix a fd leak when closing a print file

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:libsmb: fix signing regression SMBC_server_internal()

commit d0062d312cbbf80afd78143ca5c0be68f2d72b03 introduced
SMBC_ENCRYPTLEVEL_DEFAULT as default, but the logic to enforce
signing wasn't adjusted, so we required smb signing by default.

That broke guest authentication for libsmbclient using applications.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec 27 16:38:11 UTC 2021 on sn-devel-184

s4:selftest: run libsmbclient.noanon_list against maptoguest

This demonstrates the problem with guest access being rejected
by default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:torture/libsmbclient: add libsmbclient.noanon_list test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

selftest/Samba3: enable SMB1 for maptoguest

guest authentication is an old school concept,
so we should make sure it also works with SMB1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:rpc_server/netlogon: adjust the valid_flags based on dsdb_dc_functional_level()

This allows us to let DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED through
based on the manual changed msDS-Behavior-Version of our NTDSA object.

We still need to have tests depending on the msDS-Behavior-Version
value if the DSGETDC_VALID_FLAGS is really correct at all.
But for now this allows us to test krb5 FAST from Windows clients.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Fri Dec 24 03:03:50 UTC 2021 on sn-devel-184

s4:rpc_server/netlogon: adjust the flags logic to MS-NRPC 3.5.4.3.1 DsrGetDcNameEx2

Note that this doesn't change the logic as we still reject
DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED via the initial DSGETDC_VALID_FLAGS
check. The may change that in future, but may need some tests for it.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

dsdb/netlogon: Indicate DC functional level support in samlogon response

The DS_SERVER_DS_8 flag is necessary for Windows to detect FAST support.

Note for know we only ever have DS_DOMAIN_FUNCTION_2008_R2 (4) in the
msDS-Behavior-Version attribute of our own NTDSA object. So
for now this is only for manual testing. In future we most likely
want to extend 'samba-tool domain level' to raise the dc level
manually or let 'samba' autoupgrade the value.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

dsdb/netlogon: make use of dsdb_dc_functional_level() in fill_netlogon_samlogon_response()

[MS-ADTS] 6.3.3.2 "Domain Controller Response to an LDAP Ping" indicates
that the resulting flags depend on the server software (behavior)
and not the domain wide functional level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

dsgetdcname: Display new flags in debug output

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

netlogon.idl: Add flags for indicating directory service versions

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

s4:rpc_server/dnsserver: make use of dsdb_dc_functional_level()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

dsdb/common: add dsdb_dc_functional_level() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

python:tests: Don't require an emtpy 'authorization-data' to be present

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Dec 20 17:01:11 UTC 2021 on sn-devel-184

Revert "python:tests: Don't require an emtpy 'authorization-data' to be present"

This reverts commit 36325f1ee907d38c978229da67de3844f969cd33.

This was not the latest version from:
https://gitlab.com/samba-team/samba/-/merge_requests/2304

The correct version follows...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3/rpc_server: Remove duplicate dependency listing for RPC_SERVICE

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Dec 20 10:14:53 UTC 2021 on sn-devel-184

python:tests: Don't require an emtpy 'authorization-data' to be present

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Mon Dec 20 08:26:45 UTC 2021 on sn-devel-184

s3: smbd: In setup_close_full_information(), remove unneeded vfs_stat().

After openat_pathref_fsp() is successful we know we have a VALID_STAT().

It either returns NT_STATUS_OK or we look at the stat
struct for S_ISLNK so we know we have VALID_STAT().

If it's not successful we error out, so we don't need
another vfs_stat() here.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 16 07:33:09 UTC 2021 on sn-devel-184

pam_winbind: add new pwd_change_prompt option (defaults to off).

This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 16 03:05:30 UTC 2021 on sn-devel-184