Jeremy Allison [Tue, 17 Jun 2014 05:54:45 +0000 (22:54 -0700)]
s3: auth: Change make_server_info_info3() to take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
make_server_info_info3() only reads from the info3 pointer.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
(cherry picked from commit 527f7b54388713acaaf7b66c718cc0f7114fc368)
Conflicts:
source3/auth/auth_generic.c
source3/auth/proto.h
source3/auth/user_krb5.c
Jeremy Allison [Tue, 17 Jun 2014 05:49:29 +0000 (22:49 -0700)]
s3: auth: Add some const to the struct netr_SamInfo3 * arguments of copy_netr_SamInfo3() and make_server_info_info3()
Both functions only read from the struct netr_SamInfo3 * argument.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
(cherry picked from commit c2411767adb5ce48a4619349075f6f8faae41aab)
Conflicts:
source3/auth/proto.h
Michael Adam [Sat, 1 Jun 2013 00:14:41 +0000 (02:14 +0200)]
shadow_copy2: implement disk_free
Signed-off-by: Michael Adam <obnox@samba.org>
Michael Adam [Mon, 19 Jan 2015 12:51:55 +0000 (13:51 +0100)]
s3:winbind:grent: don't stop group enumeration when a group has no gid
simply continue with the next group
Note: this patch introduces some code duplication to make it
easier to create minimal backport patch. Subsequent patches
will provide some refactoring to reduce the duplication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8905
Signed-off-by: Michael Adam <obnox@samba.org>
Andreas Schneider [Mon, 2 Mar 2015 10:55:01 +0000 (11:55 +0100)]
doc-xml: Add 'sharesec' reference to 'access based share enum'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11127
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar 2 14:33:33 CET 2015 on sn-devel-104
(cherry picked from commit e2ed224653985afa13e906e2a5f3656a18d622c0)
Christian Ambach [Thu, 7 Apr 2011 12:05:04 +0000 (14:05 +0200)]
s4/libcli: do not use netbios name in NTLMv2 blobs w/o spnego
I have seen domain controllers rejecting NTLMv2 blobs presented to
NetrLogonSamLogonEx with LOGON_FAILURE when the MsvAvNbComputerName
was a FQDN or an IP address
I have not seen this field in NTLMv2 blobs sent by Windows clients
when extended security was not available, so omitting the field
makes Samba similar to Windows.
This prevents errors with some smbtorture testcases that disable
spnego and when a target name is specified that is not a valid
netbios name.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Apr 14 02:19:08 CEST 2011 on sn-devel-104
(cherry picked from commit 29c0c37691da10bf061ba90a5b31482bda2fa486)
Stefan Metzmacher [Thu, 21 Jul 2011 19:15:38 +0000 (21:15 +0200)]
s3:libsmb: don't pass cli->called.name to NTLMv2_generate_names_blob()
cli->called.name is never initialized, so this change doesn't change
the behavior. And this behavior seems to be correct, see
commit 29c0c37691da10bf061ba90a5b31482bda2fa486
s4/libcli: do not use netbios name in NTLMv2 blobs w/o spnego.
metze
(cherry picked from commit 392ddf970c8f8486e79eec5214ed49912e344e09)
David Disseldorp [Wed, 6 Aug 2014 12:33:02 +0000 (14:33 +0200)]
printing: reload printer shares on OpenPrinter
The printer share inventory should be reloaded on open _and_
enumeration, as there are some clients, such as cupsaddsmb, that do not
perform an enumeration prior to access.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10652
Signed-off-by: David Disseldorp <ddiss@samba.org>
David Disseldorp [Wed, 23 Jul 2014 12:42:00 +0000 (14:42 +0200)]
smbd: only reprocess printer_list.tdb if it changed
The per-client smbd printer share inventory is currently updated from
printer_list.tdb when a client enumerates printers, via EnumPrinters or
NetShareEnum.
printer_list.tdb is populated by the background print process, based on
the latest printcap values retrieved from the printing backend (e.g.
CUPS) at regular intervals.
This change ensures that per-client smbd processes don't reparse
printer_list.tdb if it hasn't been updated since the last enumeration.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10652
Suggested-by: Volker Lendecke <vl@samba.org>
Signed-off-by: David Disseldorp <ddiss@samba.org>
David Disseldorp [Wed, 23 Jul 2014 10:12:34 +0000 (12:12 +0200)]
printing: return last change time with pcap_cache_loaded()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10652
Signed-off-by: David Disseldorp <ddiss@samba.org>
David Disseldorp [Fri, 25 Jul 2014 10:18:54 +0000 (12:18 +0200)]
printing: remove pcap_cache_add()
All print list updates are now done via pcap_cache_replace(), which can
call into the print_list code directly.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10652
Signed-off-by: David Disseldorp <ddiss@samba.org>
David Disseldorp [Tue, 22 Jul 2014 18:17:38 +0000 (20:17 +0200)]
printing: reload printer_list.tdb from in memory list
This will allow in future for a single atomic printer_list.tdb update.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10652
Signed-off-by: David Disseldorp <ddiss@samba.org>
David Disseldorp [Fri, 11 Jul 2014 15:00:05 +0000 (17:00 +0200)]
printing: only reload printer shares on client enum
Currently, automatic printer share updates are handled in the following
way:
- Background printer process (BPP) forked on startup
- Parent smbd and per-client children await MSG_PRINTER_PCAP messages
- BPP periodically polls the printing backend for printcap data
- printcap data written to printer_list.tdb
- MSG_PRINTER_PCAP sent to all smbd processes following update
- smbd processes all read the latest printer_list.tdb data, and update
their share listings
This procedure is not scalable, as all smbd processes hit
printer_list.tdb in parallel, resulting in a large spike in CPU usage.
This change sees smbd processes update their printer share lists
only when a client asks for this information, e.g. via NetShareEnum or
EnumPrinters.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10652
Suggested-by: Volker Lendecke <vl@samba.org>
Signed-off-by: David Disseldorp <ddiss@samba.org>
David Disseldorp [Wed, 9 Jul 2014 22:18:10 +0000 (00:18 +0200)]
printing: traverse_read the printer list for share updates
The printcap update procedure involves the background printer process
obtaining the printcap information from the printing backend, writing
this to printer_list.tdb, and then notifying all smbd processes of the
new list. The processes then all attempt to simultaneously traverse
printer_list.tdb, in order to update their local share lists.
With a large number of printers, and a large number of per-client smbd
processes, this traversal results in significant lock contention, mostly
due to the fact that the traversal is unnecessarily done with an
exclusive (write) lock on the printer_list.tdb database.
This commit changes the share update code path to perform a read-only
traversal.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10652
Reported-by: Alex K <korobkin+samba@gmail.com>
Reported-by: Franz Pförtsch <franz.pfoertsch@brose.com>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Matt Rogers [Wed, 12 Nov 2014 16:21:05 +0000 (17:21 +0100)]
s3-keytab: fix keytab array NULL termination.
Signed-off-by: Matt Rogers <mrogers@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 0de6799996955fbf8e19ace8c4b7b61f5a262cb5)
Andreas Schneider [Thu, 18 Dec 2014 15:14:36 +0000 (15:14 +0000)]
spoolss: retrieve published printer GUID if not in registry
When a printer is published, the GUID for the published DN is retrieved
from the domain controller and stored in the registry.
When handling a spoolss GetPrinter(level=7) request, the same GUID is
obtained from the registry and returned to the client.
This change sees the spoolss server query the DC for the published
printer GUID if it is not present in the registry when handling a
spoolss GetPrinter(level=7) request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11018
Pair-Programmed-With: David Disseldorp <ddiss@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Feb 18 12:43:44 CET 2015 on sn-devel-104
(cherry picked from commit a4157e7c5d75be7003ad0b72fdfe9856a9e5ba8f)
Andreas Schneider [Thu, 18 Dec 2014 15:13:27 +0000 (15:13 +0000)]
printing: rework nt_printer_guid_store to return errors
Callers can now choose whether or not to ignore errors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11018
Pair-programmed-with: David Disseldorp <ddiss@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 6595ced146a53dcef9bbd5d2deb82a44c8ce1a1a)
David Disseldorp [Thu, 18 Dec 2014 17:23:11 +0000 (18:23 +0100)]
printing: add nt_printer_guid_retrieve() helper
This function connects to the domain controller and retrieves the
GUID for the corresponding printer DN.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11018
Pair-programmed-with: Andreas Schneider <asn@samba.org>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 38dbd054dc331a441b10fdebbdb4bd0fc51cfc0a)
David Disseldorp [Thu, 18 Dec 2014 17:18:21 +0000 (18:18 +0100)]
printing: split out printer DN and GUID retrieval
These functions are used for printer publishing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11018
Pair-programmed-with: Andreas Schneider <asn@samba.org>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 7cabd89789a50d37fc32735968c493092a37e69f)
Günther Deschner [Sat, 19 Jan 2013 00:37:29 +0000 (01:37 +0100)]
s3-spoolss: Make it easier to manipulate the returned OSVersion at runtime.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Tue, 3 Dec 2013 18:21:16 +0000 (10:21 -0800)]
smbd: Always use UCF_PREP_CREATEFILE for filename_convert calls to resolve a path for open.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10297
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec 9 21:02:21 CET 2013 on sn-devel-104
(cherry picked from commit f98d10af2a05f0261611f4cabdfe274cd9fe91c0)
Jeremy Allison [Tue, 3 Dec 2013 18:19:09 +0000 (10:19 -0800)]
smbd: change flag name from UCF_CREATING_FILE to UCF_PREP_CREATEFILE
In preparation to using it for all open calls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10297
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 874318a97868e08837a1febb1be8e8a167b5ae0f)
Volker Lendecke [Tue, 3 Dec 2013 12:20:17 +0000 (13:20 +0100)]
smbd: Fix regression for the dropbox case.
We need to allow to save a file to a directory with perm -wx.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10297
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5b49fe24c906cbae12beff7a1b45de6809258cab)
Andreas Schneider [Wed, 20 Aug 2014 13:51:21 +0000 (15:51 +0200)]
: Reset netlogon pipe for interactive samlogon_ex.
Günther Deschner [Tue, 15 Jul 2014 14:22:15 +0000 (16:22 +0200)]
s3-winbindd: prefer to do a rpccli_netlogon_sam_logon_ex if we can.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Günther Deschner [Tue, 15 Jul 2014 14:21:08 +0000 (16:21 +0200)]
s3-rpc_client: add rpccli_netlogon_sam_logon_ex().
This function deals with interactive samlogon and does a dcerpc_netr_SamLogonEx
call (w/o credential chaining).
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Andreas Schneider [Thu, 3 Jul 2014 14:19:42 +0000 (16:19 +0200)]
s3-winbind: Don't set the gecos field to NULL.
The value is loaded from the cache anyway. So it will be set to NULL if
it is not available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Thu, 3 Jul 2014 14:17:46 +0000 (16:17 +0200)]
samlogon_cache: avoid overwriting info3->base.full_name.string.
This field serves as a source for the gecos field. We should not overwrite it
when an info3 struct from a samlogon network level gets saved in which case this
field is always NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Wed, 9 Jul 2014 11:36:06 +0000 (13:36 +0200)]
samlogon_cache: use a talloc_stackframe inside netsamlogon_cache_store.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Mon, 7 Jul 2014 15:16:32 +0000 (17:16 +0200)]
s3-winbindd: use wcache_query_user_fullname after inspecting samlogon cache.
The reason for this followup query is that very often the samlogon cache only
contains an info3 netlogon user structure that has been retrieved during a
netlogon samlogon authentication using "network" logon level. With that logon
level only a few info3 fields are filled in; the user's fullname is never filled
in that case. This is problematic when the cache is used to fill in the user's
gecos field (for NSS queries). When we have retrieved the user's fullname during
other queries, reuse it from the other caches.
Thanks to Matt Rogers <mrogers@redhat.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
Guenther
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Mon, 7 Jul 2014 15:14:37 +0000 (17:14 +0200)]
s3-winbindd: add wcache_query_user_fullname().
This helper function is used to query the full name of a cached user object (for
further gecos processing).
Thanks to Matt Rogers <mrogers@redhat.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
Guenther
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Tue, 15 Jul 2014 12:25:19 +0000 (14:25 +0200)]
s3-winbindd: call interactive samlogon via rpccli_netlogon_password_logon.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Tue, 15 Jul 2014 12:16:56 +0000 (14:16 +0200)]
s3-rpc_client: return info3 in rpccli_netlogon_password_logon().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 16 Apr 2014 14:07:14 +0000 (16:07 +0200)]
s3-libads: allow ads_try_connect() to re-use a resolved ip address.
Pass down a struct sockaddr_storage to ads_try_connect.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104
Andrew Bartlett [Tue, 26 Apr 2011 07:03:32 +0000 (17:03 +1000)]
s3-libads Pass a struct sockaddr_storage to cldap routines
This avoids these routines doing a DNS lookup that has already been
done, and ensures that the emulated DNS lookup isn't thrown away.
Andrew Bartlett
Günther Deschner [Wed, 2 Apr 2014 17:37:34 +0000 (19:37 +0200)]
s3-kerberos: make ipv6 support for generated krb5 config files more robust.
Older MIT Kerberos libraries will add any secondary ipv6 address as
ipv4 address, defining the (default) krb5 port 88 circumvents that.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Apr 4 16:33:12 CEST 2014 on sn-devel-104
Conflicts:
source3/libads/kerberos.c
Günther Deschner [Fri, 7 Mar 2014 13:47:31 +0000 (14:47 +0100)]
s3-kerberos: remove unused kdc_name from create_local_private_krb5_conf_for_domain().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Mar 7 18:43:57 CET 2014 on sn-devel-104
Conflicts:
source3/libads/kerberos.c
source3/libads/kerberos_proto.h
source3/libnet/libnet_join.c
source3/winbindd/winbindd_cm.c
Günther Deschner [Mon, 13 Jan 2014 14:59:26 +0000 (15:59 +0100)]
s3-kerberos: remove print_kdc_line() completely.
Just calling print_canonical_sockaddr() is sufficient, as it already deals with
ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is
removed as well. It was pointless because it always derived the port number from
the provided address which was either a SMB (usually port 445) or LDAP
connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.
Finally, the kerberos libraries that we support and build with, can deal with
ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of
resolving the DC name on the kerberos library anymore.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Conflicts:
source3/libads/kerberos.c
Andreas Schneider [Wed, 28 May 2014 14:02:15 +0000 (16:02 +0200)]
s3-libsmbclient: Always initialize globals.
This fixes cases where we dereference NULL pointers of globals which
were not initialized.
Niels de Vos [Fri, 10 Jan 2014 15:26:18 +0000 (16:26 +0100)]
vfs/glusterfs: in case atime is not passed, set it to the current atime
The Linux CIFS client does not pass an updated atime when a write() is
done. This causes the vfs/glusterfs module to set the atime to -1 on the
Gluster backend, resulting in an atime far in the future (year 2106).
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Reviewed-by: Ira Cooper <ira@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 15 21:31:30 CET 2014 on sn-devel-104
Poornima Gurusiddaiah [Sun, 24 Nov 2013 21:37:53 +0000 (21:37 +0000)]
vfs_glusterfs: Enable per client log file
In Samba configuration file, one of the options of gluster type is
log file, the value of this option was not allowed to contain any
variables, as a result all the clients would have a single log file,
which complicated debugging.
In this patch, variable substitution is performed for gluster log file.
Hence allowing user to customise the gluster log file name.
Signed-off-by: Poornima Gurusiddaiah <pgurusid@redhat.com>
Reviewed-by: Ira Cooper <ira@samba.org>
Andreas Schneider [Fri, 15 Nov 2013 16:02:19 +0000 (17:02 +0100)]
s3-vfs: Make glfs_set_preopened() static.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Mon, 4 Nov 2013 11:32:05 +0000 (12:32 +0100)]
vfs: Fix some build warnings in glusterfs.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Christopher R. Hertel [Thu, 29 Aug 2013 16:01:24 +0000 (11:01 -0500)]
vfs_glusterfs: Fix excessive debug output from vfs_gluster_open().
The vfs_gluster_open() function generates a debug message (at level 0)
for every failed attempt to open a pathname. This includes cases in
which attempts are made to open a directory as a file (those attempts
are retried calling vfs_gluster_opendir()). The result is that the log
file fills with messages about failed attempts to open directories,
because they are directories. This patch ensures that failed attempts
to open directories as files are logged at log level 4, not 0. In
addition, other failed open attempts are logged at level 1, not 0.
Signed-off-by: Christopher R. Hertel <crh@redhat.com>
Reviewed-by: Susant Palai <spalai@redhat.com>
Reviewed-by: Raghavendra Talur <rtalur@redhat.com>
Reviewed-by: Jose A. Rivera <jarrpa@redhat.com>
Anand Avati [Mon, 12 Aug 2013 19:59:24 +0000 (14:59 -0500)]
vfs_glusterfs: Implement proper marshalling/unmarshalling of ACLs
Use the primitives available in Samba byteorder.h for implementing
proper (un)marshalling of ACL xattrs.
Signed-off-by: Anand Avati <avati@redhat.com>
Reviewed-by: Raghavendra Talur <rtalur@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Tested-by: "Jose A. Rivera" <jarrpa@redhat.com>
susant [Wed, 7 Aug 2013 06:00:31 +0000 (01:00 -0500)]
vfs_glusterfs: Volume capacity reported to Windows is incorrect
VFS plugin was sending the actual size of the volume instead of the
total number of block units because of which Windows was getting the
wrong volume capacity.
Signed-off-by: susant <spalai@redhat.com>
Reviewed-by: Anand Avati <avati@redhat.com>
Raghavendra Talur [Fri, 21 Jun 2013 00:58:15 +0000 (17:58 -0700)]
vfs_glusterfs: New file creation fix.
When a new document is created in explorer, a check for file_exist is made.
vfs_gluster_get_real_filename was returning 0 even when the file did not
exist.
Anand Avati [Wed, 29 May 2013 11:21:46 +0000 (07:21 -0400)]
vfs_glusterfs: Samba VFS module for glusterfs
Implement a Samba VFS plugin for glusterfs based on gluster's gfapi.
This is a "bottom" vfs plugin (not something to be stacked on top of
another module), and translates (most) calls into closest actions
on gfapi.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Signed-off-by: Anand Avati <avati@redhat.com>
Andreas Schneider [Wed, 12 Feb 2014 12:26:02 +0000 (13:26 +0100)]
s3-winbind: Use strlcpy to avoid log entry.
The full_name from Windows can be longer than 255 chars which results in
a warning on log level 0 that we have a string overflow. This will avoid
the warning. However we should fix this sooner or later on the protocol
level to have no limit.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Conflicts:
source3/winbindd/wb_fill_pwent.c
Günther Deschner [Wed, 24 Jan 2018 15:28:52 +0000 (16:28 +0100)]
docs: point out side-effects of global "valid users" setting.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Günther Deschner [Thu, 5 Apr 2012 12:05:00 +0000 (14:05 +0200)]
nsswitch: disable HAVE_PAM_RADIO_TYPE handling until proper PAM_RADIO_TYPE handling is available.
This is needed so that gdm doesn't crash.
Guenther
Günther Deschner [Wed, 21 Dec 2011 14:47:35 +0000 (15:47 +0100)]
s3-dns: prevent from potentially doing wrong SRV DNS lookups.
With an empty sitename we asked for e.g.
_ldap._tcp.._sites.dc._msdcs.AD.EXAMPLE.COM
Guenther
Christian Ambach [Fri, 30 Sep 2011 15:07:05 +0000 (17:07 +0200)]
s3-docs: some corrections for wbinfo
Parameters for --group-info and --gid-info were not listed
properly in the SYNOPSIS and the OPTIONS section
Autobuild-User: Christian Ambach <ambi@samba.org>
Autobuild-Date: Fri Sep 30 18:44:34 CEST 2011 on sn-devel-104
Andreas Schneider [Wed, 24 Jan 2018 15:16:41 +0000 (16:16 +0100)]
docs: Document Services for Unix nss_info ldap schema support
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 24 Jan 2018 15:14:28 +0000 (16:14 +0100)]
docs: Update wbinfo manpage to match options
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 24 Jan 2018 15:13:03 +0000 (16:13 +0100)]
s3:winbindd: Change log level for idmap module registration
Do not spam the logs with this.
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 24 Jan 2018 15:11:18 +0000 (16:11 +0100)]
s3:smbd: Detect broken inotify
This works around a SELinux policy bug.
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 24 Jan 2018 15:09:59 +0000 (16:09 +0100)]
s3:winbindd: Use '*' instead of 'x' in getent group output
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 24 Jan 2018 15:08:44 +0000 (16:08 +0100)]
nsswitch: Use /var/run/winbindd as socket dir
Signed-off-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Fri, 16 Aug 2013 20:49:39 +0000 (13:49 -0700)]
Add new "timeout" command and -t option to smbclient to set the per-operation timeout.
This is needed as once SMB3 encryption is selected the server
response time can be very slow when requesting large numbers
(256) of large encrypted packets (1MB) from a Windows 2012
virtual machine. This allows clients to tune their allowable
wait time.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit d9c88a56dc451be09e8c9fc9aa8857e312fcb444)
Andreas Schneider [Tue, 8 Jul 2014 08:26:51 +0000 (10:26 +0200)]
s3-auth: Fix support for 'security = share' in passwd_to_SamInfo3().
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 2 Jul 2014 14:39:22 +0000 (16:39 +0200)]
s3-auth: Do not double free the result.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 3b9d875e184d985b90da0b6578ab4d9428040a01)
Andreas Schneider [Wed, 28 May 2014 13:12:29 +0000 (15:12 +0200)]
Allocate server_info on the correct memory context.
This fixes a talloc double free PANIC when connecting to share.
Andreas Schneider [Tue, 18 Feb 2014 09:19:57 +0000 (10:19 +0100)]
s3-auth: Pass mem_ctx to auth_check_ntlm_password().
Coverity-Id: 1168009
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
Signed-off-by: Andreas Schneider <asn@samba.org>
Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4d792db03f18aa164b565c7fdc7b446c174fba28)
Andreas Schneider [Tue, 18 Feb 2014 09:02:57 +0000 (10:02 +0100)]
s3-auth: Pass mem_ctx to make_server_info_sam().
Coverity-Id: 1168009
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
Signed-off-by: Andreas Schneider <asn@samba.org>
Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3dc72266005e87a291f5bf9847257e8c54314d39)
Andreas Schneider [Fri, 13 Dec 2013 18:19:02 +0000 (19:19 +0100)]
s3-auth: Use passwd_to_SamInfo3().
Correctly lookup users which come from smb.conf. passwd_to_SamInfo3()
tries to contact winbind if the user is a domain user to get
valid information about it. If winbind isn't running it will try to
create everything from the passwd struct. This is not always reliable
but works in most cases. It improves the current situation which doesn't
talk to winbind at all.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104
Andreas Schneider [Fri, 13 Dec 2013 18:11:01 +0000 (19:11 +0100)]
s3-auth: Pass talloc context to make_server_info_pw().
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 13 Dec 2013 18:08:34 +0000 (19:08 +0100)]
s3-auth: Add passwd_to_SamInfo3().
First this function tries to contact winbind if the user is a domain
user to get valid information about it. If winbind isn't running it will
try to create everything from the passwd struct. This is not always
reliable but works in most cases. It improves the current situation
which doesn't talk to winbind at all.
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 16 Dec 2013 11:57:20 +0000 (12:57 +0100)]
s3-lib: Add winbind_lookup_usersids().
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jeremy Allison [Mon, 13 Jan 2014 14:23:00 +0000 (15:23 +0100)]
s3-winbind: Move setup_domain_child() into add_trusted_domain().
Ensure it only gets called when a new domain is allocated
and added to the list.
This should fix problems with the previous logic where
setup_domain_child() was called in places where an existing
domain was returned.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10358
Gregor Beck [Thu, 20 Feb 2014 10:25:53 +0000 (11:25 +0100)]
s3:winbindd: avoid directly asking a trusted domain in wb_lookupsids*()
As a domain member we should always use a DC of our own domain.
It would be possible to pass all sids in one single dcerpc_wbint_LookupSids()
call. For now we just fix bug.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10458
Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 66fb0ce9557553a4c01607b517e65ac4c93841d0)
Jeremy Allison [Tue, 25 Feb 2014 00:18:31 +0000 (16:18 -0800)]
s3-printing: Fix obvious memory leak in printer_list_get_printer().
https://bugzilla.samba.org/show_bug.cgi?id=9993
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 148bbdd8d04400b5d873f636671dd443952ca04f)
Andreas Schneider [Wed, 27 Nov 2013 16:21:01 +0000 (17:21 +0100)]
s3-lib: Fix %G substitution for domain users in smbd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10286
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Christian Ambach <ambi@samba.org>
Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Tue Dec 10 16:39:43 CET 2013 on sn-devel-104
(cherry picked from commit 8eef4ab79ec5fb7e96ad2f2ad6c9bf30db13a50d)
Volker Lendecke [Thu, 16 Jan 2014 15:10:25 +0000 (16:10 +0100)]
s3-winbind: Improve performance of wb_fill_pwent_sid2uid_done().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2191
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jan 16 20:17:24 CET 2014 on sn-devel-104
(cherry picked from commit 1a43778433934530d77791edd1af538de8b1d8a3)
Andreas Schneider [Mon, 18 Nov 2013 13:58:14 +0000 (14:58 +0100)]
s3-winbind: Pass the group name to fillup_pw_field().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2191
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Mon, 18 Nov 2013 13:58:04 +0000 (14:58 +0100)]
s3-lib: Add grpname to talloc_sub_specified().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2191
Signed-off-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit bca2b01b9c12c1a689cd1102c4beb74b11cb6f01)
Günther Deschner [Tue, 4 Feb 2014 15:38:46 +0000 (16:38 +0100)]
librpc/nbt: increase MAX_COMPONENTS limit for nbt_names.
domains with more than 10 subdomains are not so uncommon.
https://bugzilla.samba.org/show_bug.cgi?id=10439
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 4e05bad0d18e351cb2a2db74860e77adea727c79)
Jeremy Allison [Tue, 2 Jan 2018 23:56:03 +0000 (15:56 -0800)]
CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 8 Sep 2017 17:13:14 +0000 (10:13 -0700)]
CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 12 Dec 2016 05:07:56 +0000 (06:07 +0100)]
CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
With forced encryption or required signing we should also not fall back.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 12 Dec 2016 04:49:46 +0000 (05:49 +0100)]
CVE-2017-12150: libgpo: make use of Required for SMB signing in gpo_connect_server()
It's important that we use a signed connection to get the GPOs!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 3 Nov 2016 16:16:43 +0000 (17:16 +0100)]
CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state use Required for smb_encrypt
This is an addition to the fixes for CVE-2015-5296.
It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
Daniel Kobras [Fri, 23 Jun 2017 13:39:21 +0000 (15:39 +0200)]
s3: smbd: fix regression with non-wide symlinks to directories
The errno returned by open() is ambiguous when called with flags O_NOFOLLOW and
O_DIRECTORY on a symlink. With ELOOP, we know for certain that we've tried to
open a symlink. With ENOTDIR, we might have hit a symlink, and need to perform
further checks to be sure. Adjust non_widelink_open() accordingly. This fixes
a regression where symlinks to directories within the same share were no
longer followed for some call paths on systems returning ENOTDIR in the above
case.
Also remove the knownfail added in previous commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12860
Signed-off-by: Daniel Kobras <d.kobras@science-computing.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
acc16592b451905dabc093f1d261e93cd3b59520)
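The errno ambiguity described in the commit message above, as an added C example (not Samba's code and not part of the commit). `open_dir_nofollow()` and `classify_in_fixture()` are hypothetical names, and the temporary directory contents are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum open_result { OPENED_DIR, HIT_SYMLINK, NOT_A_DIR, OTHER_ERROR };
/* Hypothetical helper (not Samba's code): open `name` under dirfd as a
 * directory, never following a final symlink, and report why it failed. */
static enum open_result open_dir_nofollow(int dirfd, const char *name, int *fd_out)
{
    struct stat st;
    *fd_out = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (*fd_out >= 0) return OPENED_DIR;
    if (errno == ELOOP) return HIT_SYMLINK;   /* certain: it is a symlink */
    if (errno != ENOTDIR) return OTHER_ERROR;
    /* ENOTDIR is ambiguous, so look at the name itself. The answer is advisory:
     * the entry can be swapped afterwards, so later opens keep O_NOFOLLOW. */
    if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0) return OTHER_ERROR;
    return S_ISLNK(st.st_mode) ? HIT_SYMLINK : NOT_A_DIR;
}

/* Constructed fixture: temp dir holding realdir/, file, and link -> realdir. */
static enum open_result classify_in_fixture(const char *name)
{
    char tmpl[] = "/tmp/nofollow-demo-XXXXXX";
    enum open_result res = OTHER_ERROR;
    int root, fd = -1;
    if (mkdtemp(tmpl) == NULL) return OTHER_ERROR;
    root = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (root < 0) { rmdir(tmpl); return OTHER_ERROR; }
    close(openat(root, "file", O_CREAT | O_WRONLY, 0600)); /* empty regular file */
    if (mkdirat(root, "realdir", 0700) == 0 && symlinkat("realdir", root, "link") == 0)
        res = open_dir_nofollow(root, name, &fd);
    if (fd >= 0) close(fd);
    unlinkat(root, "link", 0);
    unlinkat(root, "file", 0);
    unlinkat(root, "realdir", AT_REMOVEDIR);
    close(root);
    rmdir(tmpl);
    return res;
}

int main(void)
{
    printf("link=%d file=%d\n", classify_in_fixture("link"), classify_in_fixture("file"));
    return 0;
}
```

Whichever errno the platform returns for the symlink case, the caller gets the same classification, so the decision about whether to follow the link does not depend on the host's behaviour.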
Jeremy Allison [Tue, 28 Mar 2017 05:10:29 +0000 (22:10 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2
Add tests for regular access.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Mar 28 17:05:27 CEST 2017 on sn-devel-144
(cherry picked from commit
4e734fcd1bf82c08aa303ce44e9735acccffcf06)
Jeremy Allison [Tue, 28 Mar 2017 00:09:38 +0000 (17:09 -0700)]
s3: smbd: Fix "follow symlink = no" regression part 2.
Use the cwd_name parameter to reconstruct the original
client name for symlink testing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
e182a4d39e86c9694e255efdf6ee2ea3ccb9af4a)
Jeremy Allison [Tue, 28 Mar 2017 00:04:58 +0000 (17:04 -0700)]
s3: smbd: Fix "follow symlink = no" regression part 2.
Add an extra parameter to cwd_name to check_reduced_name().
If cwd_name == NULL then fname is a client given path relative
to the root path of the share.
If cwd_name != NULL then fname is a client given path relative
to cwd_name. cwd_name is relative to the root path of the share.
Not yet used, logic added in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
83e30cb48859b412b76572b6a3ba84d8fde167af)
Jeremy Allison [Tue, 28 Mar 2017 05:07:50 +0000 (22:07 -0700)]
s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no"
Use correct bash operators (not string operators).
Add missing "return".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
037297a1c50e90a0092e3b94f472623f41ccc015)
Jeremy Allison [Mon, 27 Mar 2017 18:48:25 +0000 (11:48 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Back-ported from commit
782172a9bef0040981d20e49519b13dd744df6a0
Jeremy Allison [Mon, 27 Mar 2017 17:46:47 +0000 (10:46 -0700)]
s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).
In a UNIX filesystem, the names "." and ".." by definition can *never*
be symlinks - they are already reserved names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit
ae17bebd250bdde5614b2ac17e53512f19fe9b68)
Jeremy Allison [Thu, 15 Dec 2016 21:06:31 +0000 (13:06 -0800)]
s3: smbd: Use the new non_widelink_open() function.
CVE-2017-2619
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Thu, 15 Dec 2016 21:04:46 +0000 (13:04 -0800)]
s3: smbd: Add the core functions to prevent symlink open races.
CVE-2017-2619
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Thu, 15 Dec 2016 20:56:08 +0000 (12:56 -0800)]
s3: smbd: Move special handling of symlink errno's into a utility function.
CVE-2017-2619
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Thu, 15 Dec 2016 20:52:13 +0000 (12:52 -0800)]
s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
CVE-2017-2619
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Mon, 19 Dec 2016 20:35:32 +0000 (12:35 -0800)]
s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.
CVE-2017-2619
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Mon, 19 Dec 2016 20:32:07 +0000 (12:32 -0800)]
s3: smbd: Move the reference counting and destructor setup to just before returning success.
CVE-2017-2619
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Mon, 19 Dec 2016 20:15:59 +0000 (12:15 -0800)]
s3: smbd: OpenDir_fsp() - Fix memory leak on error.
CVE-2017-2619
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Mon, 19 Dec 2016 20:13:20 +0000 (12:13 -0800)]
s3: smbd: OpenDir_fsp() use early returns.
CVE-2017-2619
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 20 Dec 2016 00:35:00 +0000 (16:35 -0800)]
s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
Hardens OpenDir against TOC/TOU races.
CVE-2017-2619
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 20 Dec 2016 00:25:26 +0000 (16:25 -0800)]
s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
CVE-2017-2619
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Mon, 19 Dec 2016 19:55:56 +0000 (11:55 -0800)]
s3: smbd: Create wrapper function for OpenDir in preparation for making robust.
CVE-2017-2619
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>