Rob van der Linde [Tue, 16 May 2023 00:27:41 +0000 (12:27 +1200)]
netcmd: domain: rename claim tests for consistency
The domain_auth tests are also prefixed with domain, it matches the
cli command "samba-tool domain claim".
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Rob van der Linde [Tue, 16 May 2023 00:22:25 +0000 (12:22 +1200)]
netcmd: domain: tests for auth silo command line tools
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Rob van der Linde [Tue, 16 May 2023 00:15:06 +0000 (12:15 +1200)]
netcmd: domain: add authentication silo commands
Authentication policies:
* samba-tool domain auth policy list
* samba-tool domain auth policy view
* samba-tool domain auth policy create
* samba-tool domain auth policy modify
* samba-tool domain auth policy delete
Authentication silos:
* samba-tool domain auth silo list
* samba-tool domain auth silo view
* samba-tool domain auth silo create
* samba-tool domain auth silo modify
* samba-tool domain auth silo delete
Authentication silo members:
* samba-tool domain auth silo member list
* samba-tool domain auth silo member add
* samba-tool domain auth silo member remove
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Rob van der Linde [Tue, 16 May 2023 00:09:39 +0000 (12:09 +1200)]
netcmd: add domain models and basic model layer
The ORM is somewhat inspired by Django, but it has some key
differences that make it work better with the Ldb database.
A field can be a singular value or a list, so a BooleanField can
either be True, or [True, False, True], or None.
The only thing that many=True does is say that the field "prefers" to
be a list, but really any field can be a list. For example when
creating a new object, it initialises the field as an empty list
rather than None if many=True.
When saving an object, if it is an update operation, only write the
fields that have actually changed.
When updating an object, any fields that are unset (set to None, or an
empty list) will be treated as a REMOVE operation.
Note that silo members should not be saved this way, writing the whole
list can lead to data loss if multiple admins are saving the silo at
the same time. Silo members will need to be handled differently, just
removing one member but not writing the whole list.
Unlike Django, there is no .objects class, instead there are a bunch
of static methods for querying:
* Model.get
* Model.query
* Model.create
* Model.get_or_create
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Rob van der Linde [Tue, 16 May 2023 00:00:56 +0000 (12:00 +1200)]
netcmd: add custom json encoder for object type fields
The custom JSONEncoder class is also capable of encoding Dn objects to
str, and any object that has a __json__ method.
The __json__ method is not an official dunder method, but this has
been used by other frameworks too (like Pyramid).
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Rob van der Linde [Mon, 15 May 2023 23:47:45 +0000 (11:47 +1200)]
netcmd: add optparse validators and Range validator
Add the ability to the add validators to optparse Option fields.
The Option class was already subclassed in `netcmd/__init__.py` so
adding some functionality to this was relatively easy.
Added the ability to add Validator classes to a field so that this can
be used for anything else in the future, but for now there is a Range
validator required by upcoming auto silo commands.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Christof Schmitt [Wed, 31 May 2023 18:29:49 +0000 (11:29 -0700)]
vfs_gpfs: Move call to load GPFS library
Load the GPFS library from the connect function and leave the module
init for only the module registration.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jun 25 16:06:37 UTC 2023 on atb-devel-224
Christof Schmitt [Wed, 31 May 2023 18:16:19 +0000 (11:16 -0700)]
vfs_gpfs: Check error from gpfswrap_lib_init
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Christof Schmitt [Wed, 31 May 2023 18:13:51 +0000 (11:13 -0700)]
vfs_gpfs: Register smbd process with GPFS
Issue API call to tell the file system that this is a Samba process.
This fixed the GPFS handling of Samba since the rename of smbd processes
in commit
5955dc1e4fd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15381
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Christof Schmitt [Wed, 24 May 2023 21:06:36 +0000 (14:06 -0700)]
gpfswrap: Add wrapper for gpfs_register_cifs_export
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15381
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 7 Feb 2022 18:32:08 +0000 (19:32 +0100)]
s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key()
It means that using the old or older password no longer
changes badPwdCount for Kerberos authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 24 07:18:03 UTC 2023 on atb-devel-224
Stefan Metzmacher [Fri, 23 Jun 2023 11:42:31 +0000 (13:42 +0200)]
s4:dsdb/tests: also verify too old, older password interaction with badPwdCount
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 25 Feb 2022 04:16:36 +0000 (05:16 +0100)]
s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0)
This demonstrates the pre-authentication failures with passwords from
the password history don't incremend badPwdCount, similar to the
NTLMSSP and simple bind cases. But it's still an interactive logon,
which doesn't use 'old password allowed period'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Feb 2022 06:12:10 +0000 (07:12 +0100)]
s4:kdc: handle passwords from the history in hdb_samba4_auth_status()
This is important in order to prevent ACCOUNT_LOCKED_OUT
with cached credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Tue, 20 Jun 2023 10:42:52 +0000 (12:42 +0200)]
vfs: Remove "sbuf" from readdir_fn()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 23 18:29:40 UTC 2023 on atb-devel-224
Volker Lendecke [Tue, 20 Jun 2023 10:29:29 +0000 (12:29 +0200)]
smbd: Remove unused "sbuf" argument from vfs_readdirname()
The only caller did not use the result.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 20 Jun 2023 10:25:45 +0000 (12:25 +0200)]
smbd: Remove unused "sbuf" argument from ReadDirName()
Nobody used that anymore, most callers had passed in NULL anyway.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 20 Jun 2023 10:19:15 +0000 (12:19 +0200)]
smbd: Remove unused "pst" argument from dptr_ReadDirName()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 20 Jun 2023 10:03:35 +0000 (12:03 +0200)]
smbd: Don't use "sbuf" in smbd_dirptr_get_entry()
openat_pathref_fsp() does not need this anymore.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 22 Jun 2023 07:52:09 +0000 (09:52 +0200)]
smbd: Make sure smb_fname->st is valid in smbd_dirptr_get_entry
This simplifies the two mode_fn()s we have.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:31:52 +0000 (13:31 +0200)]
python:samba: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun 23 14:51:14 UTC 2023 on atb-devel-224
Andreas Schneider [Tue, 6 Jun 2023 11:28:13 +0000 (13:28 +0200)]
python:samba:tests: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:23:25 +0000 (13:23 +0200)]
python:samba:subunit: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:22:56 +0000 (13:22 +0200)]
python:samba:samba3: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:22:19 +0000 (13:22 +0200)]
python:samba:provision: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:17:58 +0000 (13:17 +0200)]
python:samba:netcmd: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:14:39 +0000 (13:14 +0200)]
python:samba:kcc: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:13:28 +0000 (13:13 +0200)]
python:samba:gp_parse: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:13:15 +0000 (13:13 +0200)]
python:samba:gp: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:12:45 +0000 (13:12 +0200)]
python:samba:emulate: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:04:46 +0000 (13:04 +0200)]
pidl: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:02:02 +0000 (13:02 +0200)]
packaging:systemd: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:01:27 +0000 (13:01 +0200)]
nsswitch: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 11:00:06 +0000 (13:00 +0200)]
librpc:rpc: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 10:59:25 +0000 (12:59 +0200)]
librpc:ndr: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 10:58:34 +0000 (12:58 +0200)]
librpc:idl: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 10:54:17 +0000 (12:54 +0200)]
libgpo:admx: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 6 Jun 2023 10:51:39 +0000 (12:51 +0200)]
libcli:smbreadline: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 May 2023 09:26:48 +0000 (11:26 +0200)]
testprogs/blackbox: add --recursive tests to test_samba-tool_ntacl.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 22 00:22:47 UTC 2023 on atb-devel-224
Stefan Metzmacher [Wed, 17 May 2023 09:26:48 +0000 (11:26 +0200)]
testprogs/blackbox: move 'ntacl get' out of test_changedomsid() in test_samba-tool_ntacl.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 May 2023 09:26:48 +0000 (11:26 +0200)]
testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 2 May 2023 14:18:51 +0000 (16:18 +0200)]
samba-tool/ntacl: implement set --recursive
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 2 May 2023 14:18:26 +0000 (16:18 +0200)]
samba-tool/ntacl: add set --verbose and print out the file/directory name
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 2 May 2023 14:18:26 +0000 (16:18 +0200)]
samba-tool/ntacl: don't announce -q,--quiet in --help as it's not used at all
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 16 May 2023 11:57:51 +0000 (13:57 +0200)]
samba-tool/ntacl: let changedomsid ignore symlinks
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 2 May 2023 13:15:16 +0000 (15:15 +0200)]
vfs_aio_pthread: don't crash without a pthreadpool
During 'samba-tool ntacl sysvolreset' and similar.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Baumbach [Wed, 21 Jun 2023 18:52:03 +0000 (20:52 +0200)]
samba-tool: print default (domain) for --dns-directory-partition option in help message
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 23:12:47 +0000 (00:12 +0100)]
tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime
This demonstrates that we use the correct authtime
when doing constrained delegation.
The actual fix for the problem is already in place via
commit
75ec66c729faad60fa18b9504ba4053b3e2f47bc
third_party/heimdal: Import lorikeet-heimdal-
202306091507 (commit
7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)
The related patch is:
006a365a6aa3047a4e685e1607973746a28cc1f1 kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Mar 2022 13:46:55 +0000 (14:46 +0100)]
tests/krb5/s4u_tests.py: add test_constrained_delegation_with_enc_auth_data_[no_]subkey()
This demonstrates that we use the correct key for EncAuthorizationData
together with constrained delegation.
The actual fix for the problem is already in place via
commit
75ec66c729faad60fa18b9504ba4053b3e2f47bc
third_party/heimdal: Import lorikeet-heimdal-
202306091507 (commit
7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)
The related patches are:
38c47c54f0c78fed5afc1aea9c5f6683e06ec842 kdc: fix memory leak when decryption AuthorizationData
61c0089ea3f5387953818a3ac99fb529244196e6 kdc: decrypt b->enc_authorization_data in tgs_build_reply()
fed5579814108ee90f701ca6bfb5500f7d839bc4 kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the keys from evidence_tkt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 14 Jun 2023 04:14:51 +0000 (16:14 +1200)]
WHATSNEW: Mention new default schema and Functional Level prep
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 21 20:01:06 UTC 2023 on atb-devel-224
Joseph Sutton [Mon, 3 Apr 2023 04:49:50 +0000 (16:49 +1200)]
s4:kdc: Gate claims, auth policies and NTLM restrctions behind 2012/2016 FLs
Samba security features like AD claims, Authentication Policies and
Authentication Silos are enabled once the DC is at the required functional level.
We comment at the callers of of dsdb_dc_functional_level() to explain
why we do this.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 08:21:32 +0000 (10:21 +0200)]
testprogs/blackbox: also raise the levels to 2012_R2/2016 in functionalprep.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 08:21:32 +0000 (10:21 +0200)]
testprogs/blackbox: also prepare for to 2016 (schema=2019) in functionalprep.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 10:07:08 +0000 (12:07 +0200)]
samba-tool: let 'domain level raise' call check_and_update_fl() in a transaction
This makes it possible to raise the levels without starting
'samba' first, which is very useful for blackbox tests.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 10:07:08 +0000 (12:07 +0200)]
samba-tool: move some parts of 'domain level [show|raise]' in to subfunctions
This will make it easier to use transactions in the following changes...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 10:07:08 +0000 (12:07 +0200)]
samba-tool: move some parts of 'domain level [show|raise]' in to try/except
This just adds indentation for now, the following changes will
add transactions...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 09:57:12 +0000 (11:57 +0200)]
samba-tool: let 'domain level raise --domain-level' use the correct crossRef dn
We should not rely on lp.get('workgroup')...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 09:07:17 +0000 (11:07 +0200)]
samba-tool: check for invalid 'domain level' subcommands first
This will simplify further changes...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 20 Jun 2023 23:43:01 +0000 (11:43 +1200)]
samba-tool: Fix missing import for "domain level raise --forest-level=2016"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 08:31:34 +0000 (10:31 +0200)]
docs-xml/smbdotconf: also allow 2012[_R2] for 'ad dc functional level'
We may not jump to 2016 directly...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 9 Jun 2023 03:46:33 +0000 (15:46 +1200)]
s4:kdc: Replace FAST cookie with dummy string
All that uses the FAST cookie is the gss-preauth authentication
mechanism, which is untested in Samba, and disabled by default.
Disabling the FAST cookie code (and sending a dummy string instead)
relieves us of the maintenance and testing burden of this untested code.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 21 13:19:17 UTC 2023 on atb-devel-224
Joseph Sutton [Mon, 12 Jun 2023 00:12:06 +0000 (12:12 +1200)]
third_party/heimdal: Import lorikeet-heimdal-
202306112240 (commit
c7f4ffe1a6e8dafc86ec3357c498d31c97ece386)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 12 Jun 2023 01:06:21 +0000 (13:06 +1200)]
tests/krb5: Test that FX-COOKIE matches cookie returned by Windows
The cookie produced by Windows differs depending on whether FAST was
used.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 20 Jun 2023 07:56:22 +0000 (09:56 +0200)]
smbd: Don't set security_descriptor_hash_v4->time
This prevents de-duplication of xattrs in the backend file system
where otherwise ACLs are often very similar.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jun 21 07:11:56 UTC 2023 on atb-devel-224
Andreas Schneider [Tue, 20 Jun 2023 09:52:12 +0000 (11:52 +0200)]
s3:winbind: Fix talloc parent in find_dc() leading to a segfault
[2023/06/16 16:30:18.677249, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/cmdline/cmdline.c:56(_samba_cmdline_talloc_log)
Bad talloc magic value - unknown value
[2023/06/16 16:30:18.677374, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:173(smb_panic_log)
===============================================================
[2023/06/16 16:30:18.677388, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:177(smb_panic_log)
INTERNAL ERROR: Bad talloc magic value - unknown value in pid 28112 (4.18.3)
[2023/06/16 16:30:18.677398, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:182(smb_panic_log)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2023/06/16 16:30:18.677408, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:183(smb_panic_log)
===============================================================
[2023/06/16 16:30:18.677420, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:185(smb_panic_log)
PANIC (pid 28112): Bad talloc magic value - unknown value in 4.18.3
[2023/06/16 16:30:18.677698, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:293(log_stack_trace)
BACKTRACE: 22 stack frames:
#0 /usr/lib64/samba/libgenrand-samba4.so(log_stack_trace+0x34) [0x7fcc04ad35d4]
#1 /usr/lib64/samba/libgenrand-samba4.so(smb_panic+0xd) [0x7fcc04ad382d]
#2 /lib64/libtalloc.so.2(+0x3121) [0x7fcc04650121]
#3 /usr/sbin/winbindd(_wbint_InitConnection+0xe8) [0x55aa1fd79028]
#4 /usr/sbin/winbindd(+0x59488) [0x55aa1fd7e488]
#5 /lib64/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x69) [0x7fcc05890469]
#6 /usr/sbin/winbindd(winbindd_dual_ndrcmd+0x3c5) [0x55aa1fd762d5]
#7 /usr/sbin/winbindd(+0x4d664) [0x55aa1fd72664]
#8 /lib64/libtevent.so.0(tevent_common_invoke_fd_handler+0x97) [0x7fcc03d2e707]
#9 /lib64/libtevent.so.0(+0xef4f) [0x7fcc03d34f4f]
#10 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b]
#11 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5]
#12 /usr/sbin/winbindd(+0x4fd14) [0x55aa1fd74d14]
#13 /usr/sbin/winbindd(+0x505cd) [0x55aa1fd755cd]
#14 /lib64/libtevent.so.0(tevent_common_invoke_immediate_handler+0x182) [0x7fcc03d2ec72]
#15 /lib64/libtevent.so.0(tevent_common_loop_immediate+0x27) [0x7fcc03d2eca7]
#16 /lib64/libtevent.so.0(+0xed2f) [0x7fcc03d34d2f]
#17 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b]
#18 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5]
#19 /usr/sbin/winbindd(main+0xd34) [0x55aa1fd402f4]
#20 /lib64/libc.so.6(__libc_start_main+0xe5) [0x7fcc0339dd85]
#21 /usr/sbin/winbindd(_start+0x2e) [0x55aa1fd40e8e]
[2023/06/16 16:30:18.677828, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../source3/lib/dumpcore.c:318(dump_core)
coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15398
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 20 11:07:45 UTC 2023 on atb-devel-224
Björn Baumbach [Thu, 15 Jun 2023 16:24:50 +0000 (18:24 +0200)]
samba-tool: add new --dns-directory-partition option to dns zonecreate command
The new --dns-directory-partition chooses the directory partition for
the new zone - "domain" or "forest". Defaults to the current default
"domain".
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 16 21:23:28 UTC 2023 on atb-devel-224
Andreas Schneider [Tue, 11 Apr 2023 13:30:23 +0000 (15:30 +0200)]
s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_cross_node.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 11 Apr 2023 13:29:41 +0000 (15:29 +0200)]
s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_dead_rec.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 11 Apr 2023 13:29:01 +0000 (15:29 +0200)]
s3:tests: Do not export UID_WRAPPER_ROOT in test_net_machine_account
Just set it for the test.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 11 Apr 2023 13:27:31 +0000 (15:27 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_net_rpc_oldjoin.sh
This is already set for smbpasswd.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 11 Apr 2023 13:26:52 +0000 (15:26 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 11 Apr 2023 13:26:21 +0000 (15:26 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_mit.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 27 Mar 2023 08:17:39 +0000 (10:17 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_pdbtest.sh
We already set root for smbpasswd.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 27 Mar 2023 08:16:40 +0000 (10:16 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_net_ads_dns.sh
There is not need for root here.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 27 Mar 2023 08:03:50 +0000 (10:03 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_samba-tool_ntacl.sh
There is not need for root here.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 16 Jun 2023 07:57:00 +0000 (09:57 +0200)]
testprogs:subunit: Fix integer comparisons
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 16 Jun 2023 07:42:07 +0000 (09:42 +0200)]
testprogs:subunit: Fix assigning an array to a string
$@ is an array and we want a string.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Wed, 7 Jun 2023 00:42:16 +0000 (02:42 +0200)]
vfs_default.c: use DBG* macros instead of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Wed, 7 Jun 2023 00:30:32 +0000 (02:30 +0200)]
smbXsrv_tcon.c: use DBG* macros instead of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Wed, 7 Jun 2023 00:23:59 +0000 (02:23 +0200)]
dcesrv_drsuapi.c:use DBG* macros instead of static log level numbers
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Wed, 7 Jun 2023 00:18:21 +0000 (02:18 +0200)]
smb2_service.c: use DBG* macros instread of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Wed, 7 Jun 2023 00:05:57 +0000 (02:05 +0200)]
smbXsrv_session.c: use DBG* macros instead of static log level numbers
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Tue, 6 Jun 2023 23:50:39 +0000 (01:50 +0200)]
dns_update.c: use DBG* macros instead of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Tue, 6 Jun 2023 23:45:47 +0000 (01:45 +0200)]
oplock_linux.c: use DBG macros instead of static log level
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Mon, 12 Jun 2023 15:24:15 +0000 (17:24 +0200)]
nmbd_become_lmb.c: use DBG* macros instead of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=4143
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Mon, 12 Jun 2023 15:23:40 +0000 (17:23 +0200)]
nmbd/asyncdns.c: use DBG* macros instead of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=4143
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Mon, 12 Jun 2023 15:23:01 +0000 (17:23 +0200)]
nmbd_sendannounce.c: use DBG* macros instead of static log level numbers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=4143
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Tue, 6 Jun 2023 22:16:25 +0000 (00:16 +0200)]
nmbd: use DBG_ macros and raise some log levels
BUG: https://bugzilla.samba.org/show_bug.cgi?id=4143
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 16 Jun 2023 11:53:25 +0000 (13:53 +0200)]
smbd: smbd_dirptr_lanman2_match_fn(): Remove "exact_match" handling
No caller uses this anymore. The only downside here now is that we
always go directly to mask_match instead of a trying strcasecmp_m
first. I very much doubt this makes a measurable difference because
this would have been called for non-wildcard
readdirs (a.k.a. qpathinfo), and there we do this only once per
complete directory read. Also I don't believe mask_match() is
measurably more expensive than strcasecmp_m() for the usually short
filenames we're looking at here.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 16 17:07:46 UTC 2023 on atb-devel-224
Volker Lendecke [Fri, 16 Jun 2023 11:45:57 +0000 (13:45 +0200)]
smbd: Remove a smb1-only optimization findfirst/findnext
I don't think this is an effective optimization at all anymore. It was
intended to speed up non-wildcard readdirs after we found the correct
entry. Nowadays we do the non-wildcard readdirs by a direct fstatat,
and after we successfully found the entry dptr_ReadDirName()
immediately returns without any further action. So my very strong
guess is that this never really kicked in anymore. Not using this flag
can't be *that* bad, smb2 never used it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 16 Jun 2023 11:32:24 +0000 (13:32 +0200)]
smbd: Remove "a heuristic to avoid seeking the dirptr"
-- we don't seek the dirptr anymore
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 9 Mar 2023 15:16:50 +0000 (16:16 +0100)]
libsmb: Test smb1 mknod
Requires O_PATH to work correctly
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 16 Feb 2023 16:20:55 +0000 (17:20 +0100)]
pylibsmb: Add smb1_stat()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 16 Feb 2023 15:43:46 +0000 (16:43 +0100)]
pylibsmb: Add mknod()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 16 Feb 2023 12:41:44 +0000 (13:41 +0100)]
libsmb: Add SMB1 posix cli_mknod
This is a dead horse, but in the future it will make it easier to test
the smb311 unix extension code.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 24 Apr 2023 14:46:17 +0000 (16:46 +0200)]
rpc_server: Fix talloc hierarchy in _srvsvc_NetSrvGetInfo()
Make ->comment a proper talloc child of the right structure.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 31 May 2023 07:48:58 +0000 (09:48 +0200)]
profiling: Factor out functions to read smbprofile.tdb
We don't need all of Samba just to dump contents of this tdb, make
exporting profile information cheaper.
No direct use yet, but it's a good cleanup IMHO
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 14 Jun 2023 05:23:52 +0000 (07:23 +0200)]
WHATSNEW: Mention removed "directory name cache size" parameter
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 30 May 2023 11:27:00 +0000 (13:27 +0200)]
lib: Add a few required #includes
You find them if you try to #include these files directly
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 26 Apr 2023 13:58:51 +0000 (15:58 +0200)]
winbind: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>