Volker Lendecke [Tue, 21 Dec 2021 11:54:56 +0000 (12:54 +0100)]
vfs: Modernize a DEBUG statement
Fix the function name printed
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 19 Dec 2021 10:02:46 +0000 (11:02 +0100)]
smbd: Modernize a DEBUG statement
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 7 Oct 2021 12:52:47 +0000 (14:52 +0200)]
rpc_server3: Inline single-use rpcint_binding_handle_ex()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 6 Oct 2021 10:20:17 +0000 (12:20 +0200)]
rpc_server3: Inline pipes_struct into dcerpc_ncacn_conn
This makes it clear that our internal representation of a rpc client
connection in the source3/ server is struct dcerpc_ncacn_conn and that
struct pipes_struct is only around for API compatibility with the
existing server stubs.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 6 Oct 2021 09:16:21 +0000 (11:16 +0200)]
rpc_server3: Remove dcerpc_ncacn_conn->session_info
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
The talloc hierarchy is correctly maintained, dcesrv_endpoint_connect() takes a
talloc_reference() of session_info.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 6 Oct 2021 09:16:21 +0000 (11:16 +0200)]
rpc_server3: Remove dcerpc_ncacn_conn->local_server_addr
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 6 Oct 2021 09:16:21 +0000 (11:16 +0200)]
rpc_server3: Remove dcerpc_ncacn_conn->remote_client_addr
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 6 Oct 2021 09:16:21 +0000 (11:16 +0200)]
rpc_server3: Remove dcerpc_ncacn_conn->tstream
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 6 Oct 2021 09:16:21 +0000 (11:16 +0200)]
rpc_server3: Remove dcerpc_ncacn_conn->dce_ctx
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 6 Oct 2021 09:16:21 +0000 (11:16 +0200)]
rpc_server3: Remove dcerpc_ncacn_conn->msg_ctx
This was only used inside rpc_worker_new_client(), a leftover from
times where accepting a client was an async process waiting for the
struct named_pipe_auth_req_info4.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 6 Oct 2021 09:14:30 +0000 (11:14 +0200)]
rpc_server3: dcerpc_ncacn_conn->ev_ctx was only set but never used
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 1 Oct 2021 14:28:57 +0000 (16:28 +0200)]
winbind: Don't transfer a pointer that's NULL anyway
ncacn_conn was created by make_internal_ncacn_conn with talloc_zero(),
and that does not set session_info for the purely one-shot connection
state in winbindd_dual_ndrcmd().
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 6 Oct 2021 09:39:21 +0000 (11:39 +0200)]
rpc_server3: No linked list for pipes_struct anymore
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 4 Oct 2021 11:50:02 +0000 (13:50 +0200)]
rpc_server3: Remove pipes_struct->auth
Replace with a call to dcesrv_call_auth_info(p->dce_call)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 4 Oct 2021 11:40:02 +0000 (13:40 +0200)]
rpc_server3: Remove pipes_struct->session_info
This is a big patch, but all it does is replace all "p->session_info"
with "session_info" after introducing a local variable from
dcesrv_call_session_info(p->dce_call).
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 4 Oct 2021 10:49:56 +0000 (12:49 +0200)]
rpc_server3: Remove pipes_struct->pipe_bound
Only used in pipe_access_check(), superseded by dcesrv_call_auth_info()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 4 Oct 2021 10:37:30 +0000 (12:37 +0200)]
rpc_server3: Inline make_base_pipes_struct()
This did not even use all its arguments anymore.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 4 Oct 2021 10:26:18 +0000 (12:26 +0200)]
rpc_server3: Remove pipes_struct->remote_address
Also available via dcesrv_connection_get_remote_address(p->dce_call->conn)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 4 Oct 2021 10:19:57 +0000 (12:19 +0200)]
rpc_server3: Remove pipes_struct->local_address
Also available via dcesrv_connection_get_local_address(p->dce_call->conn)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 4 Oct 2021 10:03:55 +0000 (12:03 +0200)]
rpc_server3: Inline make_base_pipes_struct() into rpc_worker.c
This is the only user, and in winbind_dual_ndr.c's
make_internal_ncacn_conn we have another creator of pipes_struct. So
it seems not necessary to keep this public.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 28 Sep 2021 11:26:18 +0000 (13:26 +0200)]
rpc_server3: Inline make_internal_ncacn_conn() into rpc_worker.c
This was the only user, and as we have another custom version in
winbind with make_internal_ncacn_conn(), I think this is not really
required to keep around as a separate function.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 21 Dec 2021 16:12:55 +0000 (17:12 +0100)]
smbd: Avoid a DEBUGADD statement
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 12 Oct 2021 10:06:20 +0000 (12:06 +0200)]
Remove some unused code
I think that if we want to work on asn1 routines we should use
libtasn1. We already depend on this via gnutls these days.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 27 Dec 2021 10:25:34 +0000 (11:25 +0100)]
lib: Avoid a cast
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 24 Nov 2021 11:28:34 +0000 (12:28 +0100)]
smbd: Avoid some casts
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 26 Nov 2021 15:36:25 +0000 (16:36 +0100)]
smbd: Remove an unneeded anonymous struct declaration
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 26 Nov 2021 15:35:44 +0000 (16:35 +0100)]
smbd: Move fast_string_hash() to mangle_hash.c, the only user
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 25 Nov 2021 15:52:41 +0000 (16:52 +0100)]
smbd: Fix a few typos
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 25 Nov 2021 14:37:00 +0000 (15:37 +0100)]
smbd: Save a few lines by using cp_smb_filename_nostream()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 17 Dec 2021 22:32:28 +0000 (23:32 +0100)]
auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 4 20:57:41 UTC 2022 on sn-devel-184
Stefan Metzmacher [Fri, 17 Dec 2021 22:23:33 +0000 (23:23 +0100)]
s4:torture/smb2: add smb2.session.ntlmssp_bug14932 test
This demonstrates that an invalid av_pair in NTLMv2_CLIENT_CHALLENGE
should result in NT_STATUS_INVALID_PARAMETER at the NTLMSSP layer.
This is different from the netr_LogonSamLogon*() case, where it is
ignored instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 15 Dec 2021 16:25:06 +0000 (17:25 +0100)]
libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore invalid netapp requests
We should avoid spamming the logs with well-known messages like:
ndr_pull_error(Buffer Size Error): Pull bytes 39016
They just confuse admins (and developers).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Wed, 15 Dec 2021 16:25:06 +0000 (17:25 +0100)]
libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL
Windows doesn't complain about invalid av_pair blobs,
we need to do the same.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 17 Dec 2021 21:28:51 +0000 (22:28 +0100)]
s4:torture/rpc: add test for invalid av_pair content in LogonSamLogonEx
A netapp diag tool uses a NTLMv2_CLIENT_CHALLENGE with invalid bytes
as av_pair blob, which is supposed to be ignored by DCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Sat, 18 Dec 2021 09:40:36 +0000 (10:40 +0100)]
auth/credentials: cli_credentials_set_ntlm_response() pass session_keys
Otherwise cli_credentials_get_ntlm_response() will return session keys
with a 0 length, which leads to errors in the NTLMSSP code.
This wasn't noticed as cli_credentials_set_ntlm_response() has no
callers yet, but that will change in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
David Mulder [Mon, 3 Jan 2022 15:40:56 +0000 (08:40 -0700)]
Remove stray reference to "ldap ssl ads"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14462
"ldap ssl ads" has been deprecated and removed.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 4 19:58:24 UTC 2022 on sn-devel-184
Stefan Metzmacher [Sat, 1 Jan 2022 00:31:01 +0000 (01:31 +0100)]
Happy New Year 2022!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 1 01:24:21 UTC 2022 on sn-devel-184
Volker Lendecke [Mon, 27 Dec 2021 10:17:22 +0000 (11:17 +0100)]
smbd: Assert we don't leak fd's in struct fd_handle
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Dec 30 11:54:17 UTC 2021 on sn-devel-184
Volker Lendecke [Tue, 28 Dec 2021 11:25:59 +0000 (12:25 +0100)]
smbd: Replace SMB_VFS_CLOSE() calls with fd_close()
fd_close() mostly wraps SMB_VFS_CLOSE() but also takes care of refcounting
fsp->fh properly and also makes sure that fsp->fh->fd is set to -1 after close.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Tue, 28 Dec 2021 17:42:00 +0000 (18:42 +0100)]
vfs_commit: Reset fsp->fd->fd to -1 after SMB_VFS_CLOSE
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Tue, 28 Dec 2021 17:34:20 +0000 (18:34 +0100)]
pysmbd: Fix file descriptor leaks
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Tue, 28 Dec 2021 11:25:40 +0000 (12:25 +0100)]
smbd: Fix a fd leak when closing a print file
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 21 Dec 2021 10:19:40 +0000 (11:19 +0100)]
s3:libsmb: fix signing regression SMBC_server_internal()
commit d0062d312cbbf80afd78143ca5c0be68f2d72b03 introduced
SMBC_ENCRYPTLEVEL_DEFAULT as default, but the logic to enforce
signing wasn't adjusted, so we required smb signing by default.
That broke guest authentication for libsmbclient using applications.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec 27 16:38:11 UTC 2021 on sn-devel-184
Stefan Metzmacher [Tue, 21 Dec 2021 11:05:13 +0000 (12:05 +0100)]
s4:selftest: run libsmbclient.noanon_list against maptoguest
This demonstrates the problem with guest access being rejected
by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 21 Dec 2021 11:04:30 +0000 (12:04 +0100)]
s4:torture/libsmbclient: add libsmbclient.noanon_list test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 21 Dec 2021 13:39:25 +0000 (14:39 +0100)]
selftest/Samba3: enable SMB1 for maptoguest
guest authentication is an old school concept,
so we should make sure it also works with SMB1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 23 Dec 2021 17:32:44 +0000 (18:32 +0100)]
s4:rpc_server/netlogon: adjust the valid_flags based on dsdb_dc_functional_level()
This allows us to let DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED through
based on the manually changed msDS-Behavior-Version of our NTDSA object.
We still need to have tests depending on the msDS-Behavior-Version
value if the DSGETDC_VALID_FLAGS is really correct at all.
But for now this allows us to test krb5 FAST from Windows clients.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Fri Dec 24 03:03:50 UTC 2021 on sn-devel-184
Joseph Sutton [Wed, 22 Dec 2021 01:41:50 +0000 (14:41 +1300)]
s4:rpc_server/netlogon: adjust the flags logic to MS-NRPC 3.5.4.3.1 DsrGetDcNameEx2
Note that this doesn't change the logic as we still reject
DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED via the initial DSGETDC_VALID_FLAGS
check. We may change that in future, but may need some tests for it.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 22 Dec 2021 01:51:08 +0000 (14:51 +1300)]
dsdb/netlogon: Indicate DC functional level support in samlogon response
The DS_SERVER_DS_8 flag is necessary for Windows to detect FAST support.
Note for now we only ever have DS_DOMAIN_FUNCTION_2008_R2 (4) in the
msDS-Behavior-Version attribute of our own NTDSA object. So
for now this is only for manual testing. In future we most likely
want to extend 'samba-tool domain level' to raise the dc level
manually or let 'samba' autoupgrade the value.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 23 Dec 2021 10:40:58 +0000 (11:40 +0100)]
dsdb/netlogon: make use of dsdb_dc_functional_level() in fill_netlogon_samlogon_response()
[MS-ADTS] 6.3.3.2 "Domain Controller Response to an LDAP Ping" indicates
that the resulting flags depend on the server software (behavior)
and not the domain wide functional level.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Wed, 22 Dec 2021 01:53:44 +0000 (14:53 +1300)]
dsgetdcname: Display new flags in debug output
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 22 Dec 2021 21:57:50 +0000 (10:57 +1300)]
netlogon.idl: Add flags for indicating directory service versions
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 23 Dec 2021 10:34:25 +0000 (11:34 +0100)]
s4:rpc_server/dnsserver: make use of dsdb_dc_functional_level()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 23 Dec 2021 10:34:02 +0000 (11:34 +0100)]
dsdb/common: add dsdb_dc_functional_level() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 16 Dec 2021 06:24:58 +0000 (07:24 +0100)]
python:tests: Don't require an emtpy 'authorization-data' to be present
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Dec 20 17:01:11 UTC 2021 on sn-devel-184
Stefan Metzmacher [Mon, 20 Dec 2021 16:02:12 +0000 (17:02 +0100)]
Revert "python:tests: Don't require an emtpy 'authorization-data' to be present"
This reverts commit 36325f1ee907d38c978229da67de3844f969cd33.
This was not the latest version from:
https://gitlab.com/samba-team/samba/-/merge_requests/2304
The correct version follows...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Anoop C S [Fri, 17 Dec 2021 10:11:25 +0000 (15:41 +0530)]
s3/rpc_server: Remove duplicate dependency listing for RPC_SERVICE
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Dec 20 10:14:53 UTC 2021 on sn-devel-184
Andreas Schneider [Thu, 16 Dec 2021 06:24:58 +0000 (07:24 +0100)]
python:tests: Don't require an emtpy 'authorization-data' to be present
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Mon Dec 20 08:26:45 UTC 2021 on sn-devel-184
Jeremy Allison [Wed, 15 Dec 2021 18:41:39 +0000 (10:41 -0800)]
s3: smbd: In setup_close_full_information(), remove unneeded vfs_stat().
After openat_pathref_fsp() is successful we know we have a VALID_STAT().
It either returns NT_STATUS_OK or we look at the stat
struct for S_ISLNK so we know we have VALID_STAT().
If it's not successful we error out, so we don't need
another vfs_stat() here.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 16 07:33:09 UTC 2021 on sn-devel-184
Günther Deschner [Wed, 17 Nov 2021 08:56:09 +0000 (09:56 +0100)]
pam_winbind: add new pwd_change_prompt option (defaults to off).
This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 16 03:05:30 UTC 2021 on sn-devel-184
Andreas Schneider [Tue, 14 Dec 2021 15:27:17 +0000 (16:27 +0100)]
s3:winbind: Fix using normalized name in sam_name_to_sid()
name is never read again, we want lsa_name to be set.
Found by covscan.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 15 20:22:47 UTC 2021 on sn-devel-184
Andreas Schneider [Tue, 14 Dec 2021 15:13:51 +0000 (16:13 +0100)]
lib:util: Initialize pid
Found by covscan
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Tue, 14 Dec 2021 15:12:43 +0000 (16:12 +0100)]
lib:krb_wrap: Add missing error check in smb_krb5_salt_principal_str()
Found by covscan.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Tue, 14 Dec 2021 14:46:05 +0000 (15:46 +0100)]
s3:winbindd: Remove dead code from sam_rids_to_names()
domain_name is never NULL in this case. Found by covscan.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Tue, 14 Dec 2021 14:42:06 +0000 (15:42 +0100)]
s4:dns_server: Remove less-than-zero comparison of an unsigned value
This will never be true. Found by covscan
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Tue, 14 Dec 2021 14:38:45 +0000 (15:38 +0100)]
ctdb:client: Initialize structs and pointers in ctdb_ctrl_(en|dis)able_node()
Found by covscan.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Fri, 10 Dec 2021 14:10:39 +0000 (15:10 +0100)]
s3:libnet: Initialize struct ODJ_POLICY_DNS_DOMAIN_INFO
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Fri, 10 Dec 2021 14:06:03 +0000 (15:06 +0100)]
lib:util: Check return value of tdb_parse_record()
This makes covscan happy.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Fri, 10 Dec 2021 14:03:20 +0000 (15:03 +0100)]
s3:lib: Do not close fd = -1 on fail in netapi example
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Fri, 10 Dec 2021 13:56:08 +0000 (14:56 +0100)]
s3:lib: Fix memory leak in netapi examples
Found by covscan.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 14 Dec 2021 17:50:12 +0000 (09:50 -0800)]
s3: smbd: In call_trans2qfilepathinfo(), remove unneeded vfs_stat().
We know at this point that we have VALID_STAT(smb_fname->st).
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 15 19:26:50 UTC 2021 on sn-devel-184
Jeremy Allison [Tue, 14 Dec 2021 17:46:51 +0000 (09:46 -0800)]
s3: smbd: In call_trans2qfilepathinfo(), we must have an existing object in the QPATHINFO case.
qpathinfo must operate on an existing file, so we
can exit early if filename_convert() returned the "new file"
NT_STATUS_OK, !VALID_STAT case.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Jeremy Allison [Tue, 14 Dec 2021 00:54:07 +0000 (16:54 -0800)]
s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, we don't need to re-stat.
If we need a valid filesystem object, and we have a !VALID_STAT()
return from filename_convert(), the previous commit has already
errored out. We don't need a re-stat call here.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Jeremy Allison [Tue, 14 Dec 2021 00:48:14 +0000 (16:48 -0800)]
s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, ensure we have a VALID_STAT return from filename_convert().
Remember, filename_convert() can return NT_STATUS_OK
with !VALID_STAT() if the last component doesn't exist,
as this may be an object create.
For call_trans2setfilepathinfo(), there are only 4 info levels
for the TRANSACT2_SETPATHINFO (pathname) case that don't require
an existing filesystem object (i.e. a VALID_STAT()) in the return
from filename_convert() as they can create an object in the
filesystem.
If we don't get a VALID_STAT() and the info level isn't one of
those 4, error out.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Jeremy Allison [Mon, 13 Dec 2021 22:19:35 +0000 (14:19 -0800)]
s3: smbd: call_trans2setfilepathinfo(), TRANSACT2_SETFILEINFO case, use helper function vfs_stat().
This isn't a change in behavior, even though the
old comment says: "Always do lstat for UNIX calls".
A previous commit enforces POSIX pathname negotiation
before allowing UNIX info levels to be processed here,
so we can guarantee that SMB_FILENAME_POSIX_PATH is set
on smb_fname if we're allowing a UNIX info level.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Jeremy Allison [Mon, 13 Dec 2021 22:13:59 +0000 (14:13 -0800)]
s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QPATHINFO, use helper function vfs_stat().
This isn't a change in behavior, even though the
old comment says: "Always do lstat for UNIX calls".
A previous commit enforces POSIX pathname negotiation
before allowing UNIX info levels to be processed here,
so we can guarantee that SMB_FILENAME_POSIX_PATH is set
on smb_fname if we're allowing a UNIX info level.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Jeremy Allison [Mon, 13 Dec 2021 22:09:33 +0000 (14:09 -0800)]
s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QPATHINFO on a named stream case, use helper function vfs_stat().
This isn't a change in behavior, even though the
old comment says: "Always do lstat for UNIX calls".
A previous commit enforces POSIX pathname negotiation
before allowing UNIX info levels to be processed here,
so we can guarantee that SMB_FILENAME_POSIX_PATH is set
on smb_fname if we're allowing a UNIX info level.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Jeremy Allison [Mon, 13 Dec 2021 22:05:32 +0000 (14:05 -0800)]
s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QFILEINFO case, use helper function vfs_stat().
This isn't a change in behavior, even though the
old comment says: "Always do lstat for UNIX calls".
A previous commit enforces POSIX pathname negotiation
before allowing UNIX info levels to be processed here,
so we can guarantee that SMB_FILENAME_POSIX_PATH is set
on smb_fname if we're allowing a UNIX info level.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Jeremy Allison [Tue, 14 Dec 2021 00:08:14 +0000 (16:08 -0800)]
s3: smbd: In parent_dirname_compatible_open(), use helper function vfs_stat().
This is a change in behavior, but the old behavior was incorrect.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Jeremy Allison [Mon, 13 Dec 2021 22:02:51 +0000 (14:02 -0800)]
s3: smbd: In vfs_stat_smb_basename() use vfs_stat() helper function.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Jeremy Allison [Mon, 13 Dec 2021 21:45:13 +0000 (13:45 -0800)]
s3: smbd: In smbd_smb2_getinfo_send(), use vfs_stat() utility function.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Noel Power [Wed, 15 Dec 2021 15:55:02 +0000 (15:55 +0000)]
s3: smbd: In stat_cache_lookup(), remove unused posix_paths param.
Signed-off-by: Noel Power <npower@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Mon, 13 Dec 2021 21:44:25 +0000 (13:44 -0800)]
s3: smbd: In stat_cache_lookup(), use vfs_stat() utility function.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Noel Power [Wed, 15 Dec 2021 15:36:22 +0000 (15:36 +0000)]
s3: smbd: In setup_close_full_information() the posix_open parameter is not needed anymore.
Signed-off-by: Noel Power <npower@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Mon, 13 Dec 2021 21:43:06 +0000 (13:43 -0800)]
s3: smbd: In setup_close_full_information() use vfs_stat() helper function.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Jeremy Allison [Mon, 13 Dec 2021 21:42:35 +0000 (13:42 -0800)]
s3: smbd: In check_parent_exists() use utility function vfs_stat().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Joseph Sutton [Tue, 14 Dec 2021 06:16:15 +0000 (19:16 +1300)]
tests/krb5: Add tests for AS-REQ to self with FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 15 04:33:11 UTC 2021 on sn-devel-184
Joseph Sutton [Tue, 14 Dec 2021 06:16:00 +0000 (19:16 +1300)]
tests/krb5: Correctly determine whether tickets are service tickets
Previously we expected tickets to contain a ticket checksum if the sname
was not the krbtgt. However, the ticket checksum should not be present
if we are performing an AS-REQ to our own account. Now we determine a
ticket is a service ticket only if the request is also a TGS-REQ.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 14 Dec 2021 06:16:26 +0000 (19:16 +1300)]
tests/krb5: Generate unique UPNs for enterprise tests
This helps to avoid problems with account creation on Windows due to UPN
uniqueness constraints.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 9 Dec 2021 00:18:54 +0000 (13:18 +1300)]
s4:torture: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 9 Dec 2021 00:18:45 +0000 (13:18 +1300)]
s4:torture: Remove comments that are no longer relevant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 10 Dec 2021 01:59:22 +0000 (14:59 +1300)]
kdc: Pad UPN_DNS_INFO PAC buffer
Padding this buffer to a multiple of 8 bytes allows the PAC buffer
padding to match Windows.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 14 Dec 2021 06:19:42 +0000 (19:19 +1300)]
Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows"
This alignment should be done on the Samba side instead.
This reverts commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 8 Dec 2021 22:56:55 +0000 (11:56 +1300)]
tests/krb5: Add tests for PAC buffer alignment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Dec 2021 07:31:49 +0000 (08:31 +0100)]
s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 7 Oct 2021 13:12:35 +0000 (15:12 +0200)]
s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac()
This will be allocated by the KDC in MIT KRB5 1.20 and newer.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Dec 2021 14:48:08 +0000 (15:48 +0100)]
s4:mitkdc: Pass NULL to ks_get_pac() as the client_key
This is unused with MIT KRB5 < 1.20 as this is probably not the right key.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Dec 2021 07:33:05 +0000 (08:33 +0100)]
s4:mitkdc: Add support for pac_attrs and requester_sid
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 8 Dec 2021 08:17:32 +0000 (09:17 +0100)]
s4:mitkdc: Reset errno to 0 for com_err messages
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 8 Dec 2021 08:16:57 +0000 (09:16 +0100)]
s4:mitkdc: Use talloc_get_type_abort() in ks_get_context()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>