Stefan Metzmacher [Thu, 12 Nov 2020 15:41:21 +0000 (16:41 +0100)]
dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED
We should use DCERPC_FAULT_ACCESS_DENIED as default for
gensec status results of e.g. NT_STATUS_LOGON_FAILURE or
NT_STATUS_INVALID_PARAMTER.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 12 Nov 2020 15:41:05 +0000 (16:41 +0100)]
dcesrv_core: a failure from gensec_update results in NAK_REASON_INVALID_CHECKSUM selftest/knownfail.d/dcerpc-auth-pad
Stefan Metzmacher [Thu, 12 Nov 2020 15:41:05 +0000 (16:41 +0100)]
dcesrv_core: a failure from gensec_update results in NAK_REASON_INVALID_CHECKSUM
We already report that for gensec_start_mech_by_authtype() failures,
but we also need to do that for any invalid authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 16:07:54 +0000 (17:07 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter, auth3 selftest/knownfail.d/dcerpc-auth-pad
Stefan Metzmacher [Wed, 11 Nov 2020 16:07:54 +0000 (17:07 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter, auth3
Sometimes Windows sends 3 presentation contexts (NDR32, NDR64,
BindTimeFeatureNegotiation) in the first BIND of an association.
Binding an additional connection to the association seems to
reuse the BIND buffer and just changes the num_contexts field from
3 to 2 and leaves the BindTimeFeatureNegotiation context as padding
in places.
Note, the auth_pad_length field is send as 0 in that case,
which means we need to ignore it completely, as well as any
padding before the auth header.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 16:59:45 +0000 (17:59 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() expose the reject reason selftest/knownfail.d/dcerpc-auth-pad
Stefan Metzmacher [Wed, 11 Nov 2020 16:59:45 +0000 (17:59 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() expose the reject reason
If dcerpc_pull_auth_trailer() returns NT_STATUS_RPC_PROTOCOL_ERROR
it will return the BIND reject code in auth->auth_context_id.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 16:05:21 +0000 (17:05 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned selftest/knownfail.d/dcerpc-auth-pad
Stefan Metzmacher [Wed, 11 Nov 2020 16:05:21 +0000 (17:05 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned
That what Windows (at least 2012_R2) also asserts.
It also makes sure that ndr_pull_dcerpc_auth() will
start with ndr->offset = 0 and don't tries to eat
possible padding.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 12 Nov 2020 10:10:46 +0000 (11:10 +0100)]
TEST2 TODO test_schannel_invalid_bind selftest/knownfail.d/dcerpc-auth-pad
Stefan Metzmacher [Thu, 12 Nov 2020 10:10:46 +0000 (11:10 +0100)]
TEST2 TODO test_schannel_invalid_bind
Stefan Metzmacher [Thu, 12 Nov 2020 16:22:19 +0000 (17:22 +0100)]
TEST1b test_spnego_connect_bind_auth_align[4|2] selftest/knownfail.d/dcerpc-auth-pad
Stefan Metzmacher [Thu, 12 Nov 2020 16:22:19 +0000 (17:22 +0100)]
TEST1b test_spnego_connect_bind_auth_align[4|2]
Stefan Metzmacher [Wed, 11 Nov 2020 00:19:23 +0000 (01:19 +0100)]
TEST1 python/samba/tests/dcerpc/raw_protocol.py selftest/knownfail.d/dcerpc-auth-pad
Stefan Metzmacher [Wed, 11 Nov 2020 00:19:23 +0000 (01:19 +0100)]
TEST1 python/samba/tests/dcerpc/raw_protocol.py
Stefan Metzmacher [Thu, 12 Nov 2020 15:38:32 +0000 (16:38 +0100)]
dcesrv_core: introduce dcesrv_connection->transport_max_recv_frag
The max fragment size depends on the transport.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 16 Nov 2020 14:01:49 +0000 (15:01 +0100)]
tests/dcerpc/raw_protocol: run test_neg_xmit_ffff_ffff over tcp and smb
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 16 Nov 2020 15:58:35 +0000 (16:58 +0100)]
dcesrv_core: add more verbose debugging for missing association groups
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 11 Nov 2020 15:49:25 +0000 (16:49 +0100)]
RawDCERPCTest: add some more auth_length related asserts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 9 Nov 2020 13:00:43 +0000 (14:00 +0100)]
RawDCERPCTest: split prepare_pdu() and send_pdu_blob() out of send_pdu()
This will make it possible to alter pdus before sending them to the
server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 12 Nov 2020 09:34:38 +0000 (10:34 +0100)]
s4:librpc: provide py_schannel bindings
This will be used in the dcerpc.raw_protocol test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 20 Oct 2021 18:27:12 +0000 (20:27 +0200)]
debug fault
Stefan Metzmacher [Wed, 20 Oct 2021 19:10:28 +0000 (21:10 +0200)]
Revert "debug fault"
This reverts commit
b9cc9004f5d95ac29504b1e4dafe01c6be7c56ee.
Stefan Metzmacher [Wed, 20 Oct 2021 18:27:12 +0000 (20:27 +0200)]
debug fault
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:43 +0000 (18:16 +0200)]
Revert "Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""
This reverts commit
679fd3c8e2f26cf961e01ca56a39a373b6cf9b30.
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:43 +0000 (18:16 +0200)]
Revert "Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""
This reverts commit
71b7c6a941c978a6aafe2e52da0d2258788a77c2.
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:43 +0000 (18:16 +0200)]
Revert "Revert "s3:rpc_client: implement preauth hashing support""
This reverts commit
75fd726e66ebbd1f73992ecd89d5f976374b3c96.
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:43 +0000 (18:16 +0200)]
Revert "Revert "s4:librpc/rpc: implement preauth hashing support""
This reverts commit
84e4745174378259d9778a113e1ca81ff01db346.
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "Revert "s4:librpc/rpc: implement preauth hashing support"""
This reverts commit
97516adf4b0d5b68c00a53895e8c304cbca66f8b.
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "Revert "s3:rpc_client: implement preauth hashing support"""
This reverts commit
dc82612774508354d0b51b239c161840dbba61ef.
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"""
This reverts commit
721a318edd39838c6f2318df15ce6f24c57fb69b.
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"""
This reverts commit
6c0eb5463c735a6d99e3f33b36d7f1069480889c.
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "dcesrv_core: add support for DCERPC_BIND_TIME_PROTECT_ALL_PDUS""
This reverts commit
f174934098422e5d04b3b5e47ee9384e51405f11.
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "dcesrv_core: implement preauth hashing support""
This reverts commit
1d112459c0cfdc2d8343954be023fcce46dbc3ee.
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:33 +0000 (16:14 +0200)]
Revert "dcesrv_core: implement preauth hashing support"
This reverts commit
a1982c8c10591e05374eed06388054baa20bc331.
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:33 +0000 (16:14 +0200)]
Revert "dcesrv_core: add support for DCERPC_BIND_TIME_PROTECT_ALL_PDUS"
This reverts commit
075b12cf688df215ca212dd5251d4fa61ea57eb3.
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:16 +0000 (16:14 +0200)]
Revert "Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""
This reverts commit
679fd3c8e2f26cf961e01ca56a39a373b6cf9b30.
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:16 +0000 (16:14 +0200)]
Revert "Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""
This reverts commit
71b7c6a941c978a6aafe2e52da0d2258788a77c2.
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:16 +0000 (16:14 +0200)]
Revert "Revert "s3:rpc_client: implement preauth hashing support""
This reverts commit
75fd726e66ebbd1f73992ecd89d5f976374b3c96.
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:16 +0000 (16:14 +0200)]
Revert "Revert "s4:librpc/rpc: implement preauth hashing support""
This reverts commit
84e4745174378259d9778a113e1ca81ff01db346.
Stefan Metzmacher [Fri, 19 Apr 2024 14:13:24 +0000 (16:13 +0200)]
Revert "s4:librpc/rpc: implement preauth hashing support"
This reverts commit
bf0bde8fc88782ca1dd82d7397f2ba74c16c155b.
Stefan Metzmacher [Fri, 19 Apr 2024 14:13:24 +0000 (16:13 +0200)]
Revert "s3:rpc_client: implement preauth hashing support"
This reverts commit
1063313bec66f1475ed8d8396398cd50f559b59a.
Stefan Metzmacher [Fri, 19 Apr 2024 14:13:24 +0000 (16:13 +0200)]
Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"
This reverts commit
fc83ab921b1f6048bafa2f67940fc28166ce88b9.
Stefan Metzmacher [Fri, 19 Apr 2024 14:13:24 +0000 (16:13 +0200)]
Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"
This reverts commit
3047fa7dc31f9df0c9d46c5006e145aa30d28daf.
Stefan Metzmacher [Tue, 13 Oct 2015 13:43:05 +0000 (15:43 +0200)]
dcesrv_core: add support for DCERPC_BIND_TIME_PROTECT_ALL_PDUS
This only works if the client supports header signing.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 18 Apr 2024 23:38:23 +0000 (01:38 +0200)]
s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS
We decrypt/verify DCERPC_PKT_FAULT pdus now.
We don't send any DCERPC_PKT_CO_CANCEL nor DCERPC_PKT_ORPHANED
pdus yet...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 13 Oct 2015 13:42:32 +0000 (15:42 +0200)]
s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS
We decrypt/verify DCERPC_PKT_FAULT pdus now.
We don't send any DCERPC_PKT_CO_CANCEL nor DCERPC_PKT_ORPHANED
pdus yet...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 6 Oct 2015 12:21:57 +0000 (14:21 +0200)]
DISCUSS: dcerpc.idl: add DCERPC_BIND_TIME_PROTECT_ALL_PDUS
This applies to all connection oriented dcerpc, which is
all Samba implements and cares about.
The following pdus are usable for connection oriented dcerpc:
DCERPC_PKT_REQUEST
DCERPC_PKT_RESPONSE
DCERPC_PKT_FAULT
DCERPC_PKT_BIND
DCERPC_PKT_BIND_ACK
DCERPC_PKT_BIND_NAK
DCERPC_PKT_ALTER
DCERPC_PKT_ALTER_RESP
DCERPC_PKT_SHUTDOWN
DCERPC_PKT_CO_CANCEL
DCERPC_PKT_ORPHANED
DCERPC_PKT_AUTH3
DCERPC_PKT_REQUEST and DCERPC_PKT_RESPONSE are already
protected by encryption or signing (including header signing).
The following of them are now implicitly protected
by DCERPC_BIND_TIME_SUPPORT_PREAUTH and
DCERPC_SEC_VT_COMMAND_PREAUTH:
DCERPC_PKT_BIND
DCERPC_PKT_BIND_ACK
DCERPC_PKT_BIND_NAK
DCERPC_PKT_ALTER
DCERPC_PKT_ALTER_RESP
DCERPC_PKT_AUTH3
This assuming that the client starts with a protected
DCERPC_PKT_REQUEST, which includes a dcerpc_sec_verification_trailer.
DCERPC_PKT_SHUTDOWN are not supported by Samba nor
also marked as not used on [MS-RPCE].
Currently DCERPC_PKT_FAULT pdus from the server to the client
are not protected by encryption nor signing. Which
requires application level protocols to invent custom
downgrade detection, for things like DCERPC_NCA_S_OP_RNG_ERROR
or DCERPC_NCA_S_FAULT_INVALID_TAG, when running over unprotected
transports.
DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED from the client
to the server are also not protected by encryption nor signing.
The DCERPC_BIND_TIME_PROTECT_ALL_PDUS feature tells client
and server to also encrypt or sign DCERPC_PKT_FAULT,
DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED pdus.
DCERPC_BIND_TIME_PROTECT_ALL_PDUS is only available together
with DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN being negotiated
at the same time, but that's the case with all recent
Windows and Samba releases.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 6 Oct 2015 12:20:38 +0000 (14:20 +0200)]
dcesrv_core: implement preauth hashing support
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 18 Apr 2024 23:23:14 +0000 (01:23 +0200)]
s3:rpc_client: implement preauth hashing support
For now we just need to send DCERPC_SEC_VT_COMMAND_PREAUTH
as we only support one security and one presenation context.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 6 Oct 2015 12:10:36 +0000 (14:10 +0200)]
s4:librpc/rpc: implement preauth hashing support
For now we just need to send DCERPC_SEC_VT_COMMAND_PREAUTH
once per presentation context, as we only support one security context yet.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 6 Oct 2015 09:50:49 +0000 (11:50 +0200)]
librpc/rpc: pass struct dcerpc_sec_vt_preauth to dcerpc_sec_verification_trailer_check()
This is optional and all callers pass NULL until they implement this correctly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 6 Oct 2015 08:25:28 +0000 (10:25 +0200)]
librpc/rpc: implement dcerpc_sec_vt_preauth_{check,update}()
This verifies the client given dcerpc_sec_vt_preauth structure
against the current server preauth hash based on the client given
salt.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 6 Oct 2015 08:25:28 +0000 (10:25 +0200)]
DISCUSS: dcerpc.idl: add DCERPC_BIND_TIME_SUPPORT_PREAUTH and DCERPC_SEC_VT_COMMAND_PREAUTH
DCERPC_BIND_TIME_SUPPORT_PREAUTH will ask the server to fill the uuid part
of the transfer syntax of the DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK
dcerpc_ack_ctx, with a random value.
DCERPC_SEC_VT_COMMAND_PREAUTH makes it possible to detect downgrade attacks.
Client and server calculate a rolling sha512 hash
over all incoming and outgoing BIND,BIND_ACK,ALTER,ALTER_RESP,AUTH3 PDUs.
This is similar to the SMB3 preauth protection.
Both start with an array of SHA512_DIGEST_LENGTH (64) zero bytes
for CONNECTION->PREAUTH_SHA512.
Each PDU updates the hash in the following way.
CONNECTION->PREAUTH_SHA512 = SHA512(CONNECTION->PREAUTH_SHA512 + PDU_BYTES)
Each dcerpc_sec_vt_preauth structure contains a random SALT
and sha512 hash, it calculated as SHA512(CONNECTION->PREAUTH_SHA512 + SALT).
The server also calculates SHA512(CONNECTION->PREAUTH_SHA512 + SALT) and
compares the result with the client specified value.
The dcerpc_sec_vt_preauth is included once per combination
of presentation context and security context. It contains
16 random bytes from the server (via the uuid part of
DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK) and 16 random bytes
from the client (within the dcerpc_sec_vt_preauth structure itself).
The dcerpc_sec_vt_preauth is included in
dcerpc_sec_verification_trailer, which is added as padding
to the end of the DCERPC_PKT_REQUEST payload, so it's encrypted or signed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 18 Apr 2024 23:22:17 +0000 (01:22 +0200)]
s3:rpc_client: implement bind time feature negotiation
This is not strictly needed as we don't use any of the
optional features yet.
But it will make it easier to add bind time features we'll
actually use later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 18 Apr 2024 23:17:46 +0000 (01:17 +0200)]
s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context
We should fail if we didn't get DCERPC_BIND_ACK_RESULT_ACCEPTANCE.
It's also not needed to require a single array element.
We already checked above that we have at least one.
The next patch will all bind time feature negotiation
and that means we'll have 2 array elements...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 18 Apr 2024 23:15:52 +0000 (01:15 +0200)]
s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()
This prepares adding bind time feature negotiation in the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 13 Oct 2015 13:43:05 +0000 (15:43 +0200)]
dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()
dcerpc_ncacn_push_auth() already calls dcerpc_set_frag_length().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Martin Schwenke [Thu, 18 Apr 2024 04:13:11 +0000 (14:13 +1000)]
ctdb-scripts: Do not de-duplicate the interfaces list
Using xargs with sort -u to de-duplicate this list was my idea and
causes a couple of things to go wrong. The use of xargs causes
double-quotes to be lost. The resulting $public_ifaces value also
contains newlines. The newlines could be removed with an additional
xargs at the end of the pipeline... but that would add an extra level
of quote stripping.
I have unsuccessfully tried to find an alternative, but still elegant,
command pipeline that de-duplicates the list, while maintaining
quoting.
So, just drop the de-duplication.
This might make interface_ifindex_exists_with_options() slightly less
efficient. However, that function walks the whole list, only
terminating early when a match is found on both interface and options,
so at least it will be correct.
Include an extra testcase.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Apr 18 09:08:34 UTC 2024 on atb-devel-224
Andreas Schneider [Mon, 15 Apr 2024 05:32:02 +0000 (07:32 +0200)]
python: Fix NtVer check for site_dn_for_machine()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15633
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 17 19:32:11 UTC 2024 on atb-devel-224
Volker Lendecke [Tue, 12 Mar 2024 14:06:33 +0000 (15:06 +0100)]
lib: Remove an obsolete comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 17 09:01:34 UTC 2024 on atb-devel-224
Volker Lendecke [Tue, 13 Feb 2024 12:05:42 +0000 (13:05 +0100)]
smbd: Remove sconn->using_smb2
We have the same information available via conn_using_smb2()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Tue, 13 Feb 2024 11:28:06 +0000 (12:28 +0100)]
smbd: Add conn_using_smb2()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Tue, 13 Feb 2024 11:56:17 +0000 (12:56 +0100)]
smbd: Change protocol selection to not use "sconn->using_smb2"
To me this is pretty confusing, it seems to overload this struct
element.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Thu, 29 Feb 2024 15:11:16 +0000 (16:11 +0100)]
ctdb: Modernize a few DEBUGs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 17 00:54:55 UTC 2024 on atb-devel-224
Volker Lendecke [Fri, 1 Mar 2024 20:19:51 +0000 (21:19 +0100)]
ctdb: Remove common/line.[ch]
This was an implementation of getline(3), use that instead.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Fri, 1 Mar 2024 20:16:57 +0000 (21:16 +0100)]
ctdb: Use stdio's getline() in ctdb_connection_list_read()
This is the only user of common/line.[ch], which can go next.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:11:11 +0000 (13:11 +0200)]
lib: Use fdopen_keepfd()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:08:06 +0000 (13:08 +0200)]
rpc_server3: Use fdopen_keepfd()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:07:56 +0000 (13:07 +0200)]
lib: Add fdopen_keepfd()
Capture the dup/fdopen pattern
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:02:39 +0000 (13:02 +0200)]
lib: Give lib/util/util_file.c its own header file
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Vinit Agnihotri [Tue, 30 Jan 2024 09:50:20 +0000 (01:50 -0800)]
ctdb-scripts: Add options to generate smb.conf interfaces include file
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 30 Jan 2024 09:25:37 +0000 (01:25 -0800)]
ctdb-scripts: Rename and relocate function get_all_interfaces()
get_all_interfaces() functions gets all names for all public interfaces.
However name is misleading. Thus renamed it to get_public_ifaces() and
moved it under functions.
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 11:03:25 +0000 (03:03 -0800)]
smbd-server: Process ip add/drop events for options:dynamic only
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 10:32:23 +0000 (02:32 -0800)]
lib-interface: Change API for interface 'options'
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 10:15:11 +0000 (02:15 -0800)]
lib-interface: Add parsing for interface 'options'
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 10:27:04 +0000 (02:27 -0800)]
lib-interface: Add extra parameter 'options' to interface definition
Signed-off-by: Vinit Agnihotri<vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 11:16:49 +0000 (03:16 -0800)]
param: Add additional key 'options' for interfaces
The key 'options' specifies if server should spawn/kill listning sockets
in event of add/dropped ip addresses on specified interface.
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Thu, 29 Feb 2024 08:52:08 +0000 (00:52 -0800)]
smbd-server: Use MSG_SMB_IP_DROPPED
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Thu, 29 Feb 2024 06:22:38 +0000 (22:22 -0800)]
messaging: Add new SMBD message
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Wed, 28 Feb 2024 11:56:23 +0000 (03:56 -0800)]
smbd-server: Handle ip drop event and close listening socket
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Wed, 21 Feb 2024 05:49:34 +0000 (21:49 -0800)]
smbd-server: Open socket for additional ip address
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 20 Feb 2024 10:40:13 +0000 (02:40 -0800)]
lib-interface: Add new API to validate interface info for given interface index
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Thu, 15 Feb 2024 13:23:37 +0000 (05:23 -0800)]
lib-addrchange: Change API to fill up if_index value from netlink msg
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 13 Feb 2024 11:30:50 +0000 (03:30 -0800)]
smbd-server: Set event callback for interface change notification
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Christof Schmitt [Thu, 7 Mar 2024 23:41:11 +0000 (16:41 -0700)]
docs: Document new tdbdump -x option
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Tue Apr 16 18:37:17 UTC 2024 on atb-devel-224
Christof Schmitt [Fri, 12 Apr 2024 22:48:02 +0000 (15:48 -0700)]
tdb: Add test for tdbdump -x
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Christof Schmitt [Thu, 7 Mar 2024 23:38:53 +0000 (16:38 -0700)]
tdb: Add tdbdump option to output all data as hex values
This can be useful for debugging tdb databases, the hex output of the
key can be used for "net tdb" or ctdb commands.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Christof Schmitt [Fri, 12 Apr 2024 22:44:38 +0000 (15:44 -0700)]
tdb: Add test for tdbdump command
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Christof Schmitt [Fri, 12 Apr 2024 22:22:06 +0000 (15:22 -0700)]
tdb: Return failure as exit status from test_tdbbackup.sh
When this test is called from wscript, only the exit code is checked.
Track failures and return as non-zero exit code.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Shaleen Bathla [Wed, 10 Apr 2024 13:01:39 +0000 (18:31 +0530)]
s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs
Add missing free for entry variable and its members : key and principal
Found definite memory leaks via valgrind as shown below.
Leak 1 :
==1686== 76,800 bytes in 2,400 blocks are definitely lost in loss record 432 of 433
==1686== at 0x4C38185: malloc (vg_replace_malloc.c:431)
==1686== by 0x79CBFED: krb5int_c_copy_keyblock_contents (keyblocks.c:101)
==1686== by 0x621CFA3: krb5_mkt_get_next (kt_memory.c:500)
==1686== by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
==1686== by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
==1686== by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
==1686== by 0x127F45: process_request_send (winbindd.c:502)
==1686== by 0x127F45: winbind_client_request_read (winbindd.c:749)
==1686== by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
==1686== by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
==1686== by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
==1686== by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
==1686== by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
==1686== by 0x66D39B4: _tevent_loop_once (tevent.c:823)
==1686== by 0x1232F3: main (winbindd.c:1718)
Leak 2 :
==1686== at 0x4C38185: malloc (vg_replace_malloc.c:431)
==1686== by 0x62255E4: krb5_copy_principal (copy_princ.c:38)
==1686== by 0x621D003: krb5_mkt_get_next (kt_memory.c:503)
==1686== by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
==1686== by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
==1686== by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
==1686== by 0x127F45: process_request_send (winbindd.c:502)
==1686== by 0x127F45: winbind_client_request_read (winbindd.c:749)
==1686== by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
==1686== by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
==1686== by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
==1686== by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
==1686== by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
==1686== by 0x66D39B4: _tevent_loop_once (tevent.c:823)
==1686== by 0x1232F3: main (winbindd.c:1718)
Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 16 10:22:51 UTC 2024 on atb-devel-224
Jo Sutton [Tue, 13 Feb 2024 02:45:21 +0000 (15:45 +1300)]
s4:dsdb: Implement msDS-ManagedPassword attribute
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 16 05:02:30 UTC 2024 on atb-devel-224
Jo Sutton [Tue, 9 Apr 2024 04:15:48 +0000 (16:15 +1200)]
s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 02:09:17 +0000 (14:09 +1200)]
python:tests: Catch failures to authenticate with gMSA managed passwords
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 01:55:58 +0000 (13:55 +1200)]
selftest: Expand out knownfails for gMSA getpassword tests
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 5 Apr 2024 00:23:18 +0000 (13:23 +1300)]
s4:dsdb: Set up passwords and password IDs of new gMSAs
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 13 Feb 2024 03:09:57 +0000 (16:09 +1300)]
s4:dsdb: Add functions for Group Managed Service Accounts implementation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 00:15:00 +0000 (12:15 +1200)]
s4:dsdb: Factor out a function to remove all password related attributes
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 1 Apr 2024 21:33:27 +0000 (10:33 +1300)]
lib:crypto: Reformat source code
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 5 Apr 2024 00:44:08 +0000 (13:44 +1300)]
tests/krb5: Add tests for gMSAs
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>