Joseph Sutton [Wed, 8 Nov 2023 03:18:54 +0000 (16:18 +1300)]
librpc:ndr: Check return values of talloc functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 13 Jul 2023 02:37:27 +0000 (14:37 +1200)]
librpc:ndr: Fix error messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Nov 2023 23:11:24 +0000 (12:11 +1300)]
libcli/security:sddl_decode message offset safety latch
the message offset is largely calculated using the differences
between pointers in many places scattered throughout the code.
If we got one of these wrong, we could easily have a SIZE_MAX-ish
offset, which would be unfortunate if we came decided to display
the offset using spaces.
We can sanely limit the offset to the length of the SDDL.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Nov 2023 22:44:56 +0000 (11:44 +1300)]
libcli/security/test_sddl_conditional_ace: add message tests
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Nov 2023 22:33:56 +0000 (11:33 +1300)]
libcli/security:sddl_parse: add some top level error messages
the way we parse things, we can't really distinguish between complete
nonsense and an ACL that seems to end early because of bad flags. That
is, "D:ZZ(A;;;;;WD)" looks the same as "ZZ" to the parser. But at least
we can point to the right place in the string.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Nov 2023 22:28:57 +0000 (11:28 +1300)]
libcl/security:sddl_decode_acl: expand a comment
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Nov 2023 22:28:35 +0000 (11:28 +1300)]
libcli/security:sddl_decode_ace: fix ';' count message
The wrong number of semicolons is usually one less than count (which
counts sections separated by semicolons), except when count is zero.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Nov 2023 05:45:57 +0000 (18:45 +1300)]
libcl/security:sddl_decode_acl: add a message
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Nov 2023 05:45:19 +0000 (18:45 +1300)]
libcli/security:sddl_decode_ace: add more messages
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Nov 2023 23:51:36 +0000 (12:51 +1300)]
libcli/security: adjust log verbosity in sddl_decode
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Nov 2023 05:43:33 +0000 (18:43 +1300)]
libcli/security:sddl_decode_ace: turn DBG_WARNINGs into messages
This allows the messages to be more reliably presented by client tools
in a useful way.
The messages lose the trailing \n, and some were slightly tweaked (e.g.
s/Resource ACE/Resource Attribute ACE/).
They will still show up in logs for callers of sddl_decode(), but at
NOTICE level rather than WARNING.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Nov 2023 22:47:07 +0000 (11:47 +1300)]
pytest:samba-tool domain auth policy: expect error message detail
The knownfail will stay around for a few commits, because the message
we get is slightly wrong.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 Nov 2023 04:56:48 +0000 (17:56 +1300)]
libcli/security:sddl_decode_err_msg(): don't pretend msg is optional (CID1548624)
Having it optionally NULL just complicates the code, and Coverity
rightly complained.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:44:02 +0000 (12:44 -0700)]
vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Wed Nov 15 19:55:07 UTC 2023 on atb-devel-224
Christof Schmitt [Thu, 9 Nov 2023 19:42:13 +0000 (12:42 -0700)]
vfs_aixacl2: Call stat DAC_CAP_OVERRIDE functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:39:57 +0000 (12:39 -0700)]
nfs4_acls: Make fstat_with_cap_dac_override static
No other module is calling this function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:38:46 +0000 (12:38 -0700)]
nfs4_acls: Make stat_with_cap_dac_override static
No other module is calling this function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:37:25 +0000 (12:37 -0700)]
nfs4_acls: Make fstatat_with_cap_dac_override static
No other module is calling this function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:35:21 +0000 (12:35 -0700)]
vfs_gpfs: Move vfs_gpfs_fstatat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is being moved to nfs4_acls.c to allow
reuse. Move the vfs_gpfs_fstatat function and rename it to the more
generic name nfs4_acl_fstat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:30:27 +0000 (12:30 -0700)]
vfs_gpfs: Move vfs_gpfs_lstat to nfs4_acls.c and rename function
All stat CAP_DAC_OVERRIDE code is being moved to nf4_acls.c to allow
reuse. Move the vfs_gpfs_lstat function and rename to the more generic
name nfs4_acl_lstat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:27:58 +0000 (12:27 -0700)]
vfs_gpfs: Move vfs_gpfs_fstat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is moving to nfs4_acls.c to allow reuse.
Move the vfs_gpfs_fstat function and rename to the more generic name
nfs4_acl_fstat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:23:49 +0000 (12:23 -0700)]
vfs_gpfs: Move vfs_gpfs_stat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is moving to nfs4_acls.c to allow reuse
by other file system modules. Also rename the function to the more
generic name nfs4_acl_stat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:20:38 +0000 (12:20 -0700)]
vfs_gpfs: Move stat_with_capability to nfs4_acls.c and rename function
All stat CAP_DAC_OVERRIDE code is moving to nfs4_acls.c to allow reuse
by other filesystem modules. Also rename the function to the slightly
more precise name stat_with_cap_dac_overide.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:17:21 +0000 (12:17 -0700)]
vfs_gpfs: Move fstatat_with_cap_dac_override to nfs4_acls.c
All stat DAC_CAP_OVERRIDE code is being moved to nfs4_acls.c to allow
reuse by other filesystem modules.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:01:56 +0000 (12:01 -0700)]
nfs4_acls: Implement fstat with DAC_CAP_OVERRIDE
AT_EMTPY_PATH does not exist on AIX. Address this by implementing an
override for fstat. Implement the new override function in nfs4_acls.c
since all stat functions with DAC_CAP_OVERRIDE will be moved there to
allow reuse by other filesystems.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Anoop C S [Mon, 13 Nov 2023 06:58:19 +0000 (12:28 +0530)]
docs-xml: Fix a usage for case sensitive parameter
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 15 18:52:16 UTC 2023 on atb-devel-224
Anoop C S [Mon, 13 Nov 2023 07:17:17 +0000 (12:47 +0530)]
vfs_ceph: Replace libceph with libcephfs in comments
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Anoop C S [Mon, 13 Nov 2023 07:13:59 +0000 (12:43 +0530)]
vfs_ceph: Fix the comment quoting module usage
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Anoop C S [Sat, 11 Nov 2023 05:43:15 +0000 (11:13 +0530)]
vfs_ceph: Fix a comment in cephwrap_fchmod()
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Anoop C S [Sat, 11 Nov 2023 05:37:28 +0000 (11:07 +0530)]
vfs_ceph: Add path based fallback mechanism for SMB_VFS_CHOWN
Fallback mechanism was missing in cephwrap_fchown() for path based call.
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 14 Nov 2023 11:12:22 +0000 (12:12 +0100)]
smbd: Get the symlink mode for posix through fdos_mode()
fdos_mode() has special code to deal with symlinks, so we don't have
to replicate that logic here.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Nov 15 06:10:38 UTC 2023 on atb-devel-224
Volker Lendecke [Tue, 14 Nov 2023 11:11:17 +0000 (12:11 +0100)]
smbd: Centralize fdos_mode() in smbd_dirptr_get_entry()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 14 Nov 2023 11:09:54 +0000 (12:09 +0100)]
smbd: Centralize wiping the ".." stat info
Make sure this also happens for symlinks etc.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 13 Nov 2023 12:46:51 +0000 (13:46 +0100)]
smbd: Simplify smbd_dirptr_get_entry()
This uses the much simpler openat_pathef_fsp_lcomp, avoiding
non_widelink_open where we don't need it. The only case where we still
have to call openat_pathref_fsp() in its full capacity is to find out
whether a symlink we found is dangling or not.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 13 Nov 2023 12:48:42 +0000 (13:48 +0100)]
smbd: Remove a pointless NULL check
We've dereferenced smb_fname before, and talloc_move() never fails.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 13 Nov 2023 09:25:58 +0000 (10:25 +0100)]
smbd: Slightly simplify smbd_dirptr_get_entry()
Check for dirptr being toplevel just once.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 12 Nov 2023 10:48:30 +0000 (11:48 +0100)]
smbd: Move mask_match_search() to smb1_reply.c
Only called there.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 12 Nov 2023 10:30:11 +0000 (11:30 +0100)]
smbd: Simplify smbd_dirptr_get_entry()
Both mode_fn's are now the same. Fold them into smbd_dirptr_get_entry()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 11 Nov 2023 18:12:16 +0000 (19:12 +0100)]
smbd: Simplify smbd_dirptr_8_3_mode_fn()
Do the smb1-specific code directly in smb1-code. Don't tunnel it
through generic smb1/smb2 code.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 9 Nov 2023 11:50:07 +0000 (12:50 +0100)]
smbd: Rename "fsp" to "dirfsp" in smbd_smb2_query_directory_state
Makes it clearer to me what we have there.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 14 Nov 2023 09:53:30 +0000 (10:53 +0100)]
smbd: Directly print errno in openat_pathref_fsp_lcomp()
This is where the error came from.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 9 Nov 2023 11:25:32 +0000 (12:25 +0100)]
smbd: Remove a NULL check that became obsolete
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 13 Nov 2023 16:30:22 +0000 (17:30 +0100)]
smbd: Modernize a DEBUG statement
Avoid casts
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 21:21:02 +0000 (10:21 +1300)]
netcmd: docs: update docs for silo member grant + revoke
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov 15 05:00:58 UTC 2023 on atb-devel-224
Rob van der Linde [Tue, 7 Nov 2023 20:44:14 +0000 (09:44 +1300)]
netcmd: tests: update silo member grant and revoke docstings and comments
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 20:42:33 +0000 (09:42 +1300)]
netcmd: tests: rename silo member tests to grant + revoke
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 20:35:13 +0000 (09:35 +1300)]
netcmd: tests: rename add_silo_member and remove_silo_member methods in test
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 20:26:15 +0000 (09:26 +1300)]
netcmd: silo member: update docstrings comments and print statements for grant + revoke
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 20:24:59 +0000 (09:24 +1300)]
netcmd: silo member: update command line options help text for grant + revoke
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 20:20:59 +0000 (09:20 +1300)]
netcmd: silo member: rename add and remove commands to grant and revoke
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 20:13:04 +0000 (09:13 +1300)]
netcmd: silo member: update model docstrings and exception text
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 20:10:14 +0000 (09:10 +1300)]
netcmd: silo member: rename model methods to grant and revoke
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 19:30:22 +0000 (08:30 +1300)]
netcmd: silo member: rename exceptions to grant and revoke
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 8 Nov 2023 11:41:51 +0000 (00:41 +1300)]
netcmd: models: fix incorrect return type should not be User
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 8 Nov 2023 01:06:10 +0000 (14:06 +1300)]
netcmd: models: Model.query method makes use of Query class
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 23:09:22 +0000 (12:09 +1300)]
netcmd: models: add Query class to replace simple generator
This allows other methods to be added on top of the Query class like .first() and .one()
Sometimes it's useful to raise an exception if 0 rows are returned, while other times it's best to return None.
Having a Query class makes it easy to add methods like .one() and .first() to take care of this requirement.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 31 Oct 2023 03:59:31 +0000 (16:59 +1300)]
netcmd: docs: document samba-tool user auth silo and policy commands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 31 Oct 2023 02:20:25 +0000 (15:20 +1300)]
netcmd: tests: add tests for user auth policy and silo commands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 31 Oct 2023 02:36:53 +0000 (15:36 +1300)]
netcmd: tests: rename domain_auth_base.py to silo_base.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 31 Oct 2023 02:33:55 +0000 (15:33 +1300)]
netcmd: tests: rename base class to be used by more tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Sun, 29 Oct 2023 23:43:57 +0000 (12:43 +1300)]
netcmd: add auth silo and policy sub-commands to samba-tool user
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 05:45:30 +0000 (18:45 +1300)]
netcmd: silo member: Make output consistent with user command
* Use print with file=self.outf
* Show assigned or unassigned silo
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 05:44:20 +0000 (18:44 +1300)]
netcmd: model: User model str method returns username not cn
If the cn is needed then user.cn can be used, this makes it nicer if using {user} in format strings.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 05:06:22 +0000 (18:06 +1300)]
netcmd: tests: make use of unique_name
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 7 Nov 2023 04:49:18 +0000 (17:49 +1300)]
netcmd: silo member uses consistent output with other commands
This also includes always spelling out "authentication silo" or "authentication policy" in full, not just calling it "silo."
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 30 Oct 2023 23:27:56 +0000 (12:27 +1300)]
netcmd: silo member add and remove should not set assigned_silo
The Windows tools don't do this either
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 1 Nov 2023 03:46:44 +0000 (16:46 +1300)]
netcmd: silo member: make use of User.find function
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 1 Nov 2023 03:44:18 +0000 (16:44 +1300)]
netcmd: model: add a find method to User model to avoid repeating code
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 30 Oct 2023 22:31:10 +0000 (11:31 +1300)]
netcmd: model: add missing assigned_policy field on User model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 31 Oct 2023 22:55:01 +0000 (11:55 +1300)]
netcmd: user: PEP8 E303 E305: fix too many or too little blank lines
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 31 Oct 2023 22:43:39 +0000 (11:43 +1300)]
netcmd: user: PEP8 E225: missing whitespace around operator
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 31 Oct 2023 22:42:14 +0000 (11:42 +1300)]
netcmd: user: PEP8 E221: fix multiple spaces before operator
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 31 Oct 2023 22:39:54 +0000 (11:39 +1300)]
netcmd: user: PEP8 E127: fix hanging indent not lining up
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 31 Oct 2023 22:58:26 +0000 (11:58 +1300)]
netcmd: user: PEP8 E502: backslash is redundant between brackets
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 31 Oct 2023 22:28:34 +0000 (11:28 +1300)]
netcmd: user: PEP8 E117: code is overindented
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Fri, 2 Sep 2022 11:48:08 +0000 (11:48 +0000)]
python/samba/tests: Add smbcacl tests for save/restore
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Tue, 27 Sep 2022 15:28:28 +0000 (16:28 +0100)]
docs-xml: Update manpages for new -T, --save & --restore options
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Tue, 14 Nov 2023 09:12:01 +0000 (09:12 +0000)]
s3/utils: Add support to smbcacls to restore dacls from file
Allow smbcacls to restore dacls to a directory from file created by
with smbcacls '--save' or icalcs /save
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Fri, 12 Aug 2022 10:27:58 +0000 (11:27 +0100)]
s3/utils: Add functionality to smbcacls to save dacl(s) to a restore file
Add similar functionality to 'icacls name /save'
Save dacls for a file/directory to a restore/save file.
When saving dacls associated with a directory, using the 'recusive'
switch '-T' will recursively save the content of the directory.
Note: the save file produced by smbcacls and icacls are interchangeable
as smbcacls produces (and uses) the same file format.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Wed, 17 Aug 2022 14:39:19 +0000 (15:39 +0100)]
s3/utils: Add recursive option to smcacls
Adds new switch (and associated help) note: nothing using it yet
Subsequent following commits will make use of this option with
'save' functionality
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Thu, 11 Aug 2022 14:26:01 +0000 (15:26 +0100)]
s3/utils: Add save and restore config switches (and help output)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Fri, 26 Aug 2022 13:17:07 +0000 (14:17 +0100)]
s3/utils: ensure sddl_encode/sddl_decode both use domain_sid
prior to this patch sddl_decode get_global_sam_sid was using
'get_global_sam_sid()' but the reciprocal call to sddl_encode uses
'get_domain_sid()' using the domain_sid (instead of local machine sid)
is 'correct'
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 15 Nov 2023 00:03:27 +0000 (13:03 +1300)]
pytests: sid_strings: do not fail if epoch ending has zeros
To avoid collisions in random OID strings, we started using the epoch
date modulus 100 million. The trouble is we did not strip out the
leading zeros, so the field might be '
00000123' when it should be
'123', if the date happened not to correspond to an epoch with a zero
in the eighth to last place. This has been the case for most of the
last 1041 days, but fortunately the bug was only introduced earlier
this year.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15520
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Ralph Boehme [Fri, 10 Nov 2023 09:01:46 +0000 (10:01 +0100)]
smbd: remove now unneccessary wrapper vfs_fget_dos_attributes()
Signed-off-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 14 00:10:19 UTC 2023 on atb-devel-224
Volker Lendecke [Fri, 10 Nov 2023 07:39:15 +0000 (08:39 +0100)]
smbd: Alternative fix for smb2.stream.attributes2 test
It confused me that a function that supposedly just retrieves dos
attributes also updates something.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 13 Oct 2023 08:54:44 +0000 (10:54 +0200)]
smbd: fix has_other_nonposix_opens_fn()
Given two opens on a file:
1. Windows open with delete-on-close
2. POSIX open with delete-on-close set
When handle 1 is closed processing in has_other_nonposix_opens_fn() will not
delete the file as (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) is false, so
has_other_nonposix_opens() will return true which is wrong.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15517
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 13 19:34:29 UTC 2023 on atb-devel-224
Ralph Boehme [Thu, 9 Nov 2023 18:53:46 +0000 (19:53 +0100)]
CI/smb3unix: add test_delete_on_close
BUG:https://bugzilla.samba.org/show_bug.cgi?id=15517
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 9 Nov 2023 18:52:55 +0000 (19:52 +0100)]
python: move clean_file() to samba/tests/libsmb.py
BUG:https://bugzilla.samba.org/show_bug.cgi?id=15517
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andrew Bartlett [Tue, 7 Nov 2023 00:44:55 +0000 (13:44 +1300)]
libcli/security: conditional aces: don't allow U+0000 in unicode
Allowing this broke a round-trip decode-encode fuzz test. Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62742
(Comments are from an earlier commit by Douglas Bagnall <douglas.bagnall@catalyst.net.nz>)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 13 02:30:23 UTC 2023 on atb-devel-224
Andrew Bartlett [Sun, 5 Nov 2023 22:11:14 +0000 (11:11 +1300)]
librpc/ndr: Add support for LIBNDR_FLAG_STR_NO_EMBEDDED_NUL
This requires that, other than termination, no NUL (\0) codepoints
exist in the input string, because bytes beyon that will be lost
in the output string.
This in turn causes trouble for round-trip testing, so it is easiest
to reject it upfront (on an opt-in basis).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Sun, 5 Nov 2023 21:18:47 +0000 (10:18 +1300)]
librpc/ndr: Remove confusing case where returned string pointer "as" could be NULL
The failure to talloc_strdup("") is just an error and all other cases set the
string or given an error.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Volker Lendecke [Thu, 9 Nov 2023 15:23:49 +0000 (16:23 +0100)]
torture3: Correct use of enum client_flavour defines
enum client_flavour does not define LINUX, it defines WINDOWS and
POSIX.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Nov 10 02:33:33 UTC 2023 on atb-devel-224
Volker Lendecke [Thu, 9 Nov 2023 15:18:13 +0000 (16:18 +0100)]
librpc: Fix the build on FreeBSD
ndr_wsp.h included standalone does not find struct timespec on FreeBSD
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 9 Nov 2023 15:17:50 +0000 (16:17 +0100)]
librpc: Fix #define header guard
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Joseph Sutton [Thu, 9 Nov 2023 23:43:03 +0000 (12:43 +1300)]
third_party/heimdal: krb5: Try to decode e-data as KERB-ERROR-DATA (falling back to METHOD-DATA) (Import lorikeet-heimdal-
202311092338 (commit
50996e5f0b0f22a4eb755a6f22cb7b4ecab2aeea))
Previously we tried to decode KERB-ERROR-DATA as METHOD-DATA,
resulting in a confusing error message. Now we just ignore it; but we
could also choose to set an error message containing the NTSTATUS code
in hexadecimal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15514
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 10 01:35:32 UTC 2023 on atb-devel-224
Joseph Sutton [Tue, 7 Nov 2023 02:44:21 +0000 (15:44 +1300)]
netcmd: Disallow device‐specific attributes and operators for allowed‐to‐authenticate‐from fields
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 9 09:01:25 UTC 2023 on atb-devel-224
Joseph Sutton [Tue, 7 Nov 2023 02:43:29 +0000 (15:43 +1300)]
netcmd: Add ‘allow_device_in_sddl’ parameter to SDDLField()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 7 Nov 2023 02:42:38 +0000 (15:42 +1300)]
s4:librpc: Add ‘allow_device_in_sddl’ parameter to security.descriptor.from_sddl()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 3 Nov 2023 01:57:02 +0000 (14:57 +1300)]
libcli/security: Optionally disallow device‐specific attributes and operators where they are not applicable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 7 Nov 2023 03:50:49 +0000 (16:50 +1300)]
netcmd:tests: Test authentication policies containing device‐specific attributes and operators
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>