metze/samba/wip.git
6 years ago s4:torture/samba_tool_drs: demote the test dc at the end of test_samba_tool_replicate...
Stefan Metzmacher [Fri, 12 Jan 2018 13:52:45 +0000 (14:52 +0100)]
s4:torture/samba_tool_drs: demote the test dc at the end of test_samba_tool_replicate_local()

Otherwise this taints other tests which might follow.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago WHATSNEW: document some more new options
Stefan Metzmacher [Thu, 11 Jan 2018 11:46:24 +0000 (12:46 +0100)]
WHATSNEW: document some more new options

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Sat Jan 13 17:12:38 CET 2018 on sn-devel-144

6 years ago winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
Stefan Metzmacher [Wed, 29 Nov 2017 15:02:28 +0000 (16:02 +0100)]
winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: add more trust types to get_trust_type_string
Ralph Boehme [Wed, 13 Dec 2017 07:53:16 +0000 (08:53 +0100)]
winbindd: add more trust types to get_trust_type_string

Add support for the following trust types: "Local", "Workstation",
"RWDC", "RODC" and "Routed (via ...)".

Where we previously returned "None" this now returns "Routed (via ...)",
otherwise (hopefully) no change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago libwbclient: add more trust types
Ralph Boehme [Wed, 13 Dec 2017 15:01:50 +0000 (16:01 +0100)]
libwbclient: add more trust types

Prepare libwbclient for additional trust types and trust routing.

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago wbinfo: support for local, workstation and routed trust types
Ralph Boehme [Wed, 13 Dec 2017 15:02:22 +0000 (16:02 +0100)]
wbinfo: support for local, workstation and routed trust types

Prepare wbinfo for additional trust types and trust routing.

This also modifies the output line for a "None" trust type by skipping
the transitivity and direction -- that just doesn't make sense without a
trust.

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago libwbclient: add trust routing and more trust-types
Ralph Boehme [Tue, 19 Dec 2017 16:26:46 +0000 (17:26 +0100)]
libwbclient: add trust routing and more trust-types

This adds the struct member and the defines, the implementation comes
later.

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: fix trust_is_oubound()
Ralph Boehme [Tue, 28 Nov 2017 16:46:03 +0000 (17:46 +0100)]
winbindd: fix trust_is_oubound()

A trust is only inbound if NETR_TRUST_FLAG_OUTBOUND is set. Trust flags = 0x0
does not imply an outbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: fix trust_is_inbound()
Ralph Boehme [Tue, 28 Nov 2017 16:44:41 +0000 (17:44 +0100)]
winbindd: fix trust_is_inbound()

A trust is only inbound if NETR_TRUST_FLAG_INBOUND is set. Trust flags = 0x0
does not imply an inbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: transitive trust logic in trust_is_transitive()
Ralph Boehme [Tue, 28 Nov 2017 16:32:59 +0000 (17:32 +0100)]
winbindd: transitive trust logic in trust_is_transitive()

trust_is_transitive() currently defaults to transitive=true, unless
LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE, LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN or
LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL trust attribute is set.

This is not correct, for the trust to be transitive,
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST or LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE must
be set.

Logic taken from dsdb_trust_routing_by_name().

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: use add_trusted_domain_from_auth
Ralph Boehme [Wed, 29 Nov 2017 09:55:25 +0000 (10:55 +0100)]
winbindd: use add_trusted_domain_from_auth

After a successful authentication, ensure we have the user's domain in our
domain list and the TDC.

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: add add_trusted_domain_from_auth
Ralph Boehme [Wed, 29 Nov 2017 09:10:38 +0000 (10:10 +0100)]
winbindd: add add_trusted_domain_from_auth

Function to add a new trusted domain to the domain list and TDC after a
successful authentication. On member servers only, not on DCs though.

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: add set_routing_domain()
Ralph Boehme [Wed, 13 Dec 2017 16:11:25 +0000 (17:11 +0100)]
winbindd: add set_routing_domain()

6 years ago winbindd: add find_default_route_domain()
Ralph Boehme [Wed, 13 Dec 2017 16:08:10 +0000 (17:08 +0100)]
winbindd: add find_default_route_domain()

On a member server this is just our primary domain. The logic for DCs is
not yet implemented, on a DC of a child-domain in a forest this would
be the parent domain.

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: avoid automatic enumerating trusts on DCs
Stefan Metzmacher [Wed, 29 Nov 2017 15:02:28 +0000 (16:02 +0100)]
winbindd: avoid automatic enumerating trusts on DCs

We have a static list of trusts based on our configuration.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: load the trusted domains on a DC already in init_domain_list()
Stefan Metzmacher [Wed, 29 Nov 2017 14:55:12 +0000 (15:55 +0100)]
winbindd: load the trusted domains on a DC already in init_domain_list()

We should do that in the parent as early as possible.
Similar to our primary domain, which is also a direct trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX
Ralph Boehme [Tue, 19 Dec 2017 22:44:00 +0000 (23:44 +0100)]
pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain
Ralph Boehme [Mon, 11 Dec 2017 06:57:27 +0000 (07:57 +0100)]
pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain
Ralph Boehme [Sun, 10 Dec 2017 19:03:37 +0000 (20:03 +0100)]
pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions
Stefan Metzmacher [Fri, 1 Dec 2017 07:41:29 +0000 (08:41 +0100)]
pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()
Stefan Metzmacher [Fri, 1 Dec 2017 06:59:59 +0000 (07:59 +0100)]
pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function
Stefan Metzmacher [Fri, 1 Dec 2017 07:33:51 +0000 (08:33 +0100)]
s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago s3/torture/pdbtest: delete trusted domain at test end
Ralph Boehme [Mon, 11 Dec 2017 06:56:40 +0000 (07:56 +0100)]
s3/torture/pdbtest: delete trusted domain at test end

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago s3/torture/pdbtest: creating a trusted domain requires a valid SID
Ralph Boehme [Mon, 11 Dec 2017 06:56:02 +0000 (07:56 +0100)]
s3/torture/pdbtest: creating a trusted domain requires a valid SID

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: use find_trust_from_name_noinit when we require a direct trust
Stefan Metzmacher [Thu, 30 Nov 2017 12:04:56 +0000 (13:04 +0100)]
winbindd: use find_trust_from_name_noinit when we require a direct trust

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: add find_trust_from_{name,sid}_noinit()
Stefan Metzmacher [Wed, 29 Nov 2017 14:23:36 +0000 (15:23 +0100)]
winbindd: add find_trust_from_{name,sid}_noinit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: remember the secure_channel_type in winbindd_domain
Stefan Metzmacher [Wed, 29 Nov 2017 14:10:38 +0000 (15:10 +0100)]
winbindd: remember the secure_channel_type in winbindd_domain

This way we have an indication of non direct trusts with
SEC_CHAN_NULL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()
Ralph Boehme [Sat, 16 Dec 2017 10:34:23 +0000 (11:34 +0100)]
winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()

This extends add_trusted_domain() to be the one true one-stop function
to add a winbindd domain.

add_trusted_domain_from_tdc() used a struct winbindd_tdc_domain to fill
in the winbindd domain which made it hard to track which attributes
would be required and which are optional.

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: initialize some stack pointers to NULL
Stefan Metzmacher [Wed, 10 Jan 2018 11:14:57 +0000 (12:14 +0100)]
winbindd: initialize some stack pointers to NULL

This reduces the diff in the following commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: rename alternative_name to dns_name
Stefan Metzmacher [Wed, 10 Jan 2018 11:14:57 +0000 (12:14 +0100)]
winbindd: rename alternative_name to dns_name

This reduces the diff in the following commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from...
Ralph Boehme [Fri, 15 Dec 2017 20:13:52 +0000 (21:13 +0100)]
winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()

Unique key for domains is the NetBIOS name, period. If the caller
passes a domain name that matches a different domain's DNS name or vice
versa, that is an error. The same applies to SIDs.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: enforce valid SID in add_trusted_domain_from_tdc()
Ralph Boehme [Fri, 15 Dec 2017 20:09:15 +0000 (21:09 +0100)]
winbindd: enforce valid SID in add_trusted_domain_from_tdc()

It's the caller's responsibility to ensure we get a valid SID. Adding
half-baked domains with only partially valid data is a recipe for
disaster.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: set info6 data in append_info3_as_txt
Ralph Boehme [Sat, 2 Dec 2017 09:34:28 +0000 (10:34 +0100)]
winbindd: set info6 data in append_info3_as_txt

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Jan 13 12:53:59 CET 2018 on sn-devel-144

6 years ago nsswitch: fill out wbcAuthUserInfo user_principal and dns_domain_name from info6
Ralph Boehme [Fri, 1 Dec 2017 22:26:33 +0000 (23:26 +0100)]
nsswitch: fill out wbcAuthUserInfo user_principal and dns_domain_name from info6

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago nsswitch: add "validation_level" and "info6" to winbindd_response
Ralph Boehme [Wed, 10 Jan 2018 09:20:46 +0000 (10:20 +0100)]
nsswitch: add "validation_level" and "info6" to winbindd_response

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: pass validation in append_info3_as_txt
Ralph Boehme [Sat, 2 Dec 2017 09:34:15 +0000 (10:34 +0100)]
winbindd: pass validation in append_info3_as_txt

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: pass down validation to append_auth_data()
Ralph Boehme [Sat, 2 Dec 2017 09:27:12 +0000 (10:27 +0100)]
winbindd: pass down validation to append_auth_data()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: simplify an if condition in winbindd_dual_pam_auth
Ralph Boehme [Tue, 9 Jan 2018 17:57:53 +0000 (18:57 +0100)]
winbindd: simplify an if condition in winbindd_dual_pam_auth

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: let winbind_dual_SamLogon return validation
Ralph Boehme [Mon, 11 Dec 2017 15:25:35 +0000 (16:25 +0100)]
winbindd: let winbind_dual_SamLogon return validation

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: remove a space in winbind_dual_SamLogon
Ralph Boehme [Fri, 1 Dec 2017 22:11:44 +0000 (23:11 +0100)]
winbindd: remove a space in winbind_dual_SamLogon

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: let winbindd_dual_pam_auth_samlogon() return validation info
Ralph Boehme [Mon, 11 Dec 2017 14:54:36 +0000 (15:54 +0100)]
winbindd: let winbindd_dual_pam_auth_samlogon() return validation info

Pass up validation info instead of info3. No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: let winbind_samlogon_retry_loop return validation info
Ralph Boehme [Mon, 11 Dec 2017 22:26:38 +0000 (23:26 +0100)]
winbindd: let winbind_samlogon_retry_loop return validation info

Return the validation info instead of the already mapped info3. Higher
layers need info6 if available, this is the first step in passing the
unmapped info up to callers.

Signed-off-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: remove a redundant check from winbindd_dual_pam_auth_samlogon
Ralph Boehme [Tue, 9 Jan 2018 15:58:06 +0000 (16:58 +0100)]
winbindd: remove a redundant check from winbindd_dual_pam_auth_samlogon

result is already checked a few lines above.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3/rpc_client: return validation from rpccli_netlogon functions
Ralph Boehme [Thu, 30 Nov 2017 22:35:40 +0000 (23:35 +0100)]
s3/rpc_client: return validation from rpccli_netlogon functions

Return the validation info instead of the already mapped info3. Higher
layers need info6 if available, this is the first step in passing the
unmapped info up to callers.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3/rpc_client: add map_info3_to_validation()
Ralph Boehme [Mon, 11 Dec 2017 14:18:58 +0000 (15:18 +0100)]
s3/rpc_client: add map_info3_to_validation()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3/rpc_client: make map_validation_to_info3() public and move to util_netlogon
Ralph Boehme [Thu, 30 Nov 2017 22:19:07 +0000 (23:19 +0100)]
s3/rpc_client: make map_validation_to_info3() public and move to util_netlogon

Will be needed in the next commit.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3/rpc_client: in map_validation_to_info3() make a deep copy
Ralph Boehme [Sat, 2 Dec 2017 21:04:47 +0000 (22:04 +0100)]
s3/rpc_client: in map_validation_to_info3() make a deep copy

In later commits we want to map a validation to info3 without modifying
the validation data. Otherwise no change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon
Ralph Boehme [Sat, 2 Dec 2017 21:35:36 +0000 (22:35 +0100)]
s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon

The next commit will add an additional caller that is in rpc_client and I
don't want to pull in AUTH_COMMON. The natural place to consolidate
netlogon related helper functions seems to be util_netlogon.c which
already has copy_netr_SamBaseInfo().

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: prevent long lines in a later commit
Ralph Boehme [Fri, 1 Dec 2017 07:26:59 +0000 (08:26 +0100)]
winbindd: prevent long lines in a later commit

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: simplify if condition in find_domain_from_name_noinit()
Ralph Boehme [Fri, 1 Dec 2017 11:23:50 +0000 (12:23 +0100)]
winbindd: simplify if condition in find_domain_from_name_noinit()

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: remove an else branch
Ralph Boehme [Fri, 1 Dec 2017 10:40:47 +0000 (11:40 +0100)]
winbindd: remove an else branch

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: remove a space
Ralph Boehme [Fri, 1 Dec 2017 09:32:41 +0000 (10:32 +0100)]
winbindd: remove a space

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago winbindd: fix overly long lines
Ralph Boehme [Fri, 1 Dec 2017 06:59:50 +0000 (07:59 +0100)]
winbindd: fix overly long lines

Just another long lines cleanup. Best viewed with git show -w.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3/rpc_client: fix overly long lines
Ralph Boehme [Fri, 1 Dec 2017 06:58:07 +0000 (07:58 +0100)]
s3/rpc_client: fix overly long lines

Just long lines cleanup, no further changes. Best viewed with git show -w.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3/torture: fix an error message
Ralph Boehme [Sat, 9 Dec 2017 18:27:22 +0000 (19:27 +0100)]
s3/torture: fix an error message

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3:vfs: remove unused smb_vfs_call_{is,set}_offline() prototypes
Stefan Metzmacher [Mon, 4 Dec 2017 14:21:50 +0000 (15:21 +0100)]
s3:vfs: remove unused smb_vfs_call_{is,set}_offline() prototypes

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago params: mark "ldap ssl ads" as deprecated
Björn Jacke [Wed, 10 Jan 2018 15:17:30 +0000 (16:17 +0100)]
params: mark "ldap ssl ads" as deprecated

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago params: mark "unicode" parameter as deprecated
Björn Jacke [Wed, 10 Jan 2018 15:05:39 +0000 (16:05 +0100)]
params: mark "unicode" parameter as deprecated

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago s3/smbd: Fix error code for unsupported SET_INFO requests
Justin Maggard via samba-technical [Tue, 9 Jan 2018 20:04:16 +0000 (12:04 -0800)]
s3/smbd: Fix error code for unsupported SET_INFO requests

FileValidDataLengthInformation and FileShortNameInformation are both
valid FileInfoClasses that we don't support.  According to [MS-SMB2]
3.3.5.21.1, we should be returning STATUS_NOT_SUPPORTED instead of
NT_STATUS_INVALID_LEVEL for these.

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jan 13 07:25:42 CET 2018 on sn-devel-144

6 years ago s3/smbd: Add new file information classes
Justin Maggard via samba-technical [Tue, 9 Jan 2018 20:04:15 +0000 (12:04 -0800)]
s3/smbd: Add new file information classes

Add definitions for missing file information classes documented in
[MS-FSCC] section 2.4.

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago vfs_default: use VFS statvfs macro in fs_capabilities
David Disseldorp [Wed, 10 Jan 2018 13:03:09 +0000 (14:03 +0100)]
vfs_default: use VFS statvfs macro in fs_capabilities

Currently the vfs_default fs_capabilities handler calls statvfs
directly, rather than calling the vfs macro. This behaviour may cause
issues for VFS modules that delegate fs_capabilities handling to
vfs_default but offer their own statvfs hook.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13208

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 years ago vfs_ceph: add fs_capabilities hook to avoid local statvfs
David Disseldorp [Wed, 10 Jan 2018 00:37:14 +0000 (01:37 +0100)]
vfs_ceph: add fs_capabilities hook to avoid local statvfs

Adding the fs_capabilities() hook to the CephFS VFS module avoids
fallback to the vfs_default code-path, which calls statvfs() against the
share path on the *local* filesystem.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13208

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
6 years ago Mark wbinfo test flapping
Douglas Bagnall [Fri, 12 Jan 2018 01:39:49 +0000 (14:39 +1300)]
Mark wbinfo test flapping

please fix and revert

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 13 03:01:10 CET 2018 on sn-devel-144

6 years ago Mark whoami test flapping
Douglas Bagnall [Fri, 12 Jan 2018 01:39:28 +0000 (14:39 +1300)]
Mark whoami test flapping

please fix and revert!

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago Mark rfc2307 test flapping
Douglas Bagnall [Fri, 12 Jan 2018 01:38:45 +0000 (14:38 +1300)]
Mark rfc2307 test flapping

Please fix and revert

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 years ago ldb: version 1.3.1 samba-upstream/tags/ldb-1.3.1
Stefan Metzmacher [Wed, 10 Jan 2018 22:43:05 +0000 (23:43 +0100)]
ldb: version 1.3.1

* Intersect the index from SCOPE_ONELEVEL with the index for the search expression
  (bug #13191)
* smaller/greater comparison tests
* Show the last successful DN when failing to parse LDIF
* ldb_index: Add an attribute flag to require a unique value.
* silence some clang warnings in picky developer mode

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago tevent: version 0.9.35 samba-upstream/tags/tevent-0.9.35
Stefan Metzmacher [Fri, 12 Jan 2018 14:08:14 +0000 (15:08 +0100)]
tevent: version 0.9.35

* Minor cleanup. wakeup_fd can always be gotten from the event context.
* Use smb_set_close_on_exec() in example code.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago talloc: version 2.1.11 samba-upstream/tags/talloc-2.1.11
Stefan Metzmacher [Fri, 12 Jan 2018 06:45:09 +0000 (07:45 +0100)]
talloc: version 2.1.11

* disable-python - fix talloc wscript if bundling disabled
* Do not disclose the random talloc magic in free()'ed memory

Signed-off-by: Stefan Metzmacher <metze@samba.org>
6 years ago talloc: Do not disclose the random talloc magic in free()'ed memory
Andrew Bartlett [Mon, 8 Jan 2018 04:34:31 +0000 (17:34 +1300)]
talloc: Do not disclose the random talloc magic in free()'ed memory

This may help us avoid exploits via memory read attacks on Samba by ensuring that if the read
is on an invalid chunk that the talloc magic disclosed there is not useful
to create a valid chunk and so set a destructor.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13211

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 years ago talloc: Add tests to require use-after-free to give the correct talloc_abort() string
Andrew Bartlett [Thu, 11 Jan 2018 22:17:09 +0000 (11:17 +1300)]
talloc: Add tests to require use-after-free to give the correct talloc_abort() string

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13210

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 years ago talloc: Remove talloc_abort_magic()
Andrew Bartlett [Mon, 8 Jan 2018 04:29:19 +0000 (17:29 +1300)]
talloc: Remove talloc_abort_magic()

The check required for talloc_abort_magic() prevents the 'access after free error'
from being printed.

It is also no longer possible to determine the difference between invalid memory
and a talloc version mismatch as the magic is now random on many platforms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13210

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
6 years ago s3:tests: Fix test_net_tdb.sh with system tdb-tools
Andreas Schneider [Wed, 10 Jan 2018 08:32:49 +0000 (09:32 +0100)]
s3:tests: Fix test_net_tdb.sh with system tdb-tools

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 10 18:30:56 CET 2018 on sn-devel-144

6 years ago selftest: Use the ad_dc with smbfs for ad_member env
Andreas Schneider [Thu, 6 Apr 2017 06:50:06 +0000 (08:50 +0200)]
selftest: Use the ad_dc with smbfs for ad_member env

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago selftest: split a large system invocation line
Ralph Boehme [Tue, 9 Jan 2018 09:46:40 +0000 (10:46 +0100)]
selftest: split a large system invocation line

Small cleanup for better code readability, no change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jan 10 05:19:26 CET 2018 on sn-devel-144

6 years ago selftest: split a large system invocation line
Ralph Boehme [Tue, 9 Jan 2018 09:45:59 +0000 (10:45 +0100)]
selftest: split a large system invocation line

Small cleanup for better code readability, no change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago selftest: split a large system invocation line
Ralph Boehme [Tue, 9 Jan 2018 09:40:41 +0000 (10:40 +0100)]
selftest: split a large system invocation line

Small cleanup for better code readability, no change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago selftest: set wrapper env variables when running net groupmap
Ralph Boehme [Mon, 8 Jan 2018 13:28:40 +0000 (14:28 +0100)]
selftest: set wrapper env variables when running net groupmap

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago selftest: remove second loop waiting for winbindd from wait_for_start()
Ralph Boehme [Mon, 8 Jan 2018 17:45:01 +0000 (18:45 +0100)]
selftest: remove second loop waiting for winbindd from wait_for_start()

A few lines above we already checked that winbindd is running.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago selftest: fix creation of builtin users in wait_for_start
Ralph Boehme [Mon, 8 Jan 2018 17:38:08 +0000 (18:38 +0100)]
selftest: fix creation of builtin users in wait_for_start

If "BUILTIN\Users" already exists, attempting to create it would fail,
so we should check for the existence prior to the creation.

It is unclear *why* the mapping sometimes already exists and sometimes
not. There are two places where they would have been created:

1. libnet_join_add_dom_rids_to_builtins tries to add the mapping when
joining a domain, but at that point winbindd isn't running

2. when a user is authenticated in smbd, which clearly can't have
happened when in the function wait_for_start

Go figure...

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
6 years ago s4:dns_server: avoid debug noise on successful updates
Stefan Metzmacher [Fri, 11 Nov 2016 07:48:04 +0000 (08:48 +0100)]
s4:dns_server: avoid debug noise on successful updates

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12423

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago s4:lib/tls: fix the developer build without gnutls support
Stefan Metzmacher [Tue, 14 Mar 2017 16:11:19 +0000 (17:11 +0100)]
s4:lib/tls: fix the developer build without gnutls support

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago WHATSNEW: document the changes/deprecation of 'client schannel' and 'server schannel'
Stefan Metzmacher [Thu, 7 Dec 2017 12:42:06 +0000 (13:42 +0100)]
WHATSNEW: document the changes/deprecation of 'client schannel' and 'server schannel'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago docs-xml: deprecate "server schannel" and change the default to "yes"
Stefan Metzmacher [Thu, 7 Dec 2017 12:22:22 +0000 (13:22 +0100)]
docs-xml: deprecate "server schannel" and change the default to "yes"

No client should use the old protocol without DCERPC level integrity/privacy,
but maybe there are some legacy OEM file servers which require this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago selftest: explicitly configure some dcs with 'server schannel = auto'
Stefan Metzmacher [Wed, 13 Dec 2017 12:09:47 +0000 (13:09 +0100)]
selftest: explicitly configure some dcs with 'server schannel = auto'

This is required for some tests.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago docs-xml: deprecate "client schannel" and change the default to "yes"
Stefan Metzmacher [Thu, 7 Dec 2017 12:22:22 +0000 (13:22 +0100)]
docs-xml: deprecate "client schannel" and change the default to "yes"

This is already the default, because "require strong key = yes" is
the default.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago WHATSNEW: document removal of 'use spnego" option
Stefan Metzmacher [Thu, 7 Dec 2017 10:35:26 +0000 (11:35 +0100)]
WHATSNEW: document removal of 'use spnego" option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago docs-xml: remove deprecated 'use spnego" option
Stefan Metzmacher [Thu, 7 Dec 2017 10:35:26 +0000 (11:35 +0100)]
docs-xml: remove deprecated 'use spnego" option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago s4:smb_server: remove deprecated 'use spnego = no" handling
Stefan Metzmacher [Thu, 7 Dec 2017 10:35:26 +0000 (11:35 +0100)]
s4:smb_server: remove deprecated 'use spnego = no" handling

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago s3:smbd: remove deprecated 'use spnego = no" handling
Stefan Metzmacher [Thu, 7 Dec 2017 10:35:26 +0000 (11:35 +0100)]
s3:smbd: remove deprecated 'use spnego = no" handling

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago s4:selftest: replace --option=usespnego= with --option=clientusespnego=
Stefan Metzmacher [Thu, 7 Dec 2017 12:00:10 +0000 (13:00 +0100)]
s4:selftest: replace --option=usespnego= with --option=clientusespnego=

I guess that's what we try to test here, as 'use spnego' was only evaluated
in the smb server part.

This basically tests the 'raw NTLMv2 auth' option, we set it to yes on
some environments, but keep a knownfail for the ad_member.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago WHATSNEW: document removal of 'winbind trusted domains only' option
Stefan Metzmacher [Thu, 7 Dec 2017 10:17:20 +0000 (11:17 +0100)]
WHATSNEW: document removal of 'winbind trusted domains only' option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago docs-xml: remove deprecated 'winbind trusted domains only' option
Stefan Metzmacher [Thu, 7 Dec 2017 10:10:42 +0000 (11:10 +0100)]
docs-xml: remove deprecated 'winbind trusted domains only' option

This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago winbindd: remove 'winbind trusted domains only' handling
Stefan Metzmacher [Thu, 7 Dec 2017 09:54:21 +0000 (10:54 +0100)]
winbindd: remove 'winbind trusted domains only' handling

This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago s3:g_lock: keep old mylock on error and don't store new mylock on error
Stefan Metzmacher [Wed, 20 Dec 2017 07:41:09 +0000 (08:41 +0100)]
s3:g_lock: keep old mylock on error and don't store new mylock on error

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
6 years ago winbindd: use setproctitle
Ralph Boehme [Wed, 20 Dec 2017 16:42:45 +0000 (17:42 +0100)]
winbindd: use setproctitle

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago vfs_fruit: initialise bandsize to please a compiler
Douglas Bagnall [Tue, 9 Jan 2018 11:08:01 +0000 (00:08 +1300)]
vfs_fruit: initialise bandsize to please a compiler

GCC on an Ubuntu 16.04 instance said:

[3174/4240] Compiling source3/modules/vfs_cap.c
In file included from ../source3/include/includes.h:301:0,
                 from ../source3/modules/vfs_fruit.c:20:
../source3/modules/vfs_fruit.c: In function ‘fruit_disk_free’:
../source3/../lib/util/debug.h:217:7: error: ‘bandsize’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
   && (dbgtext body) )
          ^
../source3/modules/vfs_fruit.c:6302:9: note: ‘bandsize’ was declared here
  size_t bandsize;
           ^
[3175/4240] Compiling source3/modules/vfs_expand_msdfs.c
[3176/4240] Compiling source3/modules/vfs_shadow_copy.c
[3177/4240] Compiling source3/modules/vfs_shadow_copy2.c
cc1: all warnings being treated as errors
Waf: Leaving directory /home/ubuntu/autobuild/b17854/samba-o3/bin'
Build failed:  -> task failed (err #1):
{task: cc vfs_fruit.c -> vfs_fruit_25.o}
make: *** [all] Error 1

As far as I can tell, it is wrong, and the bandsize variable never
gets passed uninitialised to DEBUG.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 years ago python: Print the finddcs error message
Volker Lendecke [Tue, 9 Jan 2018 11:41:01 +0000 (12:41 +0100)]
python: Print the finddcs error message

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jan  9 22:41:28 CET 2018 on sn-devel-144

6 years ago libnet: Add NULL checks to py_net_finddc
Volker Lendecke [Tue, 9 Jan 2018 09:23:35 +0000 (10:23 +0100)]
libnet: Add NULL checks to py_net_finddc

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 years ago vfs_fruit: set delete-on-close for empty finderinfo
Ralph Boehme [Wed, 6 Dec 2017 21:09:52 +0000 (22:09 +0100)]
vfs_fruit: set delete-on-close for empty finderinfo

We previously removed the stream from the underlying filesystem stream
backing store when the client zeroes out FinderInfo in the AFP_AfpInfo
stream, but this causes certain operations to fail (eg stat) when trying
to access the stream over any file-handle open on that stream.

So instead of deleting, set delete-on-close on the stream. The previous
commit already implemented not to list streams with delete-on-close
set which is necessary to implement correct macOS semantics for this
particular stream.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jan  9 17:09:12 CET 2018 on sn-devel-144

6 years ago vfs_fruit: filter out AFP_AfpInfo streams with pending delete-on-close
Ralph Boehme [Thu, 7 Dec 2017 16:32:35 +0000 (17:32 +0100)]
vfs_fruit: filter out AFP_AfpInfo streams with pending delete-on-close

This is in preparation of fixing the implementation of removing the
AFP_AfpInfo stream by zeroing the FinderInfo out.

We currently remove the stream blob from the underlying filesystem
backing store, but that results in certain operations failing on any
still open file-handle.

The fix comes in the next commit which will convert the backing store
delete operation to a set delete-on-close on the stream.

This commit adds filtering on streams that have the delete-on-close
set. It is only needed for the fruit:metadata=stream case, as with
fruit:metadata=netatalk the filtering is already done in
fruit_streaminfo_meta_netatalk().

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>