samba.git
Gary Lockyer [Thu, 9 Mar 2017 22:37:56 +0000 (11:37 +1300)]
named_pipe_auth: Rename client -> remote_client and server -> local_server

While these names may have been clear, much of Samba uses
remote_address and local_address, and this difference has hidden bugs.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Fri, 24 Mar 2017 02:19:32 +0000 (15:19 +1300)]
selftest: Turn on auth event notification and so allow tests to pass

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 24 Mar 2017 02:18:46 +0000 (15:18 +1300)]
auth: Add hooks for notification of authentication events over the message bus

This will allow tests to be written to confirm the correct events are triggered.

We pass in a messaging context from the callers

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 24 Mar 2017 02:16:34 +0000 (15:16 +1300)]
auth_log: Improve comment

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 7 Mar 2017 03:50:38 +0000 (16:50 +1300)]
auth_log: Prepared to allow logging JSON events to a server over the message bus

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Fri, 24 Mar 2017 02:11:35 +0000 (15:11 +1300)]
s4-messaging: split up messaging into a smaller library for send only

This will help avoid a dep loop when the low-level auth code relies on the message
code to deliver authentication messages

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 6 Mar 2017 03:16:51 +0000 (16:16 +1300)]
auth_log: Add JSON logging of Authorisation and Authentications

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Pair-Programmed: Andrew Bartlett <abartlet@samba.org>

Andrew Bartlett [Mon, 6 Mar 2017 01:10:17 +0000 (14:10 +1300)]
auth: Log the transport connection for the authorization

We also log if a simple bind was over TLS, as this particular case matters to a lot of folks

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 2 Mar 2017 23:53:06 +0000 (12:53 +1300)]
ldap_server: Log access without a bind

This can be over the privileged ldapi socket, or just as the implicit anonymous access

However, do not log for setting up StartTLS, or a rootDSE search.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Thu, 2 Mar 2017 23:40:04 +0000 (12:40 +1300)]
auth_log: Split up auth/authz logging levels and handle anonymous better

We typically do not want a lot of logging of anonymous access, as this is often
simply a preparation for authenticated access, so we make that level 5.

Bad passwords remain at level 2, successful password authentication is level 3
and successful authorization (eg kerberos login to SMB) is level 4.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Thu, 2 Mar 2017 23:03:04 +0000 (12:03 +1300)]
s3-rpc_server: Log authorization to DCE/RPC for anonymous and ncacn_np pass-through

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Thu, 2 Mar 2017 22:49:43 +0000 (11:49 +1300)]
s4-rpc_server: Log authorization to DCE/RPC for anonymous and ncacn_np pass-through

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 03:49:01 +0000 (16:49 +1300)]
ldap_server: Log authorization for simple binds

Existing comment is no longer relevant.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 03:28:06 +0000 (16:28 +1300)]
s4-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)

gensec_session_info() is not called for bare NTLM, so we have to log manually

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 03:27:51 +0000 (16:27 +1300)]
s3-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)

gensec_session_info() is not called for bare NTLM, so we have to log manually

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 03:00:03 +0000 (16:00 +1300)]
auth_log: Also log the final type of authentication (ntlmssp,krb5)

Administrators really care about how their users were authenticated, so make
this clear.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 02:06:25 +0000 (15:06 +1300)]
auth_log: Expand to include the type of password used (eg ntlmv2)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 01:19:50 +0000 (14:19 +1300)]
dns: Provide local and remote socket address to GENSEC

This can be used for logging and for Kerberos channel bindings

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 28 Feb 2017 23:18:49 +0000 (12:18 +1300)]
auth: Add logging of service authorization

In ntlm_auth.c and authdata.c, the session info will be incomplete

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Fri, 24 Feb 2017 00:29:12 +0000 (13:29 +1300)]
rpc: Always supply both the remote and local address to the auth subsystem

This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.

The local address allows us to know which interface an authentication is on

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Thu, 23 Feb 2017 01:31:52 +0000 (14:31 +1300)]
auth: Always supply both the remote and local address to the auth subsystem

This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.

The local address allows us to know which interface an authentication is on

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 28 Feb 2017 22:23:28 +0000 (11:23 +1300)]
s3-auth: Clarify the role and purpose of the auth_serversupplied_info->security_token

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 23 Feb 2017 00:50:14 +0000 (13:50 +1300)]
auth: Generate a human readable Authentication log message.

Add a human readable authentication log line, to allow
verification that all required details are being passed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Sun, 19 Feb 2017 22:39:17 +0000 (11:39 +1300)]
debug: Add debug class for auth_audit

This will be an audit stream of authentication and connection-level authorization

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 28 Feb 2017 22:22:43 +0000 (11:22 +1300)]
s3-auth: Split out get_user_sid_info3_and_extra() from create_local_nt_token_from_info3()

This will allow us to get the SID in another location for logging

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Tue, 28 Feb 2017 22:10:29 +0000 (11:10 +1300)]
lib/util: Add functions to escape log lines but not break all non-ascii

We do not want to turn every non-ascii username into a pile of hex, so we instead focus
on avoiding newline insertion attacks and other low control chars

Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
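
The escaping policy described in the lib/util commit message above, as an added example that is not part of the commit or of Samba's code. The names example_log_escape and example_count_lines, the escape table, the doubling of backslashes and the escaping of DEL are assumptions of this sketch; the sample usernames are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper (not Samba's API). Returns a malloc'd copy of `in`
 * that is safe to place on a single log line:
 *   - backslash is doubled so the encoding stays unambiguous
 *   - common control characters use their C escapes (\n, \r, \t, ...)
 *   - other bytes below 0x20, and DEL (0x7f), become \xHH
 *   - bytes >= 0x80 are copied unchanged, so UTF-8 names stay readable
 */
char *example_log_escape(const char *in)
{
	static const char hex[] = "0123456789ABCDEF";
	size_t len = strlen(in);
	char *out, *p;
	size_t i;

	/* Worst case: every byte expands to the 4 bytes of "\xHH". */
	if (len > (SIZE_MAX - 1) / 4) {
		return NULL;
	}
	out = malloc(len * 4 + 1);
	if (out == NULL) {
		return NULL;
	}
	p = out;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)in[i];
		char code = 0;

		switch (c) {
		case '\\': code = '\\'; break;
		case '\a': code = 'a'; break;
		case '\b': code = 'b'; break;
		case '\f': code = 'f'; break;
		case '\n': code = 'n'; break;
		case '\r': code = 'r'; break;
		case '\t': code = 't'; break;
		case '\v': code = 'v'; break;
		default: break;
		}
		if (code != 0) {
			*p++ = '\\';
			*p++ = code;
		} else if (c < 0x20 || c == 0x7f) {
			*p++ = '\\';
			*p++ = 'x';
			*p++ = hex[c >> 4];
			*p++ = hex[c & 0x0f];
		} else {
			*p++ = (char)c;
		}
	}
	*p = '\0';
	return out;
}

/* Number of physical lines a record would occupy in the log file. */
size_t example_count_lines(const char *record)
{
	size_t n = 1;

	for (; *record != '\0'; record++) {
		if (*record == '\n') {
			n++;
		}
	}
	return n;
}

int main(void)
{
	/* Constructed inputs: a name carrying a forged second record,
	 * and a legitimate non-ASCII (UTF-8) name. */
	const char *names[] = {
		"bob]\nAuth: user [admin] status [OK",
		"Bj\xc3\xb6rn",
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		char raw[256], safe[256];
		char *esc = example_log_escape(names[i]);

		if (esc == NULL) {
			return 1;
		}
		snprintf(raw, sizeof(raw), "Auth: user [%s] status [FAIL]", names[i]);
		snprintf(safe, sizeof(safe), "Auth: user [%s] status [FAIL]", esc);
		printf("unescaped: %zu line(s), escaped: %zu line(s): %s\n",
		       example_count_lines(raw), example_count_lines(safe), safe);
		free(esc);
	}
	return 0;
}
```
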
Andrew Bartlett [Tue, 21 Feb 2017 03:22:07 +0000 (16:22 +1300)]
s4-rpc_server: Correct comment about where the current iface can be found

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 23:14:12 +0000 (12:14 +1300)]
winbindd: Clarify that we do not pre-hash the password for rpccli_netlogon_password_logon()

rpccli_netlogon_password_logon() is called in winbind_samlogon_retry_loop() if interactive
is set, and does not use the hashed passwords.

This is only needed for winbindd_dual_auth_passdb(), and by moving the call we both
avoid the extra work and allow it to also be removed in this code path

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 22:57:57 +0000 (11:57 +1300)]
auth: Add "auth_description" to allow logs to distinguish simple bind (etc)

This will allow the authentication log to indicate clearly how the password was
supplied to the server.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 02:57:03 +0000 (15:57 +1300)]
ldap_server: Move code into authenticate_ldap_simple_bind()

This function is only called for simple binds, and by moving the mapping into
the function call we allow the unmapped values to be included in the
user_info and so logged.

We also include the local address and the remote address of the client
for future logging

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 02:55:34 +0000 (15:55 +1300)]
auth: Add a reminder about the strings currently used for auditing

We will soon have a much better replacement, but a note here may help some in the transition

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Thu, 9 Mar 2017 02:10:14 +0000 (15:10 +1300)]
s4-ldap_server: Do not set conn->session_info to NULL, keep valid at all times

We need this to be valid, right up until a new session_info is created and
it is replaced.

We need this to have a valid value at all times, and we are still anonymous
until the new bind completes

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 21 Feb 2017 01:15:05 +0000 (14:15 +1300)]
s4-ldap_server: Set remote and local address values into GENSEC

This will allow channel bindings and logging of the address values used during
authentication

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 02:54:47 +0000 (15:54 +1300)]
s4-ldap_server: Split gensec setup into a helper function

This makes the error handling simpler when we set more
details onto the gensec context.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 01:52:07 +0000 (14:52 +1300)]
auth: Fill in user_info->service_description from all callers

This will allow the logging code to make clear which protocol an authentication was for.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 01:18:57 +0000 (14:18 +1300)]
ntlm_auth: Set ntlm_auth as the service_description into gensec

This allows this use case to be clearly found when logged.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 01:17:34 +0000 (14:17 +1300)]
s3-auth: Pass service_description into gensec via auth_generic_prepare()

This allows the GENSEC service description to be set from the various callers
that go via this function.

The RPC service description is the name of the interface from the IDL.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 01:15:46 +0000 (14:15 +1300)]
gensec: Pass service_description into auth_usersuppliedinfo during NTLMSSP

This allows the GENSEC service description to be read at authentication time
for logging, eg that the user authenticated to the SAMR server

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 00:32:47 +0000 (13:32 +1300)]
gensec: Add gensec_{get,set}_target_service_description()

This allows a free text description of what the server-side service is for logging
purposes where the various services may be using the same Kerberos service or not
use Kerberos.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Sun, 19 Feb 2017 23:04:52 +0000 (12:04 +1300)]
s4-netlogon: Remember many more details in the auth_usersupplied info for future logs

This will allow a very verbose JSON line to be logged that others can audit from in the future

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Sun, 19 Feb 2017 23:01:37 +0000 (12:01 +1300)]
s4-smbd: Remember the original client and server IPs from the SMB connection

We need to know in the RPC server the original address the client came from
so that we can log this with the authentication audit information

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 14 Mar 2017 03:43:06 +0000 (16:43 +1300)]
auth_log: Add tests by listening for JSON messages over the message bus

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Pair-programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 16 Mar 2017 03:24:20 +0000 (16:24 +1300)]
TestBase: move insta_creds from password_lockout.py

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Mon, 20 Mar 2017 20:58:18 +0000 (09:58 +1300)]
python net: add username, oldpassword and domain to change_password

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Tue, 21 Mar 2017 03:00:38 +0000 (16:00 +1300)]
pysmb: Check for credentials using same method as pyrpc

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 21 Mar 2017 22:07:49 +0000 (11:07 +1300)]
pysmb: Extend py_smb_new to allow use_ntlmv2 and use_spnego to be set by callers

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Ralph Boehme [Sun, 12 Mar 2017 17:13:48 +0000 (18:13 +0100)]
s3/smbd: make copy chunk asynchronous

Just use SMB_VFS_PREAD_SEND/RECV and SMB_VFS_PWRITE_SEND/RECV in a
sensible loop.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 28 21:36:18 CEST 2017 on sn-devel-144

Ralph Boehme [Sun, 12 Mar 2017 16:23:09 +0000 (17:23 +0100)]
vfs_default: move check for fsp->op validity

Move the check whether fsp->op is valid out of the copy loop in
vfswrap_copy_chunk_send().

It's sufficient to check src_fsp->op and dest_fsp->op once before the
copy loop. fsp->op can only be NULL for internal opens (cf file_new()),
it's not expected to become NULL behind our backs.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 21 Mar 2017 17:34:22 +0000 (18:34 +0100)]
s3/smbd: optimize copy-chunk by merging chunks if possible

Merge chunks with adjacent ranges. This results in fewer IO requests for
the typical server-side file copy usecase: just one 16 MB copy instead
of sixteen 1 MB.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 21 Mar 2017 08:17:03 +0000 (09:17 +0100)]
s3/smbd: implement a serializing async copy-chunk loop

Later commits will make the low level copy-chunk implementation async
using a thread pool. That means the individual chunks may be scheduled
and copied out-of-order at the low level.

According to conversation with MS Dochelp, a server implementation
must process individual chunks in order.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 21 Mar 2017 07:26:37 +0000 (08:26 +0100)]
s3/smbd: move cc_copy into fsctl_srv_copychunk_state

No change in behaviour, just preparational stuff to unroll the core
copy loop.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sun, 12 Mar 2017 16:18:39 +0000 (17:18 +0100)]
vfs_default: let copy_chunk_send use const from IDL

This also increases the buffer size from 8 MB to the current value of
COPYCHUNK_MAX_TOTAL_LEN which is 16 MB.

For the typical case when vfswrap_copy_chunk_send is called from the SMB
layer for a copy_chunk ioctl() the parameter "num" is guaranteed to be
at most 1 MB though.

It will only be larger for special callers like vfs_fruit for their
special implementation of copyfile where num will be the size of a file
to copy.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Wed, 8 Mar 2017 14:07:06 +0000 (15:07 +0100)]
s3/smbd: move copychunk ioctl limits to IDL

This will be needed in the next commit in vfs_default.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Björn Baumbach [Mon, 27 Mar 2017 15:43:07 +0000 (17:43 +0200)]
tdb/tools: add documentation for the tdbbackup -n option

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 26 Mar 2017 09:02:09 +0000 (12:02 +0300)]
s3-libsmb: support rename and replace for SMB1

Add cli_smb1_rename_send() which renames a file via
setting FileRenameInformation.

Currently this path is invoked only if replacing
an existing file is requested. This is because as far
as I can see, Windows uses CIFS rename for anything below
SMB2.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 26 Mar 2017 06:14:43 +0000 (09:14 +0300)]
s3-libsmb: fail rename and replace inside cifs variant

Another refactoring step - fail request to rename and
replace existing file from within the CIFS version,
allowing the soon-to-be-added SMB version to succeed.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 26 Mar 2017 05:54:42 +0000 (08:54 +0300)]
s3-libsmb: cli_cifs_rename_send()

Pure refactoring - current rename is [MS-CIFS] - style
rename. In later patch we'll introduce [MS-SMB] rename.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 26 Mar 2017 05:10:34 +0000 (08:10 +0300)]
libcli: introduce smbXcli_conn_support_passthrough()

This routine queries the client connection whether
it supports query/set InfoLevels beyond 1000 (which,
in Windows OS, is a pass-through mechanism to the
file system).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:56:35 +0000 (23:56 +0200)]
manpages: update smbclient manpage with rename -f option

Document the -f option of the rename command.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:26:05 +0000 (23:26 +0200)]
smbclient: add -f option to rename command

This option causes the rename to request that the
destination file / directory be replaced if it exists.

Supported only in SMB2 and higher protocol.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:13:07 +0000 (23:13 +0200)]
s3: libsmb: add replace support to cli_rename()

Adds support for replacing the destination file at
the higher-level cli_rename(). This is actually supported
only by SMB2, and fails with invalid parameter with SMB1.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:02:48 +0000 (23:02 +0200)]
s3: libsmb: add replace support to SMB2 rename

SMB2 rename operation supports replacing the
destination file if it exists.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:46:17 +0000 (19:46 +0000)]
lib: Remove an unnecessary include

This comes in via samba_util.h already

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 3 Jan 2017 14:05:51 +0000 (14:05 +0000)]
lib: Remove unused winbind_get_groups and _get_sid_aliases

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 28 Mar 2017 05:10:29 +0000 (22:10 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2

Add tests for regular access.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Mar 28 17:05:27 CEST 2017 on sn-devel-144

Jeremy Allison [Tue, 28 Mar 2017 00:09:38 +0000 (17:09 -0700)]
s3: smbd: Fix "follow symlink = no" regression part 2.

Use the cwd_name parameter to reconstruct the original
client name for symlink testing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Tue, 28 Mar 2017 00:04:58 +0000 (17:04 -0700)]
s3: smbd: Fix "follow symlink = no" regression part 2.

Add an extra parameter cwd_name to check_reduced_name().

If cwd_name == NULL then fname is a client given path relative
to the root path of the share.

If cwd_name != NULL then fname is a client given path relative
to cwd_name. cwd_name is relative to the root path of the share.

Not yet used, logic added in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Tue, 28 Mar 2017 05:07:50 +0000 (22:07 -0700)]
s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no"

Use correct bash operators (not string operators).
Add missing "return".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andrew Bartlett [Tue, 14 Mar 2017 00:09:02 +0000 (13:09 +1300)]
python: Provide Python bindings for messaging.idl

This will allow AUTH_EVENT_NAME and MSG_AUTH_LOG to be accessed from python

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 28 13:19:03 CEST 2017 on sn-devel-144

Andrew Bartlett [Mon, 13 Mar 2017 23:37:15 +0000 (12:37 +1300)]
messaging: Declare well known server name auth_events as AUTH_EVENT_NAME in IDL

This makes it easy to ensure we use the same name in the python and the C

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 7 Mar 2017 02:09:38 +0000 (15:09 +1300)]
messaging.idl: Register a message type for authentication log messages

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2 years ago pymessaging: add single element tuple form of the server_id
Gary Lockyer [Thu, 16 Mar 2017 03:26:01 +0000 (16:26 +1300)]
pymessaging: add single element tuple form of the server_id

This avoids the python code needing to call getpid() internally,
while declaring a stable task_id.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years ago pymessaging: Add a hook to run the event loop, make callbacks practical
Andrew Bartlett [Mon, 13 Mar 2017 23:39:13 +0000 (12:39 +1300)]
pymessaging: Add a hook to run the event loop, make callbacks practical

These changes allow us to write a messaging server in python.

The previous ping_speed test did not actually test anything, so
we use .loop_once() to make it actually work.  To enable practical use
a context is supplied in the tuple with the callback, and the server_id
for the reply is not placed inside an additional tuple.

In order to get at the internal event context on which to loop, we
expose imessaging_context in messaging_internal.h and allow the python
bindings to use that header.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years ago server_id_db: Protect against non-0-terminated data records
Volker Lendecke [Thu, 23 Mar 2017 14:48:25 +0000 (15:48 +0100)]
server_id_db: Protect against non-0-terminated data records

Remove the failing test from knownfail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years ago selftest: Test server_id database add and removal
Andrew Bartlett [Tue, 14 Mar 2017 03:07:46 +0000 (16:07 +1300)]
selftest: Test server_id database add and removal

This tests indirectly server_id_db_lookup() and
server_id_db_prune_name(), as well as the imessaging
and the imessaging python bindings.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years ago pymessaging: Add irpc_remove_name
Andrew Bartlett [Tue, 14 Mar 2017 00:39:00 +0000 (13:39 +1300)]
pymessaging: Add irpc_remove_name

This allows tests to be indirectly added for server_id_db_lookup()
and server_id_db_prune_name()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years ago pymessaging: Add support for irpc_add_name
Andrew Bartlett [Wed, 8 Mar 2017 01:53:26 +0000 (14:53 +1300)]
pymessaging: Add support for irpc_add_name

This allows tests to be indirectly added for server_id_db_lookup()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years ago samba-tool: Ensure that samba-tool processes --name=not-existing does not error
Andrew Bartlett [Fri, 24 Mar 2017 00:07:06 +0000 (13:07 +1300)]
samba-tool: Ensure that samba-tool processes --name=not-existing does not error

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years ago selftest: Add more tests for "samba-tool processes"
Andrew Bartlett [Fri, 24 Mar 2017 00:07:23 +0000 (13:07 +1300)]
selftest: Add more tests for "samba-tool processes"

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years ago s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
Jeremy Allison [Mon, 27 Mar 2017 18:48:25 +0000 (11:48 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Mar 28 07:00:46 CEST 2017 on sn-devel-144

2 years ago s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017...
Jeremy Allison [Mon, 27 Mar 2017 17:46:47 +0000 (10:46 -0700)]
s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).

In a UNIX filesystem, the names "." and ".." by definition can *never*
be symlinks - they are already reserved names.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years ago samba_dnsupdate: Add additional debugging
Garming Sam [Sun, 26 Feb 2017 22:39:51 +0000 (11:39 +1300)]
samba_dnsupdate: Add additional debugging

Tests are still flapping, because it claims it needs a cache rebuild.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 28 00:04:54 CEST 2017 on sn-devel-144

2 years ago whitespace: remove in rootdse
Douglas Bagnall [Tue, 25 Oct 2016 20:19:13 +0000 (09:19 +1300)]
whitespace: remove in rootdse

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years ago selftest/target/Samba.pm: Remove whitespace
Douglas Bagnall [Wed, 12 Oct 2016 05:00:34 +0000 (18:00 +1300)]
selftest/target/Samba.pm: Remove whitespace

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years ago getncchanges: remove whitespace
Douglas Bagnall [Mon, 10 Oct 2016 21:12:55 +0000 (10:12 +1300)]
getncchanges: remove whitespace

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years ago wbinfo: Prevent client segfault with given EOF
Garming Sam [Mon, 27 Mar 2017 02:49:25 +0000 (15:49 +1300)]
wbinfo: Prevent client segfault with given EOF

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago selftest: Check that LDAP is available during RODC startup
Garming Sam [Mon, 27 Mar 2017 02:26:48 +0000 (15:26 +1300)]
selftest: Check that LDAP is available during RODC startup

Because the check was for RID Set, this was never done. However, this caused breakages that we've likely seen before.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago repl_secret: Error condition should sound harmless
Garming Sam [Mon, 27 Mar 2017 01:30:19 +0000 (14:30 +1300)]
repl_secret: Error condition should sound harmless

In the case it is not in the replication group, it is correct to deny
the replication to succeed.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago selftest: Add more RODC tests to avoid regressions here
Andrew Bartlett [Thu, 23 Mar 2017 23:12:43 +0000 (12:12 +1300)]
selftest: Add more RODC tests to avoid regressions here

This ensures that the RODC can authenticate users over wbinfo, normal services and SamLogon
including in particular the important need-to-be-forwarded case

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years ago repl_secret: Prevent null deref on DEBUG
Garming Sam [Tue, 21 Mar 2017 02:02:50 +0000 (15:02 +1300)]
repl_secret: Prevent null deref on DEBUG

Code path with has_get_all_changes could not be exercised until
recently.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago auth/sam: Remove lastLogonTimestamp from RODC success accounting
Garming Sam [Thu, 23 Mar 2017 03:04:04 +0000 (16:04 +1300)]
auth/sam: Remove lastLogonTimestamp from RODC success accounting

This is because it cannot be updated here (only SendToSAM) and prevents
RODC from resetting the badPwdCount (as well as lockoutTime, which needs
to be fixed to allow RODC local modification).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago heimdal: Add initializer for stack pointers
Andrew Bartlett [Mon, 20 Mar 2017 02:15:39 +0000 (15:15 +1300)]
heimdal: Add initializer for stack pointers

This helps ensure we know these are NULL until set

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years ago auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth
Andrew Bartlett [Sun, 5 Mar 2017 23:11:18 +0000 (12:11 +1300)]
auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth

So far this is only on the AD DC

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2 years ago selftest: tests for vfs_fruit file-id behavior
Uri Simchoni [Thu, 23 Mar 2017 19:32:04 +0000 (21:32 +0200)]
selftest: tests for vfs_fruit file-id behavior

The test is in its own suite because it validates
our hackish workaround rather than some reference
implementation behavior.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun Mar 26 23:31:08 CEST 2017 on sn-devel-144