samba.git
2 days agopytest/source_char: check for mixed direction text master
Douglas Bagnall [Wed, 17 Nov 2021 20:17:53 +0000 (20:17 +0000)]
pytest/source_char: check for mixed direction text

As pointed out in https://lwn.net/Articles/875964, forbidding bidi
marker characters is not always going to be enough to avoid
right-to-left vs left-to-right confusion. Consider this:

$ python -c's = "b = x  # 2 * n * m"; print(s); print(s.replace("x", "א").replace("n", "ח"))'

b = x  # 2 * n * m
b = א  # 2 * ח * m

Those two lines are semantically the same, with the Hebrew letters
"א" and "ח" replacing "x" and "n". But they look like they mean
different things.

It is not enough to say we only allow these scripts (or indeed
non-ascii) in strings and comments, as demonstrated in this example:

$ python -c's = "b = \"x#\"  #  n"; print(s); print(s.replace("x", "א").replace("n", "ח"))'

b = "x#"  #  n
b = "א#"  #  ח

where the second line is visually disordered but looks valid. Any series
of neutral characters between teo RTL characters will be reversed (and
possibly mirrored).

In practice this affects one file, which is a text file for testing
unicode normalisation.

I think, for the reasons shown above, we are unlikely to see legitimate
RTL code outside perhaps of documentation files — but if we do, we can
add those files to the allow-list.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec  3 18:53:43 UTC 2021 on sn-devel-184

2 days agosamba-tool domain backup: backup but do not follow symlinks
Douglas Bagnall [Tue, 30 Nov 2021 21:20:48 +0000 (10:20 +1300)]
samba-tool domain backup: backup but do not follow symlinks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 days agosamba-tool domain backup: cope better with dangling symlinks
Douglas Bagnall [Wed, 24 Nov 2021 20:26:54 +0000 (09:26 +1300)]
samba-tool domain backup: cope better with dangling symlinks

Our previous behaviour was to try to os.stat() the non-existent
target.

The new code greatly improves efficiency for this little task.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 days agosmbd: s3-dsgetdcname: handle num_ips == 0
Ralph Boehme [Fri, 26 Nov 2021 10:59:45 +0000 (11:59 +0100)]
smbd: s3-dsgetdcname: handle num_ips == 0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec  3 12:54:04 UTC 2021 on sn-devel-184

2 days agoCVE-2020-25717: s3-auth: fix MIT Realm regression
Ralph Boehme [Fri, 26 Nov 2021 09:57:17 +0000 (10:57 +0100)]
CVE-2020-25717: s3-auth: fix MIT Realm regression

This looks like a regression introduced by the recent security fixes. This
commit should hopefully fixes it.

As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identical, but it might work in the standalone server case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922

Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2 days agodsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
Andrew Bartlett [Thu, 11 Nov 2021 23:44:44 +0000 (12:44 +1300)]
dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object

This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 days agolibcli:auth: Allow to connect to netlogon server offering only AES
Andreas Schneider [Thu, 18 Nov 2021 12:46:26 +0000 (13:46 +0100)]
libcli:auth: Allow to connect to netlogon server offering only AES

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec  2 14:49:35 UTC 2021 on sn-devel-184

3 days agos3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
Günther Deschner [Thu, 18 Nov 2021 10:52:18 +0000 (11:52 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 days agos3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()
Andreas Schneider [Thu, 18 Nov 2021 10:47:26 +0000 (11:47 +0100)]
s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 days agos3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()
Günther Deschner [Thu, 18 Nov 2021 10:43:08 +0000 (11:43 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 days agos3:libsmb: Remove trailing white spaces from passchange.c
Andreas Schneider [Wed, 24 Nov 2021 12:21:28 +0000 (13:21 +0100)]
s3:libsmb: Remove trailing white spaces from passchange.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 days agos3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()
Günther Deschner [Thu, 18 Nov 2021 10:31:00 +0000 (11:31 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 days agos3:libnet: Remove tailing whitespaces in libnet_join.c
Andreas Schneider [Thu, 18 Nov 2021 10:38:42 +0000 (11:38 +0100)]
s3:libnet: Remove tailing whitespaces in libnet_join.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 days agos3:rpcclient: Remove trailing white spaces in rpcclient.c
Andreas Schneider [Thu, 18 Nov 2021 10:32:42 +0000 (11:32 +0100)]
s3:rpcclient: Remove trailing white spaces in rpcclient.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 days agos3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()
Günther Deschner [Thu, 18 Nov 2021 10:18:59 +0000 (11:18 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 days agos3:rpc_client: Remove trailing white spaces from cli_pipe.c
Andreas Schneider [Thu, 18 Nov 2021 10:14:16 +0000 (11:14 +0100)]
s3:rpc_client: Remove trailing white spaces from cli_pipe.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 days agotestprogs: Add rpcclient schannel tests
Andreas Schneider [Wed, 17 Nov 2021 10:46:04 +0000 (11:46 +0100)]
testprogs: Add rpcclient schannel tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 days agosmb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTE...
Stefan Metzmacher [Wed, 15 Sep 2021 17:29:40 +0000 (19:29 +0200)]
smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO

We should not fail this just because the user doesn't have
permissions on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Dec  1 11:51:50 UTC 2021 on sn-devel-184

4 days agos4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO should work on noperm share
Stefan Metzmacher [Mon, 29 Nov 2021 18:56:20 +0000 (19:56 +0100)]
s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO should work on noperm share

Demonstrate that smbd fails FSCTL_QUERY_NETWORK_INTERFACE_INFO
only because the user doesn't have permissions on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 days agosmb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids
Stefan Metzmacher [Wed, 15 Sep 2021 18:27:12 +0000 (20:27 +0200)]
smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids

smbd_smb2_request_process_ioctl() already detailed checks for file_ids,
which not reached before.

.allow_invalid_fileid = true was only used for SMB2_OP_IOCTL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 days agos4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO gives INVALID_PARAMETER with...
Stefan Metzmacher [Mon, 29 Nov 2021 18:56:20 +0000 (19:56 +0100)]
s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO gives INVALID_PARAMETER with invalid file ids

An invalid file id for FSCTL_QUERY_NETWORK_INTERFACE_INFO gives
INVALID_PARAMETER instead of FILE_CLOSED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 days agosmb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()
Stefan Metzmacher [Wed, 15 Sep 2021 18:26:58 +0000 (20:26 +0200)]
smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()

We should not send more data than the client requested.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 days agos4:torture/smb2: test FSCTL_QUERY_NETWORK_INTERFACE_INFO with BUFFER_TOO_SMALL
Stefan Metzmacher [Mon, 29 Nov 2021 18:44:12 +0000 (19:44 +0100)]
s4:torture/smb2: test FSCTL_QUERY_NETWORK_INTERFACE_INFO with BUFFER_TOO_SMALL

It seems that we currently don't have BUFFER_TOO_SMALL handling
for FSCTL/IOCTL calls.

FSCTL_QUERY_NETWORK_INTERFACE_INFO is just an easy example
to demonstrate it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 days agosmb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE...
Stefan Metzmacher [Mon, 16 Aug 2021 15:28:05 +0000 (17:28 +0200)]
smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO

We should not fail this just because the user doesn't have permissions
on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 days agosmb2_server: decouple IOCTL check from signing/encryption states
Stefan Metzmacher [Wed, 15 Sep 2021 15:25:53 +0000 (17:25 +0200)]
smb2_server: decouple IOCTL check from signing/encryption states

There's no reason to handle FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT
differently if signing/encryption is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 days agosmb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes
Stefan Metzmacher [Wed, 15 Sep 2021 15:22:39 +0000 (17:22 +0200)]
smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 days agos4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE
Stefan Metzmacher [Wed, 15 Sep 2021 16:31:06 +0000 (18:31 +0200)]
s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE

Demonstrate that smbd fails FSCTL_VALIDATE_NEGOTIATE_INFO
only because the user doesn't have permissions on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 days agolibcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*
Stefan Metzmacher [Thu, 16 Sep 2021 08:51:43 +0000 (10:51 +0200)]
libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*

This will be used in tests in order to separate the tcon from
validate_negotiate_info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
5 days agoheimdal_build: Remove memset_s from roken, already in libreplace
Andrew Bartlett [Thu, 20 Dec 2018 03:24:28 +0000 (16:24 +1300)]
heimdal_build: Remove memset_s from roken, already in libreplace

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Nov 30 19:18:59 UTC 2021 on sn-devel-184

5 days agoheimdal_build: Use HAVE___ATTRIBUTE__ for unused, noreturn and unused_result
Gary Lockyer [Thu, 28 Sep 2017 21:22:20 +0000 (10:22 +1300)]
heimdal_build: Use HAVE___ATTRIBUTE__ for unused, noreturn and unused_result

[abartlet@samba.org Squashed with TODO commit from Gary that provided
 HEIMDAL_UNUSED_ATTRIBUTE etc]

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agoheimdal_build: Do not list hx509 files twice
Andrew Bartlett [Tue, 23 Nov 2021 22:49:37 +0000 (11:49 +1300)]
heimdal_build: Do not list hx509 files twice

This makes maintaining the file lists easier.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
5 days agoAllow overflow in lib/hx509.c and lib/gssapi/mech/gss_inquire_cred.c
Andrew Bartlett [Wed, 7 Jul 2021 03:23:17 +0000 (15:23 +1200)]
Allow overflow in lib/hx509.c and lib/gssapi/mech/gss_inquire_cred.c

This is in preperation for the Heimdal upgrade (which otherwise
can be compiled with stricter flags).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
5 days agoheimdal_build: Allow errors integer overflow errors in gen.c (only)
Andrew Bartlett [Tue, 6 Jul 2021 00:26:17 +0000 (12:26 +1200)]
heimdal_build: Allow errors integer overflow errors in gen.c (only)

This is in preperation for the Heimdal upgrade.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
5 days agoheimdal_build: consistently pass extra_cflags=cflags to HEIMDAL_CFLAGS()
Stefan Metzmacher [Tue, 30 Nov 2021 16:03:06 +0000 (17:03 +0100)]
heimdal_build: consistently pass extra_cflags=cflags to HEIMDAL_CFLAGS()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agos4:samba: split out a samba_service_init() helper function
Stefan Metzmacher [Fri, 27 Aug 2021 11:06:00 +0000 (13:06 +0200)]
s4:samba: split out a samba_service_init() helper function

The loading function should be in the same SAMBA_LIBRARY()
as the modules.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Nov 30 16:44:57 UTC 2021 on sn-devel-184

5 days agovfs_not_implemented: mark all functions with _PUBLIC_
Stefan Metzmacher [Fri, 27 Aug 2021 11:10:41 +0000 (13:10 +0200)]
vfs_not_implemented: mark all functions with _PUBLIC_

These functions are used directly by other modules.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agoscript/autobuild.py: make sure nss, pam and krb5 plugins don't provide unexpected...
Stefan Metzmacher [Mon, 23 Aug 2021 12:56:15 +0000 (12:56 +0000)]
script/autobuild.py: make sure nss, pam and krb5 plugins don't provide unexpected symbols

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agoscript/autobuild.py: make sure nss and pam plugins don't link any samba libraries
Stefan Metzmacher [Mon, 23 Aug 2021 12:56:15 +0000 (12:56 +0000)]
script/autobuild.py: make sure nss and pam plugins don't link any samba libraries

Note that we exclude libtalloc.so.2 in pam_winbind.so as that simulates
a system libtalloc.so.2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agonsswitch: reduce dependecies to private libraries and link static/builtin if possible
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: reduce dependecies to private libraries and link static/builtin if possible

Over the last month I got more and more reports,
that it's not possible to use a custom Samba version
on systems with sssd being installed, which depends on some
specific samba libraries installed in the system.

One major problem is that the custom libnss_winbind.so.2
depends on the libreplace-samba4.so of the custom build
and also injects an RPATH into the running process.
When sssd uses any nss library call it will get this,
when it then tries to load some of its plugins via dlopen(),
e.g.

ldd /usr/lib64/sssd/libsss_ad.so| grep samba

   libsamba-util.so.0 => /lib64/libsamba-util.so.0
   libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so
   libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so
   libsamba-errors.so.1 => /lib64/libsamba-errors.so.1
   libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so
   libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so
   libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so
   libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so
   libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so
   libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so

When that loads dlopen() will fail as a soname libreplace-samba4.so is
already loaded, but the symbol version within the other one don't match, as the
contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3.

This is just an example and similar things can happen in all situations
where we provide libraries, which are potentially injected into every
process of the running system. These should only depend on libc.so and
related basic system libraries in order to avoid the problem.

We have the following libraries, which are in the that category:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
- async_dns_krb5_locator.so

The rules of library loading are really complex and symbol versioning
is not enough to solve it, only the combination of unique soname and
unique symbol version suffix seem to solve the problem, but injecting
an RPATH is still a problem.

In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM()
definitions with 'hide_symbols=True' in order to do some static linking
of selected components, e.g.

   bld.SAMBA_SUBSYSTEM('replace-hidden',
                       source=REPLACE_SOURCE,
                       group='base_libraries',
                       hide_symbols=True,
                       deps='dl attr' + extra_libs)

It's relatively simple to get to the point where the following are
completely static:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so

But 'async_dns_krb5_locator.so' links in almost everything!
It seems we install the krb5 plugins into our own $MODULESDIR/krb5/,
so it may not be so critical, as long it's the admin who created
the desired symlinks into the location the kerberos libraries search
for plugins. Note the at least the locator plugins are always loaded
without any configuration, every .so in a special path are loaded with dlopen().
This is done by every application using kerberos, so we load a lot of samba libraries
into them.

Packagers should not put async_dns_krb5_locator.so (nor a symlink) into
the path that's reachable by libkrb5.so.

As a longterm solution we may want to change async_dns_krb5_locator.so
to use a helper process with posix_spawn() instead of doing everything
within the process.

Note I added hiden_symbols=True to the nss modules for Linux and
FreeBSD only, because these are the only platforms I'm able to test
on. We most likely should do the same on other platforms, but some
with access to the platform should provide a tested patch.

In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with
'-hidden', I added the 'provide_builtin_linking=True' option,
as the logic is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.

SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal depedency by other subsystems and libraries.

While being there it was easy enough to make libwbclient.so
also standalone without dependecies to other samba libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agolib/replace: use dlsym(RTLD_DEFAULT,) for {nss,nss_host,uid,socket}_wrapper_enabled()
Stefan Metzmacher [Thu, 5 Aug 2021 16:03:14 +0000 (18:03 +0200)]
lib/replace: use dlsym(RTLD_DEFAULT,) for {nss,nss_host,uid,socket}_wrapper_enabled()

We should not provide the symbols ourself instead we should just check
if they are already available when we want to check the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agonsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_
Stefan Metzmacher [Tue, 12 Oct 2021 12:30:09 +0000 (14:30 +0200)]
nsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_

Some private functions from wbclient_internal.h already
leaked into the ABI. With hide_symbols=True we make sure
this doesn't happen again.

Having wbcRequestResponse[Priv]() as part of the ABI helps us
in order to hide winbindd_[priv_]request_response() soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agonsswitch: explicitly mark nss_module_register() _PUBLIC_ on FreeBSD
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark nss_module_register() _PUBLIC_ on FreeBSD

This is the only symbol which is used via dlopen()/dlsym() and
needs to be exported, in future we'll do hide all other symbols.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agonsswitch: explicitly mark NSS_STATUS _nss_winbind_* symbols as _PUBLIC_ on Linux
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark NSS_STATUS _nss_winbind_* symbols as _PUBLIC_ on Linux

The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll do hide all other symbols.

On other platforms, which are implemented as wrappers above the
Linux implementation, we mark the symbols as _PRIVATE_

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agonsswitch: explicitly mark PAM_EXTERN pam_sm_* symbols as _PUBLIC_
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark PAM_EXTERN pam_sm_* symbols as _PUBLIC_

The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll do hide all other symbols.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agonsswitch: explicitly mark magic krb5 plugin symbols as _PUBLIC_
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark magic krb5 plugin symbols as _PUBLIC_

The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll do hide all other symbols.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agonsswitch/wbinfo: use wbcRequestResponse() instead of winbindd_request_response()
Stefan Metzmacher [Mon, 22 Nov 2021 16:59:48 +0000 (17:59 +0100)]
nsswitch/wbinfo: use wbcRequestResponse() instead of winbindd_request_response()

We should try to route everything through libwbclient.so, because we'll
soon don't have a single library providing winbindd_request_response().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agonsswitch: move winbindd_free_response() as inline function to winbind_struct_protocol.h
Stefan Metzmacher [Mon, 22 Nov 2021 17:11:27 +0000 (18:11 +0100)]
nsswitch: move winbindd_free_response() as inline function to winbind_struct_protocol.h

nsswitch/wb_common.c will be made completely internal soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agos4:torture/winbind: use wbcRequestResponse() instead of winbindd_request_response()
Stefan Metzmacher [Mon, 22 Nov 2021 16:59:48 +0000 (17:59 +0100)]
s4:torture/winbind: use wbcRequestResponse() instead of winbindd_request_response()

We should try to route everything through libwbclient.so, because we'll
soon don't have a single library providing winbindd_request_response().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agos3:ntlm_auth: use wbcRequestResponse[Priv]() instead of winbindd_request_response()
Stefan Metzmacher [Mon, 22 Nov 2021 16:59:48 +0000 (17:59 +0100)]
s3:ntlm_auth: use wbcRequestResponse[Priv]() instead of winbindd_request_response()

We should try to route everything through libwbclient.so, because we'll
soon don't have a single library providing winbindd_request_response().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agos3:utils: remove notify_msg.c from smbstatus sources
Stefan Metzmacher [Fri, 26 Nov 2021 00:39:40 +0000 (01:39 +0100)]
s3:utils: remove notify_msg.c from smbstatus sources

This is not needed for smbstatus and the symbols are also available
via 'smbd_base', which already contains notify_msg.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agolibwbclient: fix strict-overflow warning in wbcSidToString()
Stefan Metzmacher [Wed, 4 Aug 2021 16:03:13 +0000 (18:03 +0200)]
libwbclient: fix strict-overflow warning in wbcSidToString()

../../nsswitch/libwbclient/wbc_sid.c:83:5: error: assuming signed overflow does not occur when simplifying conditional [-Werror=strict-overflow]
  if (len+1 > sizeof(buf)) {
     ^

Even this would fail:
../../nsswitch/libwbclient/wbc_sid.c:83:5: error: assuming signed overflow does not occur when simplifying conditional [-Werror=strict-overflow]
  if (len >= sizeof(buf)) {
     ^

Note that this only seems to happen with gcc 7 and when -O3 and
-fvisibility=hidden are used together. E.g. in the opensuse151-samba-o3
builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agoheimdal_build: let HEIMDAL_LIBRARY() use SAMBA_LIBRARY()
Stefan Metzmacher [Wed, 18 Aug 2021 15:55:25 +0000 (17:55 +0200)]
heimdal_build: let HEIMDAL_LIBRARY() use SAMBA_LIBRARY()

This simplifies a lot and makes sure we always use the
same rules for private libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agoheimdal_build: avoid using hardcoded vnum values passed to HEIMDAL_LIBRARY()
Stefan Metzmacher [Wed, 18 Aug 2021 13:47:33 +0000 (15:47 +0200)]
heimdal_build: avoid using hardcoded vnum values passed to HEIMDAL_LIBRARY()

For private libraries we don't want versioned sonames,
it's also pointless to use the upstream heimdal vnum values
for our private libraries as the soname is different anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agoheimdal_build: remove unused cflags argument of HEIMDAL_LIBRARY()
Stefan Metzmacher [Wed, 18 Aug 2021 13:47:33 +0000 (15:47 +0200)]
heimdal_build: remove unused cflags argument of HEIMDAL_LIBRARY()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: allow SAMBA_LIBRARY() to get and use original 'version-script.map' for...
Stefan Metzmacher [Wed, 18 Aug 2021 15:34:09 +0000 (17:34 +0200)]
wafsamba: allow SAMBA_LIBRARY() to get and use original 'version-script.map' for private libraries

We'll soon use this for the internal Heimdal build and take the raw
version-script.map files in order to create our own .vscript file
with our private version suffix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: introduce SAMBA[3]_PLUGIN()
Stefan Metzmacher [Fri, 20 Aug 2021 21:05:57 +0000 (23:05 +0200)]
wafsamba: introduce SAMBA[3]_PLUGIN()

This will be used to define plugins we provide to be used
via dbopen/dlsym to external consumers.

SAMBA_PLUGIN() is used instead of SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal depedency by other subsystems and libraries.

With require_builtin_deps=True we make sure that only
symbols explicitly marked with _PUBLIC_ are exported
and we only link to system libraries and include all
internal depedencies as builtin subsystems.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: introduce require_builtin_deps/provide_builtin_linking/builtin_cflags to...
Stefan Metzmacher [Thu, 19 Aug 2021 15:31:24 +0000 (17:31 +0200)]
wafsamba: introduce require_builtin_deps/provide_builtin_linking/builtin_cflags to SAMBA_{SUBSYSTEM,LIBRARY}

The 'provide_builtin_linking=True' option that allows wscript files
to specify that a SAMBA_{SUBSYSTEM,LIBRARY} will also create a
builtin version of them in addition.

The logic behind this is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.

This avoids the need for manual definitions of SAMBA_SUBSYSTEMS() with
like this:

   bld.SAMBA_SUBSYSTEM('replace-hidden',
                       source=REPLACE_SOURCE,
                       group='base_libraries',
                       hide_symbols=True,
                       deps='dl attr' + extra_libs)

The builtin version will also make sure that it will include all
dependecies (of internal code) also in the builtin variant.
Note that this is also possible if the dependency also
provided 'provide_builtin_linking=True' in order to limit
the scope.

We now imply '-D_PUBLIC_=_PRIVATE_' and 'hide_symbols=True' for
builtin libraries and subsystems in order to avoid exporting
the symbols of them.

With 'require_builtin_deps=True' a library can specify that it
is only able to use libraries/subsystems marked with
provide_builtin_linking=True. As a result it won't
link against any other SAMBA_LIBRARY() dependency,
but link in everything internal. Only system libraries
still get linked dynamically.

Use 'git show -w' to see a reduced diff.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: let reduce_objects() not remove duplicates of BUILTINS even if there are...
Stefan Metzmacher [Fri, 20 Aug 2021 14:25:02 +0000 (16:25 +0200)]
wafsamba: let reduce_objects() not remove duplicates of BUILTINS even if there are more than one

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: add SAMBA_SUBSYSTEM(force_empty=False)
Stefan Metzmacher [Fri, 20 Aug 2021 12:27:17 +0000 (12:27 +0000)]
wafsamba: add SAMBA_SUBSYSTEM(force_empty=False)

We will need to define empty subsystems without any dependency.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: assert for *.sigs source files in abi_build_vscript()
Stefan Metzmacher [Wed, 18 Aug 2021 15:20:12 +0000 (17:20 +0200)]
wafsamba: assert for *.sigs source files in abi_build_vscript()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: the symbol version string of private libraries should be based on the tople...
Stefan Metzmacher [Thu, 1 Jul 2021 13:29:46 +0000 (15:29 +0200)]
wafsamba: the symbol version string of private libraries should be based on the toplevel project

If we build a private library all symbols should be made private based
on a unique suffix.

When we use a unique soname and a unique symbol version suffix it's very unlikely
to hit conflicts due to inherited libraries.

For the abi checking we still use the original vnum as abi_vnum.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: use private extentions also for bundled public libraries
Stefan Metzmacher [Fri, 13 Aug 2021 13:16:59 +0000 (15:16 +0200)]
wafsamba: use private extentions also for bundled public libraries

Playing tricks with redefining libraries, which may also be installed in
the system with the same version, isn't really a good thing.
It may work in some cases, but there are so many things which may go
wrong. So if we build a library as private/bundled library we should
change the soname of the library.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: remove unused private_library argument of PRIVATE_NAME()
Stefan Metzmacher [Fri, 13 Aug 2021 13:14:01 +0000 (15:14 +0200)]
wafsamba: remove unused private_library argument of PRIVATE_NAME()

The only caller asserts that private_library is True.

Use: git show -U5

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: SAMBA_GENERATOR() should not alter the callers dep_vars
Stefan Metzmacher [Wed, 18 Aug 2021 15:54:31 +0000 (17:54 +0200)]
wafsamba: SAMBA_GENERATOR() should not alter the callers dep_vars

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: fix '--private-libraries' option when using 'ALL,!something'
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:11 +0000 (12:08 +0200)]
wafsamba: fix '--private-libraries' option when using 'ALL,!something'

We already had the desired logic in LIB_MUST_BE_BUNDLED(), so we can
just reuse it in LIB_MUST_BE_PRIVATE().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agowafsamba: mark SAMBA_MODULE() with private_library=True
Stefan Metzmacher [Fri, 27 Aug 2021 10:39:01 +0000 (12:39 +0200)]
wafsamba: mark SAMBA_MODULE() with private_library=True

Symbols from modules should have a symbol versioning tag of the
current version.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agoscript/autobuild.py: fix "nondevel" builds of 'samba-libs'
Stefan Metzmacher [Fri, 20 Aug 2021 09:21:13 +0000 (09:21 +0000)]
script/autobuild.py: fix "nondevel" builds of 'samba-libs'

Commit 3e6af7109eb9d49328b426095580e4bfb2338ceb removed environment
variables like PKG_CONFIG_PATH from the configure run, so we no longer
tested a build against the shared libraries we build before.

We also assert that we no longer build private libraries

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 days agokdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
Joseph Sutton [Wed, 24 Nov 2021 07:41:54 +0000 (20:41 +1300)]
kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184

5 days agoheimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
Joseph Sutton [Tue, 23 Nov 2021 06:38:35 +0000 (19:38 +1300)]
heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket

Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but
when generating a service ticket for S4U2Self, we want to avoid adding
the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agoselftest: Properly check extra PAC buffers with Heimdal
Joseph Sutton [Wed, 24 Nov 2021 20:29:42 +0000 (09:29 +1300)]
selftest: Properly check extra PAC buffers with Heimdal

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agoheimdal:kdc: Always generate a PAC for S4U2Self
Joseph Sutton [Tue, 23 Nov 2021 04:30:50 +0000 (17:30 +1300)]
heimdal:kdc: Always generate a PAC for S4U2Self

If we decided not to put a PAC into the ticket, mspac would be NULL
here, and the resulting ticket would not contain a PAC. This could
happen if there was a request to omit the PAC or the service did not
require authorization data. Ensure that we always generate a PAC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Add a test for S4U2Self with no authorization data required
Joseph Sutton [Wed, 24 Nov 2021 23:46:40 +0000 (12:46 +1300)]
tests/krb5: Add a test for S4U2Self with no authorization data required

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agokdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
Joseph Sutton [Wed, 24 Nov 2021 21:53:49 +0000 (10:53 +1300)]
kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets

Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
presented with an RODC-issued TGT. By removing this PAC buffer from
RODC-issued tickets, we ensure that an RODC-issued ticket will still
result in a PAC if it is first renewed or validated by the main DC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agokdc: Don't include extra PAC buffers in service tickets
Joseph Sutton [Wed, 24 Nov 2021 07:42:22 +0000 (20:42 +1300)]
kdc: Don't include extra PAC buffers in service tickets

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agoRevert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
Joseph Sutton [Thu, 25 Nov 2021 00:24:57 +0000 (13:24 +1300)]
Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"

This reverts commit fa4c9bcefdeed0a7106aab84df20b02435febc1f.

We should not be generating these additional PAC buffers for service
tickets, only for TGTs.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
Joseph Sutton [Wed, 24 Nov 2021 21:32:44 +0000 (10:32 +1300)]
tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agokdc: Always add the PAC if the header TGT is from an RODC
Joseph Sutton [Tue, 23 Nov 2021 07:15:41 +0000 (20:15 +1300)]
kdc: Always add the PAC if the header TGT is from an RODC

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agokdc: Match Windows error code for mismatching sname
Joseph Sutton [Tue, 23 Nov 2021 07:00:07 +0000 (20:00 +1300)]
kdc: Match Windows error code for mismatching sname

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Add test for S4U2Self with wrong sname
Joseph Sutton [Wed, 24 Nov 2021 21:05:17 +0000 (10:05 +1300)]
tests/krb5: Add test for S4U2Self with wrong sname

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agokdc: Adjust SID mismatch error code to match Windows
Joseph Sutton [Wed, 24 Nov 2021 07:41:45 +0000 (20:41 +1300)]
kdc: Adjust SID mismatch error code to match Windows

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agoheimdal:kdc: Adjust no-PAC error code to match Windows
Joseph Sutton [Wed, 24 Nov 2021 07:41:34 +0000 (20:41 +1300)]
heimdal:kdc: Adjust no-PAC error code to match Windows

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agos4:torture: Fix typo
Joseph Sutton [Thu, 18 Nov 2021 03:22:34 +0000 (16:22 +1300)]
s4:torture: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agoheimdal:kdc: Fix error message for user-to-user
Joseph Sutton [Thu, 18 Nov 2021 00:14:51 +0000 (13:14 +1300)]
heimdal:kdc: Fix error message for user-to-user

We were checking the wrong variable to see whether a PAC was found or not.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Add comments for tests that fail against Windows
Joseph Sutton [Wed, 24 Nov 2021 02:32:32 +0000 (15:32 +1300)]
tests/krb5: Add comments for tests that fail against Windows

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Add tests for validation with requester SID PAC buffer
Joseph Sutton [Wed, 24 Nov 2021 00:10:52 +0000 (13:10 +1300)]
tests/krb5: Add tests for validation with requester SID PAC buffer

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestor...
Joseph Sutton [Tue, 23 Nov 2021 23:37:08 +0000 (12:37 +1300)]
tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2

We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that
these checks are currently not enforced, which avoids a lot of test
failures.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Add TGS-REQ tests with FAST
Joseph Sutton [Tue, 23 Nov 2021 23:09:18 +0000 (12:09 +1300)]
tests/krb5: Add TGS-REQ tests with FAST

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Add tests for TGS requests with a non-TGT
Joseph Sutton [Tue, 23 Nov 2021 23:10:45 +0000 (12:10 +1300)]
tests/krb5: Add tests for TGS requests with a non-TGT

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Add tests for invalid TGTs
Joseph Sutton [Mon, 29 Nov 2021 20:26:40 +0000 (09:26 +1300)]
tests/krb5: Add tests for invalid TGTs

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Remove unnecessary expect_pac arguments
Joseph Sutton [Tue, 23 Nov 2021 23:04:36 +0000 (12:04 +1300)]
tests/krb5: Remove unnecessary expect_pac arguments

The value of expect_pac is not considered if we are expecting an error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
Joseph Sutton [Tue, 23 Nov 2021 22:52:31 +0000 (11:52 +1300)]
tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Split out methods to create renewable or invalid tickets
Joseph Sutton [Tue, 23 Nov 2021 22:40:35 +0000 (11:40 +1300)]
tests/krb5: Split out methods to create renewable or invalid tickets

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Allow PasswordKey_create() to use s2kparams
Joseph Sutton [Tue, 23 Nov 2021 22:37:35 +0000 (11:37 +1300)]
tests/krb5: Allow PasswordKey_create() to use s2kparams

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Run test_rpc against member server
Joseph Sutton [Wed, 24 Nov 2021 03:02:00 +0000 (16:02 +1300)]
tests/krb5: Run test_rpc against member server

We were instead always running against the DC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Deduplicate AS-REQ tests
Joseph Sutton [Tue, 23 Nov 2021 22:34:11 +0000 (11:34 +1300)]
tests/krb5: Deduplicate AS-REQ tests

salt_tests was running the tests defined in the base class as well as
its own tests.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agotests/krb5: Remove unused variable
Joseph Sutton [Tue, 23 Nov 2021 22:53:18 +0000 (11:53 +1300)]
tests/krb5: Remove unused variable

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 days agoselftest: Check received LDB error code when STRICT_CHECKING=0
Joseph Sutton [Tue, 23 Nov 2021 22:30:38 +0000 (11:30 +1300)]
selftest: Check received LDB error code when STRICT_CHECKING=0

We were instead only checking the expected error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 days agos3:winbind: Fix possible NULL pointer dereference
Andreas Schneider [Tue, 23 Nov 2021 14:48:57 +0000 (15:48 +0100)]
s3:winbind: Fix possible NULL pointer dereference

BUG: https://bugzilla.redhat.com/show_bug.cgi?id=2019888

Signed-off-by: Andreas Schneider <asn@samba.org>
Rewiewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 29 19:40:50 UTC 2021 on sn-devel-184

6 days agos4:mit-kdb: Force canonicalization for looking up principals
Isaac Boukris [Sat, 19 Sep 2020 12:16:20 +0000 (14:16 +0200)]
s4:mit-kdb: Force canonicalization for looking up principals

See also
https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184

6 days agos4:kdc: Remove trailing spaces in db-glue.c
Andreas Schneider [Tue, 19 Oct 2021 07:59:54 +0000 (09:59 +0200)]
s4:kdc: Remove trailing spaces in db-glue.c

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>