Jeremy Allison [Mon, 27 Mar 2017 18:48:25 +0000 (11:48 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Mar 28 07:00:46 CEST 2017 on sn-devel-144
Jeremy Allison [Mon, 27 Mar 2017 17:46:47 +0000 (10:46 -0700)]
s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).
In a UNIX filesystem, the names "." and ".." by definition can *never*
be symlinks - they are already reserved names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Garming Sam [Sun, 26 Feb 2017 22:39:51 +0000 (11:39 +1300)]
samba_dnsupdate: Add additional debugging
Tests are still flapping, because it claims it needs a cache rebuild.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 28 00:04:54 CEST 2017 on sn-devel-144
Douglas Bagnall [Tue, 25 Oct 2016 20:19:13 +0000 (09:19 +1300)]
whitespace: remove in rootdse
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Douglas Bagnall [Wed, 12 Oct 2016 05:00:34 +0000 (18:00 +1300)]
selftest/target/Samba.pm: Remove whitespace
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Douglas Bagnall [Mon, 10 Oct 2016 21:12:55 +0000 (10:12 +1300)]
getncchanges: remove whitespace
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Mon, 27 Mar 2017 02:49:25 +0000 (15:49 +1300)]
wbinfo: Prevent client segfault with given EOF
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Mon, 27 Mar 2017 02:26:48 +0000 (15:26 +1300)]
selftest: Check that LDAP is available during RODC startup
Because the check was for RID Set, this was never done. However, this caused breakages that we've likely seen before.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Mon, 27 Mar 2017 01:30:19 +0000 (14:30 +1300)]
repl_secret: Error condition should sound harmless
In the case it is not in the replication group, it it correct to deny
the replication to succeed.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 23 Mar 2017 23:12:43 +0000 (12:12 +1300)]
selftest: Add more RODC tests to avoid regressions here
This ensures that the RODC can authenticatate users over wbinfo, normal services and SamLogon
including in particular the important need-to-be-forwarded case
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Tue, 21 Mar 2017 02:02:50 +0000 (15:02 +1300)]
repl_secret: Prevent null deref on DEBUG
Code path with has_get_all_changes could not be exercised until
recently.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 23 Mar 2017 03:04:04 +0000 (16:04 +1300)]
auth/sam: Remove lastLogonTimestamp from RODC success accounting
This is because it cannot be updated here (only SendToSAM) and prevents
RODC from resetting the badPwdCount (as well as lockoutTime, which needs
to be fixed to allow RODC local modification).
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 20 Mar 2017 02:15:39 +0000 (15:15 +1300)]
heimdal: Add initializer for stack pointers
This helps ensure we know these are NULL until set
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Sun, 5 Mar 2017 23:11:18 +0000 (12:11 +1300)]
auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth
So far this is only on the AD DC
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Uri Simchoni [Thu, 23 Mar 2017 19:32:04 +0000 (21:32 +0200)]
selftest: tests for vfs_fruite file-id behavior
The test is in its own suite because it validates
our hackish workaround rather than some reference
implementation behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun Mar 26 23:31:08 CEST 2017 on sn-devel-144
Uri Simchoni [Thu, 23 Mar 2017 19:30:50 +0000 (21:30 +0200)]
torture: add torture_assert_mem_not_equal_goto()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Uri Simchoni [Thu, 23 Mar 2017 12:51:32 +0000 (14:51 +0200)]
vfs_fruit: document added zero_file_id parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Uri Simchoni [Thu, 23 Mar 2017 12:08:45 +0000 (14:08 +0200)]
vfs_fruit: enable zero file id
Enable zero_file_id if both conditions are met:
- AAPL negotiated
- fruit:zero_file_id is set
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Uri Simchoni [Thu, 23 Mar 2017 12:08:26 +0000 (14:08 +0200)]
smbd: add zero_file_id flag
This flag instructs the SMB layer to report a zero on-disk
file identifier.
According to [MS-SMB2] 3.3.5.9.9, the reported on-disk file ID
SHOULD be unique. However, macOS clients seem to expect it to be
unique over time as well, like the HFS+ CNID. Reporting a file ID
of 0 seems to instruct the Mac client not to trust the server-reported
file ID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Thu, 23 Mar 2017 16:06:27 +0000 (09:06 -0700)]
WHATSNEW: Document "strict sync" default change.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 25 04:41:19 CET 2017 on sn-devel-144
Jeremy Allison [Thu, 23 Mar 2017 02:22:31 +0000 (19:22 -0700)]
s3: smbd: Change "strict sync" paramter from "no" to "yes" for 4.7.0.
Document change and modify in loadparm.c.
Safer default for new installs and vendors.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Stefan Metzmacher [Thu, 23 Mar 2017 14:19:20 +0000 (15:19 +0100)]
Revert "selftest: temporary skip samba.blackbox.pdbtest.s4winbind"
This works again now...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 24 15:50:22 CET 2017 on sn-devel-144
Stefan Metzmacher [Thu, 23 Mar 2017 14:13:54 +0000 (15:13 +0100)]
s4:selftest: specify auth methods of pdbtests without 'samba4:' prefix
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 22 Mar 2017 08:50:13 +0000 (09:50 +0100)]
auth4: implement the deprecated 'auth methods' in auth_methods_from_lp()
This might be used to explicitly configure the old auth methods list
from Samba 4.6 and older, if required:
"auth methods = anonymous sam_ignoredomain"
But this option will be removed again in future releases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 23 Mar 2017 11:54:40 +0000 (12:54 +0100)]
auth3: handle ROLE_ACTIVE_DIRECTORY_DC before lp_auth_methods() in make_auth_context_subsystem()
"auth methods" never works as AD DC at all, so there's not really a change.
This allows us to implement "auth methods" (temporary) for the auth4 stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 23 Mar 2017 14:15:45 +0000 (15:15 +0100)]
selftest: temporary skip samba.blackbox.pdbtest.s4winbind
This will reenabled in a few commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 13:54:16 +0000 (14:54 +0100)]
auth4: reflect the reality and use "winbind_rodc" instead of "winbind" for the auth methods as AD_DC
Currently we always map any incoming domain to our own domain
in map_user_info_cracknames(), so that the winbind module is never
used at all, e.g. we're DC of W4EDOM-L4.BASE with a forest trust to W2012R2-L4.BASE:
[2017/03/22 10:09:54.268472, 3, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [W2012R2-L4]\[administrator]@[UB1404-163]
[2017/03/22 10:09:54.268496, 5, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
map_user_info_cracknames: Mapping user [W2012R2-L4]\[administrator] from workstation [UB1404-163]
auth_check_password_send: mapped user is: [W4EDOM-L4]\[administrator]@[UB1404-163]
That means the only condition in which "sam_ignoredomain" returns
NT_STATUS_NOT_IMPLEMENTED is the RODC case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 23 Mar 2017 10:57:49 +0000 (11:57 +0100)]
auth4: add a "winbind_rodc" backend
This is only active on a RODC.
The background for this is that we currently only ever
call the "winbind" module when we're an RODC,
otherwise everything is catched by "sam_ignoredomain" before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 21 Mar 2017 07:32:27 +0000 (08:32 +0100)]
auth: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM defines
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 21 Mar 2017 07:32:27 +0000 (08:32 +0100)]
auth4: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 21 Mar 2017 07:32:27 +0000 (08:32 +0100)]
auth3: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 21 Mar 2017 07:31:29 +0000 (08:31 +0100)]
winbindd: no longer use USER_INFO_LOCAL_SAM_ONLY
make_auth3_context_for_winbind() restricts the used auth backends now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 15:46:38 +0000 (16:46 +0100)]
auth3: only use "[samba4:]sam" in make_auth3_context_for_winbind()
This makes the USER_INFO_LOCAL_SAM_ONLY and AUTH_METHOD_LOCAL_SAM
interaction obsolete.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 16 Mar 2017 15:47:15 +0000 (16:47 +0100)]
auth4: debug if method->ops->check_password() gives NOT_IMPLEMENTED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 10:52:51 +0000 (11:52 +0100)]
auth: let auth4_context->check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 10:49:40 +0000 (11:49 +0100)]
ntlm_auth3: let contact_winbind_auth_crap() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 10:16:36 +0000 (11:16 +0100)]
auth4: let auth_check_password* return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:43:59 +0000 (09:43 +0100)]
auth3: let auth_check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:42:38 +0000 (09:42 +0100)]
winbindd: let winbindd_dual_auth_passdb() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 2 Mar 2017 10:28:18 +0000 (11:28 +0100)]
winbindd: NT_STATUS_CANT_ACCESS_DOMAIN_INFO means "Dunno"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 11:15:13 +0000 (12:15 +0100)]
netlogon4: make use of auth_context_create_for_netlogon()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 11:08:59 +0000 (12:08 +0100)]
auth4: add auth_context_create_for_netlogon()
For now it's the same as auth_context_create(), but this will
change the in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 10:41:04 +0000 (11:41 +0100)]
auth4: make auth_check_password_wrapper() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 11:31:01 +0000 (12:31 +0100)]
auth3: make make_auth_context_subsystem() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:18:41 +0000 (09:18 +0100)]
winbindd: make use of make_auth3_context_for_winbind()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:18:25 +0000 (09:18 +0100)]
netlogond3: make use of make_auth3_context_for_netlogon()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 11:29:26 +0000 (12:29 +0100)]
pdbtest: make use of make_auth3_context_for_ntlm()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:17:45 +0000 (09:17 +0100)]
auth3: make use of make_auth3_context_for_ntlm()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:13:02 +0000 (09:13 +0100)]
auth3: add make_auth3_context_for_{ntlm,netlogon,winbind}
For now they'll all do the same, but that will change in the following commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 13 Mar 2017 07:22:27 +0000 (08:22 +0100)]
auth3: Remove unused make_auth_context_fixed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 13 Mar 2017 07:19:41 +0000 (08:19 +0100)]
pdbtest: Call make_auth_context_subsystem directly
Last caller of make_auth_context_fixed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 16 Mar 2017 14:54:18 +0000 (15:54 +0100)]
netlogond3: only call make_auth_context_subsystem() in one place
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 13 Mar 2017 07:14:00 +0000 (08:14 +0100)]
netlogond3: Call make_auth_context_subsystem directly
Soon we'll call specific methods here
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 9 Mar 2017 14:19:06 +0000 (15:19 +0100)]
netlogond3: "authorititative" is a uint8
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 13 Mar 2017 07:14:00 +0000 (08:14 +0100)]
winbindd: Call make_auth_context_subsystem directly
Soon we'll call specific methods here
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 13 Mar 2017 07:08:44 +0000 (08:08 +0100)]
auth3: Introduce auth3_context_set_challenge
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Sat, 11 Feb 2017 14:44:01 +0000 (15:44 +0100)]
auth3: Simplify the logic in auth_check_ntlm_password
Move everything but the strict loop logic outside. This makes the
loop exit condition clearer to me: Anything but NOT_IMPLEMENTED breaks
the loop.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Sat, 11 Feb 2017 14:05:52 +0000 (15:05 +0100)]
auth3: Don't try other auth modules on any error
So far if any kind of error has happened, we just tried further auth
modules. An auth module should have the chance to definitely say "no,
this is a valid error, no further attempts anywhere else". The protocol
so far was for an auth module to return NT_STATUS_NOT_IMPLEMENTED if it
wanted to pass on to other modules, but any error led to the next auth
modules also being given a try.
This patch makes any auth module return code except NOT_IMPLEMENTED to
terminate the loop, such that every module has to explicitly request to
pass on to the next module via NOT_IMPLEMENTED.
All modules we reference in make_auth_context_subsystem() have code to
explicitly say "not for me please" with NOT_IMPLEMENTED.
This *might* break existing setups which fail in for example "guest" or
"winbind" due to other reasons. I prefer it this way though, because
adding another parameter like "This is a real authoritative failure,
don't go looking somewhere else" will only add to the mess.
But it's more a theoretical than a practical change with the
default auth backends.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 13 Mar 2017 07:58:43 +0000 (08:58 +0100)]
auth3: Introduce make_auth_context_specific
Take a string instead of a string list. Simplifies
make_auth_context_subsystem and later similar callers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 13 Mar 2017 07:43:06 +0000 (08:43 +0100)]
auth3: Slightly simplify make_auth_context_subsystem() step2
Use "git show -b" to see the simple diff.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 13 Mar 2017 07:43:06 +0000 (08:43 +0100)]
auth3: Slightly simplify make_auth_context_subsystem() step1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 6 Mar 2017 13:32:18 +0000 (14:32 +0100)]
wbinfo: Add "authoritative" to wbinfo -a output
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 23 Mar 2017 08:37:22 +0000 (09:37 +0100)]
auth4: add TODO comment on the auth_sam_trigger_repl_secret msDS-NeverRevealGroup interaction
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jeremy Allison [Thu, 15 Dec 2016 21:06:31 +0000 (13:06 -0800)]
CVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Mar 23 22:55:04 CET 2017 on sn-devel-144
Jeremy Allison [Thu, 15 Dec 2016 21:04:46 +0000 (13:04 -0800)]
CVE-2017-2619: s3: smbd: Add the core functions to prevent symlink open races.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Thu, 15 Dec 2016 20:56:08 +0000 (12:56 -0800)]
CVE-2017-2619: s3: smbd: Move special handling of symlink errno's into a utility function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Thu, 15 Dec 2016 20:52:13 +0000 (12:52 -0800)]
CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Mon, 19 Dec 2016 20:35:32 +0000 (12:35 -0800)]
CVE-2017-2619: s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Mon, 19 Dec 2016 20:32:07 +0000 (12:32 -0800)]
CVE-2017-2619: s3: smbd: Move the reference counting and destructor setup to just before retuning success.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Mon, 19 Dec 2016 20:15:59 +0000 (12:15 -0800)]
CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory leak on error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Mon, 19 Dec 2016 20:13:20 +0000 (12:13 -0800)]
CVE-2017-2619: s3: smbd: OpenDir_fsp() use early returns.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Tue, 20 Dec 2016 00:35:00 +0000 (16:35 -0800)]
CVE-2017-2619: s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
Hardens OpenDir against TOC/TOU races.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Tue, 20 Dec 2016 00:25:26 +0000 (16:25 -0800)]
CVE-2017-2619: s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Mon, 19 Dec 2016 19:55:56 +0000 (11:55 -0800)]
CVE-2017-2619: s3: smbd: Create wrapper function for OpenDir in preparation for making robust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Ralph Boehme [Sun, 19 Mar 2017 17:52:10 +0000 (18:52 +0100)]
CVE-2017-2619: s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Ralph Boehme [Sun, 19 Mar 2017 14:58:17 +0000 (15:58 +0100)]
CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
have to reopen it.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Stefan Metzmacher [Mon, 20 Mar 2017 12:56:03 +0000 (13:56 +0100)]
libwbclient: add WBC_SID_NAME_LABEL
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 23 12:55:26 CET 2017 on sn-devel-144
Stefan Metzmacher [Mon, 20 Mar 2017 12:50:59 +0000 (13:50 +0100)]
libcli/security: add SID_NAME_LABEL to sid_type_lookup()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Mon, 20 Mar 2017 12:50:36 +0000 (13:50 +0100)]
lsa.idl: add SID_NAME_LABEL
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 18:28:16 +0000 (19:28 +0100)]
netlogon.idl: make netr_LogonInfoClass public
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 22 Mar 2017 14:41:47 +0000 (15:41 +0100)]
net: Don't crash if lsa_LookupPrivDisplayName returns NULL
lsa_LookupPrivDisplayName on Windows 2012R2 can return success and still return
a NULL name:
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 172.18.103.80 returned 12 bytes.
lsa_LookupPrivDisplayName: struct lsa_LookupPrivDisplayName
out: struct lsa_LookupPrivDisplayName
disp_name : *
disp_name : NULL
returned_language_id : *
returned_language_id : 0x0000 (0)
result : NT_STATUS_OK
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 23 07:43:57 CET 2017 on sn-devel-144
Andreas Schneider [Mon, 20 Mar 2017 11:22:44 +0000 (12:22 +0100)]
nsswtich: Add negative tests for authentication with wbinfo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Wed Mar 22 10:58:58 CET 2017 on sn-devel-144
Andreas Schneider [Tue, 21 Mar 2017 08:57:30 +0000 (09:57 +0100)]
s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Volker Lendecke [Tue, 21 Mar 2017 15:00:27 +0000 (16:00 +0100)]
idmap_rfc2307: Clarify the documentation a bit
"bind_path" is a variable name internally used inside Samba. If you
look at "man ldapsearch" from OpenLDAP for example, the more common
term for this parameter is "search base". Adapt the documentation
accordingly.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Volker Lendecke [Tue, 21 Mar 2017 14:52:37 +0000 (15:52 +0100)]
idmap_rfc2307: Slightly simplify idmap_rfc2307_initialize()
Replace an "else" branch with an early "goto err"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 13:00:39 +0000 (13:00 +0000)]
idmap_tdb: Avoid a few casts
The times of attempting to be C++ compatible are gone since C compilers
can do very good warnings too.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Andreas Schneider [Mon, 20 Mar 2017 15:08:20 +0000 (16:08 +0100)]
s3:libsmb: Only print error message if kerberos use is forced
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 21 14:25:54 CET 2017 on sn-devel-144
Martin Schwenke [Mon, 20 Mar 2017 03:49:34 +0000 (14:49 +1100)]
autobuild: Stop waf uninstall from removing test_tmpdir
Most of the autobuild tasks run "make distcheck", which does a
recursive "waf configure make install uninstall". "waf uninstall"
(via BuildContext.install() in Build.py) removes empty directories all
the way up the directory tree. This means that it removes
test_tmpdir, if it is empty, and any empty directories above it.
While this is arguably a waf bug, the simplest solution is to make
test_tmpdir non-empty so it don't get removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12703
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 21 10:37:08 CET 2017 on sn-devel-144
Volker Lendecke [Sat, 18 Mar 2017 18:06:49 +0000 (19:06 +0100)]
idmap_autorid: Use idmap_config_int
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Mar 20 23:28:38 CET 2017 on sn-devel-144
Volker Lendecke [Sat, 18 Mar 2017 18:05:10 +0000 (19:05 +0100)]
idmap_rid: Use idmap_config_int
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 11:52:56 +0000 (11:52 +0000)]
winbind: Add idmap_config_int
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Sat, 18 Mar 2017 18:01:01 +0000 (19:01 +0100)]
idmap_autorid: Use idmap_config_bool
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Sat, 18 Mar 2017 17:59:06 +0000 (18:59 +0100)]
idmap_ad: Use idmap_config_bool
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Sat, 18 Mar 2017 17:57:03 +0000 (18:57 +0100)]
idmap_rfc2307: Use idmap_config_bool
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Sat, 18 Mar 2017 17:53:58 +0000 (18:53 +0100)]
idmap: Use idmap_config_bool in idmap_init_domain
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Sat, 7 Jan 2017 15:10:05 +0000 (15:10 +0000)]
winbind: Add idmap_config_bool()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Sat, 18 Mar 2017 17:50:38 +0000 (18:50 +0100)]
idmap_ad: Use idmap_config_const_string
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Sat, 18 Mar 2017 17:48:46 +0000 (18:48 +0100)]
idmap_rfc2307: Use idmap_config_const_string
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Sat, 18 Mar 2017 17:40:28 +0000 (18:40 +0100)]
idmap_ldap: Use idmap_config_const_string
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Sat, 18 Mar 2017 17:38:10 +0000 (18:38 +0100)]
idmap_ldap: Use idmap_config_const_string
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>