Björn Baumbach [Tue, 20 Mar 2018 11:15:22 +0000 (12:15 +0100)]
samba-tool visualize: fix python2.6 incompatibility
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13337
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Mar 21 09:25:51 CET 2018 on sn-devel-144
(cherry picked from commit
9312a1cdafbd5a0140d72502487c4e478dc578d2)
Jeremy Allison [Wed, 28 Mar 2018 20:19:12 +0000 (13:19 -0700)]
s4: torture: Test all combinations of directory open with existing directory to ensure behavior is the same.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 29 23:13:42 CEST 2018 on sn-devel-144
(cherry picked from commit
c98cd0f25edaae7558f18fd331e2fef3aabb61f2)
Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Fri Apr 6 13:50:18 CEST 2018 on sn-devel-144
Jeremy Allison [Wed, 28 Mar 2018 20:17:14 +0000 (13:17 -0700)]
s4: torture: Test all combinations of directory create to ensure behavior is the same.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
(cherry picked from commit
fd9084336e7e86ccec83141d880fd7c336c23b6c)
Jeremy Allison [Wed, 28 Mar 2018 18:44:40 +0000 (11:44 -0700)]
s4: torture: Test all combinations of file open with existing file to ensure behavior is the same.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
(cherry picked from commit
820b35bb1ceb445eb3659b67eedfb0a2f5b2f976)
Jeremy Allison [Wed, 28 Mar 2018 18:00:59 +0000 (11:00 -0700)]
s4: torture: Test all combinations of file create to ensure behavior is the same.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
(cherry picked from commit
22fe8dcb77565495886244e88bb0433363d1f80a)
Jeremy Allison [Wed, 28 Mar 2018 17:54:30 +0000 (10:54 -0700)]
s4: torture: Ensure a failed file create doesn't create the file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
(cherry picked from commit
53cdf7a9a18ed547eade4c3cdd80d286058e440d)
Jeremy Allison [Wed, 28 Mar 2018 19:42:20 +0000 (12:42 -0700)]
s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
(cherry picked from commit
2514bee0a3b0a12430e2679ee590075c54d4803a)
Amitay Isaacs [Thu, 8 Mar 2018 00:35:55 +0000 (11:35 +1100)]
ctdb-client: Client code should never free the client context
This should never have been done.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit
376e9794e2d19e8d17b0bdde36ce8a1a205986c6)
Amitay Isaacs [Mon, 19 Mar 2018 02:58:43 +0000 (13:58 +1100)]
ctdb-client: Add missing initialization of tevent_context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13356
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit
4e37be92bfb790150b3791bef552aa4acf8f78b7)
Amitay Isaacs [Mon, 19 Mar 2018 02:38:28 +0000 (13:38 +1100)]
ctdb-client: Do not try to allocate 0 sized record
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13356
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit
92a68af1a8473dc2a5d9d6036830f944e968606d)
Timur I. Bakeyev [Thu, 22 Mar 2018 04:47:58 +0000 (05:47 +0100)]
Fix invocation of gnutls_aead_cipher_encrypt()
Which was failing with GNUTLS_E_SHORT_MEMORY_BUFFER - The given memory
buffer is too short to hold parameters.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13352
Signed-off-by: Timur I. Bakeyev <timur@iXsystems.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Fri Mar 23 07:25:30 CET 2018 on sn-devel-144
(cherry picked from commit
b9f0c7f93c058685e24d104432978bd40b94b49f)
Eric Vannier [Fri, 23 Mar 2018 04:32:56 +0000 (21:32 -0700)]
Allow AESNI to be used on all processor supporting AESNI, not just Intel's This improves performance/reduced CPU usage. Tests performed: - Ran on Ivy Bridge and Ryzen and verified that AESNI is detected (crypto tests) - Ran on Ryzen, and observed 50% increased speed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13302
Signed-off-by: Eric Vannier <evannier@google.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 27 13:50:09 CEST 2018 on sn-devel-144
(cherry picked from commit
77d88d75f6262a855e818a9b2b4018f8b6ced7b0)
Jeremy Allison [Wed, 21 Mar 2018 19:56:12 +0000 (12:56 -0700)]
s3: docs: Add documentation for "smb2" and "smb2_credits" debug classes.
https://bugzilla.samba.org/show_bug.cgi?id=13347
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit
fc922bd29b40a20450f16728fa7347f8f83d3bcd)
Jeremy Allison [Wed, 21 Mar 2018 19:52:49 +0000 (12:52 -0700)]
s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues.
https://bugzilla.samba.org/show_bug.cgi?id=13347
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit
ad973fddef00d6d92443be89e7f5404006a94d99)
Jeremy Allison [Wed, 21 Mar 2018 19:40:50 +0000 (12:40 -0700)]
lib: debug: Add DBGC_XXX versions of the macros to allow class-specific messages.
https://bugzilla.samba.org/show_bug.cgi?id=13347
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit
cdde6d93605d15a59e816a35e8e02ca193bf1403)
Jeremy Allison [Wed, 21 Mar 2018 19:01:05 +0000 (12:01 -0700)]
s3: debug: smb2: Create a new DBGC_SMB2 debug class and mark all smbd/smb2_*.c files with it.
Will allow easier smb2-specific debugging.
https://bugzilla.samba.org/show_bug.cgi?id=13347
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit
8dabcf8948c2e514b489169c34673e093519b583)
Noel Power [Thu, 15 Mar 2018 16:46:39 +0000 (16:46 +0000)]
lib:replace: Fix linking when libtirpc-devel overwrites system headers
Some systems (like SUSE currently) install the new tirpc headers by
overwritting the existing system location used by gcc. This patch will
detect if the headers in the system location belong to tirpc or not.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13341
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
618c714b6b6c0b63993299b40b9a466adb753cc2)
Anton Nefedov via samba-technical [Thu, 15 Mar 2018 11:38:41 +0000 (14:38 +0300)]
s3:smbd: map nterror on smb2_flush errorpath
smbd_smb2_flush_recv() expects nterror in tevent_req, and otherwise
aborts in tevent_req_is_nterror()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13338
Signed-off-by: Anton Nefedov <anton.nefedov@virtuozzo.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
98623129446672521b7fa41d3457b8ce95db828c)
Martin Schwenke [Thu, 8 Mar 2018 00:49:56 +0000 (11:49 +1100)]
ctdb-tests: Don't use nc -d or -w options
nmap-ncat is used in some distributions to replace netcat. It has a
different meaning for these options.
We can get the same effect as the current combination of -d and -w by
piping a sleep process to nc. Subsequent use of $! works because it
gets the last process in pipeline.
Note that redirecting from /dev/null doesn't work with some versions
of nc. They just exit when they get EOF.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13327
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit
9e954bcbf43d67a18ee55f84cda0b09028f96b92)
Jeremy Allison [Mon, 19 Mar 2018 22:46:41 +0000 (15:46 -0700)]
s3: smbd: Fruit. Make the use of dom_sid_compare_domain() much clearer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
5c909ea4530d4e7e4aa27046c45e3e48b094a411)
Jeremy Allison [Thu, 15 Mar 2018 21:45:06 +0000 (14:45 -0700)]
s4: vfs: fruit tests: Add regression test for dealing with NFS ACE entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 17 04:04:32 CET 2018 on sn-devel-144
(cherry picked from commit
a6054c01c29c2507e0d5a6aa110fee4fd5c5eeb9)
Ralph Boehme [Fri, 16 Mar 2018 20:57:31 +0000 (21:57 +0100)]
selftest: vfs.fruit: add xattr_tdb where possible
This makes the tests indepent from fs xattr support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
49996ca9324596b6cd72eb8051ca3676dab17191)
Ralph Boehme [Fri, 16 Mar 2018 20:55:26 +0000 (21:55 +0100)]
selftest: run vfs.fruit_netatalk test against seperate share
These tests require a fs with xattr support. This allows adding
xattr_tdb to all other shares in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
013aaffe7ff0ed4c30495761bb3208c29b3b5de2)
Jeremy Allison [Thu, 15 Mar 2018 16:57:09 +0000 (09:57 -0700)]
s3: smbd: vfs_fruit: Replace code in fruit_fget_nt_acl() with remove_virtual_nfs_aces().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
875ff2575feb96d06cf2290e5b6a226b32ef9758)
Jeremy Allison [Thu, 15 Mar 2018 16:54:41 +0000 (09:54 -0700)]
s3: smbd: vfs_fruit: Replace code in check_ms_nfs() with remove_virtual_nfs_aces().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
a3c925d80433e3d4fe1b1b315edf6520cacf0a9e)
Jeremy Allison [Thu, 15 Mar 2018 16:52:30 +0000 (09:52 -0700)]
s3: smbd: vfs_fruit: Add remove_virtual_nfs_aces() a generic NFS ACE remover.
Not yet used, will be used to tidyup existing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
ef091e2cf836793e2aa533990913609ccab5119a)
Jeremy Allison [Fri, 2 Mar 2018 21:53:55 +0000 (13:53 -0800)]
s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_fget_nt_acl().
Ensures they don't get stored in the underlying ACL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar 8 04:09:38 CET 2018 on sn-devel-144
(cherry picked from commit
e0b147f650fe59f606d1faffe57059e6e9d7837b)
Jeremy Allison [Fri, 2 Mar 2018 21:51:54 +0000 (13:51 -0800)]
s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags correctly to reflect the ACE's left.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
8edad37e476295e25932778721d8ef33713f6853)
Jeremy Allison [Fri, 2 Mar 2018 21:21:37 +0000 (13:21 -0800)]
s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor.
This will allow us to modify it in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
019a1bc4caf3439adcaac48b384e86d84a1ad383)
Jeremy Allison [Fri, 2 Mar 2018 21:07:48 +0000 (13:07 -0800)]
s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
e9059c7b40069cfb036bfb95958b78c6a2c800e4)
Jeremy Allison [Wed, 14 Feb 2018 21:23:12 +0000 (13:23 -0800)]
s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir()
HPUX has this problem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13270
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Feb 23 22:56:35 CET 2018 on sn-devel-144
(cherry picked from commit
5ad5e7966f555b1d2b39d276646934a2cd2535e6)
Jeremy Allison [Wed, 24 Jan 2018 22:09:43 +0000 (14:09 -0800)]
s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here.
Thanks to Isaac Boukris <iboukris@gmail.com> for finding the
issue and testing this fix.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13244
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 26 02:25:20 CET 2018 on sn-devel-144
(cherry picked from commit
e7425bd5245ffea68b7e8f794c9b5f864d103769)
Stefan Metzmacher [Fri, 2 Mar 2018 13:40:19 +0000 (14:40 +0100)]
s3:auth: make use of make_{server,session}_info_anonymous()
It's important to have them separated from make_{server,session}_info_guest(),
because there's a fundamental difference between anonymous (the client requested
no authentication) and guest (the server lies about the authentication failure).
When it's really an anonymous connection, we should reflect that in the
resulting session info.
This should fix a problem where Windows 10 tries to join
a Samba hosted NT4 domain and has SMB2/3 enabled.
We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST
for true anonymous connections.
The commit message from a few commit before shows the resulting
auth_session_info change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144
(cherry picked from commit
1957bf11f127fc08c6622999cadc7dd580ac7d3b)
Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-8-test): Wed Mar 21 02:29:57 CET 2018 on sn-devel-144
Stefan Metzmacher [Fri, 2 Mar 2018 13:40:19 +0000 (14:40 +0100)]
s3:rpc_server: make use of make_session_info_anonymous()
For unauthenticated connections we should default to a
session info with an anonymous nt token.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0ee9a550944034718ea188b277cca4b6fc5fbc5c)
Stefan Metzmacher [Fri, 2 Mar 2018 13:39:44 +0000 (14:39 +0100)]
s3:auth: add make_{server,session}_info_anonymous()
It's important to have them separated from make_{server,session}_info_guest(),
because there's a fundamental difference between anonymous (the client requested
no authentication) and guest (the server lies about the authentication failure).
The following is the difference between guest and anonymous token:
security_token: struct security_token
- num_sids : 0x0000000a (10)
- sids: ARRAY(10)
- sids : S-1-5-21-
3793881525-
3372187982-
3724979742-501
- sids : S-1-5-21-
3793881525-
3372187982-
3724979742-514
- sids : S-1-22-2-65534
- sids : S-1-22-2-65533
+ num_sids : 0x00000009 (9)
+ sids: ARRAY(9)
+ sids : S-1-5-7
sids : S-1-1-0
sids : S-1-5-2
- sids : S-1-5-32-546
sids : S-1-22-1-65533
+ sids : S-1-22-2-65534
+ sids : S-1-22-2-100004
sids : S-1-22-2-100002
sids : S-1-22-2-100003
+ sids : S-1-22-2-65533
privilege_mask : 0x0000000000000000 (0)
...
unix_token : *
unix_token: struct security_unix_token
uid : 0x000000000000fffd (65533)
gid : 0x000000000000fffe (65534)
- ngroups : 0x00000004 (4)
- groups: ARRAY(4)
+ ngroups : 0x00000005 (5)
+ groups: ARRAY(5)
groups : 0x000000000000fffe (65534)
- groups : 0x000000000000fffd (65533)
+ groups : 0x00000000000186a4 (100004)
groups : 0x00000000000186a2 (100002)
groups : 0x00000000000186a3 (100003)
+ groups : 0x000000000000fffd (65533)
info: struct auth_user_info
account_name : *
- account_name : 'nobody'
+ account_name : 'ANONYMOUS LOGON'
user_principal_name : NULL
user_principal_constructed: 0x00 (0)
domain_name : *
- domain_name : 'SAMBA-TEST'
+ domain_name : 'NT AUTHORITY'
dns_domain_name : NULL
- full_name : NULL
- logon_script : NULL
- profile_path : NULL
- home_directory : NULL
- home_drive : NULL
- logon_server : NULL
+ full_name : *
+ full_name : 'Anonymous Logon'
+ logon_script : *
+ logon_script : ''
+ profile_path : *
+ profile_path : ''
+ home_directory : *
+ home_directory : ''
+ home_drive : *
+ home_drive : ''
+ logon_server : *
+ logon_server : 'LOCALNT4DC2'
last_logon : NTTIME(0)
last_logoff : NTTIME(0)
acct_expiry : NTTIME(0)
last_password_change : NTTIME(0)
allow_password_change : NTTIME(0)
force_password_change : NTTIME(0)
logon_count : 0x0000 (0)
bad_password_count : 0x0000 (0)
- acct_flags : 0x00000000 (0)
+ acct_flags : 0x00000010 (16)
authenticated : 0x00 (0)
security_token: struct security_token
num_sids : 0x00000006 (6)
sids: ARRAY(6)
+ sids : S-1-5-7
+ sids : S-1-1-0
+ sids : S-1-5-2
sids : S-1-22-1-65533
sids : S-1-22-2-65534
sids : S-1-22-2-65533
- sids : S-1-1-0
- sids : S-1-5-2
- sids : S-1-5-32-546
privilege_mask : 0x0000000000000000 (0)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(similar to commit
6afb6b67a198c88ab8fa3fee931729c43605716d)
Stefan Metzmacher [Fri, 2 Mar 2018 16:07:11 +0000 (17:07 +0100)]
s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token()
We only need to adjust sanitized_username in order to keep the same behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
a2a289d0446fedb4ea40834b5b5b190fdca30906)
Stefan Metzmacher [Tue, 6 Mar 2018 23:51:51 +0000 (00:51 +0100)]
s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info()
The changes in the resulting token look like this:
unix_token : *
unix_token: struct security_unix_token
uid : 0x0000000000000000 (0)
gid : 0x0000000000000000 (0)
- ngroups : 0x00000000 (0)
- groups: ARRAY(0)
+ ngroups : 0x00000001 (1)
+ groups: ARRAY(1)
+ groups : 0x0000000000000000 (0)
...
domain_name : *
domain_name : 'NT AUTHORITY'
dns_domain_name : NULL
- full_name : NULL
- logon_script : NULL
- profile_path : NULL
- home_directory : NULL
- home_drive : NULL
- logon_server : NULL
+ full_name : *
+ full_name : 'System'
+ logon_script : *
+ logon_script : ''
+ profile_path : *
+ profile_path : ''
+ home_directory : *
+ home_directory : ''
+ home_drive : *
+ home_drive : ''
+ logon_server : *
+ logon_server : 'SLOWSERVER'
last_logon : NTTIME(0)
last_logoff : NTTIME(0)
acct_expiry : NTTIME(0)
last_password_change : NTTIME(0)
allow_password_change : NTTIME(0)
force_password_change : NTTIME(0)
logon_count : 0x0000 (0)
bad_password_count : 0x0000 (0)
- acct_flags : 0x00000000 (0)
+ acct_flags : 0x00000010 (16)
authenticated : 0x01 (1)
unix_info : *
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
e8402ec0486ced6ac2adb640c61a9e5abc77d4e4)
Stefan Metzmacher [Tue, 6 Mar 2018 23:21:13 +0000 (00:21 +0100)]
s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create()
These functions make it possible to construct a full auth_session_info
from the information available from an auth_user_info_dc structure.
This has all the logic from create_local_token() that is used
to transform a auth_serversupplied_info to a full auth_session_info.
In order to workarround the restriction that auth_user_info_dc
doesn't contain hints for the unix token/name, we use
the special S-1-5-88 (Unix_NFS) sids:
- S-1-5-88-1-Y gives the uid=Y
- S-1-5-88-2-Y gives the gid=Y
- S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_*
The currently implemented flags are:
- AUTH3_UNIX_HINT_QUALIFIED_NAME
unix_name = DOMAIN+ACCOUNT
- AUTH3_UNIX_HINT_ISLOLATED_NAME
unix_name = ACCOUNT
- AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS
Don't translate the nt token SIDS into uid/gids
using sid mapping.
- AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS
Don't translate the unix token uid/gids to S-1-22-X-Y SIDS
- AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS
The unix token won't get expanded gid values
from getgroups_unix_user()
By using the hints it is possible to keep the current logic
where an authentication backend provides uid/gid values and
the unix name.
Note the S-1-5-88-* SIDS never appear in the final security_token.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
af4bc135e486e17164da0ea918281fbf689892c3)
Stefan Metzmacher [Tue, 6 Mar 2018 15:38:10 +0000 (16:38 +0100)]
auth: add auth_user_info_copy() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
6ff891195855403bc485725aef8d43d4e3cabacb)
Stefan Metzmacher [Tue, 6 Mar 2018 22:45:30 +0000 (23:45 +0100)]
s3:auth: remove static from finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
7f47f9e1f220d2dd547cf77bbc292357a2173870)
Stefan Metzmacher [Tue, 6 Mar 2018 22:40:10 +0000 (23:40 +0100)]
s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
d3aae5ba65c7ed0d5e9f8389101cf1c8c1f0a25b)
Stefan Metzmacher [Tue, 6 Mar 2018 22:36:03 +0000 (23:36 +0100)]
s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
4f81ef9353ad76390aa910c8c17456fec21916c6)
Stefan Metzmacher [Tue, 6 Mar 2018 22:26:28 +0000 (23:26 +0100)]
s3:auth: add add_builtin_guests() handling to finalize_local_nt_token()
We should add Builtin_Guests depending on the current token
not based on 'is_guest'. Even authenticated users can be member
a guest related group and therefore get Builtin_Guests.
Sadly we still need to use 'is_guest' within create_local_nt_token()
as we only have S-1-22-* SIDs there and still need to
add Builtin_Guests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
e8dc55d2b969b670322a913799d1af459a1000e7)
Stefan Metzmacher [Tue, 13 Mar 2018 20:38:27 +0000 (21:38 +0100)]
s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
c2ffbf9f764a94ef1dc1280741884cf63a017308)
Stefan Metzmacher [Tue, 13 Mar 2018 20:35:48 +0000 (21:35 +0100)]
s3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}()
We should not crash if we're called with NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
efdc617c76d9043286e33b961f45ad4564232102)
Stefan Metzmacher [Tue, 6 Mar 2018 16:14:34 +0000 (17:14 +0100)]
s3:auth: move add_local_groups() out of finalize_local_nt_token()
finalize_local_nt_token() will be used in another place,
were we don't want to add local groups in a following commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
df3d278853ec097df27c221369dfb3ed0297d6c8)
Stefan Metzmacher [Fri, 2 Mar 2018 15:37:58 +0000 (16:37 +0100)]
s3:auth: add the "Unix Groups" sid for the primary gid
The primary gid might not be in the gid array.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
f3ca3e71cc35876df47e31ec9c3643308add2405)
Stefan Metzmacher [Thu, 1 Mar 2018 17:05:28 +0000 (18:05 +0100)]
s3:auth: remove unused auth_serversupplied_info->system
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
28ad1306b880a44824ee956a19656ac29581a1b9)
Ralph Boehme [Wed, 14 Mar 2018 10:44:49 +0000 (11:44 +0100)]
libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
f564847c8e9d31fe07dd3cbf435986b36f097fa3)
Stefan Metzmacher [Thu, 15 Mar 2018 17:04:21 +0000 (18:04 +0100)]
s3:selftest: run SMB2-ANONYMOUS
This fails against a non AD DC smbd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
bf707a1eba39e996bb19457b63ddb658cc4183c2)
Stefan Metzmacher [Thu, 15 Mar 2018 16:40:07 +0000 (17:40 +0100)]
s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
82d8aa3b9cb15512d29a97b5a7e55ea1a052734f)
Karolin Seeger [Tue, 13 Mar 2018 12:35:01 +0000 (13:35 +0100)]
VERSION: Bump version up to 4.8.1...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 13 Mar 2018 12:33:43 +0000 (13:33 +0100)]
VERSION: Bump version up to 4.8.0...
and disable GIT_SNAPSHOT for the 4.8.0 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 13 Mar 2018 12:33:05 +0000 (13:33 +0100)]
WHATSNEW: Add release notes for Samba 4.8.0.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Jeremy Allison [Tue, 2 Jan 2018 23:56:03 +0000 (15:56 -0800)]
CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-8-test): Tue Mar 13 15:58:25 CET 2018 on sn-devel-144
Ralph Boehme [Thu, 15 Feb 2018 22:11:38 +0000 (23:11 +0100)]
CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control
This is not strictly needed to fig bug 13272, but it makes sense to also
fix this while fixing the overall ACL checking logic.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2018 14:38:19 +0000 (15:38 +0100)]
CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
This is used to pass information about which password change operation (change
or reset) the acl module validated, down to the password_hash module.
It's very important that both modules treat the request identical.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2018 14:30:13 +0000 (15:30 +0100)]
CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control
Will be used to pass "user password change" vs "password reset" from the
ACL to the password_hash module, ensuring both modules treat the request
identical.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 14 Feb 2018 18:15:49 +0000 (19:15 +0100)]
CVE-2018-1057: s4:dsdb/acl: run password checking only once
This is needed, because a later commit will let the acl module add a
control to the change request msg and we must ensure that this is only
done once.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 22 Feb 2018 09:54:37 +0000 (10:54 +0100)]
CVE-2018-1057: s4/dsdb: correctly detect password resets
This change ensures we correctly treat the following LDIF
dn: cn=testuser,cn=users,...
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.
For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2018 14:17:26 +0000 (15:17 +0100)]
CVE-2018-1057: s4:dsdb/acl: add a NULL check for talloc_new() in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 16:43:43 +0000 (17:43 +0100)]
CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 21:59:24 +0000 (22:59 +0100)]
CVE-2018-1057: s4:dsdb/acl: check for internal controls before other checks
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 16:38:31 +0000 (17:38 +0100)]
CVE-2018-1057: s4:dsdb/acl: remove unused else branches in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 16:38:31 +0000 (17:38 +0100)]
CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 13:40:59 +0000 (14:40 +0100)]
CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 09:56:06 +0000 (10:56 +0100)]
CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 15 Feb 2018 11:43:09 +0000 (12:43 +0100)]
CVE-2018-1057: s4:dsdb/tests: add a test for password change with empty delete
Note that the request using the clearTextPassword attribute for the
password change is already correctly rejected by the server.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 2 Mar 2018 15:16:41 +0000 (16:16 +0100)]
WHATSNEW: Domain member setups require winbindd
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-8-test): Wed Mar 7 20:18:51 CET 2018 on sn-devel-144
Ralph Boehme [Thu, 1 Mar 2018 10:43:39 +0000 (11:43 +0100)]
nsswitch: fix wbinfo -m --verbose trust type "Local"
Remove wrong "Local" strcmp(), there's another one, the correct one, a few lines
below. Since commit
95e3307917b5731ab883ee5fce530c5b559b4934
WBC_DOMINFO_TRUSTTYPE_NONE, which corresponded to the string "None" in the
winbindd response, is not used anymore.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13313
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 2 05:49:18 CET 2018 on sn-devel-144
(cherry picked from commit
f59f6cefa11c4866d2ede47d9c9b415e3d5e233d)
Dan Robertson [Thu, 22 Feb 2018 20:47:11 +0000 (20:47 +0000)]
libsmb: Use smb2 tcon if conn_protocol >= SMB2_02
When the connection protocol is SMB2 the tid from the smb1 member is
used instead of smb2 in cli_state_set_tid which often results in a null
deref.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13310
Signed-off-by: Dan Robertson <drobertson@tripwire.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
b67ffaf518c971817b167b41bf6226cddfdcfd2f)
Andreas Schneider [Mon, 19 Feb 2018 17:07:50 +0000 (18:07 +0100)]
s3:smbd: Do not crash if we fail to init the session table
This should the following segfault with SMB1:
#6 sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
#7 <signal handler called>
#8 smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=
131594481900356690, _session=_session@entry=0x7ffc93a778e8)
at ../source3/smbd/smbXsrv_session.c:1212
#9 0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961
#10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726
#11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0)
at ../source3/smbd/process.c:1762
#12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>,
deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008
#13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608
#14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0
Inspection the core shows that:
conn->client-session_table is NULL
conn->protocol is PROTOCOL_NONE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
a89a7146563f2d9eb8bc02f1c090158ee499c878)
Karolin Seeger [Thu, 1 Mar 2018 20:03:53 +0000 (21:03 +0100)]
VERSION: Bump version up to 4.8.0rc5...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Thu, 1 Mar 2018 20:02:59 +0000 (21:02 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.8.0rc4 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Thu, 1 Mar 2018 20:02:15 +0000 (21:02 +0100)]
WHATSNEW: Add changes since rc4.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Ralph Boehme [Thu, 1 Mar 2018 11:10:56 +0000 (12:10 +0100)]
WHATSNEW: document changed wbinfo -m --verbose output
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 1 Mar 2018 08:52:51 +0000 (09:52 +0100)]
WHATSNEW: add 'Improved support for trusted domains (as AD DC)' section
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 1 Mar 2018 08:32:23 +0000 (09:32 +0100)]
WHATSNEW: reference 'smbclient reparse point symlink parameters reversed' to 'UPGRADING'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 1 Mar 2018 08:31:17 +0000 (09:31 +0100)]
WHATSNEW: move descriptions of removed features to "REMOVED FEATURES"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 1 Feb 2018 10:06:10 +0000 (11:06 +0100)]
s4:kdc: disable support for CROSS_ORGANIZATION domains
We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144
(cherry picked from commit
31b5328c46c5f510ba234f75688886987276ee9e)
Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-8-test): Thu Mar 1 06:08:56 CET 2018 on sn-devel-144
Stefan Metzmacher [Thu, 1 Feb 2018 10:10:14 +0000 (11:10 +0100)]
s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in samba_kdc_trust_message2entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
d0a813a173be630c2def93cc55e4514204d265a2)
Stefan Metzmacher [Thu, 1 Feb 2018 10:10:14 +0000 (11:10 +0100)]
s4:kdc: make use of dsdb_trust_parse_tdo_info() in samba_kdc_trust_message2entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
274209f5cd4eec2ffe4ffe12bfbb41eb8ed0c9df)
Stefan Metzmacher [Thu, 1 Feb 2018 10:06:10 +0000 (11:06 +0100)]
winbindd: disable support for CROSS_ORGANIZATION domains
We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
afd97e72090aaf31b084646b5fcecaeb8cde653d)
Ralph Boehme [Thu, 22 Feb 2018 14:52:46 +0000 (15:52 +0100)]
vfs_fruit: use off_t, not size_t for TM size calculations
size_t is only a 32-bit integer on 32-bit platforms. We must use off_t
for file sizes.
https://bugzilla.samba.org/show_bug.cgi?id=13296
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
f9e2cb1369fa9636ff613a4e9c7387151409eafc)
Günther Deschner [Mon, 15 Jan 2018 22:20:39 +0000 (23:20 +0100)]
build: fix libceph-common detection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13277
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Feb 22 19:30:12 CET 2018 on sn-devel-144
(cherry picked from commit
6a59619844e0def505a6bfa778c17721c062e0ee)
Andrew Bartlett [Thu, 22 Feb 2018 01:01:07 +0000 (14:01 +1300)]
WHATSNEW: Explain implications of GUID index change
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2018 09:44:44 +0000 (10:44 +0100)]
ldb: version 1.3.2
* Expose the SHOW_BINARY, ENABLE_TRACING and DONT_CREATE_DB flag constants
in the python api.
* Extend dn.is_child_of() test.
* Don't load LDB_MODULESDIR as a module file.
* Fix binary data in debug log (bug #13185).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 28 04:54:21 CET 2018 on sn-devel-144
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13306
(cherry picked from commit
cb58e188008bf920df88dc0212b9f9bb23263179)
Gary Lockyer [Fri, 23 Feb 2018 02:04:36 +0000 (15:04 +1300)]
ldb_debug tests: Fix binary data in debug log
Tests to ensure:
When duplicate objects are added, the GUID was printed in the debug log
are passed through the escape function.
And that duplicate DN's do not generate debug log entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13185
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 26 07:29:49 CET 2018 on sn-devel-144
(cherry picked from commit
2a85bcb3f486ae6f473b934bbe920d1733b7f7a4)
Andrew Bartlett [Mon, 26 Feb 2018 01:31:24 +0000 (14:31 +1300)]
ldb_debug: Fix binary data in debug log
When duplicate objects were added, the GUID was printed in the debug log
The GUID was not escaped and therefore displayed as binary content.
This patch splits out the duplicate DN creation error and the duplicate
GIUD error. Duplicate DN's are a normal event and don't require debug
logging.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13185
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(cherry picked from commit
c5a14306c82f702f4788faea262c9ec6ade584cb)
Gary Lockyer [Fri, 23 Feb 2018 02:03:20 +0000 (15:03 +1300)]
ldb tests: fix null test on incorrect variable
Fix up tests that were performing a null check on the wrong variable
after a call to ldb_msg_new
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Feb 24 15:50:35 CET 2018 on sn-devel-144
(cherry picked from commit
1ed693423d7a30c3810ddc1b6f052d376c8cd4e7)
Douglas Bagnall [Wed, 14 Feb 2018 04:15:07 +0000 (17:15 +1300)]
repl_md: avoid returning LDB_SUCCESS on failure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
bc56913271e9d3a30143ef5a45d32430766d9dc3)
Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-8-test): Tue Feb 27 20:59:28 CET 2018 on sn-devel-144
Garming Sam [Wed, 14 Feb 2018 00:32:33 +0000 (13:32 +1300)]
repl_metadata: Avoid silent skipping an object during DRS (due to RODC rename collisions)
No error code was being set in this case, and so, we would commit the
HWM and UDV without actually having all the updates.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Feb 15 10:18:42 CET 2018 on sn-devel-144
(cherry picked from commit
9952eda7a1923971f77f3183cfa4c505386b30ee)
Garming Sam [Wed, 14 Feb 2018 00:32:24 +0000 (13:32 +1300)]
repl_metadata: Avoid silent skipping an object during DRS (due to RODC name collisions)
No error code was being set in this case, and so, we would commit the
HWM and UDV without actually having all the updates.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
59fa9e7ecf84bd4c2469e9a6835855769c4f6287)
Garming Sam [Wed, 14 Feb 2018 00:30:26 +0000 (13:30 +1300)]
tests/replica_sync_rodc: Test conflict handling on an RODC
There are two cases we are interested in:
1) RODC receives two identical DNs which conflict
2) RODC receives a rename to a DN which already exists
Currently these issues are ignored, but the UDV and HWM are being
updated, leading to objects/updates being skipped.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
45d19167d52e42bd2f9369dbe37a233902cc81b0)
Garming Sam [Wed, 14 Feb 2018 00:27:27 +0000 (13:27 +1300)]
selftest: Add RODC variables to list of those exported
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e694b8a1b993bf7213b191e1132c5d02e16ab85d)
Garming Sam [Wed, 14 Feb 2018 00:27:59 +0000 (13:27 +1300)]
tests/drs_base: Allow the net drs replicate to try with a single object
This eventually passes down the replicate single object exop.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ff9e63f976ef76f7f70221d4f6276e221ecd167f)
Garming Sam [Wed, 14 Feb 2018 00:26:35 +0000 (13:26 +1300)]
tests/replica_sync: Add some additional replication in setUp
This should avoid some failures due to stale objects.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13269
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
19fcd872ec76afffbc4952266fdfad9a352c4871)
Stefan Metzmacher [Thu, 22 Feb 2018 09:19:58 +0000 (10:19 +0100)]
winbind: don't try to do an authenticated SMB connection as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 23 17:58:23 CET 2018 on sn-devel-144
(cherry picked from commit
06601b3a9293db35feda1b033fa864dc1a764164)
Stefan Metzmacher [Thu, 22 Feb 2018 10:24:38 +0000 (11:24 +0100)]
winbind: set_dc_type_and_flags() is not needed on a DC
On a DC we load the trusts in the parent in add_trusted_domains_dc()
from our local configuration. There's no need to find out the trust details
via network calls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
55c3af89f1b0baecf5e2d6c2646902edd0684aa8)
Stefan Metzmacher [Fri, 2 Feb 2018 15:55:01 +0000 (16:55 +0100)]
winbind: make sure we don't contact trusted domains via LDAP as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
18f27b5385240852e537cd5010cedb09f0bf233d)