amitay/samba.git
18 months agoAdded redirect from GitHub to GitLab
Daniel Southward-Ellis [Tue, 4 Dec 2018 01:35:47 +0000 (14:35 +1300)]
Added redirect from GitHub to GitLab

Signed-off-by: Daniel Southward-Ellis <danielsouthwardellis@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Dec  5 16:35:33 CET 2018 on sn-devel-144

18 months agoctdb/wscript: make use of MODE_{644,744,755,777}
Stefan Metzmacher [Tue, 4 Dec 2018 23:05:36 +0000 (00:05 +0100)]
ctdb/wscript: make use of MODE_{644,744,755,777}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agowafsamba: add MODE_{744,_777}
Stefan Metzmacher [Sat, 17 Nov 2018 12:11:52 +0000 (13:11 +0100)]
wafsamba: add MODE_{744,_777}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoctdb/wscript: use python 3.6 compatible functions
Stefan Metzmacher [Mon, 19 Nov 2018 11:05:29 +0000 (12:05 +0100)]
ctdb/wscript: use python 3.6 compatible functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agobuildtools: remove unused buildtools/bin/waf-1.9
Stefan Metzmacher [Mon, 19 Nov 2018 11:04:56 +0000 (12:04 +0100)]
buildtools: remove unused buildtools/bin/waf-1.9

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agowinbindd: Route predefined domains through the BUILTIN domain child
Ralph Boehme [Wed, 28 Nov 2018 14:39:21 +0000 (15:39 +0100)]
winbindd: Route predefined domains through the BUILTIN domain child

Without this eg "NT Authority" didn't work:

  $ bin/wbinfo -n "NT Authority/Authenticated Users"
  failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
  Could not lookup name NT Authority/Authenticated Users

  $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
  failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
  Could not get info for group NT Authority/Authenticated Users

With the patch:

  $ bin/wbinfo -n "NT Authority/Authenticated Users"
  S-1-5-11 SID_WKN_GROUP (5)

  $ bin/wbinfo --group-info="NT Authority/Authenticated Users"
  NT AUTHORITY\authenticated users:x:10002:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Dec  5 11:27:22 CET 2018 on sn-devel-144

18 months agowinbindd: fix predefined domains routing in find_lookup_domain_from_sid()
Ralph Boehme [Wed, 28 Nov 2018 16:20:41 +0000 (17:20 +0100)]
winbindd: fix predefined domains routing in find_lookup_domain_from_sid()

Route predefined domains through the BUILTIN domain child, not passdb.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
18 months agowinbindd: add some braces
Ralph Boehme [Tue, 27 Nov 2018 16:32:09 +0000 (17:32 +0100)]
winbindd: add some braces

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
18 months agolibcli/security: add dom_sid_lookup_is_predefined_domain()
Ralph Boehme [Wed, 28 Nov 2018 16:19:39 +0000 (17:19 +0100)]
libcli/security: add dom_sid_lookup_is_predefined_domain()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
18 months agoselftest: test wbinfo -n and --gid-info with "NT Authority"
Ralph Boehme [Tue, 27 Nov 2018 19:32:09 +0000 (20:32 +0100)]
selftest: test wbinfo -n and --gid-info with "NT Authority"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
18 months agos3:tests: Add test for checking that root is not allowed as home dir
Andreas Schneider [Mon, 3 Dec 2018 10:05:46 +0000 (11:05 +0100)]
s3:tests: Add test for checking that root is not allowed as home dir

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec  5 05:22:43 CET 2018 on sn-devel-144

18 months agos3:smbd: Make sure we do not export "/" (root) as home dir
Andreas Schneider [Thu, 22 Nov 2018 17:23:24 +0000 (18:23 +0100)]
s3:smbd: Make sure we do not export "/" (root) as home dir

If "/" (root) is returned as the home directory, prevent exporting it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
18 months agos3:tests: Test for users connecting to their 'homes' share
Andreas Schneider [Fri, 16 Nov 2018 14:40:59 +0000 (15:40 +0100)]
s3:tests: Test for users connecting to their 'homes' share

This adds a test for CVE-2009-2813.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
18 months agoselftest: Add gooduser and eviluser to Samba3
Andreas Schneider [Thu, 15 Nov 2018 15:06:49 +0000 (16:06 +0100)]
selftest: Add gooduser and eviluser to Samba3

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
18 months agowaf: Utils package not defined
Swen Schillig [Mon, 26 Nov 2018 19:14:21 +0000 (20:14 +0100)]
waf: Utils package not defined

Fix the package name for the WafError routine.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Tue Dec  4 18:45:38 CET 2018 on sn-devel-144

18 months agotraffic_replay: Add a max-members option to cap group size
Tim Beale [Tue, 27 Nov 2018 00:50:32 +0000 (13:50 +1300)]
traffic_replay: Add a max-members option to cap group size

traffic_replay tries to distribute the users among the groups in a
realistic manner - some groups will have almost all users in them.
However, this becomes a problem when testing a really large database,
e.g. we may want 100K users, but no more than 5K users in each group.

This patch adds a max-member option so we can limit how big the groups
actually get.

If we detect that a group exceeds the max-members, we reset the group's
probability (of getting selected) to zero, and then recalculate the
cumulative distribution. The means that the group should no longer get
selected by generate_random_membership(). (Note we can't completely
remove the group from the list because that changes the
list-index-to-group-ID mapping).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec  4 12:22:50 CET 2018 on sn-devel-144

18 months agotraffic: Rework how assignments are generated slightly
Tim Beale [Mon, 26 Nov 2018 21:47:48 +0000 (10:47 +1300)]
traffic: Rework how assignments are generated slightly

We want to cap the number of members that can be in a group. But first,
we need to tweak how the assignment dict gets generated, so that we get
rid of the intermediary set.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agotests: Add test-case for 'group list --verbose'
Tim Beale [Mon, 26 Nov 2018 22:51:51 +0000 (11:51 +1300)]
tests: Add test-case for 'group list --verbose'

Check that the number of members reported is correct.
(This change somehow got left off the ca570bd4827aa commit that was
actually delivered).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agonetcmd: Minor changes to 'group stats' command
Tim Beale [Mon, 26 Nov 2018 22:45:51 +0000 (11:45 +1300)]
netcmd: Minor changes to 'group stats' command

These changes were inadvertently left off 0c910245fca70948a3.
(They were made to the 2nd patch-set iteration posted to the
mailing-list, but for some reason the first patch-set got delivered).

Changes are:
+ rework some variable names for better readability
+ Average members defaulted to int, so lost any floating point
precision.
+ Replace 'Min members' (which was fairly meaningless) with 'Median
members per group'.
+ Fix flake8 long line warnings

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoCVE-2018-14629 dns: fix CNAME loop prevention using counter regression
Stefan Metzmacher [Wed, 28 Nov 2018 14:21:56 +0000 (15:21 +0100)]
CVE-2018-14629 dns: fix CNAME loop prevention using counter regression

The loop prevention should only be done for CNAME records!

Otherwise we truncate the answer records for A, AAAA or
SRV queries, which is a bad idea if you have more than 20 DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec  4 08:52:29 CET 2018 on sn-devel-144

18 months agoCVE-2018-14629: Tests to expose regression from dns cname loop fix
Aaron Haslett [Fri, 30 Nov 2018 05:37:27 +0000 (18:37 +1300)]
CVE-2018-14629: Tests to expose regression from dns cname loop fix

These tests expose the regression described by Stefan Metzmacher in
discussion on the bugzilla paged linked below.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
18 months agos3:lib: Fix undefined behavior in tdb_unpack()
Andreas Schneider [Tue, 27 Nov 2018 07:23:25 +0000 (08:23 +0100)]
s3:lib: Fix undefined behavior in tdb_unpack()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Tue Dec  4 00:23:03 CET 2018 on sn-devel-144

18 months agos3:lib: Fix undefined behavior in tdb_pack()
Andreas Schneider [Thu, 22 Nov 2018 12:33:11 +0000 (13:33 +0100)]
s3:lib: Fix undefined behavior in tdb_pack()

util_tdb.c:98:5: runtime error: null pointer passed as argument 2, which
is declared to never be null

This means the second argument of memcpy() can't be NULL.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:lib: Fix uninitialized variable
Andreas Schneider [Fri, 23 Nov 2018 11:00:36 +0000 (12:00 +0100)]
s3:lib: Fix uninitialized variable

util_tdb.c:116:7: error: ‘len’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
   buf += len;
       ^~
../../source3/lib/util_tdb.c:44:6: note: ‘len’ was declared here
  int len;
      ^~~

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agoctdb-daemon: Exit with error if a database directory does not exist
Martin Schwenke [Fri, 30 Nov 2018 01:44:26 +0000 (12:44 +1100)]
ctdb-daemon: Exit with error if a database directory does not exist

Since 4.9.0, the log messages can be confusing if a required database
directory does not exist.  Explicitly check for database directories,
logging a clear error and exiting if one is missing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13696

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Dec  3 06:56:41 CET 2018 on sn-devel-144

18 months agovfs_fruit: avoid dereferencing fsp->base_fsp in fruit_fstat_meta_stream()
Ralph Boehme [Fri, 30 Nov 2018 09:27:19 +0000 (10:27 +0100)]
vfs_fruit: avoid dereferencing fsp->base_fsp in fruit_fstat_meta_stream()

This helps avoiding a NULL dereference on systems where additional
patches modify the following condition in open_file()

  if ((open_access_mask & (FILE_READ_DATA|FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_EXECUTE)) ||
      (!file_existed && (local_flags & O_CREAT)) ||
      ((local_flags & O_TRUNC) == O_TRUNC) ) {

to

  if ((open_access_mask & (FILE_READ_DATA|FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_EXECUTE|DELETE_ACCESS)) ||
      (!file_existed && (local_flags & O_CREAT)) ||
      ((local_flags & O_TRUNC) == O_TRUNC) ) {

Ie addtionally check open_access_mask against DELETE_ACCESS. As a result
opens with DELETE_ACCESS go through the code that does an fd_open() plus
a subsequent fstat().

That will trigger a crash in fruit_fstat_meta_stream() when a client
wants to delete a file for deletion. When we open base file for delete,
we call open_streams_for_delete() which internally calls create-file
with NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE which prevents opening of
the base_fsp. Voila, combined with the change described above you get a
NULL deref.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Dec  2 07:52:34 CET 2018 on sn-devel-144

18 months agoWHATSNEW: standard process limits
Gary Lockyer [Wed, 19 Sep 2018 03:52:15 +0000 (15:52 +1200)]
WHATSNEW: standard process limits

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 30 15:05:04 CET 2018 on sn-devel-144

18 months agos4 smdb standard: Limit processes forked on accept.
Gary Lockyer [Thu, 6 Sep 2018 19:04:48 +0000 (07:04 +1200)]
s4 smdb standard: Limit processes forked on accept.

Limit the number of processes started by the standard model on accept.
For those services that support fork on accept, the standard model forks
a new process for each new connection. This patch limits the number of
processes to the value specified in 'max smbd processes', a value of
zero indicates that there is no limit on the number of processes that
can be forked.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agos4 smbd standard tests: limit forked processes
Gary Lockyer [Mon, 17 Sep 2018 23:21:40 +0000 (11:21 +1200)]
s4 smbd standard tests: limit forked processes

Tests to confirm the standard process model honours the smbd.conf
variable "max smbd processes", when forking a new process on accept.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoreplace: Correctly check for 'extern char **environ' in unistd.h
Andreas Schneider [Thu, 29 Nov 2018 07:12:06 +0000 (08:12 +0100)]
replace: Correctly check for 'extern char **environ' in unistd.h

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 30 11:41:44 CET 2018 on sn-devel-144

18 months agoutil: Fix include file order
Martin Schwenke [Fri, 30 Nov 2018 05:58:47 +0000 (16:58 +1100)]
util: Fix include file order

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andreas Schneider <asn@samba.org>
18 months agoConverted README to markdown
Daniel Southward-Ellis [Thu, 29 Nov 2018 22:25:42 +0000 (11:25 +1300)]
Converted README to markdown

Signed-off-by: Daniel Southward-Ellis <danielsouthwardellis@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Nov 30 07:07:36 CET 2018 on sn-devel-144

18 months agoAdd simple tests for net rpc share allowedusers
Olly Betts [Tue, 27 Nov 2018 20:09:51 +0000 (09:09 +1300)]
Add simple tests for net rpc share allowedusers

Signed-off-by: Olly Betts <olly@survex.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoFix net rpc share allowedusers short description
Olly Betts [Tue, 23 Oct 2018 00:46:38 +0000 (13:46 +1300)]
Fix net rpc share allowedusers short description

This command allows one to list allowed users, not modify them.

Signed-off-by: Olly Betts <olly@survex.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agonet rpc share allowedusers: Allow restricting shares
Olly Betts [Tue, 1 May 2018 02:37:08 +0000 (14:37 +1200)]
net rpc share allowedusers: Allow restricting shares

The help already implies that you can specify "targets" for net rpc
share allowedusers, but actually the tail end of the command line
is just ignored.

This patch allows a list of shares to be specified, and only those
shares are checked, which can be much faster if you're only interested
in a few shares on a server which exports lots.

This subcommand already accepts an optional filename for the output
of net usersidlist, with a default of stdin.  Typically you'd just pipe
one command to the other so stdin is most likely what you want.  This
patch adds support for a filename of "-" to mean stdin so that you can
specify stdin explicitly when you provide a list of shares, since in
this case the filename can't be omitted.

Signed-off-by: Olly Betts <olly@survex.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoFix spelling mistakes
Olly Betts [Tue, 27 Nov 2018 22:10:17 +0000 (11:10 +1300)]
Fix spelling mistakes

Signed-off-by: Olly Betts <olly@survex.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoNew testcase samba3.blackbox.net_rpc_join_creds
Olly Betts [Tue, 23 Oct 2018 22:46:11 +0000 (11:46 +1300)]
New testcase samba3.blackbox.net_rpc_join_creds

Tests that you can now use a credentials file with net.

Signed-off-by: Olly Betts <olly@survex.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agonet: Add support for a credentials file
Olly Betts [Tue, 1 May 2018 01:19:58 +0000 (13:19 +1200)]
net: Add support for a credentials file

Add support for the same -A authfile/--authentication-file authfile
option that most of the other tools already do.

Signed-off-by: Olly Betts <olly@survex.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agos3/testparm: Reduce debug level to 1
Anoop C S [Fri, 23 Nov 2018 08:41:45 +0000 (14:11 +0530)]
s3/testparm: Reduce debug level to 1

Adhere to what we document in manual page for testparm that default
debug level is set to reasonable value 1.

Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov 29 11:52:22 CET 2018 on sn-devel-144

18 months agos4:torture: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Wed, 21 Nov 2018 10:38:24 +0000 (11:38 +0100)]
s4:torture: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Thu Nov 29 02:20:48 CET 2018 on sn-devel-144

18 months agos4:smbd: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Wed, 21 Nov 2018 10:37:26 +0000 (11:37 +0100)]
s4:smbd: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos4:ntvfs: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Wed, 21 Nov 2018 10:36:23 +0000 (11:36 +0100)]
s4:ntvfs: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos4:lib: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Wed, 21 Nov 2018 10:33:51 +0000 (11:33 +0100)]
s4:lib: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:winbindd: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 14:58:28 +0000 (15:58 +0100)]
s3:winbindd: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:utils: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 14:57:51 +0000 (15:57 +0100)]
s3:utils: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:smbd: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 14:57:09 +0000 (15:57 +0100)]
s3:smbd: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:rpc_server: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 14:56:14 +0000 (15:56 +0100)]
s3:rpc_server: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:nmbd: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 14:55:43 +0000 (15:55 +0100)]
s3:nmbd: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:modules: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 14:54:28 +0000 (15:54 +0100)]
s3:modules: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:libsmb: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 14:53:23 +0000 (15:53 +0100)]
s3:libsmb: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:libads: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:14:07 +0000 (14:14 +0100)]
s3:libads: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:lib: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:12:49 +0000 (14:12 +0100)]
s3:lib: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:include: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:12:23 +0000 (14:12 +0100)]
s3:include: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:ldap: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:11:39 +0000 (14:11 +0100)]
s3:ldap: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3:auth: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:10:36 +0000 (14:10 +0100)]
s3:auth: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agonss_winbind: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:08:31 +0000 (14:08 +0100)]
nss_winbind: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agowins: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:08:05 +0000 (14:08 +0100)]
wins: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agowbclient: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:07:39 +0000 (14:07 +0100)]
wbclient: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agokrb5_plugin: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:06:48 +0000 (14:06 +0100)]
krb5_plugin: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agolibcli:smbreadline: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:06:21 +0000 (14:06 +0100)]
libcli:smbreadline: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agolibcli:smb: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:05:39 +0000 (14:05 +0100)]
libcli:smb: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agolib:util: Avoid name confusion with config.h
Andreas Schneider [Wed, 21 Nov 2018 17:24:59 +0000 (18:24 +0100)]
lib:util: Avoid name confusion with config.h

The HAVE_* is normally used for config.h definitions, so rename it to
USE_ASM_BYTEORDER.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agolib:util: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:01:20 +0000 (14:01 +0100)]
lib:util: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agotdb: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 13:00:39 +0000 (14:00 +0100)]
tdb: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agoreplace: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 12:57:48 +0000 (13:57 +0100)]
replace: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agokrb5_wrap: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 12:57:13 +0000 (13:57 +0100)]
krb5_wrap: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agoctdb: Use #ifdef instead of #if for config.h definitions
Andreas Schneider [Tue, 20 Nov 2018 12:55:49 +0000 (13:55 +0100)]
ctdb: Use #ifdef instead of #if for config.h definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agoautobuild: Add _FORTIFY_SOURCE=2 to the -O3 build
Andreas Schneider [Tue, 20 Nov 2018 11:11:43 +0000 (12:11 +0100)]
autobuild: Add _FORTIFY_SOURCE=2 to the -O3 build

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agowafsamba: Do not always set _FORTIFY_SOURCE=2
Andreas Schneider [Tue, 20 Nov 2018 11:09:31 +0000 (12:09 +0100)]
wafsamba: Do not always set _FORTIFY_SOURCE=2

This requires to be compiled with optimization (-O).

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agos3: Remove unsused MMAP_BLACKLIST ifdef checks
Andreas Schneider [Tue, 20 Nov 2018 11:06:13 +0000 (12:06 +0100)]
s3: Remove unsused MMAP_BLACKLIST ifdef checks

This doesn't get defined by anything.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agolib:replace: Check if HAVE_DECL_ENVIRON is defined first
Andreas Schneider [Tue, 20 Nov 2018 11:01:32 +0000 (12:01 +0100)]
lib:replace: Check if HAVE_DECL_ENVIRON is defined first

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agokrb5_wrap: Fix a typo
Volker Lendecke [Wed, 21 Nov 2018 13:55:10 +0000 (14:55 +0100)]
krb5_wrap: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 28 21:15:31 CET 2018 on sn-devel-144

18 months agoauth: Align integer types
Volker Lendecke [Tue, 20 Nov 2018 16:03:17 +0000 (17:03 +0100)]
auth: Align integer types

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
18 months agolib: Align integer types
Volker Lendecke [Tue, 20 Nov 2018 12:38:05 +0000 (13:38 +0100)]
lib: Align integer types

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
18 months agokrb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm()
Volker Lendecke [Tue, 20 Nov 2018 16:45:11 +0000 (17:45 +0100)]
krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
18 months agocredentials: Remove an unnecessary talloc_steal()
Volker Lendecke [Wed, 21 Nov 2018 14:30:29 +0000 (15:30 +0100)]
credentials: Remove an unnecessary talloc_steal()

ccc was already allocated off cred, this talloc_steal was a no-op.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
18 months agocredentials: Fix set_ccache with empty creds cache
Volker Lendecke [Wed, 21 Nov 2018 14:28:42 +0000 (15:28 +0100)]
credentials: Fix set_ccache with empty creds cache

This is an extension of bb2f7e3aee7e9b8: Without this fix in the
"empty ccache" case we never set cred->ccache, so the whole call to
cli_credentials_set_ccache became pointless

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
18 months agocredentials: Fix an error path memleak
Volker Lendecke [Wed, 21 Nov 2018 14:24:24 +0000 (15:24 +0100)]
credentials: Fix an error path memleak

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
18 months agocredentials: Only do shallow copies of valid ccaches
Volker Lendecke [Wed, 21 Nov 2018 16:36:35 +0000 (17:36 +0100)]
credentials: Only do shallow copies of valid ccaches

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
18 months agotfork: add a README how to run test torture test under valgrind
Ralph Boehme [Tue, 20 Nov 2018 14:50:52 +0000 (15:50 +0100)]
tfork: add a README how to run test torture test under valgrind

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 28 15:57:43 CET 2018 on sn-devel-144

18 months agotfork: add a suppresssions file for drd
Ralph Boehme [Tue, 20 Nov 2018 15:03:03 +0000 (16:03 +0100)]
tfork: add a suppresssions file for drd

drd reports:

 initialized twice: cond 0x514f188
    at 0x4C3A399: pthread_cond_init_intercept (drd_pthread_intercepts.c:1022)
    by 0x4C3A399: pthread_cond_init@* (drd_pthread_intercepts.c:1030)
    by 0x50F3FF3: tfork_atfork_child (tfork.c:250)
    by 0x9A4B95D: fork (fork.c:204)
    by 0x50F4834: tfork_start_waiter_and_worker (tfork.c:581)
    by 0x50F4CDB: tfork_create (tfork.c:780)
    by 0x2F7469: tfork_thread (tfork.c:431)
    by 0x4C358F8: vgDrd_thread_wrapper (drd_pthread_intercepts.c:444)
    by 0x8D46593: start_thread (pthread_create.c:463)
    by 0x9A7EE6E: clone (clone.S:95)
 cond 0x514f188 was first observed at:
    at 0x4C3A399: pthread_cond_init_intercept (drd_pthread_intercepts.c:1022)
    by 0x4C3A399: pthread_cond_init@* (drd_pthread_intercepts.c:1030)
    by 0x50F413A: tfork_global_initialize (tfork.c:287)
    by 0x8D4DEA6: __pthread_once_slow (pthread_once.c:116)
    by 0x4C377FD: pthread_once_intercept (drd_pthread_intercepts.c:800)
    by 0x4C377FD: pthread_once (drd_pthread_intercepts.c:806)
    by 0x50F4C0E: tfork_create (tfork.c:743)
    by 0x2F7469: tfork_thread (tfork.c:431)
    by 0x4C358F8: vgDrd_thread_wrapper (drd_pthread_intercepts.c:444)
    by 0x8D46593: start_thread (pthread_create.c:463)
    by 0x9A7EE6E: clone (clone.S:95)

This is intentional, the reinit is in a child process. Cf the comment in
tfork.c.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
18 months agotfork: add a suppresssions file for helgrind
Ralph Boehme [Mon, 19 Nov 2018 14:18:34 +0000 (15:18 +0100)]
tfork: add a suppresssions file for helgrind

tfork_atexit_unknown[1|2]:

  No idea what triggers this, definitely not tfork itself.

tfork_pthread_get_specific:

 Helgrind reports:

 Possible data race during read of size 4 at 0x5141304 by thread #3
 Locks held: none
    at 0x50E602E: tfork_global_get (tfork.c:301)
    by 0x50E69B1: tfork_create (tfork.c:737)
    by 0x2F7419: tfork_thread (tfork.c:431)
    by 0x4C35AC5: mythread_wrapper (hg_intercepts.c:389)
    by 0x8D38593: start_thread (pthread_create.c:463)
    by 0x9A70E6E: clone (clone.S:95)

 This conflicts with a previous write of size 4 by thread #2
 Locks held: none
    at 0x8D3F7B7: pthread_key_create (pthread_key_create.c:41)
    by 0x50E5F79: tfork_global_initialize (tfork.c:280)
    by 0x8D3FEA6: __pthread_once_slow (pthread_once.c:116)
    by 0x50E6999: tfork_create (tfork.c:728)
    by 0x2F7419: tfork_thread (tfork.c:431)
    by 0x4C35AC5: mythread_wrapper (hg_intercepts.c:389)
    by 0x8D38593: start_thread (pthread_create.c:463)
    by 0x9A70E6E: clone (clone.S:95)
  Location 0x5141304 is 0 bytes inside global var "tfork_global_key"
  declared at tfork.c:122

  This is nonsense, tfork_global_get() calls pthread_getspecific, so
  we're looking at the pthread_key_create()/pthread_[g|s]etspecific()
  API here which works with threads by design.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
18 months agotfork: TFORK_ANNOTATE_BENIGN_RACE
Ralph Boehme [Mon, 19 Nov 2018 22:07:55 +0000 (23:07 +0100)]
tfork: TFORK_ANNOTATE_BENIGN_RACE

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
18 months agotfork/test: ensure all threads start with SIGCHLD unblocked
Ralph Boehme [Mon, 19 Nov 2018 15:47:33 +0000 (16:47 +0100)]
tfork/test: ensure all threads start with SIGCHLD unblocked

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
18 months agoCVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow
Tim Beale [Tue, 13 Nov 2018 00:22:41 +0000 (13:22 +1300)]
CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow

Clearly the lockOutObservationWindow value is important, and using a
default value of zero doesn't work very well.

This patch adds a better default value (the domain default setting of 30
minutes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Wed Nov 28 11:31:14 CET 2018 on sn-devel-144

18 months agoCVE-2018-16857 dsdb/util: Fix lockOutObservationWindow for PSOs
Tim Beale [Tue, 13 Nov 2018 00:19:04 +0000 (13:19 +1300)]
CVE-2018-16857 dsdb/util: Fix lockOutObservationWindow for PSOs

Fix a remaining place where we were trying to read the
msDS-LockoutObservationWindow as an int instead of an int64.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoCVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int
Tim Beale [Mon, 12 Nov 2018 23:24:16 +0000 (12:24 +1300)]
CVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int

Commit 442a38c918ae1666b35 refactored some code into a new
get_lockout_observation_window() function. However, in moving the code,
an ldb_msg_find_attr_as_int64() inadvertently got converted to a
ldb_msg_find_attr_as_int().

ldb_msg_find_attr_as_int() will only work for values up to -2147483648
(about 3.5 minutes in MS timestamp form). Unfortunately, the automated
tests used a low enough timeout that they still worked, however,
password lockout would not work with the Samba default settings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoCVE-2018-16857 tests: Sanity-check password lockout works with default values
Tim Beale [Mon, 12 Nov 2018 22:49:56 +0000 (11:49 +1300)]
CVE-2018-16857 tests: Sanity-check password lockout works with default values

Sanity-check that when we use the default lockOutObservationWindow that
user lockout actually works.

The easiest way to do this is to reuse the _test_login_lockout()
test-case, but stop at the point where we wait for the lockout duration
to expire (because we don't want the test to wait 30 mins).

This highlights a problem currently where the default values don't work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoCVE-2018-16853: fix crash in expired passowrd case
Isaac Boukris [Wed, 7 Nov 2018 20:53:35 +0000 (22:53 +0200)]
CVE-2018-16853: fix crash in expired passowrd case

When calling encode_krb5_padata_sequence() make sure to
pass a null terminated array as required.

Fixes expired passowrd case in samba4.blackbox.kinit test.

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
18 months agoCVE-2018-16853: Do not segfault if client is not set
Andreas Schneider [Wed, 28 Sep 2016 05:22:32 +0000 (07:22 +0200)]
CVE-2018-16853: Do not segfault if client is not set

This can be triggered with FAST but we don't support this yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
18 months agoCVE-2018-16853: Add a test to verify s4u2self doesn't crash
Isaac Boukris [Sat, 18 Aug 2018 13:01:59 +0000 (16:01 +0300)]
CVE-2018-16853: Add a test to verify s4u2self doesn't crash

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
18 months agoCVE-2018-16853: The ticket in check_policy_as can actually be a TGS
Isaac Boukris [Fri, 17 Aug 2018 21:40:30 +0000 (00:40 +0300)]
CVE-2018-16853: The ticket in check_policy_as can actually be a TGS

This happens when we are called from S4U2Self flow, and in that case
kdcreq->client is NULL.  Use the name from client entry instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
18 months agoCVE-2018-16853: Fix kinit test on system lacking ldbsearch
Isaac Boukris [Sat, 18 Aug 2018 12:32:43 +0000 (15:32 +0300)]
CVE-2018-16853: Fix kinit test on system lacking ldbsearch

By fixing bindir variable name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
18 months agoCVE-2018-16853 WHATSNEW: The Samba AD DC, when build with MIT Kerberos is experimental
Andrew Bartlett [Tue, 6 Nov 2018 00:40:48 +0000 (13:40 +1300)]
CVE-2018-16853 WHATSNEW: The Samba AD DC, when build with MIT Kerberos is experimental

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agoCVE-2018-16853 build: The Samba AD DC, when build with MIT Kerberos is experimental
Andrew Bartlett [Tue, 6 Nov 2018 00:32:05 +0000 (13:32 +1300)]
CVE-2018-16853 build: The Samba AD DC, when build with MIT Kerberos is experimental

This matches https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
18 months agoCVE-2018-16852 dcerpc dnsserver: refactor common properties handling
Gary Lockyer [Wed, 7 Nov 2018 02:08:04 +0000 (15:08 +1300)]
CVE-2018-16852 dcerpc dnsserver: refactor common properties handling

dnsserver_common.c and dnsutils.c both share similar code to process
zone properties.  This patch extracts the common code and moves it to
dnsserver_common.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoCVE-2018-16852 dcerpc dnsserver: Ensure properties are handled correctly
Gary Lockyer [Mon, 5 Nov 2018 23:16:30 +0000 (12:16 +1300)]
CVE-2018-16852 dcerpc dnsserver: Ensure properties are handled correctly

Fixes for
Bug 13669 - (CVE-2018-16852) NULL
            pointer de-reference in Samba AD DC DNS management

The presence of the ZONE_MASTER_SERVERS property or the
ZONE_SCAVENGING_SERVERS property in a zone record causes the server to
follow a null pointer and terminate.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoCVE-2018-16852 dcerpc dnsserver: Verification tests
Gary Lockyer [Mon, 5 Nov 2018 23:10:07 +0000 (12:10 +1300)]
CVE-2018-16852 dcerpc dnsserver: Verification tests

Tests to verify
Bug 13669 - (CVE-2018-16852) NULL
            pointer de-reference in Samba AD DC DNS management

The presence of the ZONE_MASTER_SERVERS property or the
ZONE_SCAVENGING_SERVERS property in a zone record causes the server to
follow a null pointer and terminate.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoCVE-2018-16851 ldap_server: Check ret before manipulating blob
Garming Sam [Mon, 5 Nov 2018 03:18:18 +0000 (16:18 +1300)]
CVE-2018-16851 ldap_server: Check ret before manipulating blob

In the case of hitting the talloc ~256MB limit, this causes a crash in
the server.

Note that you would actually need to load >256MB of data into the LDAP.
Although there is some generated/hidden data which would help you reach that
limit (descriptors and RMD blobs).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18 months agoCVE-2018-16841 selftest: Check for mismatching principal in certficate compared with...
Andrew Bartlett [Wed, 24 Oct 2018 02:41:28 +0000 (15:41 +1300)]
CVE-2018-16841 selftest: Check for mismatching principal in certficate compared with principal in AS-REQ

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>