Andreas Schneider [Thu, 6 Apr 2023 14:16:19 +0000 (16:16 +0200)]
lib:replace: Fix code spelling
Best reviewed with: `git show --word-diff`.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 6 Apr 2023 14:05:03 +0000 (16:05 +0200)]
lib:pthreadpool: Fix code spelling
Best reviewed with: `git show --word-diff`.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 6 Apr 2023 14:04:08 +0000 (16:04 +0200)]
lib:param: Fix code spelling
Best reviewed with: `git show --word-diff`.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 6 Apr 2023 14:02:58 +0000 (16:02 +0200)]
lib:messaging: Fix code spelling
Best reviewed with: `git show --word-diff`.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 6 Apr 2023 14:01:33 +0000 (16:01 +0200)]
lib:ldb: Fix code spelling
Best reviewed with: `git show --word-diff`.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 6 Apr 2023 13:54:30 +0000 (15:54 +0200)]
examples: Fix spelling
Best reviewed with: `git show --word-diff`.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 6 Apr 2023 13:52:49 +0000 (15:52 +0200)]
dynconfig: Fix code spelling
Best reviewed with: `git show --word-diff`.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 6 Apr 2023 13:51:35 +0000 (15:51 +0200)]
docs-xml: Fix spelling
Best reviewed with: `git show --word-diff`.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 6 Apr 2023 13:45:07 +0000 (15:45 +0200)]
ctdb: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 6 Apr 2023 13:43:10 +0000 (15:43 +0200)]
Makefile: Fix spelling
Best reviewed with: `git show --word-diff`.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Remi Collet [Tue, 4 Apr 2023 10:16:09 +0000 (12:16 +0200)]
libsmb: Fix test for smbc_getxattr
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14808
Signed-off-by: Remi Collet <rcollet@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Apr 9 10:44:38 UTC 2023 on atb-devel-224
Remi Collet [Tue, 4 Apr 2023 08:22:09 +0000 (10:22 +0200)]
libsmb: fix regression on smbc_getxattr and fix doc
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14808
Signed-off-by: Remi Collet <rcollet@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Andreas Schneider [Thu, 6 Apr 2023 19:40:31 +0000 (21:40 +0200)]
s3:libads: Remove executable bit from ldap.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Thu, 6 Apr 2023 08:16:46 +0000 (10:16 +0200)]
rpcd_mdssvc: initialize POSIX locking
Otherwise the posix_pending_close_db is NULL and we crash when trying to close a
file descriptor:
#4 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_parse_record+0xe) [0x7fbc5d05c8ae]
#5 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_fetch_int32+0x38) [0x7fbc5d05d438]
#6 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close_posix+0x7b) [0x7fbc5e276f8b]
#7 /usr/lib64/samba/libsmbd-base-samba4.so(+0x57900) [0x7fbc5e28a900]
#8 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close+0x68) [0x7fbc5e2b7ea8]
#9 /usr/lib64/samba/libsmbd-base-samba4.so(+0x62608) [0x7fbc5e295608]
#10 /usr/lib64/samba/libtalloc-samba4.so(_talloc_free+0x51b) [0x7fbc5d9f439b]
#11 /usr/lib64/samba/vfs/fruit.so(+0xcac2) [0x7fbc45fcdac2]
#12 /usr/lib64/samba/vfs/fruit.so(+0xcbdd) [0x7fbc45fcdbdd]
#13 /usr/lib64/samba/vfs/fruit.so(+0xf603) [0x7fbc45fd0603]
#14 /usr/lib64/samba/libsmbd-base-samba4.so(+0x56375) [0x7fbc5e289375]
#15 /usr/lib64/samba/vfs/nothingtoseeherereally.so(+0x196c) [0x7fbc467f996c]
#16 /usr/lib64/samba/vfs/streams_xattr.so(+0x51fc) [0x7fbc461e71fc]
#17 /usr/lib64/samba/libsmbd-base-samba4.so(+0xade3a) [0x7fbc5e2e0e3a]
#18 /usr/lib64/samba/libsmbd-base-samba4.so(create_conn_struct_cwd+0x44) [0x7fbc5e2e1cf4]
#19 /usr/libexec/samba/rpcd_mdssvc(mds_init_ctx+0x2c3) [0x563fdac08f03]
#20 /usr/libexec/samba/rpcd_mdssvc(_mdssvc_open+0x141) [0x563fdac0b4d1]
The corresponding open is done as part of initializing a connection_struct
object, where we chdir() and stat() the root path of the share. The stat() in
vfs_fruit causes an expensive metadata request on the path which triggers an
internal open of a pathref handle. Note that this only affects servers that have
fruit:metadata = netatalk set, which is the default unfortunately.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15354
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Apr 7 21:12:21 UTC 2023 on atb-devel-224
Ralph Boehme [Wed, 5 Apr 2023 09:03:52 +0000 (11:03 +0200)]
smbd: Prevent creation of vetoed files
The problem is when checking for vetoed names on the last path component in
openat_pathref_fsp_case_insensitive() we return
NT_STATUS_OBJECT_NAME_NOT_FOUND. The in the caller
filename_convert_dirfsp_nosymlink() this is treated as the "file creation case"
causing filename_convert_dirfsp_nosymlink() to return NT_STATUS_OK.
In order to correctly distinguish between the cases
1) file doesn't exist, we may be creating it, return
2) a vetoed a file
we need 2) to return a more specific error to
filename_convert_dirfsp_nosymlink(). I've chosen NT_STATUS_OBJECT_NAME_INVALID
which gets mapped to the appropriate errror NT_STATUS_OBJECT_PATH_NOT_FOUND or
NT_STATUS_OBJECT_NAME_NOT_FOUND depending on which path component was vetoed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr 6 23:03:50 UTC 2023 on atb-devel-224
Ralph Boehme [Wed, 5 Apr 2023 09:32:09 +0000 (11:32 +0200)]
CI: add a test creating a vetoed file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Dmitry Antipov [Fri, 17 Mar 2023 10:06:52 +0000 (13:06 +0300)]
lib:registry: drop unused argument of reg_open_remote()
Drop 'struct auth_session_info *' argument of reg_open_remote()
which is actually unused (NULL passed by all of the callers).
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 6 16:46:03 UTC 2023 on atb-devel-224
Andreas Schneider [Thu, 16 Mar 2023 11:58:21 +0000 (12:58 +0100)]
python:tests: Correctly skip some GPO tests in release tarball
These tests require provision data we do not ship in release tarballs.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Apr 6 15:42:12 UTC 2023 on atb-devel-224
Andreas Schneider [Tue, 21 Mar 2023 08:15:20 +0000 (09:15 +0100)]
testprogs: Remove unused test_export_keytab_(heimdal|mit).sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 6 14:47:20 UTC 2023 on atb-devel-224
Andreas Schneider [Wed, 15 Mar 2023 12:14:16 +0000 (13:14 +0100)]
testprogs: Merge export keytab tests into a single script for MIT and Heimdal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 08:34:52 +0000 (09:34 +0100)]
testprogs: Fix shell arithmetic in test_export_keytab_mit.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 08:34:29 +0000 (09:34 +0100)]
testprogs: Reformat test_export_keytab_mit.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 08:26:24 +0000 (09:26 +0100)]
testprogs: Fix shell arithmetic in test_export_keytab_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 08:26:07 +0000 (09:26 +0100)]
testprogs: Reformat test_export_keytab_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 08:14:18 +0000 (09:14 +0100)]
testprogs: Remove unused test_kinit_trusts_(heimdal|mit).sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 15 Mar 2023 07:43:54 +0000 (08:43 +0100)]
testprogs: Merge kinit trust tests into a single script for MIT and Heimdal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 08:12:21 +0000 (09:12 +0100)]
testprogs: Fix shell arithmetic in test_kinit_trusts_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 08:19:28 +0000 (09:19 +0100)]
testprogs: Fix shell arithmetic in test_kinit_trusts_mit.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 08:19:07 +0000 (09:19 +0100)]
testprogs: Reformat test_kinit_trusts_mit.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 08:11:46 +0000 (09:11 +0100)]
testprogs: Reformat test_kinit_trusts_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 07:50:43 +0000 (08:50 +0100)]
testprogs: Remove unused test_kinit_(heimdal|mit).sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 14 Mar 2023 09:22:36 +0000 (10:22 +0100)]
testprogs: Merge kinit tests into a single script for MIT and Heimdal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 07:40:11 +0000 (08:40 +0100)]
testprogs: Fix shell arithmetic in test_kinit_mit.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 07:39:47 +0000 (08:39 +0100)]
testprogs: Reformat test_kinit_mit.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 07:48:19 +0000 (08:48 +0100)]
testprogs: Use common binary detection functions in test_kinit_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 07:39:19 +0000 (08:39 +0100)]
testprogs: Fix shell arithmetic in test_kinit_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 21 Mar 2023 07:31:03 +0000 (08:31 +0100)]
testprogs: Reformat test_kinit_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2023 13:36:58 +0000 (14:36 +0100)]
nsswitch:tests: Use configuration variable passed to test_rfc2307_mapping.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 16 Mar 2023 21:09:34 +0000 (22:09 +0100)]
s4:selftest: Move rfc2307_mapping test to ad_dc
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 16 Mar 2023 21:08:46 +0000 (22:08 +0100)]
s4:selftest: Reformat samba4.blackbox.rfc2307_mapping
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 15 Mar 2023 07:45:15 +0000 (08:45 +0100)]
testprogs: Pass configuration to test_kinit_trusts_mit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 15 Mar 2023 07:50:33 +0000 (08:50 +0100)]
testprogs: Pass configuration to test_kinit_trusts_heimdal.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 22 Mar 2023 07:37:15 +0000 (08:37 +0100)]
testprogs: Remove UID_WRAPPER_ROOT export
This is not needed, we only need it for smbpasswd and in order to get
root we need to set the ruid and euid, which we already do.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2023 13:32:50 +0000 (14:32 +0100)]
testprogs: Pass configuration to test_password_settings.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 15 Mar 2023 20:24:44 +0000 (21:24 +0100)]
s4:selftest: Use ad_dc env for samba4.blackbox.password_settings
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2023 13:29:48 +0000 (14:29 +0100)]
s4:selftest: Reformat samba4.blackbox.password_settings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2023 11:23:26 +0000 (12:23 +0100)]
testprogs: Pass configuration to test_kpasswd_mit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2023 11:23:08 +0000 (12:23 +0100)]
testprogs: Pass configuration to test_kpasswd_heimdal.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 15 Mar 2023 07:08:45 +0000 (08:08 +0100)]
testprogs: Specify the KRB5CCNAME on the command line
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2023 10:56:39 +0000 (11:56 +0100)]
testprogs: Pass configuration to test_export_keytab_mit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2023 10:50:47 +0000 (11:50 +0100)]
testprogs: Pass configuration to test_export_keytab_heimdal.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2023 10:40:32 +0000 (11:40 +0100)]
testprogs: Correctly set configuration in test_kinit_heimdal.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2023 09:47:15 +0000 (10:47 +0100)]
testprogs: Correctly set configuration in test_kinit_mit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 14 Mar 2023 07:08:22 +0000 (08:08 +0100)]
s4:selftest: Use ad_dc environment for kinit tests
This makes sure they are run as part of "samba-addc-mit-1".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 14 Mar 2023 07:06:35 +0000 (08:06 +0100)]
s4:selftest: Use smbclient3 for kinit tests
smbclient3 has support for SMB2+.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 13 Mar 2023 10:38:02 +0000 (11:38 +0100)]
s4:tests: Reformat kerberos tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 20 Mar 2023 09:37:01 +0000 (10:37 +0100)]
testprogs: Fix running export.keytab heimdal test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 6 Apr 2023 00:28:12 +0000 (12:28 +1200)]
selftest: Use "debug syslog format = always" in selftest
Some of the most difficult to debug issues in Samba development are around
timing, so this changes our default logging format in the selftest system
to include a high-resolution timestamp to help correlate bad events with
what else is going on at the same time.
This fits in well with the timestamps already logged into st/subunit
and may assist with correlation.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr 6 13:44:47 UTC 2023 on atb-devel-224
Andrew Bartlett [Thu, 6 Apr 2023 00:26:11 +0000 (12:26 +1200)]
lib/util: Add "debug syslog format = always", which logs to stdout in syslog style
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 5 Apr 2023 08:04:57 +0000 (10:04 +0200)]
s4:torture: Extend smb2 session requested_life_time
It also only waits for the required amount of time elapsed. Hopefully
this should avoid running into timeouts.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 5 Apr 2023 08:04:34 +0000 (10:04 +0200)]
s4:torture: Fix warning messages for smb2.session
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 5 Apr 2023 08:00:15 +0000 (10:00 +0200)]
s4:torture: Fix warning messages for smb.raw.session
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 5 Apr 2023 07:59:14 +0000 (09:59 +0200)]
s4:torture: Remove trailing white spaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 5 Apr 2023 07:23:41 +0000 (09:23 +0200)]
s3:tests: Add exit code with failed tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 5 Apr 2023 07:21:24 +0000 (09:21 +0200)]
s3:tests: Use CONFIGURATION passed down to the test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 5 Apr 2023 06:48:29 +0000 (08:48 +0200)]
s3:tests: Correctly implement tests for forceuser/forcegroup
They used the tmp share ...
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 5 Apr 2023 06:47:16 +0000 (08:47 +0200)]
s3:tests: Use the CONFIGURATION passed down to the test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 5 Apr 2023 06:57:49 +0000 (08:57 +0200)]
s3:selftest: Remove ad_dc_ntvfs for smbclient_machine_auth.plain
There is no need to run it against this environment and saves resources.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 5 Apr 2023 06:44:54 +0000 (08:44 +0200)]
lib:ldb:tests: Fix signedness build error
lib/ldb/tests/ldb_filter_attrs_in_place_test.c:836:55: error: pointer
targets in passing argument 1 of ‘_assert_string_equal’ differ in
signedness [-Werror=pointer-sign]
836 | assert_string_equal(msg->elements[0].values[0].data,
| ^
| |
| uint8_t * {aka unsigned char *}
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 2 Mar 2023 13:46:25 +0000 (14:46 +0100)]
net_ads: fill ads->auth.realm from c->creds
We get the realm we use for authentication needs to
the realm belonging to the username we use.
We derive the username from c->creds, so we need to
do the same for the realm.
Otherwise we try to authenticate as the wrong user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 5 Apr 2023 14:45:21 +0000 (16:45 +0200)]
testprogs/blackbox: add test_net_ads_search_server.sh
This reproduces a regression with
'net ads search -P --server server.of.trusted.domain'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Rob van der Linde [Sun, 19 Feb 2023 22:50:36 +0000 (11:50 +1300)]
dsdb: modify unicodePwd requires encrypted connection
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr 6 01:33:05 UTC 2023 on atb-devel-224
Rob van der Linde [Wed, 5 Apr 2023 00:30:03 +0000 (12:30 +1200)]
dsdb/tests: Add test for modification of unicodePwd over a cleartext/signed connection
This demonstrates that the server did not detect CVE-2023-0922
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Rob van der Linde [Thu, 16 Feb 2023 00:23:42 +0000 (13:23 +1300)]
dsdb: fix spelling in password_hash.c
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 5 Apr 2023 20:59:17 +0000 (08:59 +1200)]
dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test
By slowing the filter down more this makes the test reliable on the
autobuild host.
This is not a long-term solution, but is a quick tweak that can be done
today to address current issues with getting commits past the host-based
(compared with cloud-based) autobuild.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 5 Apr 2023 20:54:02 +0000 (08:54 +1200)]
dsdb/tests: Move SD modification on class-created objects to classSetUp
These modifications persist, so should be done at the class level,
not in the test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Rob van der Linde [Mon, 27 Feb 2023 01:06:23 +0000 (14:06 +1300)]
CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 5 03:08:51 UTC 2023 on atb-devel-224
Joseph Sutton [Sun, 8 Jan 2023 22:22:34 +0000 (11:22 +1300)]
CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values
This early return would mistakenly allow an unprivileged user to delete
the dNSHostName attribute by making an LDAP modify request with no
values. We should no longer allow this.
Add or replace operations with no values and no privileges are
disallowed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 4 Jan 2023 08:37:49 +0000 (21:37 +1300)]
CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 14 Feb 2023 04:19:27 +0000 (17:19 +1300)]
s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
It's no longer used anywhere.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 1 Mar 2023 01:49:06 +0000 (14:49 +1300)]
dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now
remove the complexity.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Tue, 14 Feb 2023 01:18:45 +0000 (14:18 +1300)]
ldb: Use correct member of union
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 2 Mar 2023 04:24:15 +0000 (17:24 +1300)]
CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
Setting the LDB_HANDLE_FLAG_UNTRUSTED tells the acl_read module to operate on this request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Thu, 2 Mar 2023 03:51:25 +0000 (16:51 +1300)]
CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes
The chain for transitive evaluation does consider ACLs, avoiding the disclosure of
confidential information.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Fri, 3 Mar 2023 03:49:00 +0000 (16:49 +1300)]
CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Thu, 2 Mar 2023 03:31:17 +0000 (16:31 +1300)]
CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED
This will allow our dsdb helper search functions to mark the new
request as untrusted, forcing read ACL evaluation (per current behaviour).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Thu, 23 Feb 2023 21:03:25 +0000 (10:03 +1300)]
CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed
In the unlikely case that someone adds a confidential indexed attribute
to the schema, LDAP search expressions on that attribute could disclose
information via timing differences. Let's not use the index for searches
on confidential attributes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 3 Mar 2023 04:35:55 +0000 (17:35 +1300)]
CVE-2023-0614 ldb: Filter on search base before redacting message
Redaction may be expensive if we end up needing to fetch a security
descriptor to verify rights to an attribute. Checking the search scope
is probably cheaper, so do that first.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 14 Feb 2023 00:17:24 +0000 (13:17 +1300)]
CVE-2023-0614 ldb: Centralise checking for inaccessible matches
This makes it less likely that we forget to handle a case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 15 Feb 2023 23:35:34 +0000 (12:35 +1300)]
CVE-2023-0614 ldb: Use binary search to check whether attribute is secret
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 27 Feb 2023 00:31:44 +0000 (13:31 +1300)]
CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it
If the AS_SYSTEM control is present, we know we have system privileges,
and have no need to call dsdb_module_am_system().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 3 Mar 2023 04:34:29 +0000 (17:34 +1300)]
CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.
Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.
Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.
As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 27 Feb 2023 00:55:36 +0000 (13:55 +1300)]
CVE-2023-0614 s4-acl: Split out function to set up access checking variables
These variables are often used together, and it is useful to have the
setup code in one place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 26 Feb 2023 23:19:08 +0000 (12:19 +1300)]
CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()
This function parses a SID from an ldb_message, similar to
samdb_result_dom_sid(), but does it without allocating anything.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 27 Feb 2023 00:40:33 +0000 (13:40 +1300)]
CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 3 Mar 2023 04:31:54 +0000 (17:31 +1300)]
CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 19:32:41 +0000 (08:32 +1300)]
CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 6 Feb 2023 20:25:48 +0000 (09:25 +1300)]
CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID
DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit
08187833fee57a8dba6c67546dfca516cd1f9d7a.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 6 Feb 2023 20:48:37 +0000 (09:48 +1300)]
CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential attributes test
The object returned by schema_format_value() is a bytes object.
Therefore the search expression would resemble:
(lastKnownParent=<GUID=b'
00000000-0000-0000-0000-
000000000000'>)
which, due to the extra characters, would fail to match anything.
Fix it to be:
(lastKnownParent=<GUID=
00000000-0000-0000-0000-
000000000000>)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 6 Feb 2023 20:35:24 +0000 (09:35 +1300)]
CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own
In extended_dn_fix_filter() we had:
req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);
which overwrote the parse tree on an existing ldb request with a fixed
up tree. This became a problem if a module performed another search with
that same request structure, as extended_dn_in would try to fix up the
already-modified tree for a second time. The fixed-up tree element now
having an extended DN, it would fall foul of the ldb_dn_match_allowed()
check in extended_dn_filter_callback(), and be replaced with an
ALWAYS_FALSE match rule. In practice this meant that <GUID={}> searches
would only work for one search in an ldb request, and fail for
subsequent ones.
Fix this by creating a new request with the modified tree, and leaving
the original request unmodified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>