Karolin Seeger [Tue, 8 Aug 2017 06:52:21 +0000 (08:52 +0200)]
VERSION: Disable GIT_SNAPSHOTS for the 4.6.7 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Fri, 4 Aug 2017 09:17:12 +0000 (11:17 +0200)]
WHATSNEW: Add release notes for Samba 4.6.7.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Andrew Bartlett [Tue, 25 Jul 2017 02:26:45 +0000 (14:26 +1200)]
s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified
The previous patch set this incorrectly to NETLOGON_NT_VERSION_1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11392
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
0554bc237f1b84d672d36781bead8b2c33f2e5a4)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Tue Aug 1 12:15:22 CEST 2017 on sn-devel-144
Arvid Requate [Thu, 22 Jun 2017 11:37:13 +0000 (13:37 +0200)]
s4-dsdb/netlogon: allow missing ntver in cldap ping
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11392
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
88db634ed84647e5105c4b4fdf37d5892bebfd8d)
Arvid Requate [Tue, 20 Jun 2017 18:05:17 +0000 (20:05 +0200)]
s4:torture/ldap: Test netlogon without NtVer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11392
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
22a94b728bd5d513b2002b62c129271d2210ed73)
Noel Power [Thu, 20 Jul 2017 12:01:50 +0000 (13:01 +0100)]
s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only)
uint16_t get_fileinfo(...) returns file attributes, this function
called
cli_qfileinfo_basic(cli, fnum, &mode, NULL, NULL, NULL,
NULL, NULL, NULL);
which was failing with NT_STATUS_ACCESS_DENIED errors when fnum above
was obtained via (when using protocol > SMB). Note: This only seems to be
an issue when run against a windows server, with smbd SMB1 & SMB2 work fine.
status = cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ,
0, FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_OPEN, 0x0, 0x0, &fnum, NULL);
The failing cli_qfileinfo_basic call above is unnecessary as we can already
obtain the required information from the cli_ntcreate call
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12937
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit
c57dcafb150823b00fd873046e65a966a8488fa8)
David Disseldorp [Fri, 14 Jul 2017 21:55:29 +0000 (23:55 +0200)]
vfs_ceph: fix cephwrap_chdir()
When provided a '/' path (i.e. CephFS root), vfs_ceph does a *local*
chdir() to the share path. This breaks smb client directory listings.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12911
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Jul 21 19:10:46 CEST 2017 on sn-devel-144
(cherry picked from commit
1dcacff083019810e207a3d123a81fe32d9dde1a)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Tue Jul 25 19:51:08 CEST 2017 on sn-devel-144
Jeremy Allison [Thu, 13 Jul 2017 19:06:58 +0000 (12:06 -0700)]
s3: smbd: Fix a read after free if a chained SMB1 call goes async.
Reported to the Samba Team by Yihan Lian <lianyihan@360.cn>, a security
researcher of Qihoo 360 GearTeam. Thanks a lot!
smb1_parse_chain() incorrectly used talloc_tos() for the memory
context of the chained smb1 requests. This gets freed between
requests so if a chained request goes async, the saved request
array also is freed, which causes a crash on resume.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12836
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
5fe76a5474823ed7602938a07c9c43226a7882a3)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Tue Jul 25 06:16:37 CEST 2017 on sn-devel-144
Thomas Jarosch [Sat, 22 Jul 2017 16:36:18 +0000 (09:36 -0700)]
s3: libsmb: Fix use-after-free when accessing pointer *p.
talloc_asprintf_append() might call realloc()
and therefore move the memory address of "path".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144
(cherry picked from commit
890137cffedcaf88a9ff808c01335ee14fcfd8da)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Mon Jul 24 02:24:33 CEST 2017 on sn-devel-144
Volker Lendecke [Wed, 19 Jul 2017 12:51:33 +0000 (14:51 +0200)]
smbd: Fix a connection run-down race condition
When we do a server exit with active aio jobs, we need to keep the
aio state active for the helper thread. Right now I don't see another
chance than to leak memory in this case. And, I don't really oversee
how cancelling requests works in this case, but this does fix crashes
seen at a customer site.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12925
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
0181fcc4aaa730e3a88ff5d397145332f4013950)
Ralph Boehme [Fri, 14 Jul 2017 14:38:36 +0000 (16:38 +0200)]
s3/notifyd: ensure notifyd doesn't return from smbd_notifyd_init
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12910
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
7f4e7cfd1b0bd917395c631a1a8195fffd13bbad)
Martin Schwenke [Wed, 12 Jul 2017 03:41:17 +0000 (13:41 +1000)]
ctdb-common: Set close-on-exec when creating PID file
Otherwise, for example, the file descriptor for the main PID file will
leak all the way down to event scripts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12898
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit
3e85cbfd7541d8f30ce1f3244ebcc44332b394fe)
Ralph Boehme [Wed, 12 Jul 2017 07:33:59 +0000 (09:33 +0200)]
vfs_fruit: don't use MS NFS ACEs with Windows clients
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12897
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Jul 13 22:21:08 CEST 2017 on sn-devel-144
(cherry picked from commit
df0db9d8f893f9245c6289200303b94a6e2d48d0)
Andreas Schneider [Fri, 7 Jul 2017 12:08:49 +0000 (14:08 +0200)]
s3:client: The smbspool krb5 wrapper needs negotiate for authentication
If you create a new printer it doesn't have AuthInfoRequired set and so
cups calls the backend with:
AUTH_INFO_REQUIRED=none
In this case we need to return:
ATTR: auth-info-required=negotiate
and return an error that we require authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12886
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
4cced4da4ca97f0c6db227e6b2c7e03c2e5c1f28)
Günther Deschner [Wed, 28 Jun 2017 16:10:28 +0000 (18:10 +0200)]
vfs_fruit: add fruit:model = <modelname> parametric option
fruit:model = iMac
fruit:model = MacBook
fruit:model = MacPro
fruit:model = Xserve
will all display a different icon inside Finder.
Formerly, we used "Samba" which resulted in a "?" icon in Finder, with
the new default "MacSamba" we appear with a computer box icon at least.
Guenther
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12840
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jul 12 03:17:57 CEST 2017 on sn-devel-144
(cherry picked from commit
259e1706e3206b215e136ea9d5beef4c9e3fcdee)
Dustin L. Howett via samba-technical [Fri, 30 Jun 2017 23:10:01 +0000 (16:10 -0700)]
idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN
All other ldap-querying methods in idmap_ad make a single retry attempt if they get
TLDAP_SERVER_DOWN. This patch brings idmap_ad_query_user in line with that design.
This fixes the symptom described in 12720 at the cost of an additional reconnect per
failed lookup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12720
Signed-off-by: Dustin L. Howett <dustin@howett.net>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
fe7020b0d1b6fe1ca9add4815e20c2e2262cb6c9)
Bob Campbell [Mon, 9 Jan 2017 20:20:47 +0000 (09:20 +1300)]
selftest: Do not force run of kcc at start of selftest
This should help to avoid clashes between periodic and manual runs of
the KCC during autobuild.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12869
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
c0a7d2bacdacc7a43e04f3b450ea069c000b3d8d)
Autobuild-User(v4-6-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-6-test): Thu Jul 20 01:54:41 CEST 2017 on sn-devel-144
Stefan Metzmacher [Thu, 22 Jun 2017 13:30:56 +0000 (15:30 +0200)]
selftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join
Here we check that we get 'REDACTED SECRET VALUES' printed, in order
to avoid regression on the non '-f' behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
9530284383f252efd64bfdf138579964c6500eba)
Autobuild-User(v4-6-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-6-test): Fri Jul 14 00:00:12 CEST 2017 on sn-devel-144
Stefan Metzmacher [Tue, 23 May 2017 15:42:09 +0000 (17:42 +0200)]
s3:secrets: remove unused secrets_store_[prev_]machine_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
f513c20ee04fe896900c99ae804753d445414d7d)
Stefan Metzmacher [Tue, 23 May 2017 15:41:34 +0000 (17:41 +0200)]
s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
b874dc90c91dd41c35e99bf7c4fe04220465edca)
Stefan Metzmacher [Tue, 23 May 2017 15:29:31 +0000 (17:29 +0200)]
net: make use of secrets_*_password_change() for "net changesecretpw"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
4ae6a3ffb233c9b9576a3b5bb15a51ee56e4dbc3)
Stefan Metzmacher [Mon, 22 May 2017 18:47:17 +0000 (20:47 +0200)]
s3:trusts_util: make use the workstation password change more robust
We use secrets_{prepare,failed,defer,finish}_password_change() to make
the process more robust.
Even if we just just verified the current password with the DC
it can still happen that the remote password change will fail.
If a server has the RefusePasswordChange=1 under
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,
it will reject NetrServerPasswordSet2() with NT_STATUS_WRONG_PASSWORD.
This results in a successful local change, but a failing remote change,
which means the domain membership is broken (as we don't fallback to
the previous password for ntlmssp nor kerberos yet).
An (at least Samba) RODC will also reject a password change,
see https://bugzilla.samba.org/show_bug.cgi?id=12773.
Even with this change we still have open problems, e.g. if the password was
changed, but we didn't get the servers response. In order to fix that we need
to use only netlogon and lsa over unprotected transports, just using schannel
authentication (which supports the fallback to the old password).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
40c42af11fda062fef9df96a9b5ae3e02709f07c)
Stefan Metzmacher [Wed, 17 May 2017 08:29:59 +0000 (10:29 +0200)]
s3:libnet: make use of secrets_store_JoinCtx()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
c3ad8be5d5192070c599350d6ab28c064206b6cf)
Stefan Metzmacher [Wed, 24 May 2017 16:05:40 +0000 (18:05 +0200)]
net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
c7c17d9f503d6037aa8ed0bd7ab7cf52f5f28382)
Stefan Metzmacher [Fri, 19 May 2017 14:28:17 +0000 (16:28 +0200)]
s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
We now store various hashed keys at change time and maintain a lot of details
that will help debugging failed password changes.
We keep storing the legacy values:
SECRETS/SID/
SECRETS/DOMGUID/
SECRETS/MACHINE_LAST_CHANGE_TIME/
SECRETS/MACHINE_PASSWORD/
SECRETS/MACHINE_PASSWORD.PREV/
SECRETS/SALTING_PRINCIPAL/DES/
This allows downgrades to older Samba versions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
5f0038fba612afd7fc15b7ab321df979891170d8)
Stefan Metzmacher [Wed, 17 May 2017 08:11:18 +0000 (10:11 +0200)]
secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
This blob will be store in secrets.tdb. It makes it possible to store much
more useful details about the workstation trust.
The key feature that that triggered this change is the ability
to store details for the next password change before doing
the remote change. This will allow us to recover from failures.
While being there I also thought about possible new features,
which we may implement in the near future.
We also store the raw UTF16 like cleartext buffer as well as derived
keys like the NTHASH (arcfour-hmac-md5 key) and other kerberos keys.
This will allow us to avoid recalculating the keys for an in memory
keytab in future.
I also added pointer to an optional lsa_ForestTrustInformation structure,
which might be useful to implement multi-tenancy in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
a59c9cba31a801d90db06b767cfd44776f4ede77)
Stefan Metzmacher [Wed, 17 May 2017 08:09:01 +0000 (10:09 +0200)]
netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
28ac10503476de3c000b3deee2c1f67e0b305578)
Stefan Metzmacher [Wed, 17 May 2017 09:35:37 +0000 (11:35 +0200)]
netlogon.idl: make netr_TrustFlags [public]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
60274475332dafdfb829a7c086ea09cd9ed00540)
Stefan Metzmacher [Wed, 17 May 2017 09:35:20 +0000 (11:35 +0200)]
lsa.idl: make lsa_DnsDomainInfo [public]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
ea0798881a7aaf5897a3a3806149536d3d54fc3b)
Stefan Metzmacher [Wed, 21 Jun 2017 19:30:39 +0000 (21:30 +0200)]
s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
Even in the case where only the password is known to the server, we should
try to leave a valid authentication behind.
We have better ways to indentify which password worked than only using
the current one.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
d60404b032eca5384d889352f52b9b129861b4af)
Stefan Metzmacher [Tue, 13 Jun 2017 09:18:37 +0000 (11:18 +0200)]
libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
0f5945a06df4bef501ca5085c621294057007225)
Stefan Metzmacher [Tue, 13 Jun 2017 09:17:03 +0000 (11:17 +0200)]
libcli/auth: add const to set_pw_in_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
1b48c8515ed8fd29204c82cc47f958f4636cd494)
Stefan Metzmacher [Mon, 22 May 2017 18:44:40 +0000 (20:44 +0200)]
libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
This way the caller can pass more than 2 hashes and can only
know which hash was used for a successful connection.
We allow up to 4 hashes (next, current, old, older).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
ddd7ac68ccae8b4df6c6a65b3dad20e21924f538)
Stefan Metzmacher [Mon, 22 May 2017 13:36:29 +0000 (15:36 +0200)]
s3:trusts_util: pass dcname to trust_pw_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
1421abfc733247a6b71eefd819dfeae7151a6d78)
Stefan Metzmacher [Wed, 24 May 2017 03:56:32 +0000 (05:56 +0200)]
s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
We just want all values to be removed at the end, it doesn't matter
if they didn't existed before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
bfe35abc1fb15e70a99fa74d064051a1ad541ed0)
Stefan Metzmacher [Mon, 22 May 2017 10:44:31 +0000 (12:44 +0200)]
s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
dfaadc81925e313901c9b30cd98a4b4fd2404f9d)
Stefan Metzmacher [Mon, 22 May 2017 10:40:05 +0000 (12:40 +0200)]
s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
cf8a4646fe71a974b6a5ee13ae7d7751a5a0adc9)
Stefan Metzmacher [Mon, 22 May 2017 10:31:01 +0000 (12:31 +0200)]
s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
5bc2764fe517748c03a57b61f2f7ef889c92825d)
Stefan Metzmacher [Wed, 24 May 2017 04:44:32 +0000 (06:44 +0200)]
s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
5b95cb74e7b2838d228f9773c0e20982b81d1e7d)
Stefan Metzmacher [Mon, 22 May 2017 10:27:45 +0000 (12:27 +0200)]
s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
45eea321a6faa6db1c9c706a27527cc0766dc831)
Stefan Metzmacher [Mon, 22 May 2017 10:21:37 +0000 (12:21 +0200)]
s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
c5ded1123797b2bd152b0989e24eba7cae6a5792)
Stefan Metzmacher [Mon, 22 May 2017 10:21:37 +0000 (12:21 +0200)]
s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
fde4af1c329655d7ef3f55727632b3f026a3ea73)
Stefan Metzmacher [Tue, 20 Jun 2017 11:07:15 +0000 (13:07 +0200)]
s3:secrets: rename secrets_delete() to secrets_delete_entry()
secrets_delete_entry() fails if the key doesn't exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
cd1e888773c4fd3db63ce38a496fc3d54eb8e021)
Stefan Metzmacher [Mon, 22 May 2017 10:18:33 +0000 (12:18 +0200)]
s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
4e37d7805b345d80ca6e8a598e39fc81f72a27ce)
Stefan Metzmacher [Wed, 21 Jun 2017 17:38:15 +0000 (19:38 +0200)]
s3:secrets: add some const to secrets_store_domain_guid()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
99013685a1114829579e420df3625ed79eb7ee94)
Stefan Metzmacher [Mon, 22 May 2017 10:10:45 +0000 (12:10 +0200)]
s3:secrets: split out a domain_guid_keystr() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
d37e30cef7906b7b2b14351ad81d0d884811557b)
Stefan Metzmacher [Mon, 22 May 2017 09:38:12 +0000 (11:38 +0200)]
s3:secrets: rework des_salt_key() to take the realm as argument
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
072dd87e639d7dbfc583ede5ddf6559d9d433b8b)
Stefan Metzmacher [Fri, 19 May 2017 15:17:00 +0000 (17:17 +0200)]
s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
These don't use any krb5_context related functions and they just
work on secrets.tdb, so they really belong to machine_account_secrets.c.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
504b446d8dc7410ad63eba9d214e9cf271cf3b2f)
Stefan Metzmacher [Fri, 19 May 2017 15:09:20 +0000 (17:09 +0200)]
s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
1a26805ad9f19f02a52d9eaa4f2f11ff20ee76ac)
Stefan Metzmacher [Fri, 19 May 2017 15:08:24 +0000 (17:08 +0200)]
s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
b0928a2687a9ffe92ebdce7b5252781d62e7e02d)
Stefan Metzmacher [Fri, 19 May 2017 15:04:36 +0000 (17:04 +0200)]
s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
51ae7b42d4d52016b39b79447a3e28d473e676cb)
Stefan Metzmacher [Fri, 19 May 2017 14:28:42 +0000 (16:28 +0200)]
s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
1d1cf9792f9227e65857c85ff66a961331e3c16e)
Stefan Metzmacher [Fri, 19 May 2017 14:15:34 +0000 (16:15 +0200)]
s3:libads: provide a simpler kerberos_fetch_salt_princ() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
5fe939e32cdaf7bb5b6dac67e7b0118ce65846be)
Stefan Metzmacher [Fri, 19 May 2017 14:01:55 +0000 (16:01 +0200)]
s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
with an automatic password change nor rejoin. It also means
that the KDC only has salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client whould try to use a des key to contact the smb server.
Having this legacy code adds quite some complexity for no
good reason.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
487b4717b58a6f1ba913708ce8419145b7f4fac8)
Stefan Metzmacher [Thu, 18 May 2017 14:02:44 +0000 (16:02 +0200)]
s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
7d2eea39112fd69d2b710181b23301562efea387)
Stefan Metzmacher [Thu, 18 May 2017 13:59:00 +0000 (15:59 +0200)]
s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()
We should not store the secrets before we did all remote changes
(except the optional dns updates).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
a922e01baeccedc3ffc8a893f1d6072bb203220f)
Stefan Metzmacher [Thu, 18 May 2017 13:52:59 +0000 (15:52 +0200)]
s3:libnet_join: call do_JoinConfig() after we did remote changes on the server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
559de1e7236fd4a38f2a1f9980216db95d0430ce)
Stefan Metzmacher [Thu, 18 May 2017 13:50:49 +0000 (15:50 +0200)]
s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
0ab7944a2b00df4aa155a239c86f97e4e731b864)
Stefan Metzmacher [Thu, 18 May 2017 13:48:49 +0000 (15:48 +0200)]
s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()
We should separate the calculation and the storing steps.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
0c65d5f41023076fd201c3a179df77dd615cdb01)
Stefan Metzmacher [Thu, 18 May 2017 13:40:25 +0000 (15:40 +0200)]
s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
549c9d9a07d3002442cbbb7a90d0a7fef4a92bff)
Stefan Metzmacher [Thu, 18 May 2017 13:38:26 +0000 (15:38 +0200)]
s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
3b13e4d2d0f73c6374ffdae57528cd1a7f333792)
Stefan Metzmacher [Wed, 17 May 2017 13:45:22 +0000 (15:45 +0200)]
s3:libnet_join: remember the domain_guid for AD domains
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
fc2bad0cf34fca5e65fba7e036acf1d8c61f05c0)
Stefan Metzmacher [Wed, 17 May 2017 13:45:22 +0000 (15:45 +0200)]
s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
03e455f5a815ce2134e216dc28929646a964384f)
Stefan Metzmacher [Wed, 17 May 2017 11:53:19 +0000 (13:53 +0200)]
s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
826223cc8d36871c2bcb37fe23241f1dbe99a0db)
Stefan Metzmacher [Wed, 17 May 2017 10:42:04 +0000 (12:42 +0200)]
s3:libnet_join: remove dead code from libnet_join_connect_ads()
username[strlen(username)] is *always* '\0'!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
5958c6790fbceb39065353c07fe25f74ddf09ef0)
Stefan Metzmacher [Thu, 18 May 2017 09:32:46 +0000 (11:32 +0200)]
krb5_wrap: add smb_krb5_salt_principal2data()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
ec2da944d304852d76137e8f9d234462bc807c6b)
Stefan Metzmacher [Wed, 17 May 2017 15:13:02 +0000 (17:13 +0200)]
krb5_wrap: add smb_krb5_salt_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
5df46700cfb0a15fec2d366e12728cd497188741)
Stefan Metzmacher [Wed, 17 May 2017 14:13:37 +0000 (16:13 +0200)]
s3:libads: remove unused kerberos_secrets_store_salting_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
c56043a94a10c76a220ce3c7eb7cb8cf2e992cab)
Stefan Metzmacher [Wed, 17 May 2017 13:05:51 +0000 (15:05 +0200)]
s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
4260b52a399667bcdbaa375a20952237ff68449c)
Stefan Metzmacher [Mon, 12 Jun 2017 15:58:46 +0000 (17:58 +0200)]
idl_types.h: add NDR_SECRET shortcut
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
969ab12c56cd12dcc0e63e9b662397c1604a0cc0)
Stefan Metzmacher [Mon, 12 Jun 2017 15:58:20 +0000 (17:58 +0200)]
librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
32aa3a199dfd61eb5982e158008964b4747599b8)
Stefan Metzmacher [Mon, 12 Jun 2017 13:22:42 +0000 (15:22 +0200)]
librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags
The range included the unused (1<<14) before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
91d8272e8604b5d87bcc0ce365b553bc760c8ed3)
Stefan Metzmacher [Mon, 12 Jun 2017 16:58:49 +0000 (18:58 +0200)]
pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
81bbfb010599b65308aca89cc50532372ca4cb00)
Stefan Metzmacher [Mon, 10 Jul 2017 09:29:58 +0000 (11:29 +0200)]
s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface()
The result is only used temporary and should not be leaked on a long term
memory context as 'conn'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12890
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
77cbced5d2f8bf65c8d02f5edfaba8cbad519d08)
Ralph Boehme [Fri, 7 Jul 2017 11:12:19 +0000 (13:12 +0200)]
selftest: add a test for accessing previous version of directories with snapdirseverywhere
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Jul 8 00:33:51 CEST 2017 on sn-devel-144
(cherry picked from commit
cc9ba98c08665e0ed6927fd81fa43a7bb7842e45)
Ralph Boehme [Fri, 7 Jul 2017 10:57:57 +0000 (12:57 +0200)]
s3/smbd: let non_widelink_open() chdir() to directories directly
If the caller passes O_DIRECTORY we just try to chdir() to smb_fname
directly, not to the parent directory.
The security check in check_reduced_name() will continue to work, but
this fixes the case of an open() for a previous version of a
subdirectory that contains snapshopt.
Eg:
[share]
path = /shares/test
vfs objects = shadow_copy2
shadow:snapdir = .snapshots
shadow:snapdirseverywhere = yes
Directory tree with fake snapshots:
$ tree -a /shares/test/
/shares/test/
├── dir
│ ├── file
│ └── .snapshots
│ └── @GMT-2017.07.04-04.30.12
│ └── file
├── dir2
│ └── file
├── file
├── .snapshots
│ └── @GMT-2001.01.01-00.00.00
│ ├── dir2
│ │ └── file
│ └── file
└── testfsctl.dat
./bin/smbclient -U slow%x //localhost/share -c 'ls @GMT-2017.07.04-04.30.12/dir/*'
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \@GMT-2017.07.04-04.30.12\dir\*
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
b886a9443d49f6e27fa3863d87c9e24d12e62874)
Garming Sam [Thu, 1 Jun 2017 02:36:07 +0000 (14:36 +1200)]
dnsserver: Stop dns_name_equal doing OOB read
This has been the cause of a large number of flakey autobuilds. Every
now and again dns_name_equal would not be equal between two empty
strings, thus causing failures.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12813
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 1 19:34:38 CEST 2017 on sn-devel-144
(cherry picked from commit
5ccfd38156ddf2435df15600638cde8ed020958f)
Andrew Bartlett [Thu, 20 Apr 2017 02:08:20 +0000 (14:08 +1200)]
selftest: Do not enable inbound replication during replica_sync
Instead we should use the forced=True to only do a very specific
replication, and so avoid noise from any other DC also live
on the network. This extra replication in turn causes (and this
patch fixes) flapping replica_sync tests.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12753
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Apr 22 05:19:11 CEST 2017 on sn-devel-144
(cherry picked from commit
52349a7e69a933cbfe410241c7ad80d012886e02)
Stefan Metzmacher [Wed, 12 Jul 2017 11:34:37 +0000 (13:34 +0200)]
VERSION: Bump version up to 4.6.7...
and re-enable GIT_SNAPSHOTS.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 12 Jul 2017 11:32:22 +0000 (13:32 +0200)]
Merge branch 'v4-6-stable' into v4-6-test
Andrew Bartlett [Wed, 12 Jul 2017 03:07:52 +0000 (15:07 +1200)]
VERSION: Release Samba 4.6.6 for CVE-2017-11103
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 12 Jul 2017 03:06:31 +0000 (15:06 +1200)]
WHATSNEW: Add release notes for Samba 4.6.6.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeffrey Altman [Wed, 12 Apr 2017 19:40:42 +0000 (15:40 -0400)]
CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894
(based on heimdal commit
6dd3eb836bbb80a00ffced4ad57077a1cdf227ea)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 28 Jun 2017 12:58:41 +0000 (14:58 +0200)]
s3:tests: Do *NOT* flush the complete gencache!
This removes important entries winbindd created during startup!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12868
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
45da755430c6b124335c9dfeb8a252060823ac4c)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Thu Jul 6 13:17:19 CEST 2017 on sn-devel-144
Andreas Schneider [Wed, 28 Jun 2017 12:49:45 +0000 (14:49 +0200)]
selftest: Do *NOT* flush the complete gencache!
This removes *IMPORTANT* entries from the gencache winbindd creates on
startup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12868
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0a0fbaacbcbaa52ed5008e84958e2aea90cdba7c)
Stefan Metzmacher [Fri, 30 Jun 2017 04:24:01 +0000 (06:24 +0200)]
ldb: protect Samba < 4.7 against incompatible ldb versions and require ldb < 1.2.0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12859
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Mon Jul 3 15:15:14 CEST 2017 on sn-devel-144
Stefan Metzmacher [Fri, 30 Jun 2017 04:21:32 +0000 (06:21 +0200)]
wafsamba: add maxversion and version_blacklist to CHECK_BUNDLED_SYSTEM[_PKG]()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12859
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
4ca48ee4d060f773dcdf9f78a5e4c1b1263b61f4)
Michael Saxl [Sat, 24 Jun 2017 11:41:48 +0000 (13:41 +0200)]
s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab()
If the keytab file isn't readable, we may call
krb5_kt_end_seq_get() with an invalid kt_cursor.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10490
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Saxl <mike@mwsys.mine.bz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
a9780a2eaa9cba4ab87cc3371d97fa494fa0198c)
Andrew Bartlett [Thu, 15 Jun 2017 04:20:11 +0000 (16:20 +1200)]
selftest: Also wait for winbindd to start
This ensures that the posixacl.py test does not race against winbindd starting up and so
give wrong mappings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12843
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
1b88c5d4c0e5da2e4092a06f6cd6bf3c8b767883)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Fri Jun 30 14:53:30 CEST 2017 on sn-devel-144
Stefan Metzmacher [Fri, 9 Jun 2017 10:30:33 +0000 (12:30 +0200)]
s3:smb2_create: avoid reusing the 'tevent_req' within smbd_smb2_create_send()
As the caller ("smbd_smb2_request_process_create()") already sets the callback,
the first time, it's not safe to reuse the tevent_req structure.
The typical 'tevent_req_nterror(); return tevent_req_post()' will
crash as the tevent_req_nterror() already triggered the former callback,
which calls smbd_smb2_create_recv(), were tevent_req_received() invalidates
the tevent_req structure, so that tevent_req_post() will crash.
We just remember the required values from the old state
and move them to the new state.
We tried to write reproducers for this, but sadly weren't able to trigger
the backtrace we had from a create a customer (using recent code)
with commit
6beba782f1bf951236813e0b46115b8102212c03
included. And this patch fixed the situation for the
customer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12832
Pair-Programmed-With: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
02146ea5ee729de0e49ecf617e6983f4e61fbe59)
Stefan Metzmacher [Fri, 12 May 2017 07:10:19 +0000 (09:10 +0200)]
auth/spnego: fix gensec_update_ev() argument order for the SPNEGO_FALLBACK case
This went unnoticed so long as we don't use -Wc++-compat
and gensec_update_ev() used the sync update() hook for all
NTLMSSP and Kerberos.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
31691963b3d9ac460df0c56d36f81ec815db0225)
Stefan Metzmacher [Fri, 5 May 2017 16:49:37 +0000 (18:49 +0200)]
s3:smbd: unimplement FSCTL_VALIDATE_NEGOTIATE_INFO with "server max protocol = SMB2_02"
A client that supports SMB3 will do a signed FSCTL_VALIDATE_NEGOTIATE_INFO
after a tree connect. This FSCTL_VALIDATE_NEGOTIATE_INFO call contains
the client capabilities, client guid, security mode and the array of supported
dialects. But if SMB 2.02 is negotiated the doesn't send these values to the
server in the first connection attempt (when the client starts with a SMB1 Negotiate).
Windows servers that only support SMB2 just return NT_STATUS_FILE_CLOSED
as answer to FSCTL_VALIDATE_NEGOTIATE_INFO.
We should do the same if we just pretend to support SMB 2.02,
as SMB 2.10 always include an SMB2 Negotiate request we can leave it as is.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12772
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
295c9f7b322e6377d0df1b49cb26597d66e80eda)
Stefan Metzmacher [Tue, 25 Apr 2017 11:25:10 +0000 (13:25 +0200)]
samba-tool: fix log message of 'samba-tool user syncpasswords'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12768
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri May 5 01:37:45 CEST 2017 on sn-devel-144
(cherry picked from commit
4c17850ae7b6c85e99e5d4d5bc5d8e89a9ba6d47)
Andreas Schneider [Mon, 26 Jun 2017 21:18:30 +0000 (23:18 +0200)]
s3:tests: Do not delete the contets of LOCAL_PATH with tarmode test
The test_smbclient_tarmode.pl test operates on $LOCAL_PATH by default
and removes everything. So it deletes all precreated files and
directories which the setup_fileserver() function initially set up.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12867
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
4f5cfe2713294462b9dc68afbec2ea2c72230885)
Stefan Metzmacher [Sat, 24 Jun 2017 11:16:03 +0000 (13:16 +0200)]
auth/ntlmssp: enforce NTLMSSP_NEGOTIATE_NTLM2 for the NTLMv2 client case
Some servers may not announce the NTLMSSP_NEGOTIATE_NTLM2
(a.k.a. NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) bit.
But if we're acting as a client using NTLMv2 we need to
enforce this flag, because it's not really a negotiationable
in that case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12862
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
8ee4f8236830eb3fa1b273fa6927792a800f86bd)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Wed Jun 28 15:19:53 CEST 2017 on sn-devel-144
Daniel Kobras [Fri, 23 Jun 2017 13:39:21 +0000 (15:39 +0200)]
s3: smbd: fix regression with non-wide symlinks to directories over SMB3.
The errno returned by open() is ambiguous when called with flags O_NOFOLLOW and
O_DIRECTORY on a symlink. With ELOOP, we know for certain that we've tried to
open a symlink. With ENOTDIR, we might have hit a symlink, and need to perform
further checks to be sure. Adjust non_widelink_open() accordingly. This fixes
a regression where symlinks to directories within the same share were no
longer followed for some call paths on systems returning ENOTDIR in the above
case.
Also remove the knownfail added in previous commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12860
Signed-off-by: Daniel Kobras <d.kobras@science-computing.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
acc16592b451905dabc093f1d261e93cd3b59520)
Jeremy Allison [Fri, 23 Jun 2017 18:12:22 +0000 (11:12 -0700)]
s3: smbd: Add regression test for non-wide symlinks to directories fail over SMB3.
Mark as knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12860
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
f1f388ef80a6516c2f44b7778420f8ffe28c6471)
Bernhard M. Wiedemann via samba-technical [Mon, 26 Jun 2017 07:46:18 +0000 (09:46 +0200)]
docs-xml: Sort input file list
because filesystems return entries in undeterministic order
and that ends up in index.xml and influences index.html
preventing reproducible builds of samba packages (e.g. for openSUSE)
See https://reproducible-builds.org/ for why this matters
Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Jun 27 16:56:06 CEST 2017 on sn-devel-144
(cherry picked from commit
eedebe2ef1b6ff92975289b6076f236650744621)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12854
Jeremy Allison [Tue, 13 Jun 2017 23:56:48 +0000 (16:56 -0700)]
s3: libsmb: Correctly save and restore connection tcon in smbclient, smbcacls and smbtorture3.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12831
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit
bd31d538a26bb21cbb53986a6105204da4392e2d)
Jeremy Allison [Tue, 13 Jun 2017 23:37:39 +0000 (16:37 -0700)]
s3: libsmb: Correctly do lifecycle management on cli->smb1.tcon and cli->smb2.tcon.
Treat them identically. Create them on demand after for a tcon call,
and delete them on a tdis call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12831
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit
50f50256aa8805921c42d0f9f2f8f89d06d9bd93)