Jeremy Allison [Wed, 16 Mar 2016 22:09:12 +0000 (15:09 -0700)]
examples: Remove all uses of strcpy in examples (except for validchr.c).
I can't figure out how to make git handle the CR/LF differences
in this file.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Jeremy Allison [Wed, 16 Mar 2016 16:37:42 +0000 (09:37 -0700)]
nsswitch: linux: Remove use of strcpy().
The previous use was safe, but having *any* use of strcpy inside
our code sets off security flags. Replace with an explicit length
calculation and memcpy.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Michael Adam [Tue, 15 Mar 2016 08:06:56 +0000 (09:06 +0100)]
torture:smb2: add durable-v2-open.reopen1a-lease
Lease variant of the reopen1a test which tests the
relevance of the client guid.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 22 03:47:02 CET 2016 on sn-devel-144
Michael Adam [Tue, 15 Mar 2016 08:02:28 +0000 (09:02 +0100)]
torture:smb2: for oplocks, durable reconnect works with different client-guid
for durable-v2-open.reopen1a
Try both different and original client guid.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Thu, 17 Mar 2016 01:35:35 +0000 (02:35 +0100)]
torture:smb2: get rid of superfluous io2 var in durable-v2-open.reopen1a
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Tue, 15 Mar 2016 08:44:06 +0000 (09:44 +0100)]
torture:smb2: fix crashes in smb2.durable-v2-open.reopen1a test
If the test failed too early, we dereferenced tree2 which
was still NULL.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Tue, 15 Mar 2016 08:39:43 +0000 (09:39 +0100)]
torture:smb2: use assert, not warning in error case in durable-v2-open.reopen1a
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Tue, 15 Mar 2016 09:02:14 +0000 (10:02 +0100)]
torture:smb2: add durable-open.reopen1a-lease
Lease variant of the reopen1a test which tests the
relevance of the client guid.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Tue, 15 Mar 2016 07:59:53 +0000 (08:59 +0100)]
torture:smb2: for oplocks, durable reconnect works with different client guid
in durable-open.reopen1a test
Try both original and a different client guid.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Thu, 17 Mar 2016 01:45:16 +0000 (02:45 +0100)]
torture:smb2: durable-open.reopen1a only needs one io struct
Using two is confusing.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Fri, 4 Mar 2016 21:55:40 +0000 (22:55 +0100)]
torture:smb2: fix crashes in smb2.durable-open.reopen1a test
If the test failed too early, we dereferenced tree2 which
was still NULL.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Tue, 15 Mar 2016 08:35:03 +0000 (09:35 +0100)]
torture:smb2: use assert, not warning in error case in durable-open.reopen1a
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Anubhav Rakshit [Thu, 30 Oct 2014 07:50:57 +0000 (13:20 +0530)]
torture:smb2: Add test replay6 to verify Error Codes for DurableHandleReqV2 replay
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Anubhav Rakshit <anubhav.rakshit@gmail.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Günther Deschner [Wed, 24 Feb 2016 18:23:21 +0000 (19:23 +0100)]
lib/torture: add torture_assert_u64_not_equal_goto macro
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Günther Deschner [Thu, 25 Feb 2016 10:15:06 +0000 (11:15 +0100)]
torture:smb2: add test for checking sequence number wrap around.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Günther Deschner [Tue, 1 Mar 2016 14:15:10 +0000 (15:15 +0100)]
libcli:smb:smbXcli_base: add smb2cli_session_current_channel_sequence() call.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Sat, 27 Feb 2016 13:02:02 +0000 (14:02 +0100)]
smbd:smb2: add some asserts before decrementing the counters
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Tue, 23 Feb 2016 19:54:34 +0000 (20:54 +0100)]
smbd:smb2: update outstanding request counters before sending a reply
This is part of the channel sequence number treatment of multi-channel.
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Wed, 24 Feb 2016 14:54:41 +0000 (15:54 +0100)]
smbd:smb2: implement channel sequence checks and request counters in dispatch
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Tue, 15 Mar 2016 11:36:59 +0000 (12:36 +0100)]
smbd:smb2: add request_counters_updated to the smbd_smb2_request struct
This will be used to keep track of whether the outstanding request
counters have been updated in the dispatch, so that the reply
code can act accordingly.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Wed, 24 Feb 2016 14:51:14 +0000 (15:51 +0100)]
smbd:smb2: add a modify flag to dispatch table
This indicates that an operation is a modifying operation.
Some parts of the upcoming channel sequence number logic
only apply to modify operations.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Günther Deschner [Wed, 27 Jan 2016 15:18:25 +0000 (16:18 +0100)]
s3:smbXsrv.idl: add 8 byte channel_sequence number and request counters to IDL.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Fri, 18 Mar 2016 11:03:28 +0000 (12:03 +0100)]
lib: Update nss_wrapper to version 1.1.3
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Wed, 16 Mar 2016 14:12:41 +0000 (15:12 +0100)]
lib: Update uid_wrapper to version 1.2.1
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Tue, 15 Mar 2016 14:47:08 +0000 (15:47 +0100)]
lib: Update socket_wrapper to version 1.1.6
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Martin Schwenke [Fri, 18 Mar 2016 00:49:49 +0000 (11:49 +1100)]
ctdb-daemon: Replace an unsafe strcpy(3) call
Tweak another strncpy(3) call.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Jeremy Allison <jra@samba.org>
Martin Schwenke [Fri, 18 Mar 2016 09:41:45 +0000 (20:41 +1100)]
ctdb-daemon: Validate length of new interface names
Interface names that are too long will be truncated by strncpy(3)
later on. It is better to validate the length of each new interface
name to ensure it will be usable.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Jeremy Allison <jra@samba.org>
Douglas Bagnall [Tue, 15 Mar 2016 23:46:12 +0000 (12:46 +1300)]
ldb client controls: avoid talloc_memdup(x, y, (size_t)-1);
ldb_base64_decode() returns -1 if a string can't be parsed as base64,
and this is not the kind of value you want to use in talloc_memdup().
In these cases it can happen innocently if the strings are truncated
to fit in their buffers.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 19 00:56:42 CET 2016 on sn-devel-144
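The failure mode this commit describes, as an added C example that is not code from the Samba tree: `demo_base64_decode()` and `demo_memdup()` are constructed stand-ins for `ldb_base64_decode()` and `talloc_memdup()`, and the 16-byte buffer and sample strings are assumptions chosen so that a valid string fails to decode only after truncation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map one base64 character to its 6-bit value, or -1 if it is not base64. */
static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Constructed stand-in for ldb_base64_decode(): decodes s in place and
 * returns the decoded length, or -1 if s cannot be parsed as base64. */
int demo_base64_decode(char *s)
{
    size_t len = strlen(s), i, out = 0, pad = 0;
    uint32_t acc = 0;
    int bits = 0;

    if (len % 4 != 0) return -1;          /* a truncated string lands here */
    while (len > 0 && pad < 2 && s[len - 1] == '=') { len--; pad++; }
    for (i = 0; i < len; i++) {
        int v = b64_val((unsigned char)s[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            s[out++] = (char)((acc >> bits) & 0xff);
        }
    }
    return (int)out;
}

/* Constructed stand-in for talloc_memdup(): copy len bytes to a new buffer. */
static void *demo_memdup(const void *p, size_t len)
{
    void *r = malloc(len ? len : 1);
    if (r != NULL) memcpy(r, p, len);
    return r;
}

/* Parse one base64 field of a control string. The field is first copied into
 * a fixed-size buffer (size is an assumption), so an over-long but valid
 * field is silently truncated and then fails to decode.
 * Returns 0 on success, -1 on malformed input or allocation failure. */
int parse_control_value(const char *field, uint8_t **out, size_t *out_len)
{
    char buf[16];
    size_t n = strlen(field);
    int dlen;

    *out = NULL;
    *out_len = 0;
    if (n >= sizeof(buf)) n = sizeof(buf) - 1;   /* silent truncation */
    memcpy(buf, field, n);
    buf[n] = '\0';

    dlen = demo_base64_decode(buf);
    if (dlen < 0) {
        /* Without this check the -1 would be converted to (size_t)-1,
         * i.e. SIZE_MAX, and passed on as the number of bytes to copy. */
        return -1;
    }
    *out = demo_memdup(buf, (size_t)dlen);
    if (*out == NULL) return -1;
    *out_len = (size_t)dlen;
    return 0;
}

int main(void)
{
    uint8_t *v;
    size_t len;
    /* Constructed inputs: "hello", and 12 bytes "ABCDEFGHIJKL" (16 chars). */
    printf("short field: %d\n", parse_control_value("aGVsbG8=", &v, &len));
    free(v);
    printf("long field:  %d\n", parse_control_value("QUJDREVGR0hJSktM", &v, &len));
    free(v);
    return 0;
}
```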
Shyamsunder Rathi [Thu, 10 Mar 2016 20:37:49 +0000 (12:37 -0800)]
s3/vfs:stream_depots: Parse substitutions in streams-depot-directory path
At present, substitutions in the streams directory path are ignored. Fix it
by modifying 'stream_dir' function to call 'lp_parm_talloc_string' which
internally calls 'lp_string' on the path.
Signed-off-by: Shyamsunder Rathi <shyam.rathi@nutanix.com>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 14:30:00 +0000 (15:30 +0100)]
s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 18 12:39:51 CET 2016 on sn-devel-144
Ralph Boehme [Thu, 17 Mar 2016 13:05:58 +0000 (14:05 +0100)]
s3:mdssvc: older glib2 versions require g_type_init()
Older glib2 versions will crash if g_type_init is not called:
(process:6712): GLib-GObject-CRITICAL **: ... ./gobject/gtype.c:2722:
You forgot to call g_type_init()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11801
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 18 03:52:55 CET 2016 on sn-devel-144
Volker Lendecke [Tue, 15 Mar 2016 20:00:30 +0000 (21:00 +0100)]
libsmb: Fix CID 1356312 Explicit null dereferenced
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 15 Mar 2016 19:55:37 +0000 (20:55 +0100)]
ctdb: Fix CID 1356313 Explicit null dereferenced
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 15 Mar 2016 19:48:19 +0000 (20:48 +0100)]
lib: Fix CID 1356315 Dereference before null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 15 Mar 2016 19:38:02 +0000 (20:38 +0100)]
crypto: Fix CID 1356314 Resource leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 15 Mar 2016 19:34:27 +0000 (20:34 +0100)]
libads: Fix CID 1356316 Uninitialized pointer read
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Günther Deschner [Sat, 26 Sep 2015 00:20:50 +0000 (02:20 +0200)]
s3-auth: check for return code of cli_credentials_set_machine_account().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 17 20:43:19 CET 2016 on sn-devel-144
Günther Deschner [Sat, 26 Sep 2015 00:18:44 +0000 (02:18 +0200)]
s4-smb_server: check for return code of cli_credentials_set_machine_account().
We keep anonymous server_credentials structure in order to let
the rpc.spoolss.notify start its test server.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 26 Jun 2015 06:10:46 +0000 (08:10 +0200)]
s4:rpc_server: require access to the machine account credentials
Even a standalone server should be selfjoined.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 15 Dec 2015 14:08:43 +0000 (15:08 +0100)]
auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
We only need this logic once.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 10 Jul 2015 11:01:47 +0000 (13:01 +0200)]
auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
ops->auth_type == 0, means the backend doesn't support DCERPC.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 11 Mar 2016 01:55:30 +0000 (02:55 +0100)]
s4:torture/rpc/schannel: don't use validation level 6 without privacy
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 11 Mar 2016 17:09:26 +0000 (18:09 +0100)]
s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 14 Mar 2016 00:56:07 +0000 (01:56 +0100)]
s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 10 Mar 2016 16:24:03 +0000 (17:24 +0100)]
s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 22 Dec 2015 11:10:12 +0000 (12:10 +0100)]
s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
This creates a schannel connection to netlogon, this makes the tests
more realistic.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 22 Dec 2015 08:13:46 +0000 (09:13 +0100)]
s3:test_rpcclient_samlogon.sh: test samlogon with schannel
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 06:10:06 +0000 (07:10 +0100)]
s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)]
selftest: setup information of new samba.example.com CA in the client environment
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)]
selftest: set tls crlfile if it exists
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)]
selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 9 Jan 2016 20:21:25 +0000 (21:21 +0100)]
selftest: add Samba::prepare_keyblobs() helper function
This copies the certificates from the samba.example.com CA if they
exist.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 9 Jan 2016 00:06:05 +0000 (01:06 +0100)]
selftest: mark commands in manage-CA-samba.example.com.sh as DONE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 9 Jan 2016 00:09:31 +0000 (01:09 +0100)]
selftest: add CA-samba.example.com binary files (currently unused by Samba)
This patch can be skipped, when it causes problems with tools like 'patch'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 9 Jan 2016 00:09:31 +0000 (01:09 +0100)]
selftest: add CA-samba.example.com (non-binary) files
The binary files will follow in the next, this allows the next
commit to be skipped as the binary files are not used by samba yet.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 9 Jan 2016 00:08:02 +0000 (01:08 +0100)]
selftest: add config and script to create a samba.example.com CA
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 9 Jan 2016 00:06:05 +0000 (01:06 +0100)]
selftest: add some helper scripts to manage a CA
This is partly based on the SmartCard HowTo from:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 16 Jan 2016 12:57:47 +0000 (13:57 +0100)]
selftest: s!addc.samba.example.com!addom.samba.example.com!
It's confusing to have addc.samba.example.com as domain name
and addc.addc.samba.example.com as hostname.
We now have addom.samba.example.com as domain name
and addc.addom.samba.example.com as hostname.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Amitay Isaacs [Thu, 10 Mar 2016 04:44:24 +0000 (15:44 +1100)]
ctdb-tests: Add a utility to parse ctdb packets
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Mar 17 13:56:41 CET 2016 on sn-devel-144
Amitay Isaacs [Thu, 10 Mar 2016 03:00:56 +0000 (14:00 +1100)]
ctdb-protocol: Add protocol debug routines
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Thu, 10 Mar 2016 04:43:37 +0000 (15:43 +1100)]
ctdb-protocol: Check header is not null before copying
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Andreas Schneider [Wed, 20 Jan 2016 12:25:16 +0000 (13:25 +0100)]
mit-kdb: Add missing SDB_F_FOR_AS_REQ for AS requests
This correctly handles enterprise principals and ticket renewal.
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 07:57:49 CET 2016 on sn-devel-144
Andreas Schneider [Fri, 4 Dec 2015 11:04:49 +0000 (12:04 +0100)]
mit-kdb: Fix segfault in krb5kdc dereferencing an invalid pointer
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 30 Nov 2015 12:27:29 +0000 (13:27 +0100)]
mit-kdb: Add support for KDB version 8
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 20 May 2015 15:20:13 +0000 (17:20 +0200)]
mit-kdb: Add support for bad password count
This fixes the samba4.ldap.password_lockout.python test.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Thu, 7 Aug 2014 13:04:42 +0000 (15:04 +0200)]
mit-kdb: Restrict admin/changepw principal db_entry with some flags
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Wed, 6 Aug 2014 13:17:47 +0000 (15:17 +0200)]
mit-kdb: Return 0 in kdb_samba_db_put_principal()
This allows the kadmin server to assume an update of a db_entry has
succeeded (while in fact the update_pwd call did the update already).
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 30 Jul 2015 12:47:11 +0000 (14:47 +0200)]
mit-kdb: Implement KDB function to change passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Mon, 4 Aug 2014 10:11:22 +0000 (12:11 +0200)]
mit-kdb: Use calloc to initialize master keylists.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 6 Aug 2014 13:38:41 +0000 (15:38 +0200)]
mit-kdb: Add ks_get_admin_principal() and use it for kadmin users.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 6 Aug 2014 13:37:41 +0000 (15:37 +0200)]
mit-kdb: Add ks_create_principal().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 6 Aug 2014 13:32:13 +0000 (15:32 +0200)]
mit-kdb: Do not allow to get a kadmin ticket as a client.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 6 Aug 2014 13:27:16 +0000 (15:27 +0200)]
mit-kdb: Add more ks_is_kadmin* functions.
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Fri, 16 May 2014 12:37:39 +0000 (14:37 +0200)]
mit-kdb: Use calloc so both authdata elements are zeroed
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Thu, 15 May 2014 07:05:25 +0000 (09:05 +0200)]
mit-kdb: Do not overwrite the error code in failure case.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 12 May 2014 08:49:24 +0000 (10:49 +0200)]
mit-kdb: Add initial MIT KDB Samba driver
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Simo Sorce <idra@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 23 Jul 2015 11:48:50 +0000 (13:48 +0200)]
wscript: Build the KDC code if we have the AD DC build enabled
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 30 Jul 2015 15:29:51 +0000 (17:29 +0200)]
mit_samba: Setup logging to stdout
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 20 May 2015 15:19:35 +0000 (17:19 +0200)]
mit_samba: Add function for handling bad password count
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 6 Aug 2014 13:41:05 +0000 (15:41 +0200)]
mit_samba: Add functions to generate random password and salt.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 30 Jul 2015 12:46:48 +0000 (14:46 +0200)]
mit_samba: Add function to change the password
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 30 Jul 2015 13:26:50 +0000 (15:26 +0200)]
mit_samba: Add ks_is_tgs_principal()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Mon, 12 May 2014 19:35:45 +0000 (21:35 +0200)]
mit_samba: Use talloc_zero in mit_samba_context_init().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 30 Jul 2015 12:36:55 +0000 (14:36 +0200)]
mit_samba: Directly pass the principal and kflags
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 12 May 2014 08:50:33 +0000 (10:50 +0200)]
mit_samba: Make mit_samba a shim layer between Samba and KDB
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Mon, 12 May 2014 12:33:14 +0000 (14:33 +0200)]
mit_samba: Use sdb in the mit_samba plugin
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Fri, 9 May 2014 11:45:19 +0000 (13:45 +0200)]
s4-kdc: Introduce a simple sdb_kdb shim layer
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Fri, 9 May 2014 11:44:05 +0000 (13:44 +0200)]
wscript: detect if we have libkdb5 and kdb.h.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 3 Feb 2015 12:00:34 +0000 (13:00 +0100)]
krb5-wrap: Use the principal returned by the KDC to create the ccache
We request a TGT in uppercase from the KDC. We turned on
canonicalization for that so the KDC returns the principal in lowercase
cause of this. As we use the uppercase principal to create the ccache we
fail to find the tickets we need later because it is stored in the
incorrect case. You have to use the principal returned by the KDC here.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Michael Adam [Wed, 16 Mar 2016 22:57:33 +0000 (23:57 +0100)]
smbd: fix use after free via conn->fsp_fi_cache
Some instrumentation of the durable reconnect
code uncovered a problem in the fsp_new, fsp_free pair:
vfs_default_durable_reconnect():
  fsp_new() ==> this does DLIST_ADD(fsp->conn->sconn->files, fsp)
  if (fsp->oplock_type == LEASE_OPLOCK) {
    find_fsp_lease(fsp, &key, l) ==> this fills conn->fsp_fi_cache
    if (client guids not equal) {
      fsp_free(fsp) ==> this does DLIST_REMOVE(fsp->conn->sconn->files, fsp)
    }
so after this code we have the fsp_fi_cache still pointing to the
free'd memory. The next call to find_fsp_lease will use the cache
and hence access the freed memory.
The fix consists in invalidating the cache in fsp_free() instead
of just in its wrapper file_free().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11799
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 17 04:31:10 CET 2016 on sn-devel-144
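A reduced model of the stale-cache pattern in this commit, as an added C example that is not code from the Samba tree: every `demo_*` name, the singly linked list and the one-entry cache layout are assumptions standing in for `fsp_new()`, `fsp_free()`, `file_free()` and `conn->fsp_fi_cache`. It compares invalidating the cache only in the wrapper with invalidating it in the free routine itself, and never dereferences the stale pointer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct demo_file {
    struct demo_file *next;
    uint64_t id;
};

struct demo_conn {
    struct demo_file *files;                 /* list of open files */
    struct {                                 /* one-entry lookup cache */
        bool valid;
        uint64_t id;
        struct demo_file *fsp;
    } cache;
};

static struct demo_file *demo_fsp_new(struct demo_conn *c, uint64_t id)
{
    struct demo_file *f = calloc(1, sizeof(*f));
    if (f == NULL) return NULL;
    f->id = id;
    f->next = c->files;                      /* add to the connection's list */
    c->files = f;
    return f;
}

/* Lookup by id. The fast path trusts the cache without walking the list,
 * so a stale entry hands a freed pointer straight to the caller. */
static struct demo_file *demo_find(struct demo_conn *c, uint64_t id)
{
    struct demo_file *f;
    if (c->cache.valid && c->cache.id == id) return c->cache.fsp;
    for (f = c->files; f != NULL; f = f->next) {
        if (f->id == id) {
            c->cache.valid = true;
            c->cache.id = id;
            c->cache.fsp = f;
            return f;
        }
    }
    return NULL;
}

static void demo_unlink(struct demo_conn *c, struct demo_file *f)
{
    struct demo_file **pp;
    for (pp = &c->files; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == f) { *pp = f->next; return; }
    }
}

static void demo_cache_invalidate(struct demo_conn *c, struct demo_file *f)
{
    if (c->cache.valid && c->cache.fsp == f) {
        c->cache.valid = false;
        c->cache.fsp = NULL;
    }
}

/* Before: the free routine only unlinks and frees. */
static void demo_fsp_free_before(struct demo_conn *c, struct demo_file *f)
{
    demo_unlink(c, f);
    free(f);
}

/* Before: only the wrapper knows about the cache, so any caller that uses
 * demo_fsp_free_before() directly leaves the cache pointing at freed memory. */
static void demo_file_free_before(struct demo_conn *c, struct demo_file *f)
{
    demo_cache_invalidate(c, f);
    demo_fsp_free_before(c, f);
}

/* After: invalidation lives in the free routine, covering every caller. */
static void demo_fsp_free_after(struct demo_conn *c, struct demo_file *f)
{
    demo_cache_invalidate(c, f);
    demo_unlink(c, f);
    free(f);
}

/* Replays new -> lookup (fills cache) -> direct free, then reports whether
 * the cache still claims to hold the freed object. */
bool cache_stale_after_direct_free(bool fixed)
{
    struct demo_conn c = {0};
    struct demo_file *f = demo_fsp_new(&c, 42);
    if (f == NULL || demo_find(&c, 42) != f) return false;
    if (fixed) demo_fsp_free_after(&c, f);
    else       demo_fsp_free_before(&c, f);
    return c.cache.valid;
}

int main(void)
{
    printf("before fix, stale cache: %d\n", cache_stale_after_direct_free(false));
    printf("after fix,  stale cache: %d\n", cache_stale_after_direct_free(true));
    return 0;
}
```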
Michael Adam [Mon, 14 Mar 2016 16:07:34 +0000 (17:07 +0100)]
idmap_hash: only allow the hash module for default idmap config.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
This module only makes sense as the default idmap config
("idmap config * : backend = hash" ...)
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Mon, 14 Mar 2016 16:06:34 +0000 (17:06 +0100)]
idmap_hash: rename be_init() --> idmap_hash_initialize()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Günther Deschner [Thu, 10 Mar 2016 11:21:52 +0000 (12:21 +0100)]
s3:winbindd:idmap: check loadparm in domain_has_idmap_config() helper as well.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Günther Deschner [Thu, 10 Mar 2016 09:39:15 +0000 (10:39 +0100)]
s3:winbindd:idmap_hash: skip domains that already have their own idmap configuration.
Check if the domain from the list is not already configured to use another idmap
backend. Not checking this makes the idmap_hash module map IDs for *all* domains
implicitly. This is quite dangerous in multi-idmap-config setups.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Thu, 10 Mar 2016 09:38:29 +0000 (10:38 +0100)]
s3:winbindd:idmap: add domain_has_idmap_config() helper function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Wed, 16 Mar 2016 18:20:02 +0000 (20:20 +0200)]
build: fix build when --without-quota specified
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11798
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 13 Mar 2016 06:18:47 +0000 (08:18 +0200)]
smbd: remove quota support for some ancient OSs
Remove quota support for SunOS4 and VxFS on Solaris 2
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Robin Hack [Mon, 14 Mar 2016 13:37:10 +0000 (14:37 +0100)]
samba3.blackbox.smbclient_auth.plain: Add new regression test case.
Test case covers commit: 96a49d23a4caebefcea66cfb855fadbae12ccf7c
Test case covers segfault of smbclient binary when
client NTLMv2 auth = yes
client use spnego = no
client max protocol = NT1
options are used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11793
RH BUG: http://bugzilla.redhat.com/show_bug.cgi?id=1271763
How to test:
$ make -j test TESTS="samba3.blackbox.smbclient_auth.plain"
RESULT: Should PASS
$ git revert 96a49d23a4caebefcea66cfb855fadbae12ccf7c
$ make -j test TESTS="samba3.blackbox.smbclient_auth.plain"
RESULT: Should FAIL
(and you can see segfault in dmesg)
Signed-off-by: Robin Hack <rhack@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 16 18:29:10 CET 2016 on sn-devel-144
Stefan Metzmacher [Tue, 15 Mar 2016 16:02:03 +0000 (17:02 +0100)]
ldb-samba:wscript: python_samba__ldb depends on pyauth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11789
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 16 01:34:29 CET 2016 on sn-devel-144
Stefan Metzmacher [Tue, 15 Mar 2016 15:59:51 +0000 (16:59 +0100)]
s3:wscript: pylibsmb depends on pycredentials
The need for pytalloc-util was based on the fact that
pycredentials depends on pytalloc-util.
As pylibsmb only used pycredentials and not pytalloc-util directly,
we should depend on pycredentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11789
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>