passdb: Fixing CID 1508970 for time_t in DEBUG statement
Fix: typecast changing from (unsigned int)entry->bad_password_time to
(intmax_t)entry->bad_password_time as intmax_t can hold epoch seconds
after 2038 year
Signed-off-by: Rabinarayan Panigrahi <rapanigr@redhat.com> Reviewed-by: Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Andreas Schneider <asn@samba.org>
Very simple reopen of a directory as pathref. Too much magic in
openat_pathref_fsp_lcomp() leads to Bug 15897:
openat_pathref_fsp_lcomp() can return NT_STATUS_OK but still leave the
file descriptor at -1 for msdfs and smb1 posix reasons. When using it
in filename_convert_dirfsp_nosymlink() this bites us, the -1 can leak
into vfswrap_openat(). Avoid any magic by directly calling
SMB_VFS_OPENAT() with maximum NOFOLLOW/etc safety for this use case
and fail when this does not work.
This adds another flavor of openat_pathref_fsp, and at some point we
need to consolidate them again.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15897 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Sep 10 03:13:07 UTC 2025 on atb-devel-224
s3:script: Avoid UnicodeDecodeError for samba-log-parser processing whole directory
When log directory contains zipped files like
old/log.rpcd_spoolss-20250831.gz we get error.
We want to ignore such files.
$ samba-log-parser --traceid 6 --merge-by-timestamp
Traceback (most recent call last):
File "/usr/bin/samba-log-parser", line 382, in <module>
main()
~~~~^^
File "/usr/bin/samba-log-parser", line 311, in main
process_file(
~~~~~~~~~~~~^
record_list,
^^^^^^^^^^^^
...<3 lines>...
options.traceid,
^^^^^^^^^^^^^^^^
)
^
File "/usr/bin/samba-log-parser", line 92, in process_file
data = infile.readlines()
File "<frozen codecs>", line 325, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8b in position 1: invalid start byte
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Sep 9 13:50:00 UTC 2025 on atb-devel-224
Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Sep 8 04:47:37 UTC 2025 on atb-devel-224
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Jennifer Sutton <jsutton@samba.org>
Autobuild-Date(master): Mon Sep 8 02:27:53 UTC 2025 on atb-devel-224
s3:shadow_copy: CID 1449539 talloc_realloc and error handling
- Replace TALLOC_REALLOC with talloc_realloc inorder to handle
the integer overflow better.
- Rename tlabels as tmp_labels for clarity.
- Use shadow_copy_data->labels directly after successful
reallocation instead of relying on a temporary variable.
- Ensure that shadow_copy_data->num_volumes is set to 0 and
shadow_copy_data->labels is freed on error paths inorder to
address the potential resource leaks.
Fixes: CID_1449539 Signed-off-by: Shwetha K Acharya <Shwetha.K.Acharya@ibm.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sat Sep 6 10:34:27 UTC 2025 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Pair-Programmed-With: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Fri Sep 5 13:38:33 UTC 2025 on atb-devel-224
GSS-Proxy stores its credential in encrypted form in the Kerberos ccache
with a start and end time of 0 and a server principal in the realm named
'X-GSSPROXY:'. This credential is accessed through GSS-Proxy interposer
mechanism in MIT Kerberos and cannot be analysed with raw krb5 API.
As MIT Kerberos has no krb5_cc_get_lifetime() implementation, add check
for the GSS-Proxy credential to smb_krb5_cc_get_lifetime() wrapper to
return KRB5_PLUGIN_NO_HANDLE. The two places where
smb_krb5_cc_get_lifetime() is used then handle this return code to avoid
deciding on the 'expired' lifetime to cause a kinit.
This fixes FreeIPA use case where an IPA API endpoint uses Samba Python
bindings with a GSS-Proxy-controlled credential cache.
Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Sep 3 10:15:50 UTC 2025 on atb-devel-224
Douglas Bagnall [Sun, 31 Aug 2025 09:24:34 +0000 (21:24 +1200)]
dsdb:audit log: cmocka unit tests for KCL
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Sep 3 03:13:47 UTC 2025 on atb-devel-224
Douglas Bagnall [Thu, 28 Aug 2025 05:09:43 +0000 (17:09 +1200)]
dsdb:audit: bump minor version of password logs (1.1 -> 1.2)
In https://wiki.samba.org/index.php/Interpreting_JSON_Audit_Logs we say:
> a version number for the JSON format. It has two parts.
>
> major: incremented if fields change meaning
> minor: incremented if a field is added
>
> A change in possible values does not usually trigger a version
> change. This is obviously true for client supplied data, but also
> applies to e.g. passwordType, where the set of supported password
> formats can change over time without changing the JSON version.
The last paragraph explicitly exempts us from a version change for
adding a new possible value ("Public key change") to the "action"
field. On the other hand we have expanded the scope of the log, which
deserves some version recognition.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Volker Lendecke [Tue, 13 May 2025 09:31:12 +0000 (11:31 +0200)]
libsmb: Slightly clarify format in set/get_secdesc
We have reserved fields after those 16-bit ones. With little endian
those are set to 0 with PUSH_LE32. That is unnecessary here, the
fields are already set to 0. This patch is not for efficiency, I just
got a bit confused by the subtlety.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Volker Lendecke [Sat, 30 Aug 2025 12:04:11 +0000 (14:04 +0200)]
dsdb: Align an integer type
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Aug 31 07:23:20 UTC 2025 on atb-devel-224
Jennifer Sutton [Wed, 20 Aug 2025 07:10:43 +0000 (19:10 +1200)]
s4:dsdb:tests: Add tests for msDS-KeyCredentialLink attribute
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Aug 27 04:44:59 UTC 2025 on atb-devel-224
Jennifer Sutton [Tue, 12 Aug 2025 01:56:16 +0000 (13:56 +1200)]
s4:dsdb:acl: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to
(el->flags & LDB_FLAG_MOD_MASK) == 0
which is only true if none of the LDB_FLAG_MOD_* values are set, so we
would not successfully return if the element was a DELETE. Correct the
expression to what it was intended to be.
Jennifer Sutton [Sun, 18 May 2025 22:31:47 +0000 (10:31 +1200)]
lib:async_req: Initialize variables
../../lib/async_req/async_sock.c: In function ‘writev_do’:
../../lib/async_req/async_sock.c:360:12: error: ‘written’ may be used uninitialized [-Werror=maybe-uninitialized]
360 | if ((written == -1) &&
| ^
../../lib/async_req/async_sock.c:343:17: note: ‘written’ was declared here
343 | ssize_t written;
| ^~~~~~~
../../lib/async_req/async_sock.c: In function ‘read_packet_do’:
../../lib/async_req/async_sock.c:563:12: error: ‘nread’ may be used uninitialized [-Werror=maybe-uninitialized]
563 | if ((nread == -1) && (errno == EINTR)) {
| ^
../../lib/async_req/async_sock.c:531:17: note: ‘nread’ was declared here
531 | ssize_t nread, more;
| ^~~~~
cc1: all warnings being treated as errors
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Jennifer Sutton [Thu, 20 Feb 2025 02:05:42 +0000 (15:05 +1300)]
s3:lib: Initialize pointer to NULL
../../source3/lib/netapi/tests/netdisplay.c: In function ‘test_netquerydisplayinformation’:
../../source3/lib/netapi/tests/netdisplay.c:87:45: error: ‘current_name’ may be used uninitialized [-Werror=maybe-uninitialized]
87 | if (name && strcasecmp(current_name, name) == 0) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source3/lib/netapi/tests/netdisplay.c:37:21: note: ‘current_name’ was declared here
37 | const char *current_name;
| ^~~~~~~~~~~~
cc1: all warnings being treated as errors
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Jennifer Sutton [Thu, 20 Feb 2025 00:51:24 +0000 (13:51 +1300)]
libcli: Fix maybe-uninitialized warning
../../libcli/wsp/wsp_aqs.c: In function ‘create_size_range_shortcut’:
../../libcli/wsp/wsp_aqs.c:872:37: error: ‘upper_size’ may be used uninitialized [-Werror=maybe-uninitialized]
872 | right->value.number = upper_size;
| ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~
../../libcli/wsp/wsp_aqs.c:835:18: note: ‘upper_size’ was declared here
835 | uint32_t upper_size;
| ^~~~~~~~~~
cc1: all warnings being treated as errors
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Jennifer Sutton [Thu, 20 Feb 2025 00:41:48 +0000 (13:41 +1300)]
ldb: Fix maybe-uninitialized warning
In file included from ../../lib/ldb/include/ldb.h:50,
from ../../lib/ldb/include/ldb_private.h:43,
from ../../lib/ldb/common/ldb_pack.c:34:
../../lib/ldb/common/ldb_pack.c: In function ‘ldb_filter_attrs’:
../../lib/talloc/talloc.h:1173:48: error: ‘i’ may be used uninitialized [-Werror=maybe-uninitialized]
1173 | #define talloc_array(ctx, type, count) (type *)_talloc_array(ctx, sizeof(type), count, #type)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../lib/ldb/common/ldb_pack.c:1178:34: note: in expansion of macro ‘talloc_array’
1178 | filtered_msg->elements = talloc_array(filtered_msg,
| ^~~~~~~~~~~~
../../lib/ldb/common/ldb_pack.c:1134:22: note: ‘i’ was declared here
1134 | unsigned int i;
| ^
cc1: all warnings being treated as errors
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
CID 1509059 winbind: Fixing print statement for time_t
Fixing DEBUG output for time_t to uintmax_t
Signed-off-by: Rabinarayan Panigrahi <rapanigr@redhat.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Aug 27 02:17:29 UTC 2025 on atb-devel-224
Douglas Bagnall [Fri, 22 Aug 2025 04:23:16 +0000 (16:23 +1200)]
python:tarfile: notes about extraction_filter
a reminder to delete.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Aug 26 23:43:08 UTC 2025 on atb-devel-224
gh-135034: Normalize link targets in tarfile, add `os.path.realpath(strict='allow_missing')` (#135037)
Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.
Signed-off-by: Łukasz Langa <lukasz@langa.pl> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
our ../../ test that looks for a tarfile.OutsideDestinationError now
meets a NotADirectoryError in recent Python versions (this from 3.13,
Fedora 42):
UNEXPECTED(error): samba.tests.safe_tarfile.samba.tests.safe_tarfile.SafeTarFileTestCase.test_dots(none)
REASON: Exception: Exception: Traceback (most recent call last):
File "/tmp/samba-testbase/b1/samba-o3/bin/python/samba/tests/safe_tarfile.py", line 48, in test_dots
self.assertRaises(tarfile.OutsideDestinationError,
~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
stf.extractall,
^^^^^^^^^^^^^^^
tarname)
^^^^^^^^
File "/usr/lib64/python3.13/unittest/case.py", line 795, in assertRaises
return context.handle('assertRaises', args, kwargs)
~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.13/unittest/case.py", line 238, in handle
callable_obj(*args, **kwargs)
~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.13/tarfile.py", line 2343, in extractall
tarinfo, unfiltered = self._get_extract_tarinfo(
~~~~~~~~~~~~~~~~~~~~~~~~~^
member, filter_function, path)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.13/tarfile.py", line 2432, in _get_extract_tarinfo
self._handle_fatal_error(e)
~~~~~~~~~~~~~~~~~~~~~~~~^^^
File "/usr/lib64/python3.13/tarfile.py", line 2430, in _get_extract_tarinfo
filtered = filter_function(unfiltered, path)
File "/usr/lib64/python3.13/tarfile.py", line 842, in tar_filter
new_attrs = _get_filtered_attrs(member, dest_path, False)
File "/usr/lib64/python3.13/tarfile.py", line 783, in _get_filtered_attrs
target_path = os.path.realpath(os.path.join(dest_path, name),
strict=os.path.ALLOW_MISSING)
File "<frozen posixpath>", line 457, in realpath
NotADirectoryError: [Errno 20] Not a directory: '/tmp/samba-testbase/b1/samba-o3/bin/ab/tmp/tmpbn6e69ci/tar.tar'
In this commit, we say that a NotADirectoryError is OK.
When we started safe_tarfile we were acting in advance of upstream
Python, but now they are well ahead of us. If we trust their work in
recent versions and accept the error conditions they choose, we can
more easily get rid of our safe_tarfile when the time is right.
For the moment we still support as far back as Python 3.6 for some old
enterprise distros, and it is for those that we continue to maintain
safe_tarfile. In versions before 3.11 we will see
tarfile.ExtractError, and the test for that is unaffected by this
change.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Sat, 4 May 2024 01:07:26 +0000 (13:07 +1200)]
domsid: be less alarmed by non-SID
This has been causing log noise when something is trying to parse an
identifier using a sequence of parsers, to see if it is a SID, a DN,
an account name, etc.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Douglas Bagnall [Thu, 29 May 2025 00:58:48 +0000 (12:58 +1200)]
python:build: do not allow sizeof(int) != 4
A non-32 bit int will (if the compiler allows it) result in code
where we write into memory adjacent to a target uint32_t value in
many python bindings using the python arg-parsing API. The more
correct thing to do would be to always parse into an unsigned long
long and error if it is greater than UINT32_MAX, but we do this in
so many places that there is reason to believe we'll just keep
adding more.
Note, we already check in lib/replace/wscript that int is at least
32 bits; here we are effectively just checking that it is not more.
There was apparently a version of 64 bit Solaris in the 1990s that
had 64 bit ints.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Aug 26 22:00:26 UTC 2025 on atb-devel-224
projects / thirdparty / samba.git / log
