Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Sat Feb 15 19:21:56 UTC 2025 on atb-devel-224
Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Fri Feb 14 16:18:19 UTC 2025 on atb-devel-224
Volker Lendecke [Wed, 12 Feb 2025 12:45:42 +0000 (13:45 +0100)]
pysmbd: Fix interactive samba-tool use after 0bb35e246141
samba-tool ntacl also calls into pysmbd, and 0bb35e246141 broke
relative path names. Thanks to Björn Baumbach <bb@sernet.de> for
testing interactively!!
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15806 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
s4:kdc: pass the full samba_kdc_db_context to most helper functions
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 14 15:19:24 UTC 2025 on atb-devel-224
s4:kdc: always go through samba_kdc_get_device_info_blob()
This means we always go through samba_kdc_get_user_info_dc()
both for client and also device pac.
It means we use the same logic regarding samba_krb5_pac_is_trusted()
and calling authsam_update_user_info_dc().
It means we do all logic on struct auth_user_info_dc
and only convert to PAC_DEVICE_INFO at the end.
Before we tried a mix of calling authsam_update_user_info_dc()
on a half constructed auth_user_info_dc,
while trying to apply the diff on auth_user_info_dc
to the also half constructed PAC_DEVICE_INFO.
Which can't work once auth_user_info_dc() will
apply sid filtering and the number of sids
may shrink.
Now we use authsam_update_user_info_dc()
followed by auth_convert_user_info_dc_saminfo3()
and samba_kdc_make_device_info().
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
So far the conversion from TGT PAC to
struct auth_user_info_dc back to TGS PAC
looses the information in what part of
the PAC_LOGON_INFO a sid was stored.
With this change we let
make_user_info_dc_{netlogon_validation,pac}()
remember this, so that
auth_convert_user_info_dc_sam{baseinfo,info6}()
can rebuild the information into the desired
parts of the PAC_LOGON_INFO.
This was found and fixed for sid filter related
tests, but it turns out that it already
fixes a few tests from samba.tests.krb5.device_tests.
All other places get an implicit AUTH_SID_ORIGIN_UNKNOWN (=0),
which means we use the same logic as before.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
libcli/security: simplify logic in add_sid_to_array_attrs()
(struct auth_SidAttr) {} makes sure we don't leave uninitialized
memory in case struct auth_SidAttr will change (which will happen in
the next commits).
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
ndr_claims: only use compression if it actually reduces the size
I have captures showing that claims compression depends on the payload
itself and how well it compresses, instead of the pure length of the
payload.
E.g. a single string claim with a value of 68 'a'
characters has an unpressed size of 336
and compressed size is 335.
While a single string with random string s1
has an unpressed size of 504 and it's still
uncompressed on the wire.
A different random string s2 also has an unpressed
size of 504, but it is compressed into a size of 502.
So it really depends if the compression makes it actually
smaller than the uncompressed version.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Feb 14 11:56:49 UTC 2025 on atb-devel-224
python:tests/krb5: only expect compressed claims if the compression reduces the size
I have captures showing that claims compression depends on the payload
itself and how well it compresses, instead of the pure length of the
payload.
E.g. a single string claim with a value of 68 'a'
characters has an unpressed size of 336
and compressed size is 335.
While a single string with random string s1
has an unpressed size of 504 and it's still
uncompressed on the wire.
A different random string s2 also has an unpressed
size of 504, but it is compressed into a size of 502.
So it really depends if the compression makes it actually
smaller than the uncompressed version.
This makes the tests more reliable against Windows DCs
with existing claims defined.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 29 Jan 2025 14:11:16 +0000 (15:11 +0100)]
mdssvc: support a few more attributes
This adds support for the following Spotlight Metadata Attributes:
_kMDItemFileName (another alias for kMDItemFSName and kMDItemDisplayName)
kMDItemLastUsedDate
kMDItemContentCreationDate
kMDItemLogicalSize (another alias for kMDItemFSSize)
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Feb 13 18:45:21 UTC 2025 on atb-devel-224
We need to re-activate this once we support multitple domains
in out own forest.
Fixes CID 1642726: Control flow issues (UNREACHABLE)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Feb 11 23:18:02 UTC 2025 on atb-devel-224
Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Tue Feb 11 11:05:37 UTC 2025 on atb-devel-224
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Feb 8 19:49:33 UTC 2025 on atb-devel-224
drsblobs.idl: use dom_sid0 in ForestTrustDataDomainInfo
We already use ndr_size_dom_sid0() and when ForestTrustDataDomainInfo
is used as part of ForestTrustDataScannerInfo, sid_size is 0
and the subcontext for the sid is skipped.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
s4:kdc: let samba_kdc_trust_message2entry don't support WITHIN_FOREST and PIM_TRUST
These are not supported yet.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 8 16:23:30 UTC 2025 on atb-devel-224
Reloading trusts should reload every aspect of
the trust and also remove deleted trusts from
the winbindd _domain_list.
But pending requests still continue.
With this commit it is required that
async state structures use struct winbindd_domain_ref
instead of raw struct winbindd_domain pointers,
in order to usage of stale pointers.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
winbindd: use struct winbindd_domain_ref in struct winbindd_domain_info_state
In the next commits it will be possible that
struct winbindd_domain instances become stale
because trusted domains were reloaded.
That means aync state structure should not use
pointers to 'struct winbindd_domain' as they
can become stale!
Instead they should use 'struct winbindd_domain_ref domain'
in the async state and use winbindd_domain_ref_set/get()
to manage the 'struct winbindd_domain' pointer.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
winbindd: use struct winbindd_domain_ref in struct wb_lookupsids_domain
In the next commits it will be possible that
struct winbindd_domain instances become stale
because trusted domains were reloaded.
That means aync state structure should not use
pointers to 'struct winbindd_domain' as they
can become stale!
Instead they should use 'struct winbindd_domain_ref domain'
in the async state and use winbindd_domain_ref_set/get()
to manage the 'struct winbindd_domain' pointer.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
winbindd: use struct winbindd_domain_ref in struct winbindd_list_groups_domstate
In the next commits it will be possible that
struct winbindd_domain instances become stale
because trusted domains were reloaded.
That means aync state structure should not use
pointers to 'struct winbindd_domain' as they
can become stale!
Instead they should use 'struct winbindd_domain_ref domain'
in the async state and use winbindd_domain_ref_set/get()
to manage the 'struct winbindd_domain' pointer.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
winbindd: use struct winbindd_domain_ref in struct winbindd_list_users_domstate
In the next commits it will be possible that
struct winbindd_domain instances become stale
because trusted domains were reloaded.
That means aync state structure should not use
pointers to 'struct winbindd_domain' as they
can become stale!
Instead they should use 'struct winbindd_domain_ref domain'
in the async state and use winbindd_domain_ref_set/get()
to manage the 'struct winbindd_domain' pointer.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
winbindd: use struct winbindd_domain_ref in struct trustdom_state
In the next commits it will be possible that
struct winbindd_domain instances become stale
because trusted domains were reloaded.
That means aync state structure should not use
pointers to 'struct winbindd_domain' as they
can become stale!
Instead they should use 'struct winbindd_domain_ref domain'
in the async state and use winbindd_domain_ref_set/get()
to manage the 'struct winbindd_domain' pointer.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
winbindd: use struct winbindd_domain_ref in struct getgrent_state
In the next commits it will be possible that
struct winbindd_domain instances become stale
because trusted domains were reloaded.
That means aync state structure should not use
pointers to 'struct winbindd_domain' as they
can become stale!
Instead they should use 'struct winbindd_domain_ref domain'
in the async state and use winbindd_domain_ref_set/get()
to manage the 'struct winbindd_domain' pointer.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
winbindd: use struct winbindd_domain_ref in struct getpwent_state
In the next commits it will be possible that
struct winbindd_domain instances become stale
because trusted domains were reloaded.
That means aync state structure should not use
pointers to 'struct winbindd_domain' as they
can become stale!
Instead they should use 'struct winbindd_domain_ref domain'
in the async state and use winbindd_domain_ref_set/get()
to manage the 'struct winbindd_domain' pointer.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
winbindd: use struct winbindd_domain_ref in struct wb_query_user_list_state
In the next commits it will be possible that
struct winbindd_domain instances become stale
because trusted domains were reloaded.
That means aync state structure should not use
pointers to 'struct winbindd_domain' as they
can become stale!
Instead they should use 'struct winbindd_domain_ref domain'
in the async state and use winbindd_domain_ref_set/get()
to manage the 'struct winbindd_domain' pointer.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
winbindd: use struct winbindd_domain_ref in struct wbint_bh_raw_call_state
In the next commits it will be possible that
struct winbindd_domain instances become stale
because trusted domains were reloaded.
That means aync state structure should not use
pointers to 'struct winbindd_domain' as they
can become stale!
Instead they should use 'struct winbindd_domain_ref domain'
in the async state and use winbindd_domain_ref_set/get()
to manage the 'struct winbindd_domain' pointer.
Note this is most likely not really needed because
the requests are in the domain or child tevent queue,
before the domain will be free'ed.
But we better use the winbindd_domain_ref in
all async state!
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
In the next commits it will be possible that
struct winbindd_domain instances become stale
because trusted domains were reloaded.
That means aync state structure should not use
pointers to 'struct winbindd_domain' as they
can become stale!
Instead they should use 'struct winbindd_domain_ref domain'
in the async state and use winbindd_domain_ref_set/get()
to manage the 'struct winbindd_domain' pointer.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
winbindd: winbindd_child->domain is a talloc grant parent if valid
This comment makes it easier to spot if we still have
'struct winbindd_domain' pointers in state structures,
which should be replaced by struct winbindd_domain_ref,
in order to handle stale domains after reloading trusts.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Pair-programmed-with: Volker Lendecke <vl@samba.org> Signed-off-by: Volker Lendecke <vl@samba.org> Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Sat Feb 8 03:30:27 UTC 2025 on atb-devel-224
Douglas Bagnall [Wed, 15 Jan 2025 02:33:18 +0000 (15:33 +1300)]
samba-tool: all subcommands know --version
Before `samba-tool -V` would give you the version,
but `samba-tool spn -V` would complain.
An ad-hoc selection of sub-commands already supported --version,
depending on whether VersionOptions was manually added to the
takes_options dict. The .run() methods of these subcommands all take a
'versionopts' keyword argument, but never use it. If it was set (i.e.,
argv contained "--version"), the process never gets to .run(), so the
value of versionopts.version is always None in run(). After this
commit we can remove VersionOptions/versionopts from sub-commands.
Anoop C S [Thu, 6 Feb 2025 12:20:10 +0000 (17:50 +0530)]
vfs_shadow_copy2: Use VFS interface to derive mount point
shadow_copy2_find_mount_point() does direct stat() calls locally while
trying to automatically detect the mount point. This cannot be always
true as there are virtual file systems like CephFS, GlusterFS etc.
without their share path locally available on the system. Instead use
the VFS interface to make the stat calls hit the underlying file system
irrespective of their local presence in the system.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: John Mulligan <jmulligan@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Feb 7 06:23:12 UTC 2025 on atb-devel-224
projects / thirdparty / samba.git / log
