Signed-off-by: Amit Kumar <amitkuma@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 2a7fc40fb3f3ca994cecad3e2957433d7a411208)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Apr 6 19:09:53 UTC 2020 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit ec69752cb963ae850568d3f4905d2941e485627e)
Volker Lendecke [Sat, 2 May 2020 13:18:07 +0000 (15:18 +0200)]
libsmb: Protect cli_oem_change_password() from rprcnt<2
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 5 17:12:04 UTC 2020 on sn-devel-184
Volker Lendecke [Thu, 19 Mar 2020 10:01:41 +0000 (11:01 +0100)]
libsmb: Don't try to find posix stat info in SMBC_getatr()
This wrongly used "frame" instead of "fname", which can never have
worked. A first attempt to fix in 51551e0d53fa6 caused a few followup
patches in an attempt to clean up the test failures 51551e0d53fa6
introduced. They were reverted after a few discussions. So rather than
changing behaviour, just remove the code that introduced the valgrind
error again.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 20 05:06:07 UTC 2020 on sn-devel-184
The test python/samba/tests/ldap_raw.py does not run under python 3
which means the CI task build_ad_dc_py2 fails. The test is run and
passes in the CI task build_ad_dc. This patch adds a check for the
Python version and skips the tests if running under python 2, allowing
CI to run for V4.10.
This patch is only applied to version 4.10.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 2 Apr 2020 02:25:53 +0000 (15:25 +1300)]
CVE-2020-10704: libcli ldap: test recursion depth in ldap_decode_filter_tree
Add tests to check that ASN.1 ldap requests with deeply nested elements
are rejected. Previously there was no check on the on the depth of
nesting and excessive nesting could cause a stack overflow.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(backported from patch for master due to selftest changes) Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(backported from patch for master due to selftest changes) Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Martin Schwenke [Fri, 6 Mar 2020 05:11:23 +0000 (16:11 +1100)]
ctdb-tcp: Do not stop outbound connection in ctdb_tcp_node_connect()
The only place the outgoing connection needs to be stopped is when
there is a timeout when waiting for the connection to become writable.
Add a new function ctdb_tcp_node_connect_timeout() to handle this
case.
All of the other cases are attempts to establish a new outgoing
connection (initial attempt, retry after an error or disconnect, ...)
so drop stopping the connection in those cases.
Signed-off-by: Amitay Isaacs <amitay@gmail.com> Signed-off-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Mar 12 05:29:20 UTC 2020 on sn-devel-184
Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 2c73dbafba50b28e72a8ec7b4382fae42fca6d17)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 1e2a967ff41cc29c3a0d7f61a46937c68fdb90ba)
Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit ea37ecdcd5960311f54a7a5510b88a654da23daa)
Ralph Boehme [Sat, 29 Feb 2020 11:13:12 +0000 (12:13 +0100)]
ctdb-tcp: always call node_dead() upcall in ctdb_tcp_tnode_cb()
ctdb_tcp_tnode_cb() is called when we receive data on the outgoing connection.
This can happen when we get an EOF on the connection because the other side as
closed. In this case data will be NULL.
It would also be called if we received data from the peer. In this case data
will not be NULL.
The latter case is a fatal error though and we already call
ctdb_tcp_stop_connection() for this case as well, which means even though the
node is not fully connected anymore, by not calling the node_dead() upcall
NODE_FLAGS_DISCONNECTED will not be set.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit b83ef98c7466b2a81968555de83fb977bb6ca9f0)
Noel Power [Sat, 29 Feb 2020 15:49:28 +0000 (15:49 +0000)]
ctdb-tcp: move free of inbound queue to TCP restart
Since commit 77deaadca8e8dbc3c92ea16893099c72f6dc874e, a nodeA which
had previously accepted a connection from nodeB (where nodeB dies
e.g. as as result of fencing) when nodeB attempts to connect again
after restarting is always rejected with
ctdb_listen_event: Incoming queue active, rejecting connection from w.x.y.z
messages.
Consolidate dead node handling in the TCP restart handling.
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 0ff1b78fc2f0491f9e11131d0040bdaba8873770)
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 15762a34559599cf908e30651a2d4c11560068ed)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 6a4fa0785fc83561939fa41617d526eb96c1af89)
Douglas Bagnall [Sun, 19 Jan 2020 02:08:58 +0000 (15:08 +1300)]
nmblib: avoid undefined behaviour in handle_name_ptrs()
If *offset is length - 1, we would read ubuf[(*offset)+1] as the lower
bits of the new *offset. This value is undefined, but because it is
checked against the valid range, there is no way to read further
beyond that one byte.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 7 10:19:39 UTC 2020 on sn-devel-184
Tim Beale [Mon, 11 Feb 2019 04:15:22 +0000 (17:15 +1300)]
selftest: Export DC conf path for special cases
In a few rare cases, a test needs to assert aspects both client-side and
server-side aspects. A typical example would be the audit logging, which
is exercising client-side behaviour, but also asserting the server-side
logging.
Usually this has involved a kludge in tests.py to either use
socket-wrapper explicitly, or hardcode in the server smb.conf path.
This patch exposes the existing SERVERCONFFILE env variable to the
tests. DC_SERVERCONFFILE has been added for 2 DC testenvs, where we need
the PDC's smb.conf.
The benefit of doing this way is the filepath/testenv-dependency logic
is all self-contained with the Perl code, and it doesn't bleed out into
tests.py as well.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit aeadf75c24a4af4143e389e2b27d3a90899fb638)
Fixes autobuild with the patches for
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14285
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Wed Mar 4 11:26:37 UTC 2020 on sn-devel-144
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Feb 6 16:24:25 UTC 2020 on sn-devel-184
Andrew Bartlett [Thu, 30 Jan 2020 03:41:39 +0000 (16:41 +1300)]
dsdb: Correctly handle memory in objectclass_attrs
el->values is caller-provided memory that should be thought of as constant,
it should not be assumed to be a talloc context.
Otherwise, if the caller gives constant memory or a stack
pointer we will get an abort() in talloc when it expects
a talloc magic in the memory preceeding the el->values.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3657bbc21182d764ddfcd603025f24ec240fd263)
wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9
See https://docs.python.org/3.9/whatsnew/3.9.html#changes-in-the-python-api
"open(), io.open(), codecs.open() and fileinput.FileInput no longer accept 'U'
(“universal newline”) in the file mode. This flag was deprecated since Python
3.3. In Python 3, the “universal newline” is used by default when a file is
open in text mode. The newline parameter of open() controls how universal
newlines works."
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Feb 6 07:30:13 UTC 2020 on sn-devel-184
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Thu Feb 20 15:31:20 UTC 2020 on sn-devel-144
Martin Schwenke [Tue, 28 Jan 2020 05:49:14 +0000 (16:49 +1100)]
ctdb-tcp: Make error handling for outbound connection consistent
If we can't bind the local end of an outgoing connection then
something has gone wrong. Retrying is better than failing into a
zombie state. The interface might come back up and/or the address my
be reconfigured.
While here, do the same thing for the other (potentially transient)
failures.
The unknown address family failure is special but just handle it via a
retry. Technically it can't happen because the node address parsing
can only return values with address family AF_INET or AF_INET6.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14274
RN: Retry inter-node TCP connections on more transient failures
Reported-by: 耿纪超 <gengjichao@jd.com> Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit a40fc709cc972dadb40efbf1394b10fae3cfcc07)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Mon Feb 17 15:50:11 UTC 2020 on sn-devel-144
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Feb 5 17:56:58 UTC 2020 on sn-devel-184
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 590df382bea44eec2dbfd2a28c659b0a29188bca)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a9eeea6ef78cc44c8423c7125fa1376921060018)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a63e2a312c761093fedb09bd234b6736485a930a)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 01b8374e7942141e7f6cbdec7623c981a008e4c1)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 72ef8d3a52c1ab07c079a4c014ba8ac7bff528f7)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 85b168c6dac88f5065c0ec6e925937439f2c12ed)
For smbd we want an error and for smbclient we only want it in NOTICE
debug level.
The default log level of smbclient is log level 1 so we need notice to
not spam the user.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jan 30 16:54:33 UTC 2020 on sn-devel-184
Signed-off-by: Jeremy Allison <jra@samba.org>
Pair programmed with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 21 23:33:41 UTC 2020 on sn-devel-184
Signed-off-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Tue Jan 14 12:46:17 UTC 2020 on sn-devel-144
Karolin Seeger [Thu, 9 Jan 2020 11:51:27 +0000 (12:51 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.10.12 release.
o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
Directory not automatic.
o CVE-2019-14907: Crash after failed character conversion at log level 3 or
above.
o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
Karolin Seeger [Thu, 9 Jan 2020 11:48:31 +0000 (12:48 +0100)]
WHATSNEW: Add release notes for Samba 4.11.5.
o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
Directory not automatic.
o CVE-2019-14907: Crash after failed character conversion at log level 3 or
above.
o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
Martin Schwenke [Fri, 13 Dec 2019 00:09:04 +0000 (11:09 +1100)]
ctdb-scripts: Strip square brackets when gathering connection info
ss added square brackets around IPv6 addresses in versions > 4.12.0
via commit aba9c23a6e1cb134840c998df14888dca469a485. CentOS 7 added
this feature somewhere mid-release. So, backward compatibility is
obviously needed.
As per the comment protocol/protocol_util.c should probably print and
parse such square brackets. However, for backward compatibility the
brackets would have to be stripped in both places in
update_tickles()... or added to the ss output when missing. Best to
leave this until we have a connection tracking daemon.
Gary Lockyer [Thu, 19 Dec 2019 03:31:46 +0000 (16:31 +1300)]
upgradedns: ensure lmdb lock files linked
Ensure that the '-lock' files for the dns partitions as well as the data
files are linked when running
samba_dnsupgrade --dns-backend=BIND9_DLZ
failure to create these links can cause corruption of the corresponding
data file.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0bd479140c18ab79479ced4f25f366744c3afe18)
Gary Lockyer [Thu, 19 Dec 2019 03:31:24 +0000 (16:31 +1300)]
test upgradedns: ensure lmdb lock files linked
Add tests to check that the '-lock' files for the dns partitions as well as
the data files are linked when running
samba_dnsupgrade --dns-backend=BIND9_DLZ
failure to create these links can cause corruption of the corresponding
data file.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f0cebbe4dd0317e2abfcbe252977383e6f37f3bd)
Björn Jacke [Tue, 7 Jan 2020 09:21:18 +0000 (10:21 +0100)]
docs-xml/winbindnssinfo: clarify interaction with idmap_ad etc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14122
RN: docs: clarify interaction between winbind nss info and idmap backend
Signed-off-by: Bjoern Jacke <bjacke@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jan 8 15:37:46 UTC 2020 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec 19 15:44:25 UTC 2019 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b3e3cb3bbd86a53b48ee009adf811d48dd50dc8b)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 0fe9dc5219beaf605da9c7922053f7324507b50e)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit bf9a3a7aa1913238ae2c997ce00369d0dbae3a08)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ea51a426e506bd6456814ecddcb63441859f9d89)
Jeremy Allison [Fri, 18 Oct 2019 17:48:55 +0000 (10:48 -0700)]
s3: libsmb: Move setting all struct stat fields into setup_stat().
That way we only have one place where a struct stat is synthesised
for libsmbclient callers.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1f0715c0e5e6ff371e3b393a0b35222c8b6f49bc)
Noel Power [Fri, 24 May 2019 13:37:00 +0000 (13:37 +0000)]
CVE-2019-14907 lib/util/charset: clang: Fix Value stored to 'reason' is never read warning
Fixes:
lib/util/charset/convert_string.c:301:5: warning: Value stored to 'reason' is never read <--[clang]
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Gary Lockyer gary@catalyst.net.nz
(cherry picked from commit add47e288bc80c1bf45765d1588a9fa5998ea677)
Andrew Bartlett [Thu, 12 Dec 2019 01:44:57 +0000 (14:44 +1300)]
CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs
We can not process on the basis of a DN, as the DN may have changed in a rename,
not only that this module can see, but also from repl_meta_data below.
Therefore remove all the complex tree-based change processing, leaving only
a tree-based sort of the possible objects to be changed, and a single
stopped_dn variable containing the DN to stop processing below (after
a no-op change).
Andrew Bartlett [Sun, 15 Dec 2019 22:29:27 +0000 (11:29 +1300)]
selftest: Add test to confirm ACL inheritence really happens
While we have a seperate test (sec_descriptor.py) that confirms inheritance in
general we want to lock in these specific patterns as this test covers
rename.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Anoop C S [Tue, 12 Nov 2019 14:28:43 +0000 (19:58 +0530)]
s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir
On receiving an already initialized stat_ex buffer for readdir() call we
invoke readdirplus() GlusterFS API, an optimized variant of readdir(),
which then returns stat information along with dir entry result. But for
symlink entries we don't know if link or target info is needed. In that
case it is better to leave this decision back to caller by resetting
nlinks value inside stat information to make it invalid.
This was also preventing us from displaying msdfs link as directories
inside the share.
Signed-off-by: Anoop C S <anoopcs@redhat.com> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 17 21:53:07 UTC 2019 on sn-devel-184
Signed-off-by: Torsten Fohrer <torsten.fohrer@sbe.de> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Dec 18 14:33:58 UTC 2019 on sn-devel-184
Douglas Bagnall [Mon, 2 Dec 2019 22:17:26 +0000 (11:17 +1300)]
pygpo: use correct method flags
The METH_KEYWORDS argument must always be combined with METH_VARARGS.
In Python up to 3.7 this was checked at runtime, and as we had no callers to
get_unix_path() in Python we never noticed. In Python 3.8 it is checked at
import time, and everyone notices even if they aren't directly using GPOs.
Found and reported by Val Kulkov.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14209 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 12cccf3447333dfd4f5e437cd57ca5ec68724fdd)
projects / thirdparty / samba.git / log
