This will be used by the dns services to only allow
spnego/krb5. This makes sure the accepting backend
doesn't require any RPC or IPC communication for now.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec: remove the sync update() hook from gensec_security_ops
Some backends still do some nested event context magic,
but that mapping between async and sync is done in these backends
and not in the core gensec code anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:rpc_server: simplify the GENSEC_FEATURE_SIGN_PKT_HEADER logic
We can directly check this after gensec_start_mech_by_authtype(),
the backend either supports it or not. There's nothing that
can change during the authentication phase.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s3:rpc_server: move gensec_update() out of auth_generic_server_authtype_start*()
We let the caller use auth_generic_server_step() instead.
This allows us to request GENSEC_FEATURE_SIGN_PKT_HEADER before
starting the gensec_update() dance.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:smb_server: avoid using gensec_update_ev() for the negotiate blob
Getting the SPNEGO mech type blob, we don't expect to block for
any network io, so we can also use gensec_update() which creates
a temporary event context.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec: call gensec_verify_features() also after update_recv() in gensec_update_ev()
This is no a real problem until now, because the only backends with update_send()/recv()
are "schannel" (which only supports AUTH_LEVEL_{INTEGRITY,PRIVACY}) and
"naclrpc_as_system" (which doesn't support any protection beside using unix
domain sockets).
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 2 May 2017 10:55:45 +0000 (12:55 +0200)]
selftest: Actually run python3 tests during the selftest
These previously only ran if the develper was using EXTRA_PYTHON in their
OS environment
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat May 20 02:26:33 CEST 2017 on sn-devel-144
Petr Viktorin [Wed, 3 May 2017 14:57:07 +0000 (16:57 +0200)]
python3: Use "y#" instead of "s#" for binary data in PyArg_ParseTuple
The "s#" format code for PyArg_ParseTupleAndKeywords and Py_BuildValue
converts a char* and size to/from Python str (with utf-8 encoding under
Python 3).
In some cases, we want bytes (str on Python 2, bytes on 3) instead. The
code for this is "y#" in Python 3, but that is not available in 2.
Introduce a PYARG_BYTES_LEN macro that expands to "s#" or "y#", and use
that in:
- credentials.get_ntlm_response (for input and output)
- ndr_unpack argument in PIDL generated code
Signed-off-by: Petr Viktorin <pviktori@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jeremy Allison [Tue, 16 May 2017 23:12:19 +0000 (16:12 -0700)]
s3: smbd: Fix open_files.idl to correctly ignore share_mode_lease *lease in share_mode_entry.
This is currently marked 'skip', which means it isn't stored in the
db, but printed out in ndr dump. However, this pointer can be invalid
if the lease_idx is set to 0xFFFFFFFF (invalid).
This is fixed up inside parse_share_modes(), but not until after
ndr_pull_share_mode_data() is called. If lease_idx == 0xFFFFFFFF
then ndr_print_share_mode_lease() prints an invalid value and
crashes.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 18 03:01:40 CEST 2017 on sn-devel-144
Ralph Boehme [Fri, 12 May 2017 12:40:03 +0000 (14:40 +0200)]
vfs_fruit: add pread_send/recv and pwrite_send/recv
This is needed to support copy-chunk of streams. vfs_default issues
calls to async pread and pwrite (send/recv versions) since
commit60e45a2d25401eaf9a15a86d19114670ccfde259.
Ralph Boehme [Fri, 12 May 2017 05:58:01 +0000 (07:58 +0200)]
vfs_streams_xattr: add pread_send/recv and pwrite_send/recv
This is needed to support copy-chunk of streams. vfs_default issues
calls to async pread and pwrite (send/recv versions) since commit 60e45a2d25401eaf9a15a86d19114670ccfde259.
To make libads using 'struct smbldap_state' instead of direct LDAP
structure, we need to abstract out libads logic from connection
handling. SASL wrapping does not really depend on availability of LDAP
handle and does not need direct access to ADS_STRUCT. As result, we'll
be able to move SASL wrapping code under smbldap once the latter is able
to pass settings that libads passes to the SASL wrapping.
Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Peter Somogyi [Mon, 15 May 2017 08:21:01 +0000 (10:21 +0200)]
SMB_INFO_ALLOCATION: return with UINT32_MAX rather than cutting at 4 bytes
An AIX cifs client queries SMB_INFO_ALLOCATION that has only 4 bytes to report
dfree and dsize. Return the max instead of random unexpeced numbers.
Signed-off-by: Peter Somogyi <psomogyi@hu.ibm.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 17 05:49:46 CEST 2017 on sn-devel-144
Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed May 17 01:46:52 CEST 2017 on sn-devel-144
Signed-off-by: Amitay Isaacs <amitay@gmail.com> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon May 15 08:08:10 CEST 2017 on sn-devel-144
Jeremy Allison [Thu, 11 May 2017 23:15:56 +0000 (16:15 -0700)]
s4: nmblookup: Allocate event context off NULL instead of talloc_autofree_context().
It's already correctly freed on exit.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat May 13 21:01:25 CEST 2017 on sn-devel-144
Jeremy Allison [Tue, 9 May 2017 23:28:53 +0000 (16:28 -0700)]
s4: torture: Remove use of local variables that are simply mirroring popt_get_cmdline_credentials().
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri May 12 00:37:29 CEST 2017 on sn-devel-144
Karolin Seeger [Fri, 5 May 2017 09:11:07 +0000 (11:11 +0200)]
docs: Rename Samba3-Developers-Guide to Samba-Developers-Guide
This guide is not obsolete but needs an update.
Signed-off-by: Karolin Seeger <kseeger@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed May 10 19:57:36 CEST 2017 on sn-devel-144
smbd/smb2_ioctl: instruct VFS to ignore locks for dup extents
As described in the previous commit - Windows Server 2016 (ReFS) ignores
locks for FSCTL_DUPLICATE_EXTENTS_TO_FILE. Do the same for Samba.
Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed May 10 12:27:00 CEST 2017 on sn-devel-144
vfs: add VFS_COPY_CHUNK_FL_IGNORE_LOCKS for dup extents
As confirmed by the Microsoft Protocol Open Specifications Team: Windows
Server 2016 (ReFS) ignores locks for FSCTL_DUPLICATE_EXTENTS_TO_FILE...
From: Jeff McCashland
To: David Disseldorp CC: "cifs-protocol@lists.samba.org" <cifs-protocol@lists.samba.org>
Subject: RE: [116100414754619] FSCTL_DUPLICATE_EXTENTS_TO_FILE appears
to completely bypass file locks
Date: Mon, 12 Dec 2016 20:44:08 +0000
Hi David,
We have made the following spec changes for the next doc release:
In section 2.1.5.9.4 FSCTL_DUPLICATE_EXTENTS_TO_FILE behavior notes have
been added to the following paragraphs.
Before:
§ The object store MUST check for byte range lock conflicts on
Open.Stream using the algorithm described in section 2.1.4.10 with
ByteOffset set to InputBuffer.TargetFileOffset, Length set to
InputBuffer.ByteCount, IsExclusive set to TRUE, LockIntent set to FALSE,
and Open set to Open. If a conflict is detected, the operation MUST be
failed with STATUS_FILE_LOCK_CONFLICT.
§ The object store MUST check for byte range lock conflicts on Source
using the algorithm described in section 2.1.4.10 with ByteOffset set to
InputBuffer.SourceFileOffset, Length set to InputBuffer.ByteCount,
IsExclusive set to FALSE, LockIntent set to FALSE, and Open set to
InputBuffer.FileHandle. If a conflict is detected, the operation MUST be
failed with STATUS_FILE_LOCK_CONFLICT.
After:
§ The object store SHOULD<WBN1> check for byte range lock conflicts on
Open.Stream using the algorithm described in section 2.1.4.10 with
ByteOffset set to InputBuffer.TargetFileOffset, Length set to
InputBuffer.ByteCount, IsExclusive set to TRUE, LockIntent set to FALSE,
and Open set to Open. If a conflict is detected, the operation MUST be
failed with STATUS_FILE_LOCK_CONFLICT.
§ The object store SHOULD<WBN2> check for byte range lock conflicts on
Source using the algorithm described in section 2.1.4.10 with ByteOffset
set to InputBuffer.SourceFileOffset, Length set to
InputBuffer.ByteCount, IsExclusive set to FALSE, LockIntent set to
FALSE, and Open set to InputBuffer.FileHandle. If a conflict is
detected, the operation MUST be failed with STATUS_FILE_LOCK_CONFLICT.
WBN1: The ReFS file system in Windows Server 2016 does not check for
byte range lock conflicts on Open.Stream.
WBN2: The ReFS file system in Windows Server 2016 does not check for
byte range lock conflicts on Source.
Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
FSCTL_DUPLICATE_EXTENTS_TO_FILE has some interesting behaviour when
exceeding the destination file length - the clone is truncated to only
cover the existing file region. If the existing length is zero, then
nothing is cloned.
Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
projects / thirdparty / samba.git / log
