In the GNU C Library, "makedev" is defined by <sys/sysmacros.h>. For
historical compatibility, it is currently defined by <sys/types.h> as
well, but it is planned to remove this soon.
Ralph Boehme [Tue, 28 Feb 2017 08:39:37 +0000 (09:39 +0100)]
vfs_fruit: enabling AAPL extensions must be a global switch
Apple's SMB2 AAPL extension is enabled once per SMB2
connection. Unfortunately the (per se correct) fix for bug #12541
results in vfs_fruit checking a per tcon config state variable to
determine whether AAPL has been negotiated. This variable will be false
for all but the first tcon. We must make it a global variable.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Mar 2 04:34:10 CET 2017 on sn-devel-144
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 3 02:23:20 CET 2017 on sn-devel-144
The fixes for https://bugzilla.samba.org/show_bug.cgi?id=11691
changed the way we fill domain->domain_flags for domains
in other forests.
Commit fffefe72fcc62d9688b45f53a5327667dc0b2fe6 readded the
ability to enumerate trusts of other forests again, in order to
fix https://bugzilla.samba.org/show_bug.cgi?id=11830
Now we have the problem that multiple domains
(even outside of our forest) are considert to be
our forest root, as they have the following flags:
NETR_TRUST_FLAG_TREEROOT and NETR_TRUST_FLAG_IN_FOREST.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar 2 17:53:14 CET 2017 on sn-devel-144
Ralph Boehme [Thu, 19 Jan 2017 08:30:45 +0000 (09:30 +0100)]
vfs_fruit: only veto AppleDouble files with fruit:resource=file
vfs_fruit only creates AppleDouble files itself when "fruit:resource" is
set to "file" (the default). It is only then the these AppleDouble files
should be treated as an internal representation and should be
inaccessible from clients.
s3:winbindd: allow a fallback to NTLMSSP for LDAP connections
This matches the behaviour of pdb_get_trust_credentials() for
our machine account and allows us to fallback to NTLMSSP
when contacting trusted domains.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4e9a0894cd977585ccc94e7c1811de1b0293382d)
Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Tue Feb 28 13:13:04 CET 2017 on sn-devel-144
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 51caeb7c538b7546e5feccf27a735bb803c78a0b)
s3:passdb: use cli_credentials_set_kerberos_state() for trusts in pdb_get_trust_credentials()
Trust accounts can only use kerberos when contacting other AD domains,
using NTLMSSP will fail.
At the same time it doesn't make sense to try kerberos for NT4 domains,
still NTLMSSP will fail, but the callers has to deal with that
case and just fallback to an anonymous SMB connection.
In all cases we should be able to use NETLOGON SCHANNEL
over any anonymous smb or tcp transport.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit d961ae9d14b46708d2693ca91ace04f9f1a53ca2)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b845f16d3ca02dd27cc40bbf722426d6f81bb4b7)
s3:winbindd: try a NETLOGON connection with noauth over NCACN_NP against trusted domains.
We're using only NCACN_NP here as we rely on the smb signing restrictions
of cm_prepare_connection().
This should fix SMB authentication with a user of a domain
behind a transitive trust.
With this change winbindd is able to call
dcerpc_netr_DsrEnumerateDomainTrusts against the
dc of a trusted domain again. This only works
for two-way trusts.
The main problem is the usage of is_trusted_domain()
which doesn't know about the domain, if winbindd can't
enumerate the domains in the other forest.
is_trusted_domain() is used in make_user_info_map(),
which is called in auth3_check_password() before
auth_check_ntlm_password().
That means we're mapping the user of such a domain
to our own local sam, before calling our auth modules.
A much better fix, which removes the usage of is_trusted_domain()
in planed for master, but this should do the job for current releases.
We should avoid talking to DCs of other domains and always
go via our primary domain. As we should code with one-way trusts
also, we need to avoid relying on a complete list of
domains in future.
For now "wbinfo -m" lists domains behind a two-way transitive
trust again, but that is likely to change in future again!
s3:winbindd: make sure cm_prepare_connection() only returns OK with a valid tree connect
If cm_get_ipc_credentials() returned anonymous creds and signing is required
we were returning the result of cm_get_ipc_credentials() instead of
the original error.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 22 08:25:46 CET 2017 on sn-devel-144
libcli/auth: use the correct creds value against servers without LogonSamLogonEx
If we use the credential chain we need to use the value from
netlogon_creds_client_authenticator() to make sure we have the current
value to encrypt in logon info.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0ed2a65593b5abc9ba7f40992ed0ed8f448f5836)
librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping
Commit 1eef70872930fa4f9d3dedd23476b34cae638428 changed the mapping for
DCERPC_NCA_S_FAULT_INVALID_TAG from NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
to NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c97e39b34fcf260ded42ef1a9efe7ed55e65a1cf)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Feb 21 20:08:16 CET 2017 on sn-devel-144
(similar to commit 10e1b92c288ae27f775debb16c3e122b6063fa21)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e9c184088cbbb47e48d9e96fc753a56c544301dc)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 21cbf8e4db6928a8a3fb712b3750bb50c1201948)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 13fd543929c72fa5af1ae6e21ca8dda9a57a0f55)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 77edef9555acd6e0c843582637bc367fa0d2a203)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c21e9981d04fa016ef708941ea82051d0438b7a7)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 9e26ad86fbd7e6f39f98fb9d037ac86f3146cb11)
s3:libsmb: let trust_pw_change() verify the new password at the end.
We should notice problems as early as possible, it makes no
sense to keep things working for a while and later find out
the we lost our trust relationship with our domain.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a2877541681e07f09aee7d7c21adbe50346755e3)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4185689dbf0085fcb3840ad8b520df21a33e5d2a)
lib/util: add generate_random_machine_password() function
It generates more random password for the use as machine password,
restricted to codepoints <= 0xFFFF in order to be compatible
with MIT krb5 and Heimdal.
Note: the fallback to ascii if 'unix charset' is not 'utf8'.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ad12cfae42cc592166d6a1c1ee323f1aae82f235)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit abe427775ee8ed1d278d5094ca127f85289ca5a3)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8a209e5a0ca810d8cf0e5ebc1902fae8c5cb241e)
Martin Schwenke [Mon, 13 Feb 2017 22:04:41 +0000 (09:04 +1100)]
ctdb-scripts: Initialise CTDB_NFS_CALLOUT in statd-callout
Some configurations may set CTDB_NFS_CALLOUT to the empty string.
They may do this if they allow a choice of NFS implementations. In
this case the default call-out for Linux kernel NFS should be used.
However, statd-callout does not call nfs_callout_init() to set the
default. Therefore, statd-callout is unable to restart the lock
manager, so the grace period is never entered.
statd-callout must call nfs_callout_init() before trying to restart
the lock manager.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Feb 16 09:21:03 CET 2017 on sn-devel-144
comm_write_send() creates a new tevent_req and adds it to the queue
of requests to be processed. If this tevent_req is freed, then the
queue entry is not removed causing use-after-free error.
If the tevent_req returned by comm_write_send() is freed, then that
request should be removed from the queue and any pending actions based
on that request should also be removed.
Signed-off-by: Amitay Isaacs <amitay@gmail.com> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 9db7785fc6ffbaad434ee189c0f46c488358aab5)
Jeremy Allison [Wed, 15 Feb 2017 23:42:52 +0000 (15:42 -0800)]
s3: smbd: Don't loop infinitely on bad-symlink resolution.
In the FILE_OPEN_IF case we have O_CREAT, but not
O_EXCL. Previously we went into a loop trying first
~(O_CREAT|O_EXCL), and if that returned ENOENT
try (O_CREAT|O_EXCL). We kept looping indefinately
until we got an error, or the file was created or
opened.
The big problem here is dangling symlinks. Opening
without O_NOFOLLOW means both bad symlink
and missing path return -1, ENOENT from open(). As POSIX
is pathname based it's not possible to tell
the difference between these two cases in a
non-racy way, so change to try only two attempts before
giving up.
We don't have this problem for the O_NOFOLLOW
case as we just return NT_STATUS_OBJECT_PATH_NOT_FOUND
mapped from the ELOOP POSIX error and immediately
returned.
Pair-programmed-with: Ralph Boehme <slow@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 10c3e3923022485c720f322ca4f0aca5d7501310)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6c3aaccd0eb648e31fd2717aaca0187966e125d5)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 15 06:20:52 CET 2017 on sn-devel-144
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jan 30 22:26:29 CET 2017 on sn-devel-144
Jeremy Allison [Mon, 23 Jan 2017 18:20:13 +0000 (10:20 -0800)]
s3: VFS: shadow_copy2: Fix usage of saved_errno to only set errno on error.
Rationale:
VFS calls must act like their POSIX equivalents, and the POSIX versions
*only* set errno on a failure. There is actually code in the upper smbd
layers that depends on errno being correct on a fail return from a VFS call.
For a compound VFS module like this, a common pattern is :
SMB_VFS_CALL_X()
{
int ret;
syscall1();
ret = syscall2();
syscall3();
return ret;
}
Where if *any* of the contained syscallX()'s fail, they'll set errno.
However, the actual errno we should return is *only* the one returned
if syscall2() fails (the others are lstat's checking for existence etc.).
So what we should do to correctly return only the errno from syscall2() is:
SMB_VFS_CALL_X()
{
int ret;
int saved_errno = 0;
syscall1()
ret = syscall2();
if (ret == -1) {
saved_errno = errno;
}
syscall3()
Jeremy Allison [Thu, 26 Jan 2017 18:49:51 +0000 (10:49 -0800)]
s3: VFS: shadow_copy2: Fix module to work with variable current working directory.
Completely cleans up the horrible shadow_copy2_strip_snapshot()
and adds an explaination of what it's actually trying to do.
* This function does two things.
*
* 1). Checks if an incoming filename is already a
* snapshot converted pathname.
* If so, it returns the pathname truncated
* at the snapshot point which will be used
* as the connectpath, and then does an early return.
*
* 2). Checks if an incoming filename contains an
* SMB-layer @GMT- style timestamp.
* If so, it strips the timestamp, and returns
* both the timestamp and the stripped path
* (making it cwd-relative).
Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 25 04:23:00 CET 2017 on sn-devel-144
Jeremy Allison [Wed, 1 Feb 2017 19:36:25 +0000 (11:36 -0800)]
s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open() store the same path as streams_xattr_recheck().
If the open is changing directories, fsp->fsp_name->base_name
will be the full path from the share root, whilst
smb_fname will be relative to the $cwd.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 2 01:55:42 CET 2017 on sn-devel-144
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jan 28 01:49:11 CET 2017 on sn-devel-144
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 27 12:03:39 CET 2017 on sn-devel-144
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c207f2a989fc791b5f9bf9043d3c6ac31db5cdfd)
Ralph Boehme [Tue, 17 Jan 2017 16:23:51 +0000 (17:23 +0100)]
selftest: disable SMB encryption in simpleserver environment
Encryption is currently not tested in this env so we can safely turn it
off. The next commit will add a blackbox tests that test combinations of
having encryption globally turned off and enabled (desired/required) on
a share.
This also adds a new share "enc_desired" with "smb encrypt = desired"
which will be used by the test in the next commit.
Björn Jacke [Thu, 19 Jan 2017 20:51:41 +0000 (21:51 +0100)]
vfs_default: unlock the right file in copy chunk
Signed-off-by: Bjoern Jacke <bj@sernet.de> Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Sat Jan 21 17:00:54 CET 2017 on sn-devel-144
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 10 17:40:58 CET 2017 on sn-devel-144
s3:librpc/gse: make use of gss_krb5_import_cred() instead of gss_acquire_cred()
This avoids the usage of the ccselect_realm logic in MIT krb5,
which leads to unpredictable results.
The problem is the usage of gss_acquire_cred(), that just creates
a credential handle without ccache.
As result gss_init_sec_context() will trigger a code path
where it use "ccselect" plugins. And the ccselect_realm
module just chooses a random ccache from a global list
where the realm of the provides target principal matches
the realm of the ccache user principal.
In the winbindd case we're using MEMORY:cliconnect to setup
the smb connection to the DC. For ldap connections we use
MEMORY:winbind_ccache.
The typical case is that we do the smb connection first.
If we try to create a new ldap connection, while the
credentials in MEMORY:cliconnect are expired,
we'll do the required kinit into MEMORY:winbind_ccache,
but the ccselect_realm module will select MEMORY:cliconnect
and tries to get a service ticket for the ldap server
using the already expired TGT from MEMORY:cliconnect.
The solution will be to use gss_krb5_import_cred() and explicitly
pass the desired ccache, which avoids the ccselect logic.
We could also use gss_acquire_cred_from(), but that's only available
in modern MIT krb5 versions, while gss_krb5_import_cred() is available
in heimdal and all supported MIT versions (>=1.9).
As far as I can see both call the same internal function in MIT
(at least for the ccache case).
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 7c3ea9fe96336483752adb821f8062a883d52998)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b61a93755ca59a58775c1c8c21baee49fef42fbf)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 6f029d58703f657e46fee35fc663128157db4d9f)
smbd/ioctl: match WS2016 ReFS set compression behaviour
ReFS doesn't support compression, but responds to set-compression FSCTLs
with NT_STATUS_OK if (and only if) the requested compression format is
COMPRESSION_FORMAT_NONE.
Reported-by: Nick Barrett <nick@barrett.org.nz> Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jan 9 23:14:28 CET 2017 on sn-devel-144
This test case was overlooked in the previous bso#12144 update -
set compression requests with format=COMPRESSION_FORMAT_NONE should
succeed if the server / backing storage doesn't offer compression
support.
Confirm that Samba matches Windows Server 2016 ReFS behaviour here.
Reported-by: Nick Barrett <nick@barrett.org.nz> Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6fde123176409e261d955e24b3d28e5124f33bed)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Mon Jan 9 14:18:47 CET 2017 on sn-devel-144
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 4ef772be3a7259b48253643392574fab28c37916)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit f464f69b33b40c81d6ee57bebf9d59837431739b)
projects / thirdparty / samba.git / log
