Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 3 13:52:55 UTC 2019 on sn-devel-184
Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3700998419738caa1ca8672fbf5dbaccaaa498fa)
Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 60afe949c3e664f81c9b0db9c54f701aa2874a5e)
Michael Adam [Wed, 31 Jul 2019 22:47:29 +0000 (00:47 +0200)]
vfs:glusterfs_fuse: build only if we have setmntent()
FreeBSD and other platforms that don't have setmntent() and friends can
not compile this module. This patch lets changes the build to only
compile this module if the setmntent() function is found.
This is the a follow-up fix to the actual fix for bug #13972.
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Thu Aug 1 09:49:04 UTC 2019 on sn-devel-184
Michael Adam [Sat, 18 May 2019 09:28:54 +0000 (11:28 +0200)]
vfs:glusterfs_fuse: ensure fileids are constant across nodes
Instead of adding a new gluster-specific mode to the fileid module,
this patches provides a fileid algorithm as part of the glusterfs_fuse
vfs module. This can not be configured further, simply adding the
glusterfs_fuse vfs module to the vfs objects configuration will enable
the new fileid mode.
Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Sat Jul 13 22:54:56 UTC 2019 on sn-devel-184
smbtorture: extend rpc.lsa to lookup machine over forest-wide LookupNames
Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3
using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass
zero lookup flags to lookup_name().
Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184
lookup_name: allow own domain lookup when flags == 0
In 2007, we've added support for multiple lookup levels for LSA
LookupNames family of calls. However, forest-wide lookups, as described
in MS-LSAT 2.2.16, never worked because flags passed to lookup_name()
were always set to zero, expecting at least default lookup on a DC to
apply. lookup_name() was instead treating zero flags as 'skip all
checks'.
Allow at least own domain lookup in case domain name is the same.
This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
trusted AD DC side.
For the reference, below is a request Windows Server 2016 domain
controller sends to FreeIPA domain controller when attempting to look up
a user from a trusted forest root domain that attemps to login to the
domain controller. Notice the level in the lsa_LookupNames3 call and
resulting flags in lookup_name().
Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 685bb03de6ab733590831d1df4f5fd60d2ac427d)
torture/rpc/lsa: allow testing different lookup levels
Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing
different LSA_LOOKUP_NAMES_* levels. Keep existing level 1
(LSA_LOOKUP_NAMES_ALL) for the current set of tests.
Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 317bc6a7342edfa2c503f5932142bf5883485cc9)
CTDB should start as a disabled unit (systemd) in most of the
distributions and, when trying to enable it for the first time, user
should get an unconfigured, or similar, error.
Depending on /etc/ctdb/nodes file will give a clear direction to final
user on what is needed in order to get cluster up and running. It should
work like previous ENABLED=NO variables in SySV like initialization
scripts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14017
RN: ctdb.service should only start if /etc/ctdb/nodes is not empty Signed-off-by: Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit c5803507df7def388edcd5b6cbfee30cd217b536)
Björn Baumbach [Tue, 28 May 2019 12:52:36 +0000 (14:52 +0200)]
samba-tool: add 'import samba.drs_utils' to fsmo.py
On some systems we're seeing this:
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 533, in run
transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 136, in transfer_dns_role
except samba.drs_utils.drsException as e:
E.g. it happens on debian stretch (9.9) with python 2.7.13 (on 4.10.4)
While it doesn't happen on ubuntu 18.04 with python 2.7.15rc1 or
with python 3.6.7.
There were also some reports on the mailing lists, see:
https://lists.samba.org/archive/samba-technical/2019-May/133624.html
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bbaumbach@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 30 08:27:24 UTC 2019 on sn-devel-184
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit 6a2e3a15585086bcceb18283216978a2fcb30da3)
Signed-off-by: Björn Baumbach <bbaumbach@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0fbb013bef886e425602fdbbef14a4029719818f)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4793f8ed584a4e6d8a26b06b691ec636e77d8f2a)
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bbaumbach@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5e000a8487d788dd196980b77ec7299c8be74abf)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 21 11:02:21 UTC 2019 on sn-devel-184
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 6fc7cc15048673d109042d7b40684ed63eb4ff9e)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 6d958af0b4cb6fd45cfda0298243859b3b043c6f)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 9a0c3a475f29138c0c49e0d22cf52ab45178d16b)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 28 08:32:10 UTC 2019 on sn-devel-184
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit d98a971247450d494c581c5454e6c270ad1b6880)
Tim Beale [Mon, 1 Jul 2019 05:06:31 +0000 (17:06 +1200)]
s4/libnet: Fix joining a Windows pre-2008R2 DC
From v4.8 onwards, Samba may not be able join a DC older than 2008R2
because the Windows DC doesn't support GET_TGT.
If the dsdb repl_md code can't resolve a link target it returns an
error, and the calling code (e.g. drs_util.py) should retry with
GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later,
so if you try to join an earlier Windows DC, the join will throw an
error that you can't work-around.
We can avoid this problem by setting the same DSDB flag that GET_TGT
sets to indicate that the link targets are as up-to-date as possible,
and so there's no point retrying. Missing targets are still logged, so
this at least allows the admin to fix up any problems after the join
completed.
I've only done this for the join case (problems during periodic
replication are probably still worth escalating to an error).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021
RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD
DC may not have worked. When this problem occurred, the following
message would be displayed:
'Failed to commit objects: DOS code 0x000021bf'
This particular issue has now been resolved. Note that there may still
be other potential problems that occur when joining an older Windows DC.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b3a2508f2ad79e2f1007464da7dbe918933038a0)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Mon Jul 8 16:24:32 UTC 2019 on sn-devel-144
Michael Adam [Thu, 20 Jun 2019 13:14:57 +0000 (15:14 +0200)]
vfs:glusterfs_fuse: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs_fuse vfs module to treat ENOATTR as
ENOENT to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jun 28 12:52:03 UTC 2019 on sn-devel-184
Michael Adam [Thu, 20 Jun 2019 13:14:57 +0000 (15:14 +0200)]
vfs:glusterfs: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs vfs module to treat ENOATTR as ENOENT
to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 8899eb21d48b7077328ae560490f9fb9715a6b83)
Tim Beale [Mon, 24 Jun 2019 22:10:17 +0000 (10:10 +1200)]
dsdb: Handle DB corner-case where PSO container doesn't exist
A 2003 AD DB with functional level set to >= 2008 was non-functional
due to the PSO checks.
We already check the functional level is >= 2008 before checking for the
PSO container. However, users could change their functional level
without ensuring their DB conforms to the corresponding base schema.
The objectclass DSDB module should prevent the PSO container from ever
being deleted. So the only way we should be able to hit this case is
through upgrading the functional level (but not the underlying schema
objects). If so, log a low-priority message and continue without errors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008
RN: Previously, AD operations such as user authentication could fail
completely with the message 'Error 32 determining PSOs in system' logged
on the samba server. This problem would only affect a domain that was
created using a pre-2008 AD base schema and then had its functional
level manually raised to 2008 or greater. This issue has now been
resolved.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 295bf73e9b24b1f2b4594320a6501dc7410d4b43)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0b6e37c9e801435e094194dd60d9213b4868c3de)
s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit fa5215ce5b93fb032df341e718d7011e619f0916)
s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ead9b93ce5c2c67bbdb778232805d6d9e70112fc)
* LDAP_REFERRAL_SCHEME_OPAQUE was added
to ldb_module.h in order to fix bug #12478.
It means that Samba >= 4.9.11 is no longer able to
build with ldb 1.4.6.
Björn Baumbach [Wed, 12 Jun 2019 19:16:25 +0000 (21:16 +0200)]
python/ntacls: use correct "state directory" smb.conf option instead of "state dir"
samba-tool ntacl get testfile --xattr-backend=tdb --use-ntvfs Fixes: Unknown parameter encountered: "state dir" Signed-off-by: Björn Baumbach <bb@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 670a12df52df63a067b638d37bec71341bf18bdd)
docs: Document DCEPRC binding string for rpcclient
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 4 02:03:56 CET 2019 on sn-devel-144
Looks like the dirty redefine trick doesn't work anymore with newer flex
versions. According to the flex manual the right thing to do is to provide own
functions for yyalloc and yyrealloc when passing the options "noyyalloc
noyyrealloc".
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue May 28 11:49:06 UTC 2019 on sn-devel-184
net.ipv4.tcp_tw_recycle has been removed from Linux 4.12 but, still,
makes sense to check its existence. Unfortunately, current check does
not test for the procfs file existence. This commit fixes the issue.
Signed-off-by: Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 4 23:31:24 UTC 2019 on sn-devel-184
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit dbf3e81f7f0b28c69dca004b32ea3a7344b0cad3)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 30 22:12:50 UTC 2019 on sn-devel-184
Ralph Boehme [Thu, 23 May 2019 14:42:52 +0000 (16:42 +0200)]
vfs_fruit: convert ad_open_rsrc() to open a proper fsp with SMB_VFS_CREATE_FILE()
A first step in converting all raw syscalls to use proper VFS functions. All
existing users of the raw system filedescriptor continue to use the fd from
fsp->fh for now.
Ralph Boehme [Wed, 22 May 2019 19:15:22 +0000 (21:15 +0200)]
vfs_fruit: remove xattr code from the AppleDouble subsystem
The subsystem consumers have been reworked in the previous commits, so this is
not used anymore. ad_init() doesn't need a handle argument anymore due to this,
remove it as well.
Ralph Boehme [Fri, 17 May 2019 12:31:15 +0000 (14:31 +0200)]
vfs_fruit: remove now unused AppleDouble code for resource fork in xattr
This was only needed to get the resourcefork size via the ad_* AppleDouble
function. This is now done with a fstat on the low level xattr fd (remember,
this is Solaris only code...), so we can remove the xattr special casing from
the AppleDouble functions.
Ralph Boehme [Wed, 22 May 2019 15:02:20 +0000 (17:02 +0200)]
vfs_fruit: use correct case FRUIT_RSRC_STREAM in readdir_attr_rfork_size()
This is a genuine bug, but luckily this would only impact configs which nobody
uses:
fruit:metadata = netatalk
fruit:resource = stream
With the above configuration the switch in readdir_attr_rfork_size() would hit
the default case and so always report resource forks as 0 bytes in size.
All deployment that I've seen that use fruit:resource=stream also use
fruit:metadata=stream, so the switch takes FRUIT_META_STREAM case which runs the
correct code readdir_attr_rfork_size_stream().
Ralph Boehme [Tue, 21 May 2019 09:42:47 +0000 (11:42 +0200)]
vfs_fruit: ignore AppleDouble files in fruit_unlink()
Otherwise, if SMB_VFS_UNLINK() is called for an AppleDouble path "._file", we
try to delete "._._file" which doesn't make sense. AppleDouble files don't have
AppleDouble themselves.
Ralph Boehme [Mon, 13 May 2019 18:16:47 +0000 (20:16 +0200)]
s3:auth: explicitly add BUILTIN\Guests to the guest token
This changes ensures that smbd always adds BUILTIN\Guests to the guest token
which is required for guest authentication.
Currently the guest token depends on the on-disk configured group mappings. If
there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not
a member, the final guest token won't contain BUILTIN\Guests.
For SMB2 the flag SMB2_SESSION_FLAG_IS_GUEST will not be set in the final SMB2
SESSION_SETUP response, because smbd sets it based on the token containing the
BUILTIN\Guests SID S-1-5-32-546.
At the same time, the packet is not signed which causes Windows clients and
smbclient to reject the unsigned SMB2 SESSION_SETUP response.
Pair-programmed-with: Stefan Metzmacher <metze@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 5 16:55:26 UTC 2019 on sn-devel-184
Ralph Boehme [Thu, 16 May 2019 10:47:34 +0000 (12:47 +0200)]
tests: add a test for guest authentication
This verifies that smbd always adds BUILTIN\Guests to the guest token which is
required for guest authentication.
Currently the guest token depends on the on-disk configured group mappings. If
there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not
a member, the final guest token won't contain BUILTIN\Guests.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0e88f98855e24cfddb55bef65c5910b8e662c630)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(backported from commit ac2167eb2349dc1c453e14a65692f16c8ba6532e)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f4e340a48b6f059a1daa66deb9c26da9e8fcd5e7)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8096cc7eb2b36b074ff17a52dc3540be4ecff6bb)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 706aba5bf62e674ae12786f6ab275752b8714464)
Gary Lockyer [Tue, 21 May 2019 01:17:22 +0000 (13:17 +1200)]
ldap server: generate correct referral schemes
Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals recieved via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 24 05:12:14 UTC 2019 on sn-devel-184
Gary Lockyer [Tue, 21 May 2019 01:14:08 +0000 (13:14 +1200)]
ldap tests: test scheme for referrals
Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals recieved via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6ccf74cf878c295903673e3a1d1ed924a5e87547)
Gary Lockyer [Tue, 14 May 2019 01:10:22 +0000 (13:10 +1200)]
s4 dsdb: fix use after free in samldb_rename_search_base_callback
Fix use after free detected by AddressSanitizer
AddressSanitizer: heap-use-after-free on address 0x60f0002b2738
at pc 0x7f89b1a213b5 bp 0x7ffce9528810 sp 0x7ffce9528800
READ of size 8 at 0x60f0002b2738 thread T0
#0 0x7f89b1a213b4 in samldb_rename_search_base_callback
../../source4/dsdb/samdb/ldb_modules/samldb.c:4203
#1 0x7f89d3a0db4a in ldb_module_send_entry
../../lib/ldb/common/ldb_modules.c:793
#2 0x7f89b6f27356 in es_callback
../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b0cc6d217485c317b2138347216fac5d74684328)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 661dc4574110b0f13c127c8aa6ed0c385292b77c)
Ralph Boehme [Tue, 21 May 2019 14:00:53 +0000 (16:00 +0200)]
vfs_fruit: change trigger points of AppleDouble conversion
This moves the trigger points where AppleDouble file conversion is run by
ad_convert() from deep down the callchain in ad_read_rsrc_adouble() to high
level VFS entry points.
Currently ad_convert() will be triggered as part of open_file_ntcreate(...,
"file:AFP_AfpResource", ...): after SMB_VFS_OPEN() has been called with O_CREAT,
what created the file, we call SMB_VFS_FSTAT() on the just created
filehandle. This ends up in ad_convert(), finds the resource fork empty and thus
deletes the file.
This commit moves calling of the conversion funtion to the high level VFS entry
points where the converted metadata is needed:
o for directory enumerations SMB_VFS_READDIR_ATTR() is called to fill in the
repurposed fields in the directory entry metadata
o obviously for SMB_VFS_CREATE_FILE() on an macOS stream
Ralph Boehme [Tue, 21 May 2019 12:05:04 +0000 (14:05 +0200)]
selftest: run vfs.fruit test against a share that deletes empty resource forks
This reveals a bug in the AppleDouble conversion code: the conversion code that
unlinks an empty resource fork AppleDouble sidecar file ("._file") gets
triggered as part of open_file_ntcreate(..., "file:AFP_AfpResource", ...):
after SMB_VFS_OPEN() has been called with O_CREAT, what created the file, we
call SMB_VFS_FSTAT() on the just created filehandle. This ends up in
ad_convert(), finds the resource fork empty and thus deletes the file.
Ralph Boehme [Tue, 21 May 2019 16:39:52 +0000 (18:39 +0200)]
s4:torture/vfs/fruit: ensure test_adouble_conversion_wo_xattr() uses a non-emtpy resourcefork
This ensures the resource fork is not deleted as part of the AppleDouble file
conversion for the option fruit:wipe_intentionally_left_blank_rfork=yes.
This is currently not a problem in selftest, as we don't enable the option, but
a subsequent commit will run all vfs.fruit tests against a share with this
option enabled.
Ralph Boehme [Tue, 21 May 2019 16:39:52 +0000 (18:39 +0200)]
s4:torture/vfs/fruit: ensure test_adouble_conversion() uses a non-emtpy resourcefork
This ensures the resource fork is not deleted as part of the AppleDouble file
conversion for the option fruit:wipe_intentionally_left_blank_rfork=yes.
This is currently not a problem in selftest, as we don't enable the option, but
a subsequent commit will run all vfs.fruit tests against a share with this
option enabled.
projects / thirdparty / samba.git / log
