Gary Lockyer [Wed, 18 Nov 2020 01:49:28 +0000 (14:49 +1300)]
tests python krb5: Extra canonicalization tests
Add tests that set the server name to the client name for the machine
account in the kerberos AS_REQ. This replicates the TEST_AS_REQ_SELF
test phase in source4/torture/krb5/kdc-canon-heimdal.c.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 30 05:21:42 UTC 2020 on sn-devel-184
Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Nov 27 17:15:07 UTC 2020 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 27 13:48:20 UTC 2020 on sn-devel-184
Ralph Boehme [Fri, 20 Nov 2020 14:27:17 +0000 (15:27 +0100)]
s4: rename source4/smbd/ to source4/samba/
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Nov 27 10:07:18 UTC 2020 on sn-devel-184
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Thu Nov 26 21:15:40 UTC 2020 on sn-devel-184
This makes sure we do not dereference a NULL pointer.
Found by covscan.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov 26 11:07:09 UTC 2020 on sn-devel-184
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Nov 26 08:16:04 UTC 2020 on sn-devel-184
This fix makes sure the password is removed from the proctitle
of samba-tool so it cannot be exposed by e.g. ps(1).
- Moved code to python/samba/getopt.py as suggested by David Mulder
- Except ModuleNotFoundError when trying to load setproctitle module
- Improved code to keep option separator (space or equal sign) while
removing password from proctitle.
Signed-off-by: Heiko Baumann <heibau@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: David Mulder <dmulder@suse.com>
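The separator-preserving scrub described in the commit message above, as an added Python sketch (not Samba's code from python/samba/getopt.py). The names `scrub_argv` and `hide_secrets_in_proctitle`, the `--password` option name and the `xxx` mask are assumptions made for illustration.

```python
import sys

# Options whose value must never appear in the process title.
# "--password" is an assumption for this sketch; extend as needed.
SECRET_OPTS = ("--password",)
MASK = "xxx"


def scrub_argv(argv, secret_opts=SECRET_OPTS, mask=MASK):
    """Return a copy of argv with the values of secret options masked.

    Both spellings are handled and the separator the caller used is kept:
      --password=VALUE  ->  --password=xxx   (equal sign, one token)
      --password VALUE  ->  --password xxx   (space, two tokens)
    """
    out, it = [], iter(argv)
    for arg in it:
        if arg == "--":
            # End of options: everything after is positional, copy verbatim.
            out.append(arg)
            out.extend(it)
            break
        name, sep, _value = arg.partition("=")
        if name not in secret_opts:
            out.append(arg)
        elif sep:
            out.append(name + "=" + mask)
        else:
            out.append(arg)
            # Mask the following token, if the option has one at all.
            if next(it, None) is not None:
                out.append(mask)
    return out


def hide_secrets_in_proctitle(argv=None):
    """Rewrite the process title from a scrubbed argv.

    Returns (scrubbed_argv, changed). If the optional setproctitle module
    is not installed, the title is left untouched and changed is False.
    """
    clean = scrub_argv(sys.argv if argv is None else argv)
    try:
        from setproctitle import setproctitle
    except ModuleNotFoundError:
        return clean, False
    setproctitle(" ".join(clean))
    return clean, True
```

The original command line stays visible to ps(1) from process start until the title is rewritten, so the scrub should run as early as possible. Reading the password from a prompt or a file avoids that window.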
Andrew Bartlett [Mon, 23 Nov 2020 06:35:37 +0000 (19:35 +1300)]
Do not create an empty DB when accessing a sam.ldb
Samba already does this for samba-tool and doing this should make
our errors more sensible, particularly in BIND9 if not provisioned
with the correct --dns-backend=DLZ_BIND9
The old error was like:
named[62954]: samba_dlz: Unable to get basedn for
/var/lib/samba/private/dns/sam.ldb
- NULL Base DN invalid for a base search.
The new error will be like (in this case from the torture test):
Failed to connect to Failed to connect to
ldb:///home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb:
Unable to open tdb '/home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb':
No such file or directory: Operations error
This contains an important change:
"Fix gccdeps.scan() returning nodes that no longer exist on disk."
https://gitlab.com/ita1024/waf/-/merge_requests/2293
Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The fix was in waf master, but not included in 2.0.20,
but it's now included in 2.0.21.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 17 Nov 2020 23:11:10 +0000 (12:11 +1300)]
samba-tool domain backup: Confirm the sidForRestore we will put into the backup is free
Otherwise the administrator might only find there is a problem once they
attempt to restore the domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14575 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
smbd: Fix failure to check dstdir for delete on close
We're preventing ourselves from holding two locks here,
not protecting from waiting for a lock someone else
holds.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Nov 22 01:22:36 UTC 2020 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Nov 21 00:11:02 UTC 2020 on sn-devel-184
Volker Lendecke [Thu, 19 Nov 2020 11:38:06 +0000 (12:38 +0100)]
smbd: Fix failure to check dstdir for delete on close
In smb2_setinfo.c the call to smbd_do_setfilepathinfo() to perform the
rename takes place while holding a share mode lock. The function
check_parent_access() called below tries to query the destination
directory's locking.tdb entry to check whether the delete on close
flag is set on the destination directory. This fails because the
file to be renamed already has the share mode entry locked, we can't
lock two share mode entries simultaneously.
Convert the check to use fetch_share_mode_unlocked(). This might
introduce races, but this whole check is racy anyway. It does not
really matter whether we do the check for delete_on_close under a lock
or not, fetch_share_mode_unlocked() retrieves a consistent status of
the locking.tdb entry at some point in time as well.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Nov 20 00:20:06 UTC 2020 on sn-devel-184
Ralph Boehme [Tue, 17 Nov 2020 10:02:31 +0000 (11:02 +0100)]
smbd: avoid a smb_fname copy in call_trans2setfilepathinfo()
There's no point in doing a copy here, we can just point smb_fname at
fsp->fsp_name.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 19 21:24:23 UTC 2020 on sn-devel-184
Ralph Boehme [Mon, 16 Nov 2020 09:44:48 +0000 (10:44 +0100)]
torture: avoid OPLOCK-CANCEL flapping on busy gitlab CI
I saw this test fail a few times on gitlab CI with
NT_STATUS_SHARING_VIOLATION:
Running OPLOCK-CANCEL
cli_unlink failed: NT_STATUS_SHARING_VIOLATION
TEST OPLOCK-CANCEL FAILED!
The only possible explanation I could come up with for
this flapping test is that the fnum1 filehandle in cli1 is still not closed when
cli2 tries to open the file for deletion 5 seconds after cli1 is thrown away. As
fnum1 doesn't have FILE_SHARE_DELETE the open-for-delete fails with a
SHARING_VIOLATION.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 18 Nov 2020 14:00:07 +0000 (15:00 +0100)]
pylibsmb: Multi-threaded use is now possible with SMB2
No non-async callees are used anymore
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 19 04:12:11 UTC 2020 on sn-devel-184
Volker Lendecke [Mon, 26 Oct 2020 08:21:17 +0000 (09:21 +0100)]
libsmb: Convert cli_list_recv() to single-recv
This converts the higher-level cli_list_recv() to the new
cli_smb2_list_recv() calling convention to just issue one entry per
recv() call in preparation of using the async cli_smb2_list_send() in
cli_list_send().
For SMB1 this will be a performance degradation, as we have to make
copies out of the arrays that cli_trans_recv() returns, but soon this
will become a performance improvement for the SMB2 directory
listing. And as hopefully most deployments these days are SMB2, I
think we can live with the SMB1 client directory listing
degradation. We can also convert the lower-level SMB1 directory
listing routines in case someone actually sees problems from this
here.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 14 Nov 2020 17:31:22 +0000 (18:31 +0100)]
libsmb: Make cli_smb2_list() asynchronous
Return directory entries as soon as possible via
cli_smb2_list_recv(). This returns just one entry per call to
cli_smb2_list_recv() right out of the buffer without assembling
potentially thousands of entries in a big array. You must call
cli_smb2_recv() until an error (except NT_STATUS_RETRY) happens. This
reduces our latency for smbclient's "dir" command significantly for
large directories. In the future I hope I can do the same thing also for
SMBC_readdir_ctx() to improve all users of our published libsmbclient.
Initial attempts of this routine issued fresh smb2_query_directory
requests asynchronously while the receivers of the entries did their
processing, for example showing them in smbclient's "dir"
command. However, this breaks because for example the "showacls"
smbclient option needs to do synchronous smb requests to do their job,
which we can't do while async requests are pending. Thus I came up
with a semi-synchronous approach to issue additional
smb2_query_directory requests from within cli_smb2_list_recv() and
return NT_STATUS_RETRY. This means that we will call back our caller
via the tevent_req_notify function when a fresh entry is available.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Rowland Penny [Wed, 18 Nov 2020 12:09:16 +0000 (12:09 +0000)]
uptodateness.py: remove what appears to be debugging lines
They do nothing except confuse users.
Signed-off-by: Rowland Penny <rpenny@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Nov 19 00:36:58 UTC 2020 on sn-devel-184
Samuel Cabrero [Tue, 17 Nov 2020 12:32:19 +0000 (13:32 +0100)]
bootstrap: Add OpenSUSE 15.2
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Tue Nov 17 18:50:05 UTC 2020 on sn-devel-184
SATOH Fumiyasu [Tue, 10 Nov 2020 08:15:42 +0000 (17:15 +0900)]
autobuild: Encode text/plain into base64 to wrap long-lines
MIMEText(text, 'plain', 'utf-8') encodes the text into
base64 and adds 'Content-Transfer-Encoding: base64' header.
Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 16 22:43:35 UTC 2020 on sn-devel-184
Volker Lendecke [Fri, 13 Nov 2020 15:32:16 +0000 (16:32 +0100)]
libsmb: Remove unused sync cli_smb2_rename()
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 16 21:18:16 UTC 2020 on sn-devel-184
Volker Lendecke [Fri, 6 Nov 2020 21:08:00 +0000 (22:08 +0100)]
pylibsmb: Move deltree to python code
This is much shorter. There's also another aspect: I'm working on
improving cli_list() to not collect all files before starting to call
the callback function. This means that the cli_list cb will be called
from within tevent_loop_once(). In pylibsmb.c's deltree code this
would create a nested event loop. By moving the deltree code into the
python world this nested event loop is avoided. Now the python code
will first collect everything and then start to delete, avoiding the
nesting. A future development should make listing directories a
generator or something like that.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 10 Nov 2020 21:52:01 +0000 (13:52 -0800)]
lib: Fix file_lines_parse() to do what people expect. Much safer to use.
Take an incoming const char * pointer and return an allocated
array that must be freed. Don't expose the internal optimization
of file_lines_parse_internal() breaking the passed in string
into lines.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Jeremy Allison [Tue, 10 Nov 2020 21:43:24 +0000 (13:43 -0800)]
lib: create a wrapper for file_lines_parse().
Make the internal function file_lines_parse_internal().
Currently file_lines_parse() just wraps file_lines_parse_internal(),
but this allows me to change file_lines_parse() to take
a const char * to make it safe for callers (no talloc tricks).
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Gary Lockyer [Tue, 10 Nov 2020 03:57:11 +0000 (16:57 +1300)]
tests python krb5: add arcfour salt tests
MIT kerberos returns a salt when ARCFOUR_HMAC_MD5 encryption is selected,
Heimdal does not.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 12 22:54:22 UTC 2020 on sn-devel-184
Gary Lockyer [Thu, 5 Nov 2020 20:07:04 +0000 (09:07 +1300)]
tests python krb5: Convert kdc-heimdal to python
Implement the tests in source4/torture/krb5/kdc-heimdal.c in python.
The following tests were not re-implemented as they are client side
tests for the "Orpheus Lyre" attack:
TORTURE_KRB5_TEST_CHANGE_SERVER_OUT
TORTURE_KRB5_TEST_CHANGE_SERVER_IN
TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 10 Nov 2020 00:51:39 +0000 (13:51 +1300)]
tests python krb5: raw_testcase permit RC4 salts
MIT kerberos returns a salt when ARCFOUR_HMAC_MD5, this commit removes
the check that a salt is not returned. A test for the difference
between MIT and Heimdal will be added in the subsequent commits.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Nov 12 17:23:19 UTC 2020 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Nov 12 15:13:47 UTC 2020 on sn-devel-184
auth_sam: use pdb_get_domain_info to look up DNS forest information
When Samba is used as a part of FreeIPA domain controller, Windows
clients for a trusted AD forest may try to authenticate (perform logon
operation) as a REALM\name user account.
Fix auth_sam plugins to accept DNS forest name if we are running on a DC
with PASSDB module providing domain information (e.g. pdb_get_domain_info()
returning non-NULL structure). Right now, only FreeIPA or Samba AD DC
PASSDB backends return this information but Samba AD DC configuration is
explicitly ignored by the two auth_sam (strict and netlogon3) modules.
selftest/subunithelper: also output as much of unterminated DETAILS
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Nov 11 22:43:46 UTC 2020 on sn-devel-184
Jeremy Allison [Tue, 10 Nov 2020 18:18:18 +0000 (10:18 -0800)]
s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function.
file_lines_parse() plays horrible tricks with
the passed-in talloc pointers and the hierarchy
which makes freeing hard to get right.
As we know mem_ctx is freed by the caller, after
calling file_lines_parse don't free on exit and let the caller
handle it. This violates good Samba coding practice
but we know we're not leaking here.
lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
In FreeIPA deployment with active Global Catalog service, when a two-way
trust to Active Directory forest is established, Windows systems can
look up FreeIPA users and groups. When using a security tab in Windows
Explorer on AD side, a lookup over a trusted forest might come as
realm\name instead of NetBIOS domain name:
If we are running as a DC and PASSDB supports returning domain info
(pdb_get_domain_info() returns a valid structure), check domain of the
name in lookup_name() against DNS forest name and allow the request to
be done against the primary domain. This corresponds to FreeIPA's use of
Samba as a DC. For normal domain members a realm-based lookup falls back
to a lookup over to its own domain controller with the help of winbindd.
Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184
Andrew Bartlett [Tue, 10 Nov 2020 00:50:37 +0000 (13:50 +1300)]
selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals
This is documented in MS-KILE.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Wed Nov 11 02:38:46 UTC 2020 on sn-devel-184