Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Mar 17 20:48:55 UTC 2025 on atb-devel-224
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Björn Jacke <bjacke@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Mar 12 01:32:30 UTC 2025 on atb-devel-224
Xavi Hernandez [Tue, 4 Mar 2025 11:48:41 +0000 (12:48 +0100)]
vfs_ceph_new: detect case sensitivity in CephFS
CephFS has recently added support for case insensitive access to the
file system. This modification detects whether the shared volume is case
sensitive or not and reports the FILE_CASE_SENSITIVE_SEARCH capability
accordingly.
Anoop C S [Tue, 17 Sep 2024 18:28:50 +0000 (23:58 +0530)]
vfs_glusterfs: Retrieve fs capabilities using vfs_get_fs_capabilities
vfs_glusterfs is supposed to be the last entry when listed with
other vfs modules. This is due to the fact that the connection path
is not local to the server but relative to the virtual remote file
system beneath it. Especially SMB_VFS_FS_CAPABILITIES implementation
from vfs_default is likely to return incorrect results based on the
connection path assumed to be local to the server which might not be
the case with glusterfs module stacked. Therefore it doesn't make sense
to pass through any vfs interface implementations further down the line
to vfs_default.
Instead make use of get_fs_capabilties to start with already known fs
capabilties from connect phase.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Oct 7 13:36:11 UTC 2024 on atb-devel-224
Anoop C S [Thu, 3 Oct 2024 06:59:58 +0000 (12:29 +0530)]
vfs_ceph_new: Populate fs capabilities within vfs_ceph_statvfs
SMB_VFS_STATVFS implementation for vfs_ceph_new failed to fill in the
FsCapabilities field for vfs_statvfs_struct. Insert the minimum
required values for defining the capabilties of a ceph file system.
Anoop C S [Tue, 17 Sep 2024 18:20:25 +0000 (23:50 +0530)]
vfs_ceph: Retrieve fs capabilties using vfs_get_fs_capabilities
vfs_ceph is supposed to be the last entry when listed with other vfs
modules. This is due to the fact that the connection path is not local
to the server but relative to the virtual remote file system beneath
it. Especially SMB_VFS_FS_CAPABILITIES implementation from vfs_default
is likely to return incorrect results based on the connection path
assumed to be local to the server which might not be the case with
ceph module stacked. Therefore it doesn't make sense to pass through
any vfs interface implementations further down the line to vfs_default.
Instead make use of get_fs_capabilties to start with already known fs
capabilties from connect phase.
Anoop C S [Mon, 23 Sep 2024 09:25:59 +0000 (14:55 +0530)]
vfs_ceph: Populate fs capabilities within cephwrap_statvfs
SMB_VFS_STATVFS implementation for vfs_ceph failed to fill in the
FsCapabilities field for vfs_statvfs_struct. Insert the minimum
required values for defining the capabilties of a ceph file system.
Anoop C S [Tue, 24 Sep 2024 05:36:58 +0000 (11:06 +0530)]
s3/smbd: Add a helper to fetch fs capabilities
We create a new helper function to retrieve the fs capabilties via
STATVFS call. Additionally set other capabilities based on specific
parametric options. This is 99.9% taken from SMB_VFS_FS_CAPABILITIES
implementation of vfs_default in preparation to be called from any
required vfs module.
Ralph Boehme [Thu, 6 Jun 2024 13:38:16 +0000 (15:38 +0200)]
smbd: consolidate fs capabilities code in vfswrap_fs_capabilities()
This ensures the values we return via SMB_FS_ATTRIBUTE_INFORMATION is the same
we use internally via conn->fs_capabilities.
This deliberately preserves existing behaviour as much as possible and leaves
possible improvements as a future excercize. Particularily FILE_VOLUME_QUOTAS is
already set insided SMB_VFS_STATVFS() depending on backend filesystem flags
which is probably the correct way to do it instead of just setting the
capability when Samba was built with quota support.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit deeca8ff176e7e9082cc0fcf48d7f981de2523c5)
Anoop C S [Tue, 25 Feb 2025 12:10:13 +0000 (17:40 +0530)]
vfs_ceph_new: Do not resolve by inode number
CephFS snapshots within snap directory shares the same inode number from
its parent. Until unless we resolve by name we may incorrectly point at
an inode which is not a snapshot directory. Therefore to be functionally
correct we avoid resolving by inode number but proper name.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Mar 7 18:20:47 UTC 2025 on atb-devel-224
Anoop C S [Mon, 24 Feb 2025 08:30:56 +0000 (14:00 +0530)]
vfs_ceph_new: Handle absolute path in vfs_ceph_ll_walk
It can very well be the case that the incoming path is absolute in
nature which breaks the assumption inside vfs_ceph_ll_walk that it
is within the current working directory. Instead perform a check to
see whether the path includes current working directory path in its
components and accordingly trim it to make it relative in nature.
Shachar Sharon [Tue, 1 Oct 2024 09:09:40 +0000 (12:09 +0300)]
vfs_ceph_new: use libcephfs nonblocking API for async-io ops
Use libcephfs non-blocking API (ceph_ll_nonblocking_readv_writev[1]) in
combination with smb VFS async hooks ({pread,pwrite,fsync}_send/_recv).
Fills libcephfs' struct ceph_ll_io_info with single iovec and
submit/complete the operation asynchronously on libcephfs side, with
corresponding tevent schedule-immediate upon completion on smbd side.
Control nonblocking/normal I/O mode via config parameter. The common
parts of async I/O (with/without HAVE_CEPH_ASYNCIO) are united.
Specifically, use same struct vfs_ceph_aio_state and common code via
helper function for all async I/O hooks. When HAVE_CEPH_ASYNCIO
is True _and_ config option 'asyncio = yes' use libcephfs asynchronous
I/O API. Otherwise, fake async operation using normal blocking APIs.
Anoop C S [Mon, 28 Oct 2024 05:43:10 +0000 (11:13 +0530)]
vfs_ceph_new: Remove unused symbol for ceph_readdir
ce459ddbcd0f32252858a7640f6871057eb14645 recently switched the readdir
implementation to use ceph_readdir_r(). Thus ceph_readdir() is
unnecessarily loaded which is no longer used.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sun Nov 3 11:07:23 UTC 2024 on atb-devel-224
Anoop C S [Mon, 5 Aug 2024 13:21:49 +0000 (18:51 +0530)]
source3/wscript: Introduce auto mode to build ceph vfs modules
Use 'auto' mode as the default for building ceph vfs modules so that an
explicit --enable-cephfs can reliably fail in the absence of required
dependencies.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Aug 27 06:18:51 UTC 2024 on atb-devel-224
s3:utils: Remove call of ads_startup() from net_ads_keytab_create()
Calling ads_startup() is not needed in net_ads_keytab_create. Keytab
creation code in sync_pw2keytabs() decides if it needs to talk to DC or
not and connects to AD accordingly.
Fixing this, makes the bug below easier to reproduce using
'net ads keytab create'.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Mar 10 11:09:29 UTC 2025 on atb-devel-224
s3:libads: Make sure that REALM is always added to keytab principals
The code responsible for adding SPNs to keytab should always set the
REALM part. Current code is not adding it for e.g. SPNs synced from AD.
If REALM is missing, krb5_parse_name() will succeed (and add the REALM)
only if the krb5.conf contains libdefaults section with
default_realm set and will fail otherwise. E.g.:
Pair-Programmed-With: Noel Power <noel.power@suse.com>
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Sun Mar 9 00:25:08 UTC 2025 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit cf34645050df64d6b8c4fa45394c3feebe691e79)
Anoop C S [Thu, 6 Feb 2025 12:20:10 +0000 (17:50 +0530)]
vfs_shadow_copy2: Use VFS interface to derive mount point
shadow_copy2_find_mount_point() does direct stat() calls locally while
trying to automatically detect the mount point. This cannot be always
true as there are virtual file systems like CephFS, GlusterFS etc.
without their share path locally available on the system. Instead use
the VFS interface to make the stat calls hit the underlying file system
irrespective of their local presence in the system.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: John Mulligan <jmulligan@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Feb 7 06:23:12 UTC 2025 on atb-devel-224
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Mar 5 03:40:15 UTC 2025 on atb-devel-224
GNU getopt(3) is by default non-POSIX compliant and accepts options after
positional arguments (unless forced with POSIXLY_CORRECT). This is not portable,
e..g., on FreeBSD. Put options first and then positional arguments.
Signed-off-by: Andrea Venturoli <ml@netfence.it> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
(cherry picked from commit 7e083a6b3a12933b79ef19ccbd4c13bfa0203498)
Autobuild-User(v4-21-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-21-test): Tue Mar 4 13:36:01 UTC 2025 on atb-devel-224
Douglas Bagnall [Thu, 30 Jan 2025 21:31:32 +0000 (10:31 +1300)]
provision: always use a large transaction index cache
A larger cache costs more per transaction, but makes a large number
of operations within a transaction faster. We expect to be dealing
with the latter case here, regardless of the batch_mode parameter
and the database size. 200000 is chosen because it is also used in
join and schemaupgrade, and should be sufficient in most cases.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Feb 4 22:47:35 UTC 2025 on atb-devel-224
Ralph Boehme [Wed, 29 Jan 2025 14:11:16 +0000 (15:11 +0100)]
mdssvc: support a few more attributes
This adds support for the following Spotlight Metadata Attributes:
_kMDItemFileName (another alias for kMDItemFSName and kMDItemDisplayName)
kMDItemLastUsedDate
kMDItemContentCreationDate
kMDItemLogicalSize (another alias for kMDItemFSSize)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0ba1a8d77694182058d1c01b54a8759bdf0e28a6)
Autobuild-User(v4-21-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-21-test): Mon Feb 17 11:04:23 UTC 2025 on atb-devel-224
Ralph Boehme [Wed, 22 Jan 2025 11:34:31 +0000 (12:34 +0100)]
vfs_gpfs: add gpfs:clamp_invalid_times
The timestamp validation added as part of the fix for bug 15151 causes hard
failures for certain clients that seem to use a temporary timestamp initially
when creating files, changing in a later step.
Clamp invalid timestamps to the allowed range 0..UINT32_MAX if
"gpfs:clamp_invalid_times = yes" is set.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 455a0558c89312061f3b9ccaa577a4a60df7ee77)
[bugzilla link added in backport]
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Sat Feb 15 19:21:56 UTC 2025 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ccc3b2b2fba7b5d223c79bffc0f655490aed19cf)
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Feb 13 18:45:21 UTC 2025 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 15e191736d3eaba83b2fb4b901e1df2214526b64)
Shachar Sharon [Sun, 6 Oct 2024 10:26:48 +0000 (13:26 +0300)]
vfs_ceph_new: log open-flags upon release-fh
Store the set of open O_XXX flags as part of the referenced file-handle
to allow more verbose debug-logging info upon close. This should ease
the developer's logging analysis where same inode is opened multiple
times but with different flags set.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
(cherry picked from commit 341ff48a5a787ed358a28037b5ec751b7b530e20)
Have more verbose and explicit values in various DBG_DEBUG logging. In
particular, do not use the redundant '__func__' argument as it's info is
already provided via the DBG_ logging macros.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
(cherry picked from commit 73d5503a90e3bd5b1d1cfc6322d7de10955faf6c)
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
(cherry picked from commit 2153bedc8eb53e5d9f44ef677bd1781d934abd34)
Shachar Sharon [Sun, 20 Oct 2024 08:50:13 +0000 (11:50 +0300)]
vfs_ceph_new: improve mount cache-entry add
Use boolean return value from cephmount_cache_add, to align code-style
with other caphmount helper functions. Returns false in case of memory
allocation failure, true otherwise (success).
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
(cherry picked from commit 866b872cdb2b08a8b5e6a9015cde9b34c4bcdf01)
Use singed int32_t for cached mount-entries reference counting. Define
helper function for inc/dec ref-count which also provides proper
logging. Prefer boolean return-value for 'cephmount_cache_remove' as
'int' is often used as error indicator within the context of libcephfs
and this VFS module.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
(cherry picked from commit 29a9d18d2d21842bb38bcdc6b9e366abac458ed9)
vfs_ceph_new: avoid setting errno in cephmount_cache_update
Do not set 'errno' to ENOENT in cephmount_cache_update. Setting this
errno value upon newly inserted entry may cause vfs_ceph_connect to
change errno to non-zero value even though the final result is OK.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
(cherry picked from commit 1f7581c9edb32a2a63bf032f7e167be8a401c3d5)
vfs_ceph_new: refactor error-case in cephmount_mount_fs
Align code-style of 'cephmount_mount_fs' with rest of the code: use
'goto' for bail-out upon error case (with proper cleanups). For the
common case of successful operation complete execution and return final
value. Added extra debug-logging for good-path case.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
(cherry picked from commit d9b872afeee4dee49de2e6eb86e4b59e07804363)
Prefer a safe version of ceph_readdir, where the directory entry struct
is allocated by the caller. Use a dynamic-allocated 'struct dirent'
which is associated with a directory vfs_ceph_fh (optional), which is
allocated on-the-fly upon start of READDIR and released at the end or
CLOSEDIR (or unlikely readdir error).
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: John Mulligan <jmulligan@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Oct 25 10:29:44 UTC 2024 on atb-devel-224
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Sep 12 16:51:14 UTC 2024 on atb-devel-224
Anoop C S [Thu, 5 Sep 2024 09:46:54 +0000 (15:16 +0530)]
vfs_ceph_new: Pass module config to userperm helpers
userperm helpers will switch to function references instead of direct
invocation of APIs. This would mean the matching config structure is
passed to those helpers.
Anoop C S [Thu, 5 Sep 2024 08:31:37 +0000 (14:01 +0530)]
vfs_ceph_new: Hold a config reference in vfs_ceph_fh
This is required to perform the cleanup when fsp extension destructor is
called as part of VFS_REMOVE_FSP_EXTENSION where mount information and
function references are to be used in upcoming changes.
Anoop C S [Thu, 5 Sep 2024 09:20:48 +0000 (14:50 +0530)]
vfs_ceph_new: Call vfs_ceph_userperm_new with handle->conn
vfs_ceph_userperm_new() only need connection structure from handle
for fetching the current unix token. Therefore modify the signature
to accept just handle->conn.
Pair-Programmed-With: Anoop C S <anoopcs@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit e4fc1df4b4486f5eed095135f905bdbf10bb1793)
Pair-Programmed-With: Anoop C S <anoopcs@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 0d2ad13d8e5191f4b01584afa0bcdbf1114042b8)
vfs_ceph_new: Dynamically open library for 'proxy' mode
Use dlopen() to load either of the shared libraries(libcephfs.so or
libcephfs_proxy.so) based on the configuration for 'proxy' module
parameter. Further down the line we will define the required APIs
as function pointers within the config structure.
Pair-Programmed-With: Anoop C S <anoopcs@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 47812a279118befbaeffdd6c81e3d49b071f04c5)
vfs_ceph_new: Introduce new parametric option 'proxy'
Provide early support for consuming yet to come libcephfs proxy[1] for
optimized resource utilization. For better control we make use of an
additional module specific option 'proxy' to specify the intent to load
proxy library. With the default value 'no' a regular cephfs connection
is established. There is also an 'auto' mode which can fall back to the
regular connection if proxy requirements are not met.
vfs_ceph_new: Add a new struct to hold ceph module config
Consolidate all required configuration related data under a dedicated
structure named vfs_ceph_config. As of now it includes the location of
configuration file, file system name, ceph client user id and mount
related information. This is expected to grow in future with more
details as and when required. Apart from that small cleanups are also
done to make code more robust.
Pair-Programmed-With: Anoop C S <anoopcs@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit f1d418181d12bd513204cf2b77c37990939e2041)
Shachar Sharon [Mon, 12 Aug 2024 11:45:53 +0000 (14:45 +0300)]
vfs_ceph_new: implement DFS hooks using libcephfs low-level APIs
Refactor the VFS hooks 'create_dfs_pathat_fn' and 'read_dfs_pathat_fn'
in 'vfs_ceph_new.c' to use libcephfs low-level APIs: instead of using
path-based operations (as done in legacy 'vfs_ceph.c') use inode based
operations to create and read msdfs symbolic-links values.
This codepath is also used for provisiong non-local machines into AD
during offlinejoin operations. When creating accounts for non-local
machines we certainly need to be able to use arbitrary hostname other
than lp_netbios_name() (which is used internally by lp_dns_hostname()).
This partly reverts 0e96092c1895ecb41d4064111566b4ada71fe457.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jan 30 07:35:05 UTC 2025 on atb-devel-224
Vinit Agnihotri [Tue, 3 Dec 2024 05:42:34 +0000 (11:12 +0530)]
param: Add API to load registry without share info
As number of shares increases loading entire registry configuration along with
share information becomes very costly operation.
Since we may not require share information all time, we can optimise
this by using API just loading configuration without any share info.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 218a0f067c894cbf61cde6183a269c0474d64ddc)
Autobuild-User(v4-21-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-21-test): Mon Feb 3 20:01:38 UTC 2025 on atb-devel-224
libcli/security: let dom_sid_lookup_predefined_sid() behave like Windows 2008R2
Windows 2008R2 (172.31.9.133) returns the following:
#> rpcclient 172.31.9.133 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
S-1-22-1 *unknown*\*unknown* (8)
S-1-22-1-0 *unknown*\*unknown* (8)
result was NT_STATUS_INVALID_SID
S-1-3-0 \CREATOR OWNER (5)
S-1-3-99 *unknown*\*unknown* (8)
result was NT_STATUS_INVALID_SID
While the current Samba (172.31.9.163) returns the following:
#> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
result was NT_STATUS_INVALID_SID
result was NT_STATUS_INVALID_SID
S-1-3-0 \CREATOR OWNER (5)
S-1-3-99 *unknown*\*unknown* (8)
S-1-3 *unknown*\*unknown* (8)
With this change also return the same as Windows 2008R2:
#> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
S-1-22-1 *unknown*\*unknown* (8)
S-1-22-1-0 *unknown*\*unknown* (8)
result was NT_STATUS_INVALID_SID
S-1-3-0 \CREATOR OWNER (5)
S-1-3-99 *unknown*\*unknown* (8)
result was NT_STATUS_INVALID_SID
This is a minimal fix in order to avoid crashes in the Windows Explorer.
The real fix needs more work and additional tests, as the behavior seems
to be different in newer Windows releases.
The following patch will let us behave like Windows 2022/2025...
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 9f369c62317d74615834f99a088caababef685fc)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit abba3495d23524142a4cf55d208dce041adee96b)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 6b1ff9a38fcddbe72b00e28960414526a42bde14)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7ecaf1a779370ef3ecf189e51a5e668329fa24c7)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 67c35d6b4ef6b7dbe9db3c52547b25580cd4756c)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 13d9231800ea969675f3207cd2c863e433104b4d)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit f7282c0dffbf30d72051a81d46d831344a9bbcf9)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 9dfb0ed8d29bd4a9146cf38bd63c4bb55b5faf73)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 8cdf7af43a365b0545562033f6c51150f2fbb3a4)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit fa6d0fd1b00e4836215b4d80f1a9f527db82e01a)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 10f38aff7c23dc20bc98cf0e02a430f8b0d7b1ad)
s4:auth/ntlm: let authsam_check_password_internals() add NETLOGON_NTLMV2_ENABLED
Windows returns NETLOGON_NTLMV2_ENABLED in all
netr_LogonSamLogon* response messages.
Even if NTLMv1 was actually used and also
for password authentication.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1414004ee953975c50e0ee374684ff8e01246946)
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Christian Ambach <ambi@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jan 17 12:01:47 UTC 2025 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 21 19:38:37 UTC 2025 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit dbff53f77680f0ccd022f2d864ba6ae7585a34b7)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Jan 17 23:21:13 UTC 2025 on atb-devel-224
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec 20 07:59:51 UTC 2024 on atb-devel-224
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 552053b6445611ecef6ac4c11c55ebf92f03571d)
Douglas Bagnall [Wed, 11 Dec 2024 02:56:20 +0000 (15:56 +1300)]
samba-tool user: hashlib.sha1 is always present
We maybe thought we were checking that sha1 was in hashlib, but we were
only checking that hashlib is in the Python library (`hashlib.sha1()`
would not raise ImportError).
The documentation says hashlib always contains sha1 -- if that
changes, it is better we know by failing noisily with the import error
at the top of the file.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 4af4dd8135e8edbe2a16cfdfc7ded8c145c82e98)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 405187d2ef4920a9a284649c9c3287f5844d5180)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5636d30c0959fd4a211ee7b8d1b267dcdbf0b963)
Douglas Bagnall [Wed, 11 Dec 2024 01:30:15 +0000 (14:30 +1300)]
pyglue: add crypt() function
This wraps talloc_crypt_blob() from lib/util/util_crypt.c which in
turn wraps the system crypt[_r[n]].
We want this because the Python standard library crypt module is going
away. That one also wrapped the system crypt or crypt_r, so there
should be no change.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
(backported from commit 88e3c82d88a68cf972f8189e1c3718698b49974a)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5f365e71c1fa8cdc533159283a5977164b5d39f2)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c7597380b479208e33a403211cec9b3c7bd3f034)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1edb12f79593d0b2aac36d5acdaaae6f495772f6)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
(backported from commit 833455c7f9f71583d567e3a53e854567cd8c3b0b,
Signed-off-by added)
s4:dsdb: fix logic of dsdb_trust_routing_by_name()
We need to use the longest dnsname match as possible.
If we are the domain samba.example.com and have a trust
to example.com, a routing request for dc.samba.example.com
should return the tdo for samba.example.com instead
of example.com.
It lets the KDC of ADDOM.SAMBA2008R2.EXAMPLE.COM to
generate a (referral) ticket for
krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA2008R2.EXAMPLE.COM
instead of
cifs/addc.addom.samba2008r2.example.com@ADDOM.SAMBA2008R2.EXAMPLE.COM
As ADDOM.SAMBA2008R2.EXAMPLE.COM has a forest trust (without msDS-TrustForestTrustInfo)
to SAMBA2008R2.EXAMPLE.COM dsdb_trust_update_best_tln() overwrote the
best match of addom.samba2008r2.example.com with samba2008r2.example.com.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jan 8 04:14:47 UTC 2025 on atb-devel-224
projects / thirdparty / samba.git / log
