Vinit Agnihotri [Tue, 3 Dec 2024 05:42:34 +0000 (11:12 +0530)]
param: Add API to load registry without share info
As number of shares increases loading entire registry configuration along with
share information becomes very costly operation.
Since we may not require share information all time, we can optimise
this by using API just loading configuration without any share info.
s4:selftest: samba.tests.krb5.netlogon don't need explicit FAST_SUPPORT
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jan 8 10:16:50 UTC 2025 on atb-devel-224
s4:dsdb: fix logic of dsdb_trust_routing_by_name()
We need to use the longest dnsname match as possible.
If we are the domain samba.example.com and have a trust
to example.com, a routing request for dc.samba.example.com
should return the tdo for samba.example.com instead
of example.com.
It lets the KDC of ADDOM.SAMBA2008R2.EXAMPLE.COM to
generate a (referral) ticket for
krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA2008R2.EXAMPLE.COM
instead of
cifs/addc.addom.samba2008r2.example.com@ADDOM.SAMBA2008R2.EXAMPLE.COM
As ADDOM.SAMBA2008R2.EXAMPLE.COM has a forest trust (without msDS-TrustForestTrustInfo)
to SAMBA2008R2.EXAMPLE.COM dsdb_trust_update_best_tln() overwrote the
best match of addom.samba2008r2.example.com with samba2008r2.example.com.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jan 8 04:14:47 UTC 2025 on atb-devel-224
Ralph Boehme [Thu, 5 Dec 2024 09:26:59 +0000 (10:26 +0100)]
smbd: fill fsp_flas.posix_append in open_file_ntcreate()
This small changes enables the new append-IO machinery.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 7 23:05:57 UTC 2025 on atb-devel-224
Ralph Boehme [Fri, 22 Nov 2024 18:40:38 +0000 (19:40 +0100)]
smbd: prepare smb2_write.c for handling a negative offset
Use off_t instead of uint64_t for the offset in order to support negative
offsets coming in over the wire for SMB3 POSIX append-IO which enforces
offset=VFS_PWRITE_APPEND_OFFSET (-1) for all writes.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 29 Nov 2024 12:04:36 +0000 (13:04 +0100)]
smbd: check for VFS_PWRITE_APPEND_OFFSET in vfs_fill_sparse()
This is the only place a function dealing with allocation and file length being
called from the write IO path. In the case of POSIX append-IO with
offset=VFS_PWRITE_APPEND_OFFSET vfs_fill_sparse() must be a noop.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 29 Nov 2024 12:00:30 +0000 (13:00 +0100)]
smbd: add vfs_valid_allocation_range() as a copy of vfs_valid_pwrite_range()
Not a copy of the whole code obviously, a copy of behaviour. A subsequent commit
will further change vfs_valid_pwrite_range().
Existing callers of vfs_valid_pwrite_range() that are not calling it in the
write-IO codepath, but when dealing with allocation and size, are converted to
use vfs_valid_allocation_range().
No change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sat, 9 Nov 2024 15:00:39 +0000 (16:00 +0100)]
smbtorture: verify Windows SEC_FILE_APPEND_DATA behaviour
This test proves that Windows will not enforce append behaviour when using
SEC_FILE_APPEND_DATA: writing with an offset and length into existing data is
not mapped to an append operation. According to
If only the FILE_APPEND_DATA and SYNCHRONIZE flags are set, the caller can
write only to the end of the file, and any offset information on writes to the
file is ignored. However, the file is automatically extended as necessary for
this type of write operation.
...but at least over SMB2 it doesn't work.
This also demonstrates that Windows behaves as documented in the footnote in
MS-SMB2 3.3.5.13 "Receiving an SMB2 WRITE Request":
If the range being written to is within the existing file size and
Open.GrantedAccess does not include FILE_WRITE_DATA, or if the range being
written to extends the file size and Open.GrantedAccess does not include
FILE_APPEND_DATA, the server SHOULD<358> fail the request with
STATUS_ACCESS_DENIED.
MS-SMB2 <358> Section 3.3.5.13:
Windows SMB2 servers allow the operation when either FILE_APPEND_DATA or
FILE_WRITE_DATA is set in Open.GrantedAccess.
==47833== Invalid read of size 1
==47833== at 0x4846782: strlen (vg_replace_strmem.c:494)
==47833== by 0x4F9D257: __vfprintf_internal (vfprintf-process-arg.c:397)
==47833== by 0x4FBD3A5: __vasprintf_internal (vasprintf.c:57)
==47833== by 0x4EBDFFD: __dbgtext_va (debug.c:1939)
==47833== by 0x4EBE125: dbgtext (debug.c:1960)
==47833== by 0x49A9E77: exit_server_common (server_exit.c:230)
==47833== by 0x49A9EE6: smbd_exit_server_cleanly (server_exit.c:247)
==47833== by 0x4ECA2EF: exit_server_cleanly (smbd_shim.c:113)
==47833== by 0x495E72B: smbd_server_connection_terminate_done (smb2_server.c:1758)
==47833== by 0x4D4ED6A: _tevent_req_notify_callback (tevent_req.c:177)
==47833== by 0x4D4EEFB: tevent_req_finish (tevent_req.c:234)
==47833== by 0x4D4F02A: tevent_req_trigger (tevent_req.c:291)
==47833== Address 0xb8cf820 is 96 bytes inside a block of size 123 free'd
==47833== at 0x484317B: free (vg_replace_malloc.c:872)
==47833== by 0x4CF8950: _tc_free_internal (talloc.c:1222)
==47833== by 0x4CF993E: _tc_free_children_internal (talloc.c:1669)
==47833== by 0x4CF8830: _tc_free_internal (talloc.c:1184)
==47833== by 0x4CF993E: _tc_free_children_internal (talloc.c:1669)
==47833== by 0x4CF8830: _tc_free_internal (talloc.c:1184)
==47833== by 0x4CF89F7: _talloc_free_internal (talloc.c:1248)
==47833== by 0x4CF9D93: _talloc_free (talloc.c:1792)
==47833== by 0x495E700: smbd_server_connection_terminate_done (smb2_server.c:1748)
==47833== by 0x4D4ED6A: _tevent_req_notify_callback (tevent_req.c:177)
==47833== by 0x4D4EEFB: tevent_req_finish (tevent_req.c:234)
==47833== by 0x4D4F02A: tevent_req_trigger (tevent_req.c:291)
==47833== Block was alloc'd at
==47833== at 0x48407B4: malloc (vg_replace_malloc.c:381)
==47833== by 0x4CF7CAC: __talloc_with_prefix (talloc.c:783)
==47833== by 0x4CF7E46: __talloc (talloc.c:825)
==47833== by 0x4CFB007: __talloc_strlendup (talloc.c:2454)
==47833== by 0x4CFB0BD: talloc_strdup (talloc.c:2470)
==47833== by 0x495E7B6: smbd_server_connection_terminate_ex (smb2_server.c:1775)
==47833== by 0x4969222: smbd_smb2_connection_handler (smb2_server.c:5291)
==47833== by 0x4D4CAE2: tevent_common_invoke_fd_handler (tevent_fd.c:174)
==47833== by 0x4D596D5: epoll_event_loop (tevent_epoll.c:696)
==47833== by 0x4D59E5E: epoll_event_loop_once (tevent_epoll.c:926)
==47833== by 0x4D5529C: std_event_loop_once (tevent_standard.c:110)
==47833== by 0x4D4B3B9: _tevent_loop_once (tevent.c:820)
==47833==
state was a child of "xconn", so when xconn was freed state went away.
As reason is used at the very end of exit_server_common() after *all* global
objects that could be used as talloc parent are freed, there's just no other way
to make "reason" a talloc string then allocating it from the NULL context right
away.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Tokarev [Thu, 17 Nov 2022 20:51:03 +0000 (23:51 +0300)]
fruit: fixup size_t overflow check
https://bugzilla.samba.org/show_bug.cgi?id=13622 .
The check ('bandsize > SIZE_MAX/nbands' is wrong, since
it caps the total size to the wrong data type size_t
instead of off_t -- samba is always built with LFS support
so off_t is always 64bits, while size_t is 32bit son a
32bit platform. This has caused issues already, capping
size of the bands: https://bugs.debian.org/974868 .
Since there's another overflow check already, let's just
fold this one to the following one and log a more complete
error message.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Sat Jan 4 20:47:35 UTC 2025 on atb-devel-224
Michael Tokarev [Fri, 29 Nov 2024 06:34:42 +0000 (09:34 +0300)]
include <grp.h> for setgroups in a few places
setgroups(), unlike getgroups(), is not in <unistd.h> but in <grp.h>.
Recent compilers require function declaration before using a function
(or more and more distributions treat lack of declaration as error),
so all configure-time tests fails with source3/lib/util_sec.c:
source3/../lib/util/setid.c: In function 'samba_setgroups':
source3/../lib/util/setid.c:244:16: error: implicit declaration of function \
'setgroups'; did you mean 'getgroups'? [-Wimplicit-function-declaration]
244 | return setgroups(setlen, gidset);
Add the missing include so configuration finds the existing system
functions instead of failing.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Jan 2 17:58:50 UTC 2025 on atb-devel-224
Michael Tokarev [Mon, 18 Nov 2024 12:00:05 +0000 (15:00 +0300)]
remove usage of bzero
bzero() function has been deprecated for a long time.
In samba it is replaced with memset(). But samba also
provides common memory-zeroing macros, like ZERO_STRUCT().
In all places where bzero() is used, it actually meant to
zero a structure or an array.
So replace these bzero() calls with ZERO_STRUCT() or
ZERO_ARRAY() as appropriate, and remove bzero() replacement
and testing entirely.
While at it, also stop checking for presence of memset() -
this function is standard for a very long time, and the
only conditional where HAVE_MEMSET were used, was to
provide replacement for bzero() - in all other places
memset() is used unconditionally.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Michael Tokarev [Mon, 18 Nov 2024 11:19:54 +0000 (14:19 +0300)]
replace direct calls to memset_s() with commonly used macros
samba provides macros for zeroing various structures in memory,
and all code uses them instead of relying on memset_s().
However, a few places use memset_s() directly. Replace these
usages with macros for consistency and to be able to replace
memset_s() easier.
A few notes.
Commit 03a50d8f7d872b6ef701d12 "lib:util: Check memset_s() error
code in talloc_keep_secret_destructor()" (Aug-2022) added a check
for error return from memset_s(). This is the only place in whole
codebase which bothers about doing this. But I've difficult time
figuring out the intention. Was there a real case when this code
path is actually executed?
Commit 7658c9bf0a9c99e3f200571 "lib:crypto: Remove redundant array
zeroing" (Nov-2023) removed the OTHER line from the two lines used
to zero memory in here. Initially the code used both memset_s()
*and* ZERO_ARRAY_LEN(), the former has been removed. This change
removes the other - memset_s(), reintroducing ZERO_ARRAY_LEN().
Here however, it's probably better to use BURN_PTR instead of
ZERO_ARRAY - in this place and a few lines above.
Commit 8dddea2ceda40f2365bd6b1 "lib:talloc: Use memset_s() to avoid
the call gets optimized out" (Feb-2024) is a recent commit which
introduces memset_s(). However, it does not seem like it makes
any difference whatsoever for a testsuite, or that it actually
needs to clean up the memory to begin with.
We've quite an assortment of all this memory zeroing stuff. Also
it is repeated in replace.h and memory.h (two sets in these files
are different but has big intersection). I'd say, to fix this mess,
things from replace.h should be removed in favour of memory.h, and
necessary includes added, but this is for the next time. We also
have lots of direct usages of memset_s() in heimdal code.
Cc: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Michael Tokarev [Tue, 26 Apr 2022 13:14:38 +0000 (16:14 +0300)]
testparm: do not fail if /run/samba does not exist
testparm explicitly fails if $piddir or $lockdir does not exist.
However, the daemons which actually use these directories, will
create it on demand, there is no need to fail even simple testparm
operations if the dirs are not there.
This change lets to (pre)configure samba without bothering to
pre-create the directories which are overwise needed only to fulfil
testparm criteria.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Michael Tokarev [Mon, 26 Feb 2024 11:15:00 +0000 (14:15 +0300)]
Minimal EDNS0 support for built-in DNS client
Currently, samba built-in DNS client is UDP-only (it does
support TCP mode, but not all components use it). In
particular, when winbind queries list of AD DCs (SRV
record) which can be quite large, it uses UDP-only query.
And at the same time, samba DNS client does not support
EDNS0 at all, so the reply is limited to standard DNS
packet size which is 512 bytes.
Add minimal EDNS0 OPT record to ADDITIONAL section when
sending a DNS request out, indicating we can accept
DNS packets up to 4Kb in size.
Since DNSSEC is in wide use today and DNSSEC requires
EDNS0, it is okay to assume ENDS0 is widely supported
these days, so there should be no regressions when
enabling EDNS0.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Michael Tokarev [Mon, 18 Nov 2024 09:45:08 +0000 (12:45 +0300)]
libsamba-errors: eliminate dependency on samba-debug
libsamba-errors is a collection of error codes/descriptions
like strerror(), - it is a set of simple functions converting
error code to string or the like. However, in one single
place there's a DBG_DEBUG() "call" in errmap_unix.c, in
map_errno_from_nt_status(), which is here for a very long time
(since before samba3, initially with debug level 10).
Drop this debugging info, and eliminate extra dependency.
This makes libsamba-errors independent and self-contained,
with a well-known and stable ABI.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Michael Tokarev [Thu, 19 May 2022 17:37:21 +0000 (20:37 +0300)]
specify some deps on private libs actually used directly
Lots of samba libraries has incomplete dependencies listed
in wscript files. This usually is not a problem since the
link line includes dependencies of their dependencies of
their dependencies, and somewhere down that line all immediate
dependencies which are missing are actually present. But
sometimes this becomes a problem when a library does not
declare direct dependency on at least one private library
which it actually uses: in case no private library is
listed as direct dependency, private library directory is
not put into RUNPATH of the resulting binary, so the binary
can not find its own dependencies.
Fix a few such places, including some libraries which are
a part of public abi (libsmbldap, libndr).
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jan 1 19:16:03 UTC 2025 on atb-devel-224
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Dec 30 04:17:46 UTC 2024 on atb-devel-224
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec 20 07:59:51 UTC 2024 on atb-devel-224
Douglas Bagnall [Wed, 11 Dec 2024 02:56:20 +0000 (15:56 +1300)]
samba-tool user: hashlib.sha1 is always present
We maybe thought we were checking that sha1 was in hashlib, but we were
only checking that hashlib is in the Python library (`hashlib.sha1()`
would not raise ImportError).
The documentation says hashlib always contains sha1 -- if that
changes, it is better we know by failing noisily with the import error
at the top of the file.
Douglas Bagnall [Wed, 11 Dec 2024 01:30:15 +0000 (14:30 +1300)]
pyglue: add crypt() function
This wraps talloc_crypt_blob() from lib/util/util_crypt.c which in
turn wraps the system crypt[_r[n]].
We want this because the Python standard library crypt module is going
away. That one also wrapped the system crypt or crypt_r, so there
should be no change.
Douglas Bagnall [Mon, 29 Jul 2024 21:53:14 +0000 (09:53 +1200)]
samba-tool: no traceback for unauthenticated rootdse access
Under some circumstances rootdse returns an operations error with
"Operation unavailable without authentication" instead of insufficient
access rights.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Dec 20 00:00:02 UTC 2024 on atb-devel-224
The index code (lib/ldb_key_value/ldb_kv_index.c) recapitulates LDB
expression logic, and it seemed less than completely obvious that it
would never make a mistake and return a different result than an
unindexed search.
Here we run the same search on an unindexed database and on some that
have been indexed with a variety of options. We assert that the
results are identical over a number of searches.
By default, when run from the command line, that number is 495161,
which takes a couple of minutes. But if the SKIP_SLOW_TESTS
environment variable is set, the number is 33569, which takes 20
seconds or so. In selftest we set the variable and run the smaller
number.
The tests will print the cumulative search time for each database for
each testsuite, like this:
Like all benchmarks it is interesting but misleading. One caveat here
is that you have (probably) compiled tdb in developer mode without
optimisation, while lmdb is probably a system package compiled with -O2,
though perhaps not tuned to your exact architecture.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Pavel Filipenský [Mon, 16 Dec 2024 13:39:54 +0000 (14:39 +0100)]
s3:winbindd: Remove unused set_routing_domain()
Commit 9a613f4 winbindd: add routing_domain as parameter to add_trusted_domain
deleted all calls of set_routing_domain().
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Dec 17 13:30:25 UTC 2024 on atb-devel-224
Pavel Filipenský [Mon, 16 Dec 2024 13:12:22 +0000 (14:12 +0100)]
s4:torture: Remove test for deprecated WINBINDD_SHOW_SEQUENCE
torture_winbind_struct_show_sequence() is failing if run as:
make -j8 test TESTS="samba4.rpc.lsa.trusted.*ad_dc samba4.winbind.struct.ad_dc"
The reason is that the test constructs two lists of domains and assumes
that the list contain same domains in the same order.
However:
- the list based on DO_STRUCT_REQ_REP(WINBINDD_SHOW_SEQUENCE, &req, &rep) contains 51 domains
- the list based on DO_STRUCT_REQ_REP(WINBINDD_LIST_TRUSTDOM, &req, &rep) contains 39 domains
and we got:
failure: show_sequence [ ../../source4/torture/winbind/struct_based.c:824: domlist[i].netbios_name was TORTURE201, expected TORTURE200: inconsistent order of domain lists
]
Both list are based on full domain list, however the smaller one filters
out domain without trust_type in winbindd_list_trusted_domains():
projects / thirdparty / samba.git / log
