Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Aug 5 06:15:14 UTC 2021 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug 3 20:35:49 UTC 2021 on sn-devel-184
xml.etree.ElementTree.ParseError: not well-formed (invalid token)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug 3 18:36:37 UTC 2021 on sn-devel-184
winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()
Handle the case where a NT4 DC does not fill in the acct_flags in
the samlogon reply info3. Yes, in 2021, there are still admins
around with real NT4 DCs.
NT4 DCs reject authentication with workstation accounts with
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified.
We no longer call dcerpc_samr_QueryUserInfo(level=16)
to get the acct_flags, as we only ever got
ACB_NORMAL back (maybe with ACB_PWNOEXP in addition),
which is easy to calculate on our own.
This was removed in commit (for 4.15.0rc1):
commit 73528f26eea24033a7093e5591b8f89ad2b8644e
Author: Ralph Boehme <slow@samba.org>
AuthorDate: Mon Jan 11 14:59:46 2021 +0100
Commit: Jeremy Allison <jra@samba.org>
CommitDate: Thu Jan 21 22:56:20 2021 +0000
winbind: remove legacy flags fallback
Some very old NT4 DCs might have not returned the account flags filled in. This
shouldn't be a problem anymore. Additionally, on a typical domain member server,
this request is (and can only be) sent to the primary domain, so this will not
work with accounts from trusted domains.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 21 22:56:20 UTC 2021 on sn-devel-184
It means one more caller of the problematic cm_connect_sam()
function is removed! SAMR connections may not be allowed for
machine accounts with modern AD DCs.
For network logons NT4 DCs also skip the
account_name, so we have to fallback to the
one given by the client. We have code to cope
with that deeply hidden inside of netsamlogon_cache_store().
Up to Samba 4.7 netsamlogon_cache_store() operated on the
info3 structure that was passed to the caller of winbind_dual_SamLogon()
and propagated up to auth_winbind in smbd.
winbindd: let winbind_dual_SamLogon return validation
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
actually changed the situation and only a temporary info3 structure
was passed into netsamlogon_cache_store(), which means
account_name was NULL and gets propagated as "" into auth_winbind
in smbd, where getpwnam() is no longer possible and every
smb access gets NT_STATUS_LOGON_FAILURE.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Aug 3 11:10:27 UTC 2021 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug 3 10:18:26 UTC 2021 on sn-devel-184
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Ralph Boehme [Tue, 29 Jun 2021 10:47:34 +0000 (12:47 +0200)]
smbd: only open full fd for directories if needed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14700
RN: File owner not available when file unreadable
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug 2 18:05:04 UTC 2021 on sn-devel-184
Ralph Boehme [Sat, 8 May 2021 19:45:25 +0000 (21:45 +0200)]
smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS
This was needed before we had pathref fsps, with pathref fsps we can do
operation requiring WRITE_OWNER_ACCESS, WRITE_DAC_ACCESS and READ_CONTROL_ACCESS
on the pathref fsp.
samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"
With the above combination, some flavor of lp_load() already
initializes global_event_ctx, for which the closeall_except() later on
will happily close the epoll fd for. If we want to close all file
descriptors at startup, this must be the very first thing overall.
Can't really write a proper test for this with knownfail that is
removed with the fix, because if we have clustering+include=registry,
the whole clusteredmember environment does not even start up.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jul 31 16:58:41 UTC 2021 on sn-devel-184
Jeremy Allison [Thu, 15 Jul 2021 02:11:05 +0000 (19:11 -0700)]
s3: smbd: Don't leak meta-data about the containing directory of the share root.
This is a subtle one. In smbd_dirptr_get_entry() we now
open a pathref fsp on all entries - including "..".
If we're at the root of the share we don't want
a handle to the directory above it, so silently
close the smb_fname->fsp for ".." names to prevent
it from being used to return meta-data to the client
(more than we already have done historically by
calling pathname functions on "..").
The marshalling returned entries and async DOS
code copes with smb_fname->fsp == NULL perfectly
well.
Only in master, but will need fixing for 4.15.rc1
or 2.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 28 15:07:54 UTC 2021 on sn-devel-184
selftest: Remove fips env variables from client env
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 28 07:12:55 UTC 2021 on sn-devel-184
bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 21 12:18:30 UTC 2021 on sn-devel-184
s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 21 07:19:00 UTC 2021 on sn-devel-184
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 20 16:13:28 UTC 2021 on sn-devel-184
Defining _PUBLIC_ in the same way as in talloc.h resolves an issue with
a previous fix for Solaris Studio compiler 12.4 that prefixed all calls
in tdb.h with _PUBLIC_. Thanks to Lukas Slebodnik
<lslebodn@redhat.com>.
Martin Schwenke [Tue, 27 Apr 2021 05:45:17 +0000 (15:45 +1000)]
utils: Avoid pylint warning
pylint warns:
Use lazy % formatting in logging functions
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jul 20 05:29:18 UTC 2021 on sn-devel-184
Martin Schwenke [Wed, 26 May 2021 00:57:07 +0000 (10:57 +1000)]
utils: Move argument processing into function and call from main()
Removes the need for the global variables currently associated with
this processing. Also removes unnecessarily double-handling the
defaults, which are assigned to the global variables and set via
add_argument().
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Martin Schwenke [Tue, 27 Apr 2021 05:46:14 +0000 (15:46 +1000)]
utils: Use Python 3
Due to the number of flake8 and pylint warnings it is unclear if the
source has Python 3 incompatibilities. These will be cleaned up in
subsequent commits.
Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 19 15:27:14 UTC 2021 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 16 03:45:19 UTC 2021 on sn-devel-184
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184
RN: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 15 23:53:55 UTC 2021 on sn-devel-184
This turns the 'smb2.read.bug14607' test from 'skip' into 'xfailure',
as the 2nd smb2cli_read() function will now return
NT_STATUS_INVALID_NETWORK_RESPONSE.
This test will use a FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
in order to change the server behavior of READ responses regarding
the data offset.
It will demonstrate the problem in smb2cli_read*() triggered
by NetApp Ontap servers.
David Mulder [Mon, 12 Jul 2021 21:18:04 +0000 (15:18 -0600)]
Update WHATSNEW for Certificate Auto Enrollment
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 15 20:03:45 UTC 2021 on sn-devel-184
Jeremy Allison [Wed, 14 Jul 2021 18:23:54 +0000 (11:23 -0700)]
s3: VFS: default. In vfswrap_getxattrat_do_async() always use the pathref fsp.
This is always called via a path that mandates
smb_fname->fsp is valid.
https://bugzilla.samba.org/show_bug.cgi?id=14758
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jul 15 05:48:05 UTC 2021 on sn-devel-184
Jeremy Allison [Wed, 14 Jul 2021 22:00:13 +0000 (15:00 -0700)]
s3: smbd: Allow "smbd async dosmode = yes" to return valid DOS attributes again.
We already have a valid smb_fname->fsp, don't drop
it when returning from smbd_dirptr_lanman2_entry()
to allow it to be reused inside dos_mode_at_send().
We can add more about this in the final 4.15.0 release notes later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 15 00:57:24 UTC 2021 on sn-devel-184
libcli/smb: skip session setup signing for REQUEST_OUT_OF_SEQUENCE, NOT_SUPPORTED and ACCESS_DENIED
We should propagate these errors to the caller instead of masking them
with ACCESS_DENIED. And for ACCESS_DENIED we should not disconnect the
connection.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>