git.ipfire.org Git - thirdparty/samba.git/log
4 years ago mit-samba: Use talloc_get_type_abort() instead of casting
Andreas Schneider [Mon, 12 Jul 2021 11:05:59 +0000 (13:05 +0200)] 
mit-samba: Use talloc_get_type_abort() instead of casting

This is safer to use and fixes compiler warnings.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago mit-samba: Send the logging to the kdc log facility
Andreas Schneider [Mon, 11 Jun 2018 14:15:10 +0000 (16:15 +0200)] 
mit-samba: Send the logging to the kdc log facility

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago mit-samba: Define debug class for kdb module
Andreas Schneider [Wed, 14 Jul 2021 10:49:11 +0000 (12:49 +0200)] 
mit-samba: Define debug class for kdb module

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago s3: VFS: ceph. Fix enumerating directories. dirfsp->fh->fd != AT_FDCWD in this case.
Jeremy Allison [Sat, 17 Jul 2021 01:53:24 +0000 (18:53 -0700)] 
s3: VFS: ceph. Fix enumerating directories. dirfsp->fh->fd != AT_FDCWD in this case.

Same as the fix for glusterfs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14766

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Aug  5 06:15:14 UTC 2021 on sn-devel-184

4 years ago gitlab: Use shorter names for Samba AD DC env with MIT KRB5
Andreas Schneider [Tue, 3 Aug 2021 11:20:40 +0000 (13:20 +0200)] 
gitlab: Use shorter names for Samba AD DC env with MIT KRB5

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14779

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug  3 20:35:49 UTC 2021 on sn-devel-184

4 years ago s3:winbindd: Add a check for the path length of 'winbindd socket directory'
Andreas Schneider [Tue, 3 Aug 2021 09:04:37 +0000 (11:04 +0200)] 
s3:winbindd: Add a check for the path length of 'winbindd socket directory'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14779

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago configure: Do not put arguments into double quotes
Andreas Schneider [Mon, 2 Aug 2021 15:43:01 +0000 (17:43 +0200)] 
configure: Do not put arguments into double quotes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14777

This could create an issue that arguments don't get split by python and then the
following could happen:

    ./configure --libdir=/usr/lib64 --enable-clangdb

    LIBDIR='/usr/lib64 --enable-clangdb'

This then ends up in parameters.all.xml:

    <!ENTITY pathconfig.LIBDIR   '/usr/lib64 --enable-clangdb'>

The python parser then errors out:

    xml.etree.ElementTree.ParseError: not well-formed (invalid token)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug  3 18:36:37 UTC 2021 on sn-devel-184

4 years ago winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()
Stefan Metzmacher [Mon, 2 Aug 2021 12:17:47 +0000 (14:17 +0200)] 
winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()

Handle the case where a NT4 DC does not fill in the acct_flags in
the samlogon reply info3. Yes, in 2021, there are still admins
around with real NT4 DCs.

NT4 DCs reject authentication with workstation accounts with
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified.

We no longer call dcerpc_samr_QueryUserInfo(level=16)
to get the acct_flags, as we only ever got
ACB_NORMAL back (maybe with ACB_PWNOEXP in addition),
which is easy to calculate on our own.
This was removed in commit (for 4.15.0rc1):

  commit 73528f26eea24033a7093e5591b8f89ad2b8644e
  Author:     Ralph Boehme <slow@samba.org>
  AuthorDate: Mon Jan 11 14:59:46 2021 +0100
  Commit:     Jeremy Allison <jra@samba.org>
  CommitDate: Thu Jan 21 22:56:20 2021 +0000

      winbind: remove legacy flags fallback

      Some very old NT4 DCs might have not returned the account flags filled in. This
      shouldn't be a problem anymore. Additionally, on a typical domain member server,
      this request is (and can only be) sent to the primary domain, so this will not
      work with accounts from trusted domains.

      Signed-off-by: Ralph Boehme <slow@samba.org>
      Reviewed-by: Jeremy Allison <jra@samba.org>
      Autobuild-User(master): Jeremy Allison <jra@samba.org>
      Autobuild-Date(master): Thu Jan 21 22:56:20 UTC 2021 on sn-devel-184

It means one more caller of the problematic cm_connect_sam()
function is removed! SAMR connections may not be allowed for
machine accounts with modern AD DCs.

For network logons NT4 DCs also skip the
account_name, so we have to fallback to the
one given by the client. We have code to cope
with that deeply hidden inside of netsamlogon_cache_store().

Up to Samba 4.7 netsamlogon_cache_store() operated on the
info3 structure that was passed to the caller of winbind_dual_SamLogon()
and pass propagated up to auth_winbind in smbd.

But for Samba 4.8 the following commit:

  commit f153c95176b7759e10996b24b66d9917945372ed
  Author: Ralph Boehme <slow@samba.org>
  Date:   Mon Dec 11 16:25:35 2017 +0100

      winbindd: let winbind_dual_SamLogon return validation

      Signed-off-by: Ralph Boehme <slow@samba.org>
      Reviewed-by: Stefan Metzmacher <metze@samba.org>

actually changed the situation and only a temporary info3 structure
was passed into netsamlogon_cache_store(), which means
account_name was NULL and gets propagated as "" into auth_winbind
in smbd, where getpwnam() is no longer possible and every
smb access gets NT_STATUS_LOGON_FAILURE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14772

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Aug  3 11:10:27 UTC 2021 on sn-devel-184

4 years ago s4:torture: Add rpc netlogon fips test
Andreas Schneider [Mon, 26 Jul 2021 08:18:05 +0000 (10:18 +0200)] 
s4:torture: Add rpc netlogon fips test

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug  3 10:18:26 UTC 2021 on sn-devel-184

4 years ago s4:torture: Remove trailing whitespaces in rpc.c
Andreas Schneider [Mon, 26 Jul 2021 08:17:38 +0000 (10:17 +0200)] 
s4:torture: Remove trailing whitespaces in rpc.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago s4:selftest: Pass environ to plansmbtorture4testsuite()
Andreas Schneider [Wed, 28 Jul 2021 09:57:02 +0000 (11:57 +0200)] 
s4:selftest: Pass environ to plansmbtorture4testsuite()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago selftest: Fix setting environ for plansmbtorture4testsuite()
Andreas Schneider [Wed, 28 Jul 2021 09:56:12 +0000 (11:56 +0200)] 
selftest: Fix setting environ for plansmbtorture4testsuite()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
Andreas Schneider [Thu, 3 Sep 2020 13:58:56 +0000 (15:58 +0200)] 
netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections
Andreas Schneider [Mon, 26 Jul 2021 08:13:52 +0000 (10:13 +0200)] 
s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections

This is needed for smbtorture to join a domain in FIPS mode.

FYI: The correct way would be to join using LDAP as the s3 code is doing it. But
this requires a bigger rewrite.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago s4:libnet: Remove trailing whitespaces
Andreas Schneider [Mon, 26 Jul 2021 08:12:56 +0000 (10:12 +0200)] 
s4:libnet: Remove trailing whitespaces

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago s4:rpc_server: Allow to set user password in FIPS mode
Andreas Schneider [Mon, 26 Jul 2021 08:02:13 +0000 (10:02 +0200)] 
s4:rpc_server: Allow to set user password in FIPS mode

Only in case we have an SMB encrypted connection ...

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago auth:gensec: Use lpcfg_weak_crypto()
Andreas Schneider [Fri, 23 Apr 2021 14:32:27 +0000 (16:32 +0200)] 
auth:gensec: Use lpcfg_weak_crypto()

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago smbd: only open full fd for directories if needed
Ralph Boehme [Tue, 29 Jun 2021 10:47:34 +0000 (12:47 +0200)] 
smbd: only open full fd for directories if needed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14700
RN: File owner not available when file unreadable

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug  2 18:05:04 UTC 2021 on sn-devel-184

4 years ago smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and...
Ralph Boehme [Sat, 8 May 2021 19:45:25 +0000 (21:45 +0200)] 
smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS

This was needed before we had pathref fsps, with pathref fsps we can do
operation requiring WRITE_OWNER_ACCESS, WRITE_DAC_ACCESS and READ_CONTROL_ACCESS
on the pathref fsp.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14700

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"
Volker Lendecke [Fri, 30 Jul 2021 09:43:08 +0000 (11:43 +0200)] 
samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"

With the above combination, some flavor of lp_load() already
initializes global_event_ctx, for which the closeall_except() later on
will happily close the epoll fd for. If we want to close all file
descriptors at startup, this must be the very first thing overall.

Can't really write a proper test for this with knownfail that is
removed with the fix, because if we have clustering+include=registry,
the whole clusteredmember environment does not even start up.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jul 31 16:58:41 UTC 2021 on sn-devel-184

4 years ago s3: smbd: Don't leak meta-data about the containing directory of the share root.
Jeremy Allison [Thu, 15 Jul 2021 02:11:05 +0000 (19:11 -0700)] 
s3: smbd: Don't leak meta-data about the containing directory of the share root.

This is a subtle one. In smbd_dirptr_get_entry() we now
open a pathref fsp on all entries - including "..".

If we're at the root of the share we don't want
a handle to the directory above it, so silently
close the smb_fname->fsp for ".." names to prevent
it from being used to return meta-data to the client
(more than we already have done historically by
calling pathname functions on "..").

The marshalling returned entries and async DOS
code copes with smb_fname->fsp == NULL perfectly
well.

Only in master, but will need fixing for 4.15.rc1
or 2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 28 15:07:54 UTC 2021 on sn-devel-184

4 years ago s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname...
Jeremy Allison [Thu, 15 Jul 2021 04:30:09 +0000 (21:30 -0700)] 
s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago selftest: Remove fips env variables from client env
Andreas Schneider [Tue, 27 Jul 2021 12:15:06 +0000 (14:15 +0200)] 
selftest: Remove fips env variables from client env

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 28 07:12:55 UTC 2021 on sn-devel-184

4 years ago selftest: Pass env variables to fips tests
Andreas Schneider [Tue, 27 Jul 2021 14:06:07 +0000 (16:06 +0200)] 
selftest: Pass env variables to fips tests

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago s4:selftests: Pass env variables to fips tests
Andreas Schneider [Tue, 27 Jul 2021 12:11:39 +0000 (14:11 +0200)] 
s4:selftests: Pass env variables to fips tests

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago s3:selftests: Pass env variables to fips tests
Andreas Schneider [Tue, 27 Jul 2021 12:06:33 +0000 (14:06 +0200)] 
s3:selftests: Pass env variables to fips tests

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago selftest: Add support for setting ENV variables in plantestsuite()
Andreas Schneider [Tue, 27 Jul 2021 11:45:03 +0000 (13:45 +0200)] 
selftest: Add support for setting ENV variables in plantestsuite()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
Andreas Schneider [Tue, 27 Jul 2021 11:25:59 +0000 (13:25 +0200)] 
selftest: Add support for setting ENV variables in plansmbtorture4testsuite()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago selftest: Re-format long lines in selftesthelpers.py
Andreas Schneider [Tue, 27 Jul 2021 06:50:54 +0000 (08:50 +0200)] 
selftest: Re-format long lines in selftesthelpers.py

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 years ago krb5_wrap: remove unused code
Pavel Filipenský [Thu, 22 Jul 2021 12:11:51 +0000 (14:11 +0200)] 
krb5_wrap: remove unused code

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jul 27 10:09:03 UTC 2021 on sn-devel-184

4 years ago lib:cmdline: Use lp_load_global() for servers
Andreas Schneider [Wed, 21 Jul 2021 14:06:15 +0000 (16:06 +0200)] 
lib:cmdline: Use lp_load_global() for servers

As for client we need to enable support for 'config backend = registry'.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 22 14:47:09 UTC 2021 on sn-devel-184

4 years ago s3-torture: Only install vfstest manpage when vfstest binary gets installed.
Günther Deschner [Mon, 9 Nov 2020 16:08:27 +0000 (17:08 +0100)] 
s3-torture: Only install vfstest manpage when vfstest binary gets installed.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jul 21 13:41:26 UTC 2021 on sn-devel-184

4 years ago s3-torture: give torture test binaries their own wscript_build
Günther Deschner [Mon, 9 Nov 2020 14:12:21 +0000 (15:12 +0100)] 
s3-torture: give torture test binaries their own wscript_build

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 years ago bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros
Andreas Schneider [Wed, 21 Jul 2021 07:32:42 +0000 (09:32 +0200)] 
bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 21 12:18:30 UTC 2021 on sn-devel-184

4 years ago python:waf: Correctly check for python-dateutil
Andreas Schneider [Wed, 21 Jul 2021 07:17:31 +0000 (09:17 +0200)] 
python:waf: Correctly check for python-dateutil

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
4 years ago s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips
Andreas Schneider [Tue, 20 Jul 2021 12:58:09 +0000 (14:58 +0200)] 
s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 21 07:19:00 UTC 2021 on sn-devel-184

4 years ago autobuild: Exclude fips envs from samba and samba-mitkrb5
Andreas Schneider [Tue, 20 Jul 2021 17:06:28 +0000 (19:06 +0200)] 
autobuild: Exclude fips envs from samba and samba-mitkrb5

The FIPS envs only work on Fedora. Ubuntu doesn't have FIPS support!

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
4 years ago bootstrap: Install krb5-workstation on Fedora based distros
Andreas Schneider [Tue, 20 Jul 2021 13:55:53 +0000 (15:55 +0200)] 
bootstrap: Install krb5-workstation on Fedora based distros

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
4 years ago s3:smbd: really support AES-256* in the server
Stefan Metzmacher [Thu, 15 Jul 2021 11:20:22 +0000 (13:20 +0200)] 
s3:smbd: really support AES-256* in the server

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 20 16:13:28 UTC 2021 on sn-devel-184

4 years ago s4:torture/smb2: add tests to check all signing and encryption algorithms
Stefan Metzmacher [Mon, 19 Jul 2021 16:38:06 +0000 (18:38 +0200)] 
s4:torture/smb2: add tests to check all signing and encryption algorithms

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15
Stefan Metzmacher [Tue, 9 Mar 2021 09:40:04 +0000 (10:40 +0100)] 
gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15

The memory leak bug up to 3.6.14 was only related to ccm, but gcm was
fine.

This avoids talloc+memcpy on more systems, e.g. ubuntu 20.04,
and brings ~ 20% less cpu overhead, see:
https://hackmd.io/@asn/samba_crypto_benchmarks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 years ago gpo: Improve debug when extension fails to apply
David Mulder [Mon, 19 Jul 2021 17:36:09 +0000 (11:36 -0600)] 
gpo: Improve debug when extension fails to apply

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago gpo: Warn when fetching the supported templates fails
David Mulder [Mon, 19 Jul 2021 17:18:53 +0000 (11:18 -0600)] 
gpo: Warn when fetching the supported templates fails

When Certificate Auto Enrollment fails to fetch
the list of supported templates, display a
warning.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago gpo: Ensure Network Device Enrollment Service if sscep fails
David Mulder [Mon, 19 Jul 2021 17:11:56 +0000 (11:11 -0600)] 
gpo: Ensure Network Device Enrollment Service if sscep fails

Prompt the user to check that Network Device
Enrollment Service is installed and configured
if sscep fails to download the certificate root
chain.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago tdb: version 1.4.5 (tag: tdb-1.4.5)
Stefan Metzmacher [Mon, 19 Jul 2021 10:57:50 +0000 (12:57 +0200)] 
tdb: version 1.4.5

* fix standalone usage of tdb.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 20 11:48:38 UTC 2021 on sn-devel-184

4 years ago tdb: Fix invalid syntax in tdb.h
Günther Deschner [Fri, 16 Jul 2021 15:29:40 +0000 (17:29 +0200)] 
tdb: Fix invalid syntax in tdb.h

Defining _PUBLIC_ in the same way as in talloc.h resolves an issue with
a previous fix for Solaris Studio compiler 12.4 that prefixed all calls
in tdb.h with _PUBLIC_.  Thanks to Lukas Slebodnik
<lslebodn@redhat.com>.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14762

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago utils: Avoid pylint warning
Martin Schwenke [Tue, 27 Apr 2021 05:45:17 +0000 (15:45 +1000)] 
utils: Avoid pylint warning

pylint warns:

  Use lazy % formatting in logging functions

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jul 20 05:29:18 UTC 2021 on sn-devel-184

4 years ago utils: Reformat lines that are longer than 80 columns
Martin Schwenke [Tue, 27 Apr 2021 05:37:43 +0000 (15:37 +1000)] 
utils: Reformat lines that are longer than 80 columns

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
4 years ago utils: Tweak exception handling to stop flake8 complaining
Martin Schwenke [Tue, 27 Apr 2021 04:56:20 +0000 (14:56 +1000)] 
utils: Tweak exception handling to stop flake8 complaining

Don't bother with "as e" to avoid warning about unused variable.
Don't use bare "except:" (though pylint still complains about this
version).

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
4 years ago utils: Simplify log level logic, drop global variable
Martin Schwenke [Wed, 26 May 2021 01:18:04 +0000 (11:18 +1000)] 
utils: Simplify log level logic, drop global variable

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
4 years ago utils: Inline defaults and help strings
Martin Schwenke [Tue, 27 Apr 2021 04:50:15 +0000 (14:50 +1000)] 
utils: Inline defaults and help strings

Removes an unnecessary level of indirection: defaults and help strings
are now where they are expected.  Also removes some global variables.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
4 years ago utils: Move argument processing into function and call from main()
Martin Schwenke [Wed, 26 May 2021 00:57:07 +0000 (10:57 +1000)] 
utils: Move argument processing into function and call from main()

Removes the need for the global variables currently associated with
this processing.  Also removes unnecessarily double-handling the
defaults, which are assigned to the global variables and set via
add_argument().

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
4 years ago utils: Reorder imports so that standard imports are first
Martin Schwenke [Tue, 27 Apr 2021 03:00:49 +0000 (13:00 +1000)] 
utils: Reorder imports so that standard imports are first

Avoids numerous pylint warnings.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
4 years ago utils: Clean up ctdb_etcd_lock using autopep8
Martin Schwenke [Tue, 27 Apr 2021 02:59:17 +0000 (12:59 +1000)] 
utils: Clean up ctdb_etcd_lock using autopep8

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
4 years ago utils: Use Python 3
Martin Schwenke [Tue, 27 Apr 2021 05:46:14 +0000 (15:46 +1000)] 
utils: Use Python 3

Due to the number of flake8 and pylint warnings it is unclear if the
source has Python 3 incompatibilities.  These will be cleaned up in
subsequent commits.

Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
4 years ago examples: Make winreg.py sample work with python3 in current master
Volker Lendecke [Sat, 26 Jun 2021 12:21:49 +0000 (14:21 +0200)] 
examples: Make winreg.py sample work with python3 in current master

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jul 19 17:44:08 UTC 2021 on sn-devel-184

4 years ago gitignore: Add .cache directory
Andreas Schneider [Thu, 15 Jul 2021 14:52:02 +0000 (16:52 +0200)] 
gitignore: Add .cache directory

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 19 15:27:14 UTC 2021 on sn-devel-184

4 years ago selftest: Add PYTHONPATH for lsp servers to devel_env.sh
Andreas Schneider [Thu, 15 Jul 2021 14:50:56 +0000 (16:50 +0200)] 
selftest: Add PYTHONPATH for lsp servers to devel_env.sh

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
4 years ago s3:utils: Use better error message for smbtree
Andreas Schneider [Wed, 14 Jul 2021 09:38:39 +0000 (11:38 +0200)] 
s3:utils: Use better error message for smbtree

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 16 03:45:19 UTC 2021 on sn-devel-184

4 years ago libcli/smb: allow unexpected padding in SMB2 READ responses
Stefan Metzmacher [Tue, 29 Jun 2021 13:42:56 +0000 (15:42 +0200)] 
libcli/smb: allow unexpected padding in SMB2 READ responses

Make use of smb2cli_parse_dyn_buffer() in smb2cli_read_done()
as it was exactly introduced for a similar problem see:

    commit 4c6c71e1378401d66bf2ed230544a75f7b04376f
    Author:     Stefan Metzmacher <metze@samba.org>
    AuthorDate: Thu Jan 14 17:32:15 2021 +0100
    Commit:     Volker Lendecke <vl@samba.org>
    CommitDate: Fri Jan 15 08:36:34 2021 +0000

        libcli/smb: allow unexpected padding in SMB2 IOCTL responses

        A NetApp Ontap 7.3.7 SMB server adds 8 padding bytes to an
        offset that's already 8 byte aligned.

        RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7
        BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

        Pair-Programmed-With: Volker Lendecke <vl@samba.org>

        Signed-off-by: Stefan Metzmacher <metze@samba.org>
        Signed-off-by: Volker Lendecke <vl@samba.org>
        Autobuild-User(master): Volker Lendecke <vl@samba.org>
        Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184

RN: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 15 23:53:55 UTC 2021 on sn-devel-184

4 years ago libcli/smb: make smb2cli_ioctl_parse_buffer() available as smb2cli_parse_dyn_buffer()
Stefan Metzmacher [Tue, 29 Jun 2021 13:24:13 +0000 (15:24 +0200)] 
libcli/smb: make smb2cli_ioctl_parse_buffer() available as smb2cli_parse_dyn_buffer()

It will be used in smb2cli_read.c soon...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
Stefan Metzmacher [Mon, 5 Jul 2021 15:49:00 +0000 (17:49 +0200)] 
s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8

This turns the 'smb2.read.bug14607' test from 'skip' into 'xfailure',
as the 2nd smb2cli_read() function will now return
NT_STATUS_INVALID_NETWORK_RESPONSE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done
Stefan Metzmacher [Mon, 5 Jul 2021 15:49:00 +0000 (17:49 +0200)] 
s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done

This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago s4:torture/smb2: add smb2.read.bug14607 test
Stefan Metzmacher [Tue, 6 Jul 2021 14:24:59 +0000 (16:24 +0200)] 
s4:torture/smb2: add smb2.read.bug14607 test

This test will use a FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
in order to change the server behavior of READ responses regarding
the data offset.

It will demonstrate the problem in smb2cli_read*() triggered
by NetApp Ontap servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago Update WHATSNEW for Certificate Auto Enrollment
David Mulder [Mon, 12 Jul 2021 21:18:04 +0000 (15:18 -0600)] 
Update WHATSNEW for Certificate Auto Enrollment

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 15 20:03:45 UTC 2021 on sn-devel-184

4 years ago gpo: Test Certificate Auto Enrollment Policy
David Mulder [Fri, 2 Jul 2021 20:44:43 +0000 (20:44 +0000)] 
gpo: Test Certificate Auto Enrollment Policy

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago gpo: Fix up rsop output of ca certificate
David Mulder [Mon, 28 Jun 2021 15:06:09 +0000 (09:06 -0600)] 
gpo: Fix up rsop output of ca certificate

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago gpo: Add Certificate Auto Enrollment Policy
David Mulder [Thu, 17 Jun 2021 15:13:12 +0000 (09:13 -0600)] 
gpo: Add Certificate Auto Enrollment Policy

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago WHATSNEW: Start release notes for Samba 4.16.0pre1.
Karolin Seeger [Thu, 15 Jul 2021 07:42:49 +0000 (09:42 +0200)] 
WHATSNEW: Start release notes for Samba 4.16.0pre1.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>

4 years ago VERSION: Bump version up to 4.16.0pre1...
Karolin Seeger [Thu, 15 Jul 2021 07:38:41 +0000 (09:38 +0200)] 
VERSION: Bump version up to 4.16.0pre1...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>

4 years ago VERSION: Disable GIT_SNAPSHOT for the Samba 4.15.0rc1 release. samba-4.15.0rc1
Karolin Seeger [Thu, 15 Jul 2021 07:09:37 +0000 (09:09 +0200)] 
VERSION: Disable GIT_SNAPSHOT for the Samba 4.15.0rc1 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>

4 years ago WHATSNEW: Up to Samba 4.15.0rc1.
Karolin Seeger [Thu, 15 Jul 2021 07:06:20 +0000 (09:06 +0200)] 
WHATSNEW: Up to Samba 4.15.0rc1.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>

4 years ago WHATSNEW: Fix typos.
Karolin Seeger [Thu, 15 Jul 2021 07:04:18 +0000 (09:04 +0200)] 
WHATSNEW: Fix typos.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>

4 years ago s3: VFS: default. In vfswrap_getxattrat_do_async() always use the pathref fsp.
Jeremy Allison [Wed, 14 Jul 2021 18:23:54 +0000 (11:23 -0700)] 
s3: VFS: default. In vfswrap_getxattrat_do_async() always use the pathref fsp.

This is always called via a path that mandates
smb_fname->fsp is valid.

https://bugzilla.samba.org/show_bug.cgi?id=14758

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jul 15 05:48:05 UTC 2021 on sn-devel-184

4 years ago s3: VFS: default. In vfswrap_getxattrat_do_sync() always use the pathref fsp.
Jeremy Allison [Wed, 14 Jul 2021 18:23:03 +0000 (11:23 -0700)] 
s3: VFS: default. In vfswrap_getxattrat_do_sync() always use the pathref fsp.

This is always called via a path that mandates
smb_fname->fsp is valid.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

4 years ago s3: VFS: default: Add 'handle' member to struct vfswrap_getxattrat_state
Jeremy Allison [Wed, 14 Jul 2021 18:35:06 +0000 (11:35 -0700)] 
s3: VFS: default: Add 'handle' member to struct vfswrap_getxattrat_state

Not yet used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

4 years ago s3: VFS: default: Move vfswrap_fgetxattr() before the async versions.
Jeremy Allison [Wed, 14 Jul 2021 18:17:49 +0000 (11:17 -0700)] 
s3: VFS: default: Move vfswrap_fgetxattr() before the async versions.

We want to re-use this and don't want to have to add forward
declarations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

4 years ago s3: smbd: Allow "smbd async dosmode = yes" to return valid DOS attributes again.
Jeremy Allison [Wed, 14 Jul 2021 22:00:13 +0000 (15:00 -0700)] 
s3: smbd: Allow "smbd async dosmode = yes" to return valid DOS attributes again.

We already have a valid smb_fname->fsp, don't drop
it when returning from smbd_dirptr_lanman2_entry()
to allow it to be reused inside dos_mode_at_send().

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

4 years ago s3: tests: Add "SMB2-LIST-DIR-ASYNC" test.
Jeremy Allison [Wed, 14 Jul 2021 22:29:01 +0000 (15:29 -0700)] 
s3: tests: Add "SMB2-LIST-DIR-ASYNC" test.

Add as knownfail.

Shows our "smbd async dosmode" code wasn't working.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

4 years ago s3: tests: Our tests for "smbd async dosmode = yes" haven't been working correctly...
Jeremy Allison [Wed, 14 Jul 2021 22:26:42 +0000 (15:26 -0700)] 
s3: tests: Our tests for "smbd async dosmode = yes" haven't been working correctly as the parameter has been set incorrectly.

It must be "smbd async dosmode", not "smbd:async dosmode"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14758

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

4 years ago WHATSNEW: add client/server smb3 signing/encryption algorithms
Stefan Metzmacher [Wed, 14 Jul 2021 16:40:34 +0000 (18:40 +0200)] 
WHATSNEW: add client/server smb3 signing/encryption algorithms

We can add more about this in the final 4.15.0 release notes later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 15 00:57:24 UTC 2021 on sn-devel-184

4 years ago s3:smbd: improve the error returns for invalid session binding requests
Stefan Metzmacher [Mon, 8 Mar 2021 01:05:55 +0000 (02:05 +0100)] 
s3:smbd: improve the error returns for invalid session binding requests

This brings us closer to what a Windows Server with GMAC signing
returns.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago s4:torture: more smb2.session.bind_negative_smb3* combinations
Stefan Metzmacher [Wed, 14 Jul 2021 14:12:41 +0000 (16:12 +0200)] 
s4:torture: more smb2.session.bind_negative_smb3* combinations

This tests all kinds of signing/encryption algorithm mismatches
and passes against Windows with GMAC signing support.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago docs-xml: offer aes-128-gmac by default
Stefan Metzmacher [Tue, 13 Jul 2021 21:28:04 +0000 (23:28 +0200)] 
docs-xml: offer aes-128-gmac by default

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago libcli/smb: add support for SMB2_SIGNING_AES128_GMAC
Stefan Metzmacher [Wed, 11 Nov 2020 13:10:01 +0000 (14:10 +0100)] 
libcli/smb: add support for SMB2_SIGNING_AES128_GMAC

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago s4:torture: force AES_CMAC or HMAC_SHA256 for some SMB 3.1.1 tests
Stefan Metzmacher [Wed, 14 Jul 2021 13:04:22 +0000 (15:04 +0200)] 
s4:torture: force AES_CMAC or HMAC_SHA256 for some SMB 3.1.1 tests

Allowing GMAC in future will generate different results, so
make sure the tests keep working as is.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago libcli/smb: actually make use of "client/server smb3 signing algorithms"
Stefan Metzmacher [Tue, 13 Jul 2021 19:26:19 +0000 (21:26 +0200)] 
libcli/smb: actually make use of "client/server smb3 signing algorithms"

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago docs-xml: add "client/server smb3 signing algorithms" options
Stefan Metzmacher [Tue, 13 Jul 2021 19:26:19 +0000 (21:26 +0200)] 
docs-xml: add "client/server smb3 signing algorithms" options

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago s3:smbd: prepare support for SMB2_SIGNING_CAPABILITIES
Stefan Metzmacher [Wed, 11 Nov 2020 13:27:30 +0000 (14:27 +0100)] 
s3:smbd: prepare support for SMB2_SIGNING_CAPABILITIES

But notice that srv_sign_algos->num_algos is always 0 for now,
but that'll change in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago libcli/smb: prepare support for SMB2_SIGNING_CAPABILITIES negotiation
Stefan Metzmacher [Thu, 11 Mar 2021 10:04:14 +0000 (11:04 +0100)] 
libcli/smb: prepare support for SMB2_SIGNING_CAPABILITIES negotiation

For now client_sign_algos->num_algos will always be 0,
but that'll change in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago libcli/smb: make sure smb2_signing_calc_signature() never generates a signature witho...
Stefan Metzmacher [Wed, 11 Nov 2020 13:10:01 +0000 (14:10 +0100)] 
libcli/smb: make sure smb2_signing_calc_signature() never generates a signature without a valid MID

This is important as AES-128-GMAC signing will derive the NONCE from the MID.

It also means a STATUS_PENDING response must never be signed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago libcli/smb: make sure we always send a valid MID in cancel PDUs
Stefan Metzmacher [Thu, 6 May 2021 21:07:13 +0000 (23:07 +0200)] 
libcli/smb: make sure we always send a valid MID in cancel PDUs

This is important as with AES-128-GMAC signing, the nonce will be
derived from the MID.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago libcli/smb: skip session setup signing for REQUEST_OUT_OF_SEQUENCE, NOT_SUPPORTED...
Stefan Metzmacher [Mon, 8 Mar 2021 01:03:30 +0000 (02:03 +0100)] 
libcli/smb: skip session setup signing for REQUEST_OUT_OF_SEQUENCE, NOT_SUPPORTED and ACCESS_DENIED

We should propagate these errors to the caller instead of masking them
with ACCESS_DENIED. And for ACCESS_DENIED we should not disconnect the
connection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago libcli/smb: add smb2cli_conn_server_{signing,encryption}_algo()
Stefan Metzmacher [Wed, 14 Jul 2021 14:23:54 +0000 (16:23 +0200)] 
libcli/smb: add smb2cli_conn_server_{signing,encryption}_algo()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago s3:smbd: make sure we don't try to sign CANCEL response PDUs
Stefan Metzmacher [Tue, 13 Jul 2021 20:37:36 +0000 (22:37 +0200)] 
s3:smbd: make sure we don't try to sign CANCEL response PDUs

Normally these are never generated, but it can happen when the
signing check fails.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago s3:smbd: make sure STATUS_PENDING responses are never signed
Stefan Metzmacher [Fri, 11 Jun 2021 13:33:46 +0000 (13:33 +0000)] 
s3:smbd: make sure STATUS_PENDING responses are never signed

It's important to match Windows here in order to avoid reusing
a NONCE for AES-128-GMAC signing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago s3:smbstatus: pretty print the use of new signing/encryption algorithms
Stefan Metzmacher [Thu, 6 May 2021 21:55:49 +0000 (23:55 +0200)] 
s3:smbstatus: pretty print the use of new signing/encryption algorithms

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago s3:smbd: only allow cancel with the same session
Stefan Metzmacher [Tue, 13 Jul 2021 19:50:27 +0000 (21:50 +0200)] 
s3:smbd: only allow cancel with the same session

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago libcli/smb: add SMB2_SIGNING_CAPABILITIES related defines to smb2_constants.h
Stefan Metzmacher [Wed, 11 Nov 2020 12:47:11 +0000 (13:47 +0100)] 
libcli/smb: add SMB2_SIGNING_CAPABILITIES related defines to smb2_constants.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

4 years ago libcli/smb: add SMB2_RDMA_TRANSFORM_CAPABILITIES related defines to smb2_constants.h
Stefan Metzmacher [Wed, 11 Nov 2020 12:47:11 +0000 (13:47 +0100)] 
libcli/smb: add SMB2_RDMA_TRANSFORM_CAPABILITIES related defines to smb2_constants.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>