Jeremy Allison [Wed, 23 Jun 2021 19:07:37 +0000 (12:07 -0700)]
s3: VFS: Update status of SMB_VFS_GETXATTR.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Jul 4 18:01:16 UTC 2021 on sn-devel-184
Jeremy Allison [Fri, 2 Jul 2021 20:43:49 +0000 (13:43 -0700)]
s3: VFS: fruit: Add helper function ad_get_meta_fsp().
Not yet used. We will use this to replace calls
to ad_get(..., ADOUBLE_META). It uses openat_pathref_fsp()
to get a handle before calling into ad_get(..., ADOUBLE_META).
Uses the recursion guard to prevent recursion into openat_pathref_fsp()
from stat calls within.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 2 Jul 2021 20:40:39 +0000 (13:40 -0700)]
s3: VFS: fruit: In the fruit handle->fruit_config_data, add a recursion guard we will set before calling openat_pathref_fsp().
Not yet used.
Same technique as used to prevent recursion in stat calls in vfs_fake_acls.c
This will go away once SMB_VFS_STATX() is added and we can select exactly
what fields we are calling stat() to get.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 2 Jul 2021 20:37:56 +0000 (13:37 -0700)]
s3: VFS: fruit: In fruit_stat_meta_netatalk(), move the call to fruit_stat_base() before the ad_get() call.
Both must succeed for a valid return, and we're next going
to replace ad_get() with a wrapper that calls openat_pathref_fsp(),
which needs a VALID_STAT().
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Thu, 1 Jul 2021 01:40:59 +0000 (18:40 -0700)]
s3: smbd: Fix fsp->base_fsp->fsp_name->fsp == fsp->base_fsp invariant in non_widelink_open().
Currently in master when we call into openat() in the VFS
we violate the invariant:
fsp->base_fsp->fsp_name->fsp == fsp->base_fsp.
The reason for this is subtle. Inside open.c:non_widelink_open()
we change the fsp->base_fsp to be relative to the new $cwd.
We do this by the following code in open.c:non_widelink_open():
    /* Also setup base_fsp to be relative to the new cwd */
    if (fsp->base_fsp != NULL) {
        base_smb_fname_rel = (struct smb_filename) {
            .base_name = smb_fname_rel->base_name,
        };
        orig_base_fsp_name = fsp->base_fsp->fsp_name;
        fsp->base_fsp->fsp_name = &base_smb_fname_rel;
    }
Note that fsp->base_fsp->fsp_name now points at a
stack variable struct smb_filename, with smb_fname->fsp == NULL.
This fixes that problem by removing the horrid
stack based smb_filename and changing to use a
talloc'ed fsp->base_fsp->fsp_name, with
correctly linked fsp->base_fsp->fsp_name-> pointer.
Remove the selftest/knownfail.d/fruit_vfs_invariant
file as all vfs_fruit tests now pass again.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jul 2 11:45:48 UTC 2021 on sn-devel-184
s4:kdc: prefer newer enctypes for preauth responses
This matches Windows KDCs, which was demonstrated by the
krb5.as_req_tests tests.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 1 18:37:14 UTC 2021 on sn-devel-184
Joseph Sutton [Mon, 21 Jun 2021 02:14:48 +0000 (14:14 +1200)]
s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
This enables us to more easily switch to a different algorithm to find
the strongest key in _kdc_find_etype().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 16 Jun 2021 00:52:11 +0000 (12:52 +1200)]
tests/krb5: Use admin creds for SamDB rather than user creds
This makes the purpose of each set of credentials more consistent, and
makes some tests more convenient to run standalone as they no longer
require user credentials.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Making this test a subclass of KDCBaseTest allows us to make use of its
methods for obtaining credentials and creating accounts, which helps to
eliminate some duplicated code.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 01:25:34 +0000 (13:25 +1200)]
tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
This is clearer than using the constant zero, which could be mistaken
for a valid kvno value.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 01:24:22 +0000 (13:24 +1200)]
tests/krb5/as_req_tests.py: Check the client kvno
Ensure we have the correct kvno for the client, rather than an 'unknown'
value.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
The credentials for the client and krbtgt accounts are now fetched
automatically rather than using environment variables, and the client
account is now automatically created.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 04:07:16 +0000 (16:07 +1200)]
tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
Now if the client credentials are not supplied in the environment, we
can fall back to creating a new user account. Similarly, if the krbtgt
credentials are not supplied, we can fetch the credentials of the
existing krbtgt account.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 03:55:17 +0000 (15:55 +1200)]
tests/krb5/raw_testcase.py: Simplify conditionals
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 05:12:39 +0000 (17:12 +1200)]
tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
This allows us to use other methods of obtaining credentials if getting
them from the environment fails.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If credentials are used more than once, we can now use the credentials
that we already obtained and so avoid fetching them again.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 04:55:02 +0000 (16:55 +1200)]
tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
This allows us to require encryption keys in the case that a password
would not be required, such as for the krbtgt account.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 03:59:11 +0000 (15:59 +1200)]
tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
This allows it to be used elsewhere in the tests.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 01:15:10 +0000 (13:15 +1200)]
tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
This requires admin credentials, and removes the need to pass these keys
as environment variables.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 03:12:38 +0000 (15:12 +1200)]
tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
This is done based on the domain functional level, which corresponds to
the logic Samba uses to decide whether or not to generate a
Primary:Kerberos-Newer-Keys element for the supplementalCredentials
attribute.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 23:40:41 +0000 (11:40 +1200)]
tests/krb5/kdc_base_test.py: Create loadparm only when needed
Now the .conf file is only loaded on its first use, which means that
SMB_CONF_PATH need not be defined for tests that don't make use of it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 23:31:26 +0000 (11:31 +1200)]
tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
Credentials for tests are now obtained using the get_user_creds()
method.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 23:04:00 +0000 (11:04 +1200)]
tests/krb5/kdc_base_test.py: Create database connection only when needed
Now the database connection is only created on its first use, which
means database credentials are no longer required for tests that don't
make use of it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 01:14:33 +0000 (13:14 +1200)]
tests/krb5/raw_testcase.py: Add get_admin_creds()
This method allows obtaining credentials that can be used for
administrative tasks such as creating accounts.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Jun 2021 03:38:28 +0000 (15:38 +1200)]
tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
This allows accounts created for permutation tests to be reused, rather
than having to be recreated for every test.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows building the pre-authentication data that encodes
the request for the KDC (or more likely a request not to include)
the KRB5 PAC in the resulting ticket.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 1 17:45:49 UTC 2021 on sn-devel-184
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 1 13:48:32 UTC 2021 on sn-devel-184
The key is that exactly one 'subexpression' starting with '\(' and
ending with '\)' is specified in order to select the position where
the digits are searched.
E.g. given a file name 'Re7599Ex01234.txt' will actually preopen:
docs-xml:vfs_preopen.8: improve the documentation of the current detection algorithm
We should be more verbose that the first digits in a name are taken by
default, if at least 3 digits were found.
There might be cases where the last group of digits describes the
increasing frame number, while the fixed name already contains
3 digits. This is currently not supported.
It's also possible to provide more than one pattern.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
vfs_preopen: make use of any hints from samba_path_matching_check_last_component()
samba_path_matching_check_last_component() may return the start and end
offset of a submatch (for us the bytes where the digits are expected).
We use that in order to allow preopen_parse_fname() to just
look at these bytes and ignore any trailing digits after the submatch.
For the current use of samba_path_matching_mswild_create(),
there's no difference as we'll always get replace_start=-1 and
replace_end=-1. But the next commit will make optional use of
samba_path_matching_regex_sub1_create(), which will change the situation
and allow to return hints we got from regexec().
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
vfs_preopen: only try to preopen if we can construct an absolute path
So we make sure the dirfsp contains an absolute path to begin with
and smb_fname is a relative name within the directory.
Note: dirfsp->fsp_name->base_name[0] is only '/' because currently all callers pass
conn->cwd_fsp as dirfsp ... though there's already one caller that calls
fd_openat() with a real dirfsp, that is in vfs_fruit though on the
resource fork stream so doesn't really affect us currently.
If more callers are changed in future the situation may change,
but I guess then this is not the only place with potential problems.
We most likely need a generic helper function that returns the absolute
path of a dirfsp and use it here.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 30 17:40:23 UTC 2021 on sn-devel-184
Ralph Boehme [Fri, 25 Jun 2021 13:47:38 +0000 (15:47 +0200)]
vfs_default: properly track written bytes for copy-chunk
No change in behaviour, this just makes the logic slightly more
understandable. In theory it would also allow the logic to be adjusted for
allowing short reads which is not quite clear from MS-SMB2 if we should allow
it. The file could be truncated while we're reading it.
Jeremy Allison [Mon, 28 Jun 2021 23:48:51 +0000 (16:48 -0700)]
s3: VFS: fake_acls. Remove two static 'recursion' global booleans.
Ralph made me feel really guilty about this, so I cleaned it up :-).
This may also be the way we can finally get rid of SMB_VFS_GETXATTR()
from adouble.c too.
This will go away once we have SMB_VFS_STATX() and we will
have a way for a caller to ask for specific stat fields in a
granular way. Then we will know exactly what fields the caller
wants, so we won't have to fill in everything.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 29 22:08:02 UTC 2021 on sn-devel-184
Noel Power [Thu, 17 Jun 2021 09:03:05 +0000 (10:03 +0100)]
s3: VFS: Update status of SMB_VFS_CHFLAGS
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Jun 29 09:10:00 UTC 2021 on sn-devel-184