Douglas Bagnall [Fri, 15 Mar 2024 10:29:34 +0000 (23:29 +1300)]
ldb_dn: make LDB_FREE, TALLOC_FREE
This LDB_FREE() seems to predate TALLOC_FREE(), and was identical
until TALLOC_FREE was optimised to avoid calling talloc_free(NULL) in b9fcfc6399eab750880ee0b9806311dd351a8ff6.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 15 Mar 2024 02:03:44 +0000 (15:03 +1300)]
ldb:ldb_dn: use safe transitive comparison in ldb_dn_compare()
The comparison we make is unconventional, and makes no difference in
normal usage, where we just want to know whether two DNs are the same
or not. But with over 100 callers, it is possible that something
somewhere is attempting a sort.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 6 Mar 2024 22:05:55 +0000 (11:05 +1300)]
pytest:segfault: prevent @no_gdb_backtrace smearing on exception
It is OK for one of these tests to raise an exception -- that is often
the only reasonable thing to do when you'd otherwise crash -- but the
@no_gdb_backtrace decorator would not clean up in that case, leading to
no gdb backtraces for all subsequent tests.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 7 Mar 2024 10:13:56 +0000 (23:13 +1300)]
selftest/gdb_backtrace: avoid printing backtrace twice with 1 thread
We call 'thread apply all bt full' in case there are interesting
things going on in other threads, but often there are no other threads
and it only serves to repeat the original trace (and very slowly, for
some reason).
The $_inferior_thread_count convenience variable is new in gdb 13.1
(2022-ish) so we init-if-undefined it to default to the old behaviour.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 20 04:53:57 UTC 2024 on atb-devel-224
tests: models: test additional Computer constructor cases
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests: models: fix username should be account_name
The reason this didn't fail, is because it doesn't save the Computers.
This gets fixed in the next commit.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It was fetching the GMSA with the models straight after creating it anyway.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This happens if --json is used and a CommandError is raised, so will affect other commands too where --json is used.
This happens in the print_json_status method.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python: models: add kwargs to __json__ and as_dict methods
Allows passing arguments through
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Only touch files where samba.domain.models import was moved
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
netcmd: gmsa: show viewers also works if SID is not found
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
netcmd: gmsa: add and remove don't fetch trustee if it is a SID
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
netcmd: gmsa: add_trustee and remove_trustee change argument to sid
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In some cases the previous code would end up creating computers where the account name ended on double "$"
Rewrote constructor to handle more cases, for example only an account name is provided, only a name is provided, or both.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
netcmd: models: allow scope to be overridden in query
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Unlike User.find, this will not fetch the User if an SID is provided.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python: samdb: Make connecting_user_sid a property
This is following the same design as other similar properties like samdb.domain_sid, only it doesn't need a setter.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python: samdb: Move get_connecting_user_sid to samdb
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 17 Mar 2024 10:08:23 +0000 (23:08 +1300)]
libcli/security: check again for NULL values
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224
Douglas Bagnall [Sun, 17 Mar 2024 10:07:17 +0000 (23:07 +1300)]
libcli/security: claims_conversions: check for NULL in claims array
If by mistake we end up with a NULL in our array of claims pointers,
it is better to return an error than crash.
There can be NULLs in the array if a resource attribute ACE has a
claim that uses 0 as a relative data pointer. Samba assumes this means
a NULL pointer, rather than a zero offset.
Andrew Bartlett [Thu, 14 Mar 2024 03:55:19 +0000 (16:55 +1300)]
s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()
Previously any errors noticed during the main loop would be ignored.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224
Andrew Bartlett [Thu, 7 Mar 2024 01:53:53 +0000 (14:53 +1300)]
samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export
Since 87f67d336919172845f53067c67d1eab8e7ef18a samba-tool domain exportkeytab has
silently unlinked the given target file. Instead, the administrator now needs
to specify a file that does not exist.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Mar 2024 04:48:09 +0000 (17:48 +1300)]
s4-libnet: Prepare for a "rolling update" keytab export
This mode will allow keytabs to be exported with all current keys added
to historical keys, which will be useful in a domain with many gMSA
servers that require wireshark decryption.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Mar 2024 22:59:21 +0000 (11:59 +1300)]
samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab"
This will keep stale keys in the keytab, which may be useful for wireshark
but is not correct if the keytab is used for accepting Kerberos tickets,
as tickets encrypted with old passwords would still be accepted.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Mar 2024 04:42:01 +0000 (17:42 +1300)]
lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry()
The two callers of this function want two very different things, the
common point was wanting to call smb_krb5_kt_seek_and_delete_old_entries()
however this is now done earlier in sdb_kt_copy() with
smb_krb5_remove_obsolete_keytab_entries() or an unlink() in
libnet_export_keytab().
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Fri, 2 Feb 2024 01:40:24 +0000 (14:40 +1300)]
auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords()
This is unused in Samba currently, but is a subtle race that will be difficult
to debug if this is ever used, so this makes things easier for some future
developer.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Thu, 21 Dec 2023 23:09:45 +0000 (12:09 +1300)]
s4-kdc: Prepare for gMSA support by recording it on the entry
This will allow the "samba-tool domain exportkeytab" code to do special gMSA
processing and in the future will allow the KDC to know it needs to check
if the keys in the DB need refreshing.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
packaging: Provide a systemd service file for samba-bgqd
There might be scenarios where the background queue daemon should be
running all the time instead of being started on demand. This makes
especially sense for bigger printing servers with a lot of printers. It
takes ~1 sec to get a printer from cups, so a print server with 100
printers needs 100 seconds to update the printer_list.tdb. The service
will be killed because of idle in the meantime.
Noel Power [Tue, 20 Feb 2024 09:26:29 +0000 (09:26 +0000)]
s3/smbd: If we fail to close file_handle ensure we should reset the fd
if fsp_flags.fstat_before_close == true then close_file_smb will call
vfs_stat which can fail. If it does fail then the fd associated
with the file handle will still be set (and we will hit an assert
is the file handle destructor) when calling file_free.
We need to set fd to -1 to avoid that. To achieve that we capture and
return the vfs_stat_fsp failure status while still processing the rest
of the fd_close logic.
[2024/02/20 09:23:48.454671, 0, pid=9744] ../../source3/smbd/smb2_close.c:226(smbd_smb2_close)
smbd_smb2_close: close_file[]: NT_STATUS_ACCESS_DENIED
[2024/02/20 09:23:48.454757, 0, pid=9744] ../../source3/smbd/fd_handle.c:40(fd_handle_destructor)
PANIC: assert failed at ../../source3/smbd/fd_handle.c(40): (fh->fd == -1) || (fh->fd == AT_FDCWD)
[2024/02/20 09:23:48.454781, 0, pid=9744] ../../lib/util/fault.c:178(smb_panic_log)
===============================================================
[2024/02/20 09:23:48.454804, 0, pid=9744] ../../lib/util/fault.c:185(smb_panic_log)
INTERNAL ERROR: assert failed: (fh->fd == -1) || (fh->fd == AT_FDCWD) in smbd (smbd[192.168.10) (client [192.168.100.15]) pid 9744 (4.21.0pre1-DEVELOPERBUILD)
[2024/02/20 09:23:48.454844, 0, pid=9744] ../../lib/util/fault.c:190(smb_panic_log)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2024/02/20 09:23:48.454869, 0, pid=9744] ../../lib/util/fault.c:191(smb_panic_log)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527 Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Mar 13 10:34:45 UTC 2024 on atb-devel-224
Ralph Boehme [Mon, 5 Feb 2024 14:03:48 +0000 (15:03 +0100)]
smbd: simplify handling of failing fstat() after unlinking file
close_remove_share_mode() already called vfs_stat_fsp(), so we can skip the
fstat() triggered in fd_close() by fsp->fsp_flags.fstat_before_close being true.
This avoids getting an EACCESS error when doing an fstat() on the removed file
which seems to happen with some FUSE filesystems.
projects / thirdparty / samba.git / log
