Martin Schwenke [Wed, 28 Oct 2020 22:05:37 +0000 (09:05 +1100)]
selftest: Drop dummy environment variables for CTDB daemons
This existed to avoid UID_WRAPPER_ROOT=1 causing ctdbd to fail to
chown the socket. The chown is no longer done in test mode so remove
this confusing hack.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Nov 2 10:20:45 UTC 2020 on sn-devel-184
Rowland Penny [Fri, 30 Oct 2020 15:39:58 +0000 (15:39 +0000)]
idmap_nss.8.xml: update manpage as discussed on the samba mailing
list
Signed-off-by: Rowland Penny <rpenny@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 30 17:11:02 UTC 2020 on sn-devel-184
Signed-off-by: Bjoern Jacke <bjacke@samba.org> Reviewed-by: Björn Baumbach <bbaumbach@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Thu Oct 29 20:49:16 UTC 2020 on sn-devel-184
Jule Anger [Tue, 20 Oct 2020 07:42:38 +0000 (09:42 +0200)]
tests: avoid returning an already used ID in randomXid()
The error 'uidNumber xxx is already being used.' in the samba tool tests
occurs when the random.randint functions returns the same value twice and
therefore a user or group with an already used gid or uid should be created.
Avoid this error by adding a list that stores the used IDs, so that the randomXid
function can check wheter a value is already used before returning it.
Signed-off-by: Jule Anger <ja@sernet.de> Reviewed-by: Björn Baumbach <bb@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 29 18:54:24 UTC 2020 on sn-devel-184
python:tests: Add SAMR password change tests for fips
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Oct 29 15:41:37 UTC 2020 on sn-devel-184
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Oct 29 11:47:35 UTC 2020 on sn-devel-184
CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call
We can't add this test before the fix, add it to knownfail and have the fix
remove the knownfail entry again. As this crashes winbind, many tests after
this one will fail.
Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
Andrew Walker [Wed, 28 Oct 2020 18:38:48 +0000 (14:38 -0400)]
s3:rpcclient fix NULL - deref caused by misuse of chgpasswd3
Passing wrong number of arguments to chgpasswd3 will cause rpcclient to crash.
Signed-off-by: Andrew Walker <awalker@ixsystems.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 29 03:31:56 UTC 2020 on sn-devel-184
../../source4/torture/basic/denytest.c: In function ‘torture_createx_specific.isra’:
../../source4/torture/basic/denytest.c:2372:9: error: ‘write’ reading 56 bytes from a region of size 8 [-Werror=stringop-overflow=]
2372 | res = write(data_file_fd, &cxd, cxd_len);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Oct 28 17:52:19 UTC 2020 on sn-devel-184
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru> Reviewed-by: Björn Jacke <bjacke@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Wed Oct 28 15:31:05 UTC 2020 on sn-devel-184
s3: Rerun genmsg to update pam_winbind after 10 years
Previous run was in 2010 (10 years ago!), a lot of strings have changed.
Also removed all fuzzies because many strings do not exist any more in nterr.c
and then regenerated pos to restore strings that do exist.
I ran:
$ ./genmsg (with previous commits applied)
$ for i in *.po ; do mv -v $i ${i}.t && msgattrib --no-fuzzy -o $i ${i}.t && rm -fv ${i}.t ; done
$ ./genmsg
bjacke edited: don't remove old nterr.c translations, we should keep those
translatins and translate the mappings to the new strings coming from
nterr_gen.c, see b7b289f372535dc479a9c9b7ea80da4711edf4f8 for the related
change.
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru> Reviewed-by: Björn Jacke <bjacke@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
daemons: report status to systemd even when running in foreground
When systemd launches samba services, the configuration we have in
systemd service files expects that the main process (/usr/sbin/*)
would use sd_notify() to report back its status. However, we only use
sd_notify() when running become_daemon().
As a result, samba/smbd/winbindd/nmbd processes never report back its
status and the status updates from other childs (smbd, winbindd, etc)
are not accepted as we now have implied NotifyAccess=main since commit d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc
This leads to a timeout and killing samba process by systemd. Situation
is reproducible in Fedora 33, for example.
Make sure that we have required status updates for all daemons in case
we aren't runnning in interactive mode.
Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Oct 26 19:58:18 UTC 2020 on sn-devel-184
DNS Resolver: support both dnspython before and after 2.0.0
`dnspython` 2.0.0 has many changes and several deprecations like:
```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.
> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```
The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
to spend trying to get an answer to the question)
The compatibility shim was developed by Stanislav Levin for FreeIPA and
adopted for Samba by Alexander Bokovoy.
Signed-off-by: Stanislav Levin <slev@altlinux.org> Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Fri, 23 Oct 2020 13:14:21 +0000 (15:14 +0200)]
test: Check that notifyd messages actually change the database
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Oct 24 07:20:17 UTC 2020 on sn-devel-184
Volker Lendecke [Thu, 22 Oct 2020 09:52:27 +0000 (11:52 +0200)]
notifyd: Add fcn_wait_send()/recv()
tevent_req based functions to listen for file change
notifications. Mainly right now for testing purposes, but it could be
used to also implement smbd's file change notify in a more tevent_req
based fashion than it is implemented now.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 21 Oct 2020 15:26:30 +0000 (17:26 +0200)]
notifyd: Factor out notifyd_parse_entry() into its own file
The next step will be to factor out notifyd_parse_db() and and
notify_walk() for consumption outside of smbd. notifyd_parse_db()
needs access to the internal representation of notifyd's database, so
move it into a commonly usable file.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 23 Oct 2020 14:25:06 +0000 (16:25 +0200)]
smbd: add and use SMB2_FILE_ALL_INFORMATION
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 23 19:06:40 UTC 2020 on sn-devel-184
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Fri Oct 23 17:24:37 UTC 2020 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 23 15:32:08 UTC 2020 on sn-devel-184
Ralph Boehme [Thu, 22 Oct 2020 10:26:17 +0000 (12:26 +0200)]
smbd: split out POSIX info_levels from smbd_do_setfilepathinfo() into own function
smbd_do_setfilepathinfo() can be made fully handle based for all non-POSIX
infolevels with pathref fsps, but for a POSIX create we may not have a fsp if
the path points at a symlink.
Splitting the POSIX from the non-POSIX logic allows for cleaner handling of this
in the future with pathref fsps.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 23 09:19:12 UTC 2020 on sn-devel-184
Ralph Boehme [Thu, 22 Oct 2020 09:04:59 +0000 (11:04 +0200)]
smbd: use UCF_POSIX_PATHNAMES flag for path validation logic in filename_convert_internal()
This change means that if a client path is a symlink, we *always* only call
check_veto_path() for POSIX clients using a POSIX pathname, not just when a
POSIX info-level was used in an SMB request.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 15 Oct 2020 17:45:21 +0000 (19:45 +0200)]
smbd: let directory entries inherit the smb_fname->flags from the directory
If the listed directory has SMB_FILENAME_POSIX_PATH set, this change causes the
smb_fname of directory entries to inherit the flag so subsequent operations on
the directory entry can correctly implement POSIX semantics.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 15 Oct 2020 08:27:23 +0000 (10:27 +0200)]
smbd: base POSIX semantics in call_trans2findfirst() on req->posix_pathnames
This will require a SMB1 client to enable SMB1 POSIX extensions, just sending
POSIX info-level requests without first enabling them won't cut it.
As discussed with Jeremy, SMB1 POSIX extensions is a global thing and the client
that wants to use it is expected to enable them explicitly before making use of
POSIX info-levels.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 23 04:47:26 UTC 2020 on sn-devel-184
wb_sids2xids: build state->idmap_doms based on wb_parent_idmap_config
In future we'll try to avoid wb_lookupsids_send() and only call
it if needed.
The domain name passed should be only relevant to find the correct
idmap backend, and these should all be available in
wb_parent_idmap_config as it was created before the idmap child was forked.
wb_sids2xids: directly use state->all_ids to collect results
In order to translate the indexes from state->lookup_sids[]
for wb_lookupsids_send/recv() and state->map_ids.ids[]
for dcerpc_wbint_Sids2UnixIDs_send/recv() back to
state->all_ids.ids[] or state->sids[] we have state->tmp_idx[].
This simplifies wb_sids2xids_recv() a lot and make further
restructuring much easier.
wb_sids2xids: inline wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()
Instead of re-creating the dom_ids element,
we just use a pre-allocated map_ids_in array.
This is a bit tricky as we need to use map_ids_out as a copy of
map_ids_in, because the _ids argument of dcerpc_wbint_Sids2UnixIDs_send()
in [in,out], which means that _ids->ids is changed between
dcerpc_wbint_Sids2UnixIDs_send() and dcerpc_wbint_Sids2UnixIDs_recv()!
If the domain doesn't need any mappings, we'll move to the next domain
early, for now this can't happend but it will in future.
Douglas Bagnall [Mon, 19 Oct 2020 20:42:56 +0000 (09:42 +1300)]
rpc: avoid undefined behaviour when parsing bindings
If the binding string ends with "[", we were setting options to an
empty string, then asking for 'options[strlen(options)-1]', which
UBSan dosn't like because the offset evaluates to (size_t)0xFFFFF...
causing pointer overflow.
I believe this is actually well defined in practice, but we don't want
to be in the habit of leaving sanitiser warnings in code parsing
untrusted strings.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
projects / thirdparty / samba.git / log
