Douglas Bagnall [Wed, 7 Apr 2021 01:34:50 +0000 (13:34 +1200)]
py/dnsserver: add .from_string() methods
The logic to parse DNS value strings (e.g. "example.com 10" for an MX,
which needs to be split on the space) is repeated at least in
samba-tool dns and tests/dcerpc/dnsserver.py. Here we bring it
together so we can do it once.
The sep= keyword allows callers to separate on all runs of
whitespace (the default, as samba-tool dns does) or, using sep='', to
separate on true spaces only.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Ralph Boehme [Thu, 8 Apr 2021 10:17:22 +0000 (12:17 +0200)]
smbd: SMB2 Compound related chain handling when generation of FileId has failed
Issue:
We have a scenario where an application sends a Compound Related chain
consisting of:
SMB2_CREATE
SMB2_IOCTL
SMB2_SET_INFO
SMB2_CLOSE
SMB2_CREATE failed with NT_STATUS_ACCESS_DENIED and subsequent
requests all fail. In Samba they return NT_STATUS_FILE_CLOSED.
When I tried the same against a Win2k12 server, I noticed that all the
failed requests of the chain would return NT_STATUS_ACCESS_DENIED.
I believe this behaviour is also mentioned in the [MS-SMB2] Specs
3.3.5.2.7.2: Handling Compounded Related Requests
"When the current operation requires a FileId and the previous
operation either contains or generates a FileId, if the previous
operation fails with an error, the server SHOULD<223> fail the current
operation with the same error code returned by the previous
operation."
Fix:
Save NTATUS of a failed Create request. When we process subsequent
requests of the chain we check if the previous Create has failed. In
case of a Create failure we returned the saved NTSTATUS.
Signed-off-by: Anubhav Rakshit <anubhav.rakshit@gmail.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr 8 17:30:50 UTC 2021 on sn-devel-184
Ralph Boehme [Thu, 8 Apr 2021 10:25:22 +0000 (12:25 +0200)]
torture: add another smbtorture compound SMB2 requests test "related9"
This test verifies that if a compound related request is not preceeded by a
request that generates or contains a File-ID, the request fails with
NT_STATUS_INVALID_PARAMETER.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
torture: add smbtorture testcase "related7" for failure in compound related chain
We want to verify what Windows does when the first request of the
chain has failed and an async request is part of the chain. We see
Windows fails the async request with the same error. Also the async
request is immediately failed.
Signed-off-by: Anubhav Rakshit <anubhav.rakshit@gmail.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Mon, 22 Mar 2021 19:36:39 +0000 (12:36 -0700)]
Update status of SMB_VFS_REMOVEXATTR
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Apr 7 17:32:07 UTC 2021 on sn-devel-184
Jeremy Allison [Thu, 1 Apr 2021 20:16:34 +0000 (13:16 -0700)]
VFS: nfs4acl_xattr: Ensure nfs4acl_get_blob() always gets a valid fsp pointer.
This means adding a synthetic_pathref() call into the
nfs4acl_xattr version of SMB_VFS_GET_NT_ACL_AT() which
is the pathname-based ACL fetch call.
One place where this (smb_fname->fsp == NULL)
can happen is from open when checking parent
directory ACL - check_parent_access() currently
isn't always passed a smb_fname with a valid
fsp and check_parent_access() currently doesn't
open a pathref smb_fname->fsp itself (eventually
it should be passed in a pathref from the caller).
There are also a few other places inside smbd
that call smbd_check_access_rights() also without
a pathref fsp.
This check should be moved into the
callers inside smbd to ensure that smb_fname->fsp
is always valid here, and in a later patchset (not
part of this set) I will do just that.
Ultimately it may be possible to remove
pathname based SMB_VFS_GET_NT_ACL_AT(), this
requires further investigation.
But until then, we need this change.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Tue, 6 Apr 2021 18:53:40 +0000 (11:53 -0700)]
s3: smbd: Fix parent_pathref() to cope with symlink parents.
We know that the parent name must
exist, and the name has been canonicalized
even if this was a POSIX pathname.
Ensure that we follow symlinks for
the parent. See the torture test
POSIX-SYMLINK-PARENT for details.
Remove knownfail entry.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Apr 7 15:39:45 UTC 2021 on sn-devel-184
Jeremy Allison [Tue, 6 Apr 2021 18:46:23 +0000 (11:46 -0700)]
s3: torture: Add an SMB1 POSIX specific test POSIX-SYMLINK-PARENT.
This creates a directory, then a symlink to a directory,
and then checks we can POSIX create and delete file, directory,
symlink and hardlink filesystem objects under the symlink
parent directory.
Mark as knownfail until next commit.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 7 10:24:17 UTC 2021 on sn-devel-184
Bernd Kuhls [Sat, 27 Mar 2021 16:17:34 +0000 (17:17 +0100)]
dcesrv_core: fix build
Move include of system/network.h to avoid a build error:
In file included from ../../lib/replace/system/network.h:35,
from ../../librpc/rpc/dcesrv_core.c:2658:
usr/include/unistd.h: At top level:
usr/include/unistd.h:675:16: error: conflicting types for ‘geteuid’
675 | extern __uid_t geteuid (void) __THROW;
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Samuel Cabrero [Fri, 26 Jun 2020 15:20:32 +0000 (17:20 +0200)]
s3: rpc_server: Store new association groups in the id tree
Right now a new association group is created for each connection
assigning the legacy 0x53F0 id, but it is not stored anywhere. When a
second client request to join an association group by its id it is not
found and a new one is created with the same ID.
In practise, it means the association groups are not working even in the
same server process.
This commit stores the created association group in the idtree, but to
make use of it assigns a random id instead of the historical 0x53F0.
The test assoc_group_ok2 was wrongly passing before this change because
the same id 0x53F0 was assigned to all association groups.
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Samuel Cabrero [Fri, 19 Jun 2020 14:31:39 +0000 (16:31 +0200)]
selftest: Test RPC handles and association groups from different connection
Add a test to check if a RPC handle can be used from a different connection
than the one where it was created, when the same association group is
requested in the bind operation of the second connection.
The association group handling is one of the differences between the S3
and S4 RPC server implementations provided by the implementation
callbacks after the merge.
Association groups work fine in the S4 implementation as the RPC server
runs in one process, except for the 'smbd' embedded services provided
by the S3 implementation like winreg (see lp_enforce_ad_dc_settings()).
In the S3 implementation, association groups should work in the same
process, but the merge introduced a bug where a new association group is
always created even when it already exists in the same process.
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 23 Feb 2021 13:46:38 +0000 (02:46 +1300)]
s4:dsdb/password_hash: Add additional check for crypt() and crypt_r() failure
While crypt_rn() always returns a null pointer in the event of
failure, crypt() and crypt_r() may instead return a string starting
with the character '*'. This commit adds a check to detect failure in
this case.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 23 Feb 2021 13:03:25 +0000 (02:03 +1300)]
provision: Decrease the length of random machine passwords
The current length of 128-255 UTF-16 characters currently causes
generation of crypt() passwords to typically fail. This commit
decreases the length to 120 UTF-16 characters, which is the same as
that used by Windows.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 23 Feb 2021 12:13:41 +0000 (01:13 +1300)]
s4:dsdb/password_hash: Don't generate crypt() password for krbtgt account
Since the length of the krbtgt password after conversion to UTF-8 form is
typically greater than the maximum accepted by crypt(), the call usually
fails. This commit disables generation of crypt() passwords for this specific
account, as it's not necessary.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 7 03:16:39 UTC 2021 on sn-devel-184
Martin Schwenke [Mon, 29 Mar 2021 05:30:37 +0000 (16:30 +1100)]
build: Only add -Wl,--as-needed when supported
If -Wl,--as-needed is added to EXTRA_LDFLAGS (via ADD_LDFLAGS, as per
commit 996560191ac6bd603901dcd6c0de5d239e019ef4) then on some
platforms (at least CentOS 8 and Fedora 33), any indirect/recursive
dependencies (i.e. private libraries) are added to both the
binary (reqid_test in the CTDB case) and to samba-util.so. However,
only samba-util.so has rpath set to find private libraries.
When ld.so tries to resolve these dependencies for the binary it
fails. This may be a bug on those platforms, but it occurs reliably
and our users will also hit the bug. For binaries that have other
private library dependencies (e.g. bundled talloc) rpath will contain
the private library directory so the duplicate private library
dependencies are then found... that is, when it works, it works by
accident!
For some reason (deep in waf or wafsamba) if -Wl,--as-needed is added to
LINKFLAGS (as is done in conf.add_as_needed()) then it works: the direct
dependencies are only added to samba-util.so and the same depenencies
(indirect dependencies for binaries) are not added incorrectly to the
binaries.
So, without changing 1/2 of waf/wafsamba the simplest fix is to revert
to adding -Wl,--as-needed to LINKFLAGS, which was the case before
commit 996560191ac6bd603901dcd6c0de5d239e019ef4.
librpc: Remove the gensec dependency from library dcerpc-binding
This means yet another library, but having to depend on gensec just
for dcerpc_parse_binding() and basic packet parsing seems like a bit
overkill to me.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 6 23:33:14 UTC 2021 on sn-devel-184
Volker Lendecke [Tue, 23 Feb 2021 09:38:16 +0000 (10:38 +0100)]
winbindd: Use samr instead of lsa in sam_name_to_sid()
After the "Unix Users/Groups" and wkn names have been taken care of,
all that remains here is our domain (BUILTIN or workgroup). We don't
need any of the fancy routing in lsa_lookupnames, and samr_LookupNames
is a lot less prone to deadlocks back into winbind.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 23 Feb 2021 07:27:07 +0000 (08:27 +0100)]
winbindd: Avoid deadlock in sam_name_to_sid()
"Unix Users" and "Unix Groups" can recurse into nsswitch and thus into
winbind. In the binding process, we have winbindd_off(), but if we
pass the lookupNames request to a forked lsad, lsad does not
necessarily have that setting. So lsad might turn back to winbind,
which could lead to a deadlock. Handle the nsswitch lookups in
winbind.
While there, also do the simple wellknown names and the "DOMAIN\" type
3 lookups directly in winbind.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Samuel Cabrero [Tue, 30 Mar 2021 14:17:31 +0000 (16:17 +0200)]
oss-fuzz: Update build script to be compatible with rpm distros
The /etc/default/locale file does not exists in the rpm family distros
so the do_build.sh script failed with:
./lib/fuzzing/oss-fuzz/do_build.sh: line 31: /etc/default/locale: No
such file or directory
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Tue Apr 6 15:54:54 UTC 2021 on sn-devel-184
Ralph Boehme [Tue, 6 Apr 2021 12:47:39 +0000 (14:47 +0200)]
smbd: reduce loglevel for failed openat_pathref_fsp() calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14685
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1884
RN: Log clutter from filename_convert_internal()
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Apr 6 14:39:46 UTC 2021 on sn-devel-184
Volker Lendecke [Tue, 30 Mar 2021 15:18:10 +0000 (17:18 +0200)]
lib: Fix rundown of jobs sent with background_job_send()
When using this with a trigger message in smbd it will crash at
rundown in messaging_deregister because the global messaging context
can be TALLOC_FREE'ed before the background job is freed.
Using messaging_filtered_send already takes care of this situation
properly.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr 1 17:50:49 UTC 2021 on sn-devel-184
selftest: Allow to set the 'log level' for clients
This allows to set the 'log level' for clients on the command line:
make test TESTS=wurst CLIENT_LOG_LEVEL=10
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 31 21:20:23 UTC 2021 on sn-devel-184
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 31 12:14:01 UTC 2021 on sn-devel-184
Ralph Boehme [Tue, 23 Mar 2021 10:40:21 +0000 (11:40 +0100)]
pidl: set the per-request memory context in the pidl generator
The talloc memory context referenced by the pipe_struct mem_ctx member is used
as talloc parent for RPC response data by the RPC service implementations.
In Samba versions up to 4.10 all talloc children of p->mem_ctx were freed after
a RPC response was delivered by calling talloc_free_children(p->mem_ctx). Commit 60fa8e255254d38e9443bf96f2c0f31430be6ab8 removed this call which resulted in all
memory allocations on this context not getting released, which can consume
significant memory in long running RPC connections.
Instead of putting the talloc_free_children(p->mem_ctx) back, just use the
mem_ctx argument of the ${pipename}_op_dispatch_internal() function which is a
dcesrv_call_state object created by dcesrv_process_ncacn_packet() and released
by the RPC server when the RPC request processing is finished.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@amba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 31 06:13:39 UTC 2021 on sn-devel-184
Jeremy Allison [Thu, 25 Mar 2021 22:46:45 +0000 (15:46 -0700)]
s3: smbd: Fix SMB_VFS_FGET_NT_ACL/SMB_VFS_FSET_NT_ACL on stream handles.
As this is done on existing files, we know that
fsp->base_fsp != NULL and fsp->base_fsp->fh->fd != -1
(i.e. it's a pathref fd) for stream handles.
When getting and setting ACLs on stream handles,
use the fsp->base_fsp instead (as Windows does).
This not only fixes streams_xattr, but will
allow us to later analyze and remove all
special casing code for get/set ACLs on streams
handles.
Remove the knownfail.d/stream-acl file.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 30 20:14:35 UTC 2021 on sn-devel-184
Douglas Bagnall [Sun, 21 Mar 2021 07:49:32 +0000 (20:49 +1300)]
ldb-samba: remove redundant negative check
smb_strtoull() already checks for negative numbers, but does
it properly, catching " -2" as well as "-2".
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 30 18:55:28 UTC 2021 on sn-devel-184
projects / thirdparty / samba.git / log
