The VFS flock function is called with a zero access_mask to indicate
that the share mode should be cleared. Adjust the check to directly
check the access_mask and provide a better message to indicate this
case.
Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 2 Jan 2020 21:58:06 +0000 (22:58 +0100)]
auth: Simplify struct auth4_context
The fake async code has been pushed down into the 3 users, remove the sync
callback. Overall it's more lines of code, but the central interface is
simplified.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jan 6 23:34:00 UTC 2020 on sn-devel-184
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jan 6 20:33:55 UTC 2020 on sn-devel-184
Volker Lendecke [Fri, 3 Jan 2020 13:24:13 +0000 (14:24 +0100)]
auth: Avoid casts in ntlm_check.c
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Mon Jan 6 03:12:20 UTC 2020 on sn-devel-184
Signed-off-by: Bjoern Jacke <bjacke@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Fri Jan 3 22:19:47 UTC 2020 on sn-devel-184
When Samba is running as a domain controller and the "vfs objects"
parameter is not set, then the dfs_samba4 and acl_xattr modules are
automatically enabled.
However, if the "vfs objects" is defined, then the setting is left
as-is. This means that attempts to us other VFS modules have the side
effect of disabling the dfs_samba4 and acl_xattr modules, causing
unexpected behaviour, which is then blamed on the VFS modules that were
explicitly defined.
This change ensures that when running as a domain controller, Samba logs
an error if the required VFS modules are not enabled by an explicit
"vfs objects" definition.
Volker Lendecke [Sun, 22 Dec 2019 17:20:12 +0000 (18:20 +0100)]
smbd: Remove an unused parameter from defer_open()
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Jan 3 01:30:24 UTC 2020 on sn-devel-184
Martin Schwenke [Fri, 13 Dec 2019 00:09:04 +0000 (11:09 +1100)]
ctdb-scripts: Strip square brackets when gathering connection info
ss added square brackets around IPv6 addresses in versions > 4.12.0
via commit aba9c23a6e1cb134840c998df14888dca469a485. CentOS 7 added
this feature somewhere mid-release. So, backward compatibility is
obviously needed.
As per the comment protocol/protocol_util.c should probably print and
parse such square brackets. However, for backward compatibility the
brackets would have to be stripped in both places in
update_tickles()... or added to the ss output when missing. Best to
leave this until we have a connection tracking daemon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jan 1 12:04:52 UTC 2020 on sn-devel-184
Volker Lendecke [Fri, 20 Dec 2019 15:20:00 +0000 (16:20 +0100)]
lib: Fix contending with a READ lock
When contending a WRITE with an existing READ, the contender puts
himself into the exclusive slot, waiting for the READers to go
away. If the async lock request is canceled before we got the lock, we
need to remove ourselves again. This is done in the destructor of the
g_lock_lock_state. In the successful case, the destructor needs to go
away.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Dec 22 18:57:17 UTC 2019 on sn-devel-184
awalker [Fri, 30 Aug 2019 19:30:57 +0000 (15:30 -0400)]
vfs_zfsacl: fix issue with ACL inheritance in zfsacl
Add parameter zfsacl:map_dacl_protected to address issue preventing Windows Clients
from disabling inheritance on ACLs. FreeBSD does not currently expose the ACL_PROTECTED
NFS4.1 flag, but it does expose ACE4_INHERITED_ACE. When the parameter is enabled,
map the absence of ACE4_INHERITED_ACE to SEC_DESC_DACL_PROTECTED.
Signed-off-by: Andrew Walker <awalker@ixsystems.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 20 23:24:54 UTC 2019 on sn-devel-184
Ralph Boehme [Sat, 19 Oct 2019 13:36:15 +0000 (15:36 +0200)]
vfs_zfsacl: pass nfs4_params to smb_set_nt_acl_nfs4()
Now that we parse nfs4_params in the VFS connect in this module, we can pass it
to smb_set_nt_acl_nfs4() which avoids having smb_set_nt_acl_nfs4() parse
it *every time* it's called.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Walker <awalker@ixsystems.com> Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Mon, 25 Nov 2019 09:17:38 +0000 (10:17 +0100)]
s3: remove unused session_keystr from struct user_struct
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Dec 20 13:06:20 UTC 2019 on sn-devel-184
Ralph Boehme [Tue, 17 Dec 2019 14:32:17 +0000 (15:32 +0100)]
python/tests: use a system session_info in posixacl.py
Previously posixacl.py passed None as session_info object from
get_session_info().
That meant that the if/else branch referring to session_info:
if nwrap_winbind_active or session_info:
self.assertEquals(posix_acl.acl[1].a_perm, 7)
else:
self.assertEquals(posix_acl.acl[1].a_perm, 6)
must be tweaked to take into account that session info is now either
* a system session_info in which case we must continue to use the if branch in
the code, or
* a user session_info in which case we must continue to go through the else
branch
Using
is_user_session = not session_info.security_token.is_system()
in place of just "session_info" does the trick.
Cf the classes SessionedPosixAclMappingTests and
UnixSessionedPosixAclMappingTests in posixacl.py, those are the ones that
trigger test execution with a user session.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 19 Dec 2019 21:50:09 +0000 (10:50 +1300)]
librpc: Do not access name[-1] trying to push "" into a dnsp_name
This simply matches the behaviour from before e7b1acaddf2ccc7de0301cc67f72187ab450e7b5
when the logic for a trailing . was added. This matches what is added in
the dnsRecord attribute for a name of "." over the dnsserver RPC
management interface and is based on what Windows does for that name
in (eg) an MX record.
No a security bug because we use talloc and so name will be just the
end of the talloc header.
Credit to OSS-Fuzz
Found using the fuzz_ndr_X fuzzer
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Dec 20 11:33:52 UTC 2019 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 20 09:01:30 UTC 2019 on sn-devel-184
Gary Lockyer [Thu, 19 Dec 2019 03:31:46 +0000 (16:31 +1300)]
upgradedns: ensure lmdb lock files linked
Ensure that the '-lock' files for the dns partitions as well as the data
files are linked when running
samba_dnsupgrade --dns-backend=BIND9_DLZ
failure to create these links can cause corruption of the corresponding
data file.