git.ipfire.org Git - thirdparty/samba.git/log

bootstrap: Fix runner tags

See https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 84fb5cc8451c0af354850f39ae6debf388849ebb)

[v4-19-only] selftest: support for MIT krb5 1.21

This copes with the differences between MIT 1.20 and 1.21
during gitlab pipeline selftest.

We need this because Fedora 38 upgraded from 1.20.1 to 1.21.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Stefan Metzmacher <metze@samba.org>

selftest: Allow MIT Krb5 1.21 to still start to fl2000dc

This is the simplest way to keep this test environment alive.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 4ae3e9b208d4badee5765eddd832b258e84665b2)

.gitlab-ci: Allow ext4 jobs to run on shared runners

At the time of this commit, GitLab shared runners
tagged "gce" were 2x AMD EPYC 7B12 with 8GB ram.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 19fb9a97dff2c0222d89a19bc9b0cd27f0306408)

.gitlab-ci: make it explicit that some tests require ext4/5.15 kernel

This is better then requiring private runners,
as we'll be able to use shared runners for ext4 soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b1e83b6cede6ad50e417a6cff583a9ab25f8c980)

Fix starvation of pending writes in CTDB queues

CTDB uses a queue to receive requests and send answers. It works
asynchronously using the tevent framework. However there was an issue
that gave priority to the receiving side so, when a request was
processed and the answer posted to the queue, if another incoming
request arrived, it was served before sending the previous answer.

This scenario could repeat for long periods of time if the frequency of
incoming requests was high enough.

Eventually, a small time gap between incoming request gave a chance to
process the pending output queue, sending many answers in a burst.

This patch makes sure that both queues (input and output) are processed
if the event contains the appropriate flag.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15678
RN: Fix unnecessary delays in CTDB while processing requests under high
load.

Signed-off-by: Xavi Hernandez <xhernandez@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jul 1 09:17:43 UTC 2024 on atb-devel-224

(cherry picked from commit 60550fbe184a5cefa55a8f0bab508f70def7a684)

Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Tue Jul 9 08:46:54 UTC 2024 on atb-devel-224

build: --vendor-suffix instead of --vendor-patch-revision --vendor-name

In practice there isn't a use for two options, and neither quite
matched what people thought they were doing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15673

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
(cherry picked from commit 673c8e6ca5994973e4887641c3599707a66a608c)

buildtools: sanitise strange characters in vendor strings

There is no reason to think '-' and '+' are the only characters that
might sneak into a vendor string; Debian habitually use '~'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15673

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
(cherry picked from commit 0bc5b6f29307ce758774c1b2f48ce62315fdc7f9)

third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)

This lets us match the Windows FAST reply when the password is expired.

Windows clients were upset by the NTSTATUS field in the edata,
apparently interpreting it to mean “insufficient resource”.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(backported from commit fe90576871b5d644b9e888fd7a0b0351feaba750)

[jsutton@samba.org Fixed conflicts in knownfails and
third_party/heimdal/kdc/fast.c]

Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Wed Jul 3 09:56:13 UTC 2024 on atb-devel-224

tests/krb5: Add tests for errors produced when logging in with unusable accounts

Heimdal matches Windows in the no‐FAST case, but produces NTSTATUS codes
when it shouldn’t in the FAST case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(backported from commit c5ee0b60b20011aeaa60c2f549c2a78269c97c8f)

[jsutton@samba.org Fixed conflicts in selftest/knownfail_heimdal_kdc]

tests/krb5: Allow creation of disabled accounts for testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(backported from commit 6dc6168719cf232ac2c1d747f10aad9b13300c02)

[jsutton@samba.org Fixed conflicting import statements in
python/samba/tests/krb5/kdc_base_test.py]

[jsutton@samba.org Fixed conflicting import statements in
python/samba/tests/krb5/kdc_base_test.py]

python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
(backported from commit b2fe1ea1c6aba116b31a1c803b4e0d36ac1a32ee)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

[jsutton@samba.org Fixed conflicting import statements in
python/samba/tests/krb5/pkinit_tests.py]

[jsutton@samba.org Fixed conflicting import statements in
python/samba/tests/krb5/kdc_base_test.py]

tests/krb5: Fix PK-INIT test framework to allow expired password keys

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7cc8f455191faacf32efc474c27e99d45ef2e024)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

dsdb: Reduce minimum maxPwdAge from 1 day to nil

This allows us to have tests, which pass on Windows, that
use a very short maxPwdAge.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
(cherry picked from commit 3669479f22f2109a64250ffabd1f6453882d29f1)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

tests/krb5: Use __slots__ to indicate which attributes are used by classes

These should help to catch mistaken attempts to set invalid attributes.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2b69e1e7c316e634090aad1d97ecadf8cdf529f3)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

tests/krb5: Add method to perform an armored AS‐REQ

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 849ee959845832b206ae315ab5911c623ea61148)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts

We only turn desired into off in the NT4 domain member case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224

(cherry picked from commit 5b40cdf6e8885c9db6c5ffa972112f3516e4130a)

auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit eeb60574b6bf1a5209b85a8af843b93300550ba7)

auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c715ac5e496ddde119212d3b880ff0e68c2da67b)

testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos

This shows that they are ignored for machine accounts as domain member.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit db2c576f329675e8d66e19c336fe04ccba918b4a)

testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit cda8beea45303a77080c64bb2391d22c59672deb)

ctdb/docs: Include ceph rados namespace support in man page

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15665

Document the new optional argument to specify the namespace to be
associated with RADOS objects in a pool.

Pair-Programmed-With: Anoop C S <anoopcs@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Jun 14 07:42:25 UTC 2024 on atb-devel-224

(cherry picked from commit 35f6c3f3d4a5521e6576fcc0dd7dd3bbcea041b2)

ctdb/ceph: Add optional namespace support for mutex helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15665

RADOS objects within a pool can be associated to a namespace for
logical separation. librados already provides an API to configure
such a namespace with respect to a context. Make use of it as an
optional argument to the helper binary.

Pair-Programmed-With: Anoop C S <anoopcs@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit d8c52995f68fe088dd2174562faee69ed1c95edd)

vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send

If a client for whatever reason calls FSCTL_SRV_COPYCHUNK[_WRITE] without
FSCTL_SRV_REQUEST_RESUME_KEY, we call vfswrap_offload_write_send
before vfswrap_offload_read_send.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jun 17 18:02:27 UTC 2024 on atb-devel-224

(cherry picked from commit 462b74da79c51f9ba6dbd24e603aa904485d5123)

s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
(cherry picked from commit 372476aeb003e9c608cd2c0a78a9c577b57ba8f4)

script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15654

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
RN: We have added new options --vendor-name and --vendor-patch-revision arguments
to ./configure to allow distributions and packagers to put their name in the Samba
version string so that when debugging Samba the source of the binary is obvious.

[abartlet@samba.org adapted to 4.20 still having the seperate LDB build system
from commit 72112d4814eb3872016c1168c477531be835a1f9]

build: Add --vendor-name --vendor-patch-revision options to ./configure

These options are for packagers and vendors to set so that when
Samba developers are debugging an issue, we know exactly which
package is in use, and so have an idea if any patches have been
applied.

This is included in the string that a Samba backtrace gives,
as part of the PANIC message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15654
REF: https://lists.samba.org/archive/samba-technical/2024-May/138992.html

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 651fb94c374c7f84405d960a9e0a0fd7fcb285dd)

s4:nbt_server: simulate nmbd and provide unexpected handling

This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS based names. Instead of falling back to
the ugly name_status_find() that simulates just
an NETLOGON_SAM_LOGON_RESPONSE_NT40 response.

This way dsgetdcname() can work with just the netbios
domain name given and still return an active directory
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 796f33c05a0ca337b675b5d4d127f7c53b22528f)

s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1)

s4:libcli/dgram: make use of socket_address_copy()

This avoids talloc_reference...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 77f4f1c7dbaa2bb04d59d908923f6d11fd514da2)

s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 11861bcfc3054894bc445e631ae03befb4865db8)

libcli/nbt: add nbt_name_send_raw()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cca373b806e01fc57bd5316d3f8a17578b4b6531)

s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL

In 2024 we always want an active directory response...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2b66663c75cdb3bc1b6bc5b1736dd9d35b094b42)

s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()

This will allow source4/nbt_server to make use of
nb_packet_server_create().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 696505a1efbcc9803a287d8c267fed9d04bf8885)

s3:libsmb/unexpected: don't use talloc_tos() in async code

It's not needed and it requires the caller to setup a
stackframe...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f90cf0822d6e66426d72f92bd585119066e2a9c3)

s3:wscript: LIBNMB requires lp_ functions

We need to make this explicit in order to let LIBNMB be used
in source4 code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 011f68ae5ddc3fae8b453744aeb95766d885915e)

s3:include: split out fstring.h

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 105247c90007474947e2314b63be72fb21f09811)

s3:include: let nameserv.h be useable on its own

A lot of stuff is private to nmbd and can
be moved from nameserv.h.

This allows move required types from smb.h to
nameserv.h, so that this can be standalone.
Including it from smb.h is not a huge problem
as nmbd internals are gone from nameserv.h.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7f96c21029e3b94d38bd871c79cabf872ad77fae)

s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share

This patch also removes known fail for existing test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224

(cherry picked from commit 788ef8f07c75d5e6eca5b8f18d93d96f31574267)
[noel.power@suse.com backported to Samba 4.19 changed test of errno
    after return from widelink_openat to ENOENT because ELOOP isn't set
    for msdfs links in 4.19, ENOENT is set instead. Also minor change
    to use 4.19 create_open_symlink_err fn instead of read_symlink_reparse]

selftest: Add a python blackbox test for some misc (widelink) DFS tests

On master attempting to chdir into a nested dfs link

e.g. cd dfslink (works)
     cd dfslink/another_dfslink (fails)

[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
  enabled share

Add knownfails for tests 1 and 3

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
(cherry picked from commit 7f1de90f72d6e8287aec6ab1d9f7776b7df624e5)

[noel.power@suse.com backported to Samba 4.19 changed knownfails because
  test_ci_chdir doen't fail in 4.19 but test_enumerate_dfs_link does]

s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored

If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 6 03:18:16 UTC 2024 on atb-devel-224

(cherry picked from commit ed61c57e02309b738e73fb12877a0a565b627724)

s4:dns_server: correctly sign dns update responses with gss-tsig like Windows

This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.

Note: this is a only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 76fec2668e73b9d15447abee551d5c04148aaf27)

s4:dns_server: dns_verify_tsig should return REFUSED on error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit db350bc573b378fb0615bdd8592cc9c62f6db146)

s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5906ed94f2c5c68e83c63e7c201534eeb323cfe7)

s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ae7538af04435658d2ba6dcab109beecb6c5f13e)

s4:dns_server: use the client provided algorithm for the fake TSIG structure

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bd0235cd515d5602ed9501bfc810a2487364ea10)

s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3467d1491490830d61d16cb6278051daf48466fc)

s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fa0f23e69eaf4f475bc9dc9aa0e23c7bd5208250)

s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a56627b0d125ef7b456bebe307087f324f1f0422)

python:tests/dns_tkey: add test_update_tsig_record_access_denied()

This demonstrates that access_denied is only generated if the client
really generates a change in the database.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 708a6fae6978e1462e1a53f4ee08f11b51a5637a)

s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 753428a3b6c488c4aacea04d2ddb9ea73244695a)

python:tests/dns_base: add get_unpriv_creds() helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 88457da00d4110b419f7a7ccabcd542fa77e463f)

python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 848318338b2972f331e067bf1c8d6c7dac0748c8)

python:tests/dns_base: let verify_packet() work against Windows

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8324d0739dfdd0a081c403e298a9038ee7df681f)

python:tests/dns_tkey: test bad and changing tsig algorithms

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit de4ed363d378f2065a4634f94af80ea0e3965c96)

python:tests/dns_tkey: add gss.microsoft.com tsig updates

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b9b03ca503c43c7ee06df6c331839bd47f9eac8c)

python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()

Also test using the additional record in the answers section.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3c7cb85eaf8371be55a371601cc354440dab7a94)

python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 740bda87a80b97816d892e8f7aae28759f6916ec)

python:tests/dns_base: maintain a dict with tkey related state

This will allow tests to backup the whole state
and mix them.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b0af60e7850e656ef98edeac657c66b853080dab)

python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1b1e7e06cf6ebd283de73c351267d53b42663d2f)

python:tests/dns_base: pass tkey_trans(expected_rcode)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 27d92fa808c6617353c36fdb230504e880f4925b)

python:tests/dns_base: let tkey_trans() take tkey_req_in_answers

It's possible to put the additional into the answers section,
so we should be able to test that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cd747307d845f3cff723a7916aeeb31458f19202)

python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f8dfa9b33bdedffbe2e3b6e229ffae4beb3c712e)

python:tests/dns_tkey: make use of self.assert_echoed_dns_error()

Failed DNS updates just echo the request flaged as response,
all other elements are unchanged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6e997f93d53ac45af79aec030bad73f51bdc5629)

python:tests/dns_base: add self.assert_echoed_dns_error()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ce591464cb12ab00a5d5752a7cea5f909c3c3f1b)

python:tests/dns_base: let dns_transaction_tcp() handle short receives

With socket_wrapper we only get 1500 byte chunks...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c741d0f3969abe821e8ee2a10f848159eb2749fe)

python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c594cbad4af97031bb7b5b0eb2fb228b00acf646)

python:tests/dns_base: generate a real signature in bad_sign_packet()

We just destroy the signature bytes but keep the header unchanged.

This makes it easier to look at it in wireshark.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ae23d512a724650ae2de1178ac43deff8266aa56)

BUG 15569 ldb: add missing ABI/pyldb-util-2.8.1.sigs

This should have been in commit:
6ca4df6374136d1d205de689618dc8fce5177d14

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(v4-19-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-19-test): Wed Jul 3 08:36:32 UTC 2024 on atb-devel-224

VERSION: Bump version up to Samba 4.19.8...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.19.7 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.19.7.

Signed-off-by: Jule Anger <janger@samba.org>

BUG 15569 ldb: Release LDB 2.8.1

* BUG 15569: Many qsort() comparison functions are non-transitive, which
can lead to out-of-bounds access in some circumstances.

Signed-off-by: Jule Anger <janger@samba.org>

s3:smbcacls: fix ace_compare

We got this wrong in commit 31101a9fa1503be9d8137e42466f57d85136a156.

In fact, we should probably not reorder the inherited ACLs, but that
is for another patch series.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5abeb724d74af2b861f2ee6bc27762bb5bf07bca)

Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Mon Jun 10 14:40:17 UTC 2024 on atb-devel-224

ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold

If two strings are invalid UTF-8, the string is first compared with
memcmp(), which compares as unsigned char.

If the strings are of different lengths and one is a substring of the
other, the memcmp() returns 0 and a second comparison is made which
assumes the next character in the shorter string is '\0' -- but this
comparison was done using SIGNED chars (on most systems). That leads
to non-transitive comparisons.

Consider the strings {"a\xff", "a", "ab\xff"} under that system.

   "a\xff"  < "a",      because (char)0xff == -1.

   "ab\xff" > "a",     because  'b' == 98.

   "ab\xff" < "a\xff", because memcmp("ab\xff", "a\xff", 2) avoiding the
                       signed char tiebreaker.

(Before c49c48afe09a1a78989628bbffd49dd3efc154dd, the final character
might br arbitrarily cast into another character -- in latin-1, for
example, the 0xff here would have been seen as 'ÿ', which would be
uppercased to 'Ÿ', which is U+0178, which would be truncated to
'\x78', a positive char.

On the other hand e.g. 0xfe, 'þ', would have mapped to 0xde, 'Þ',
remaining negative).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e2051eebd492a419f840280336eb242d0b4a26ac)

ldb:attrib_handlers: use NUMERIC_CMP in ldb_comparison_fold

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f81b7c7eb206a447d799a25cc2da26304dc7567a)

s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()

No change at all in the result, just saving lines and branches.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 827b0c39ed0497407bfcfc5683735a165b1b0f0a)

s4:dsdb:mod: repl_md: make message_sort transitive

Before we had (with a TODO of regret):

       if (!a1 || !a2) {
               return strcasecmp(e1->name, e2->name);
       }

so, given {name:"A", id 2}, {name:"B", NO id}, {name:"C", id 1},

A < B by name
B < C by name
A > C by id

Now the sort order is always A > C > B.

This sort could have caused mysterious crashes in repl_meta_data if
the schema is out of sync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5335f122fb551231a02a58f88f6a0aa23b5e02cb)

ldb: avoid NULL deref in ldb_db_compare

This also sorts NULLs after invalid DNs, which matches the comment
above.

CID 1596622.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit af7654331fb6a2d9cc41cf5bdffa74c81ff4ffee)

ldb:attrib_handlers: make ldb_comparison_Boolean more consistent

This isn't supposed to be used for sorting, but it is hard to say it
won't be, so we might as well make it sort properly.

Following long-standing behaviour, we try to sort "FALSE" > "TRUE", by
length, then switch to using strncasecmp().

strncasecmp would sort the other way, so we swap the operands. This is
to make e.g. "TRUE\0" sort the same as "TRUE".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a75c98ad688415aec8afc617a759ba90cfd9f23b)

ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs

If both DNs are invalid, we can say they are equal.

This means invalid or NULL DNs will sort to the end of the array,
before deleted DNs:

[ valid DNs, sorted | invalid/NULL DNs | deleted DNs, sorted ]

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7280c8e53f463108fe3de443ce63572dde689a30)

ldb-samba:ldif_handlers: dn_link_comparison leaks less

dn1 and dn2 can be invalid but still occupying memory.
(ldb_dn_validate(dn2) does contain a NULL check, but a lot more besides).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 341b8fb60e291ad598fafd7a09a75e9b249de07f)

ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted objects

This changes the behaviour of the DN syntax .comparison_fn when being
used in a search, if the search key is a deleted DN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 70356592563bf758dbe509413445b77bb0d7da14)

ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs

these tend to go to the end of the sorted array.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 11d5a809325369b48d14023adf109e418bb1c7af)

ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects

We were always returning -1 for a deleted object, which works for an
equality test, but not a relative comparison.

This sorts deleted DNs toward the end of the list -- except when both
DNs are deleted. What should happen there is yet to be determined.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit db963b1674ede357d4edba578e0e0372dcb2f287)

ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate

This function compares blobs that might be SID strings or might be SID
structures. Until now, if they were both (seemingly) strings, they were
compared as strings, otherwise if either was a string it was converted to
a structure blob, then the blobs were compared. This had two big problems:

1. There is variety in the way a SID can be stringified. For example,
   "s-1-02-3" means the same SID as "S-1-2-3", but those wouldn't compare
   equal.

2. SID comparison was crazily non-transitive. Consider the three values
     a = "S-1-2-3-4-5",
     b = "S-1-9-1",
     c = SID("S-1-11-1"), where c is a struct and the others are string.

   then we had,
     a < b, because the 5th character '2' < '9'.
     a > c, because when converted to a structure, the number of sub-auths
            is the first varying byte. a has 3, c has 0.
     b < c, because after the sub-auth count comes the id_auth value
            (big-endian, which doesn't matter in this case).

That made the function unreliable for sorting, AND for simple equality
tests. Also it leaked.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6722e80d1b3a252a1ed714be4a35185cd99971e3)

s4:rpcsrv:samr: improve a comment in compare_msgRid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6229feab74a734190c302ee9b1cc36960669743d)

s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs

Returning 0 on `(name1 == NULL || name2 == NULL)` made NULL equal to
everything, which confuses a sort (consider {A, B, NULL} where A > B,
but A == NULL == B).

The only caller is dnsserver_enumerate_records() which fails if it
finds a NULL in the sorted list. We make the happen more quickly by
sorting NULLs to the front.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7be535315a5eed5d5b7eaea025ecf9f55e772e8e)

s3:libsmb:nmblib: use NUMERIC_CMP in status_compare

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 31c322874b8b65518cec945e05a42fd014e6390b)

lib/socket: rearrange iface_comp() to use NUMERIC_CMP

We rearrange rather than just replacing the subtraction, because that
would call ntohl() more than necessary, and I think the flow is a bit
clearer this way.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7ba6fcb93656e5e88e1d5bcd6002747aa64f0a3a)

gensec: sort_gensec uses NUMERIC_CMP

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit acaa1323d0337ae9339dfff9f856ea54725a86ac)

s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP

usr->login_time is time_t, which is often bigger than int.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 75682e397b9cf22d04a5d80252554c6b2e376793)

dsdb:schema: use NUMERIC_CMP in place of uint32_cmp

uint32_cmp (introduced in 0c362597c0f933b3612bb17328c0a13b73d72e43
"fixed the sorting of schema attributes") was doing what NUMERIC_CMP
does, but it was adding an extra function call. This results in less
code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8317a6173646d425dc99e08bbf3d6086b0086bc5)

s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 386216d4a158d8bafb0879a0a753da096a939b93)

s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare

The first subtraction was between uint16_t, so is safe with 32 bit
int, but the second compared uint32_t, so was not safe.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8b2605a5d9cc14f9e6ddf2db704cdca2f523d74e)

s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9b73235d4957a487fbb3214fdfda6461a2cf0b21)

ldb:dn: make ldb_dn_compare() self-consistent

We were returning -1 in all these cases:

   ldb_dn_compare(dn, NULL);
   ldb_dn_compare(NULL, dn);
   ldb_dn_compare(NULL, NULL);

which would give strange results in sort, where this is often used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5fe488d515a8bb719bdeafb8b64d8479732b5ac8)

ldb:sort: generalise both-NULL check to equality check

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 531f31df99341b2cb1afc42538022451ca771983)