samba.git
2 years ago tests/krb5: Add helper function to modify ticket flags
Joseph Sutton [Mon, 7 Feb 2022 23:15:36 +0000 (12:15 +1300)]
tests/krb5: Add helper function to modify ticket flags

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago tests/krb5: Remove unused import
Joseph Sutton [Tue, 1 Feb 2022 07:59:15 +0000 (20:59 +1300)]
tests/krb5: Remove unused import

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago tests/krb5: Add account to cleanup list before adding it to database
Joseph Sutton [Tue, 1 Feb 2022 07:57:22 +0000 (20:57 +1300)]
tests/krb5: Add account to cleanup list before adding it to database

This ensures accounts are still cleaned up if a test fails before adding
it to the cleanup list.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago tests/krb5: Add more encryption type constants
Joseph Sutton [Tue, 1 Feb 2022 07:55:56 +0000 (20:55 +1300)]
tests/krb5: Add more encryption type constants

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago tests/krb5: Remove accounts in reverse order of addition
Joseph Sutton [Tue, 1 Feb 2022 07:54:39 +0000 (20:54 +1300)]
tests/krb5: Remove accounts in reverse order of addition

This prevents problems if accounts are added as children of other
accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s4:kdc: Fix copy-paste typo
Joseph Sutton [Tue, 1 Feb 2022 07:52:16 +0000 (20:52 +1300)]
s4:kdc: Fix copy-paste typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago tests/krb5: Simplify logic
Joseph Sutton [Mon, 7 Mar 2022 04:07:48 +0000 (17:07 +1300)]
tests/krb5: Simplify logic

This code can be made part of the previous 'else' branch.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Fri Mar 18 00:11:25 UTC 2022 on sn-devel-184

2 years ago tests/krb5: Improve mock RODC creation
Joseph Sutton [Mon, 7 Mar 2022 04:01:40 +0000 (17:01 +1300)]
tests/krb5: Improve mock RODC creation

Use a unique name for the mock RODC. Don't assign to _rodc_ctx until the
RODC has been created, so we don't try to use a mock RODC that failed to
create.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago selftest: Simplify krb5 test environments
Joseph Sutton [Fri, 4 Mar 2022 03:57:27 +0000 (16:57 +1300)]
selftest: Simplify krb5 test environments

It's not necessary to repeat the required environment variables for
every test.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago python: Restore SDDL abbreviations for SIDs
Joseph Sutton [Mon, 14 Mar 2022 21:20:59 +0000 (10:20 +1300)]
python: Restore SDDL abbreviations for SIDs

This time we use the correct values.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago sddl: Remove SDDL SID strings unsupported by Windows
Joseph Sutton [Mon, 14 Mar 2022 05:18:39 +0000 (18:18 +1300)]
sddl: Remove SDDL SID strings unsupported by Windows

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago sddl: Add new SDDL SID strings
Joseph Sutton [Mon, 14 Mar 2022 05:18:09 +0000 (18:18 +1300)]
sddl: Add new SDDL SID strings

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago sddl: Fix incorrect SDDL SID strings
Joseph Sutton [Mon, 14 Mar 2022 05:14:15 +0000 (18:14 +1300)]
sddl: Fix incorrect SDDL SID strings

Change the values to match those used by Windows.

Verified with PowerShell commands of the form:
New-Object Security.Principal.SecurityIdentifier ER

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation
Joseph Sutton [Mon, 14 Mar 2022 06:40:45 +0000 (19:40 +1300)]
s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation

This is to prepare for the SDDL string being removed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago python: Use explicit SIDs instead of SDDL abbreviations
Joseph Sutton [Mon, 14 Mar 2022 06:40:16 +0000 (19:40 +1300)]
python: Use explicit SIDs instead of SDDL abbreviations

This is to prepare for changing the SDDL string values.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago python:tests: Add tests for SDDL SID strings
Joseph Sutton [Tue, 15 Mar 2022 06:24:38 +0000 (19:24 +1300)]
python:tests: Add tests for SDDL SID strings

We get the server to decode the SDDL by putting the SID strings in the
defaultSecurityDescriptor of a new class and making an object of that
class. We then check that the resulting SID is what we expect.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago torture: Allow Samba as an AD DC to use zeros for LM key
Andrew Bartlett [Mon, 28 Feb 2022 00:24:31 +0000 (13:24 +1300)]
torture: Allow Samba as an AD DC to use zeros for LM key

This is simple, explainable and secure.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 02:47:13 UTC 2022 on sn-devel-184

2 years ago torture: Do not expect LM passwords to be accepted except by samba3
Andrew Bartlett [Mon, 28 Feb 2022 00:19:58 +0000 (13:19 +1300)]
torture: Do not expect LM passwords to be accepted except by samba3

This allows Samba as an AD DC (compared with the fileserver/NT4-like DC mode) to match
Windows and refuse all LM passwords, no matter what.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago torture: Update rpc.samlogon to match Win19 and newer Samba behaviour for LM key
Andrew Bartlett [Sun, 27 Feb 2022 21:07:35 +0000 (10:07 +1300)]
torture: Update rpc.samlogon to match Win19 and newer Samba behaviour for LM key

Not all cases are covered, but this much covers the areas that Samba and Win19
will agree on.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Remove auth_log test for RAP password change
Andrew Bartlett [Thu, 17 Feb 2022 23:55:57 +0000 (12:55 +1300)]
selftest: Remove auth_log test for RAP password change

RAP is SMB1, the password change routine requires LM hashes and so everything
here is going away or has now gone, so remove the test.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago ntlm_auth: Adapt --diagnostics mode to expect that the DC does not support LANMAN...
Andrew Bartlett [Thu, 17 Feb 2022 04:50:43 +0000 (17:50 +1300)]
ntlm_auth: Adapt --diagnostics mode to expect that the DC does not support LANMAN by default

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3-ntlm_auth: Convert table of tests in --diagnostics to designated initialisers
Andrew Bartlett [Wed, 16 Feb 2022 21:48:54 +0000 (10:48 +1300)]
s3-ntlm_auth: Convert table of tests in --diagnostics to designated initialisers

This makes it easier to set some as "LM auth".

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago dsdb: Remove LM hash parameter from samdb_set_password() and callers
Andrew Bartlett [Wed, 16 Feb 2022 18:35:54 +0000 (07:35 +1300)]
dsdb: Remove LM hash parameter from samdb_set_password() and callers

This fixes the rpc.samr test because we no longer specify an LM hash
to the DSDB layer only to have it rejected by password_hash.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Allow RPC-SAMR to cope with OemChangePasswordUser2 being un-implemented
Andrew Bartlett [Wed, 16 Feb 2022 04:24:19 +0000 (17:24 +1300)]
selftest: Allow RPC-SAMR to cope with OemChangePasswordUser2 being un-implemented

This is important to allow, after other changes, for the Samba AD DC to again
pass rpc.samr after the removal of LM hash support from the DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Cope with LM hash not being stored in the tombstone_reanimation test
Andrew Bartlett [Tue, 15 Feb 2022 23:56:41 +0000 (12:56 +1300)]
selftest: Cope with LM hash not being stored in the tombstone_reanimation test

The removal of LM hash storage changes the expected metadata.

We do not need to track these values exactly to prove the
behaviour here.

This is not due to the changes in password_hash directly, which in
update_final_msg() sets DSDB_FLAG_INTERNAL_FORCE_META_DATA to force
a push out of the removed attribute to the replication state.

However at the stage of a subsequent LDAP Delete there is no longer
a lmPwdHistory nor dBCSPwd attribute, in the directory, so there is
no subsequent version bump to remove them when building a tombstone.

Samba's behaviour is different to that seen by Metze on Windows 2022,
where he sees dBCSPwd removed (for the no LM store case) but
lmPwdHistory kept.  We in Samba choose to differ, not storing an
ambiguous LM history (of "" values likely), so allowing any version
for these two attributes is the sensible choice.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago dsdb: Remove parsing of LM password hash from "dBCSPwd" attribute
Andrew Bartlett [Thu, 10 Feb 2022 05:58:52 +0000 (18:58 +1300)]
dsdb: Remove parsing of LM password hash from "dBCSPwd" attribute

This means Samba will essentially ignore this attribute, not even attempting
to read it from the AD DC sam.ldb

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s4-rpc_server: Do not use LM hash in password changes
Andrew Bartlett [Thu, 10 Feb 2022 05:40:31 +0000 (18:40 +1300)]
s4-rpc_server: Do not use LM hash in password changes

We now only change passwords based on the NT hash.

This means we no longer support samr_OemChangePasswordUser2()
and we do not check the LM verifier in samr_ChangePasswordUser3()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s4-auth: Do not supply the LM hash to the AD DC authentication code
Andrew Bartlett [Thu, 10 Feb 2022 05:19:50 +0000 (18:19 +1300)]
s4-auth: Do not supply the LM hash to the AD DC authentication code

This still passes in the value in the LM field for checking
in case it is an NT response or LMv2.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s4-auth: Disable LM authentication in the AD DC despite "lanman auth = yes"
Andrew Bartlett [Thu, 10 Feb 2022 05:15:58 +0000 (18:15 +1300)]
s4-auth: Disable LM authentication in the AD DC despite "lanman auth = yes"

LM authentication is very weak and a very bad idea, so has been deprecated since
Samba 4.11.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s4/dsdb: Remove LM password generation and storage from password_hash
Andrew Bartlett [Thu, 10 Feb 2022 04:40:29 +0000 (17:40 +1300)]
s4/dsdb: Remove LM password generation and storage from password_hash

We no longer generate nor store the LM hash in the Samba AD DC.

This adds much to the knownfail, some future commits will trim this
back down by making the tests understand that the server will not
support or store the LM hash.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s4-rpc_server: Remove pre-check for existing NT and LM hash from netlogon
Andrew Bartlett [Mon, 14 Mar 2022 03:06:36 +0000 (16:06 +1300)]
s4-rpc_server: Remove pre-check for existing NT and LM hash from netlogon

We no longer use the old NT and LM hash as proof of performing a
password change, and this removes the privileged status of these
attributes.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago kdc: Remove pre-check for existing NT and LM hash from kpasswd
Andrew Bartlett [Thu, 10 Feb 2022 01:11:03 +0000 (14:11 +1300)]
kdc: Remove pre-check for existing NT and LM hash from kpasswd

We no longer use the old NT and LM hash as proof of performing a
password change, and this removes the privileged status of these
attributes.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago dsdb: Return dsdb_password_change control name to DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW...
Andrew Bartlett [Wed, 9 Feb 2022 03:53:08 +0000 (16:53 +1300)]
dsdb: Return dsdb_password_change control name to DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID

This makes it clearer that the purpose of this control is to indicate that the password
was already checked (by an out-of-band mechanism, eg kpasswd) and so can safely be changed
subject to ACLs etc.

This essentially reverts bbb9dc806e4399c65dee9b5dc2cde0bfaa9609bd

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago dsdb: No longer supply exact password hashes in a control to indicate password changes
Andrew Bartlett [Wed, 9 Feb 2022 03:33:23 +0000 (16:33 +1300)]
dsdb: No longer supply exact password hashes in a control to indicate password changes

This returns the API for password changes via (eg) kpasswd to the
previous design as at 7eebcebbab8f62935bd1d5460e58b0a8f2cc30e8
where a control but no particular values were specified.

This avoids the issues that were attempted to be addressed between
7eebcebbab8f62935bd1d5460e58b0a8f2cc30e8 and 786c41b0954b541518d1096019e1ce7ca11e5e98
by still keeping the ACL check from 23bd3a74176be4a1f8d6d70b148ababee397cf8c.

The purpose of this change is to move away from the NT hash (unicodePwd) being
the primary password in Samba, to allow installations to operate without this
unsalted hash.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: run s4member tests less
Andrew Bartlett [Fri, 11 Feb 2022 22:26:37 +0000 (11:26 +1300)]
selftest: run s4member tests less

The s4member test environment is a historical artifact, provisioned like an
AD DC using sam.ldb and joined using the historical S4 join code.

Once running however it is nothing particularly special in winbindd, so
there is no need to run the tests against ad_member and s4member.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Remove duplicate run of rpc.lsa tests against ad_dc as "samba3"
Andrew Bartlett [Sat, 12 Feb 2022 01:09:34 +0000 (14:09 +1300)]
selftest: Remove duplicate run of rpc.lsa tests against ad_dc as "samba3"

Running these tests twice is a waste (sorry, that was my choice when
merging s3 and s4 to just run all the tests against the AD DC) and
more importantly means that tests are run in "samba3" mode against
the AD DC, making it difficult to change the tests to expect a different
behaviour against the AD DC compared to the NT4 DC.

To assure that we have not lost tests, I ran:
grep command st/subunit | grep ad_dc| cut -f 2 -d\" | cut -f 2- -d. | sort | uniq -c

The two blocks (for rpc.lsa and rpc.lsa.*) are because the rpc.lsa.*
subtests were not previously run under ncacn_ip_tcp: and this is the
minimal change.

The output is:
--- /tmp/3 2022-02-12 14:01:50.435761067 +1300
+++ /tmp/now 2022-02-12 14:01:37.427595351 +1300
@@ -13,9 +13,8 @@
       2 rpc.lsa-getuser on ncalrpc with validate.
       2 rpc.lsa-getuser with bigendian.
       2 rpc.lsa-getuser with seal,padcheck.
       2 rpc.lsa-getuser with validate.
-      2 rpc.lsa.lookupnames.
       2 rpc.lsa.lookupnames with .
       2 rpc.lsa.lookupnames with bigendian.
       2 rpc.lsa.lookupnames with validate.
       2 rpc.lsalookup on ncacn_ip_tcp with bigendian.
@@ -26,9 +25,8 @@
       2 rpc.lsalookup on ncacn_np with validate.
       2 rpc.lsalookup on ncalrpc with bigendian.
       2 rpc.lsalookup on ncalrpc with seal,padcheck.
       2 rpc.lsalookup on ncalrpc with validate.
-      2 rpc.lsa.lookupsids.
       2 rpc.lsa.lookupsids with .
       2 rpc.lsa.lookupsids with bigendian.
       2 rpc.lsa.lookupsids with validate.
       2 rpc.lsalookup with bigendian.
@@ -42,15 +40,11 @@
       2 rpc.lsa on ncacn_np with validate.
       2 rpc.lsa on ncalrpc with bigendian.
       2 rpc.lsa on ncalrpc with seal,padcheck.
       2 rpc.lsa on ncalrpc with validate.
-      2 rpc.lsa over ncacn_ip_tcp .
-      2 rpc.lsa over ncacn_np .
-      2 rpc.lsa.privileges.
       2 rpc.lsa.privileges with .
       2 rpc.lsa.privileges with bigendian.
       2 rpc.lsa.privileges with validate.
-      2 rpc.lsa.secrets.
       2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=no.
       2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=no --option=clientntlmv2auth=yes.
       2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=yes.
       2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=yes --option=clientntlmv2auth=yes.
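Review bot: In the last hunk (-42,15 +40,11) the removed entry "rpc.lsa over ncacn_ip_tcp ." has no visible surviving counterpart: the context lines in this hunk show rpc.lsa runs on ncacn_np and ncalrpc only. Since the listing is offered as evidence that no tests were lost, the message should either quote the surviving rpc.lsa line for ncacn_ip_tcp or state the conclusion explicitly, so the claim can be checked from the commit message alone.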

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Remove duplicate run of rpc.samr tests against ad_dc as "samba3"
Andrew Bartlett [Fri, 11 Feb 2022 08:05:38 +0000 (21:05 +1300)]
selftest: Remove duplicate run of rpc.samr tests against ad_dc as "samba3"

Running these tests twice is a waste (sorry, that was my choice when
merging s3 and s4 to just run all the tests against the AD DC) and
more importantly means that tests are run in "samba3" mode against
the AD DC, making it difficult to change the tests to expect a different
behaviour against the AD DC compared to the NT4 DC.

To assure that we have not lost tests, I ran:
grep command st/subunit | grep ad_dc| cut -f 2 -d\" | cut -f 2- -d. | sort | uniq -c

The output is:
--- /tmp/2 2022-02-11 21:00:54.033610748 +1300
+++ /tmp/now 2022-02-11 21:01:13.849823721 +1300
@@ -1,32 +1,21 @@
-      2 rpc.samr.
-      2 rpc.samr.handletype.
       2 rpc.samr.handletype with .
       2 rpc.samr.handletype with bigendian.
       2 rpc.samr.handletype with validate.
-      2 rpc.samr.large-dc.
       2 rpc.samr.large-dc on ncacn_np with .
-      2 rpc.samr.machine.auth.
       2 rpc.samr.machine.auth with .
       2 rpc.samr.machine.auth with bigendian.
       2 rpc.samr.machine.auth with validate.
       2 rpc.samr on ncacn_np with .
-      2 rpc.samr.passwords.
-      2 rpc.samr.passwords.badpwdcount.
       2 rpc.samr.passwords.badpwdcount on ncacn_np with .
       2 rpc.samr.passwords.lockout on ncacn_np with .
       2 rpc.samr.passwords on ncacn_np with .
-      2 rpc.samr.passwords.pwdlastset.
       2 rpc.samr.passwords.pwdlastset on ncacn_np with .
       2 rpc.samr.passwords.validate on ncacn_ip_tcp with bigendian.
       2 rpc.samr.passwords.validate on ncacn_ip_tcp with seal,padcheck.
       2 rpc.samr.passwords.validate on ncacn_ip_tcp with validate.
-      2 rpc.samr.passwords.validate over ncacn_ip_tcp .
-      2 rpc.samr.priv.
       2 rpc.samr.priv with .
       2 rpc.samr.priv with bigendian.
       2 rpc.samr.priv with validate.
-      2 rpc.samr.users.
       2 rpc.samr.users on ncacn_np with .
-      2 rpc.samr.users.privileges.
       2 rpc.samr.users.privileges on ncacn_np with .
       4 tests.dcerpc.samr_change_password.

It is clear that the tests are all still being run at least once against the AD DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Allow samba.tests.ntlm_auth to fail rather than error checking --diagnostics
Andrew Bartlett [Sat, 12 Feb 2022 01:52:44 +0000 (14:52 +1300)]
selftest: Allow samba.tests.ntlm_auth to fail rather than error checking --diagnostics

This allows a knownfail entry to be written for this test.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Use more torture_assert_goto() et al in rpc.samlogon test
Andrew Bartlett [Tue, 15 Feb 2022 07:21:00 +0000 (20:21 +1300)]
selftest: Use more torture_assert_goto() et al in rpc.samlogon test

This testsuite can otherwise fail with an error, which cannot be covered with
a knownfail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago wafsamba: Fix call to sorted()
Joseph Sutton [Tue, 15 Feb 2022 07:05:55 +0000 (20:05 +1300)]
wafsamba: Fix call to sorted()

In Python 3, sorted() does not take a 'cmp' parameter, so we need to use
the 'key' parameter instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 01:36:59 UTC 2022 on sn-devel-184

2 years ago s4-smbtorture: Fix typo in assertion message
Joseph Sutton [Mon, 14 Feb 2022 20:25:38 +0000 (09:25 +1300)]
s4-smbtorture: Fix typo in assertion message

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago python/ntacls.py: Fix ACE type comparison
Joseph Sutton [Fri, 4 Mar 2022 03:11:42 +0000 (16:11 +1300)]
python/ntacls.py: Fix ACE type comparison

SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
as intended. Modify the check to more closely match the one in
gp_create_gpt_security_descriptor().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s4:policy: Fix ACE type comparison
Joseph Sutton [Wed, 2 Mar 2022 04:14:42 +0000 (17:14 +1300)]
s4:policy: Fix ACE type comparison

SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
as intended. Modify the check to more closely match the comment.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
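
The two "Fix ACE type comparison" commits above (python/ntacls.py and s4:policy) both rest on the same point: ACE types are an enumeration, not a bit field. The following is an added illustration, not code from Samba or from either commit; the type values follow MS-DTYP, while the function names, the filter and the sample DACL are constructed for this example.

```python
# Added example: why enumerated ACE types must be compared by value.
# Values are the AceType numbers from MS-DTYP; the names omit the
# SEC_ACE_TYPE_ prefix used by Samba's constants.
ACE_TYPES = {
    "ACCESS_ALLOWED": 0,
    "ACCESS_DENIED": 1,
    "SYSTEM_AUDIT": 2,
    "SYSTEM_ALARM": 3,
    "ACCESS_ALLOWED_COMPOUND": 4,
    "ACCESS_ALLOWED_OBJECT": 5,
    "ACCESS_DENIED_OBJECT": 6,
    "SYSTEM_AUDIT_OBJECT": 7,
    "SYSTEM_ALARM_OBJECT": 8,
}
OBJECT_ACE_TYPES = frozenset(
    value for name, value in ACE_TYPES.items() if name.endswith("_OBJECT"))


def is_allowed_bitwise(ace_type):
    """Flag-style test against ACCESS_ALLOWED (0): can never be true."""
    return bool(ace_type & ACE_TYPES["ACCESS_ALLOWED"])


def is_object_ace_bitwise(ace_type):
    """Flag-style test against ACCESS_ALLOWED_OBJECT (5 == 0b101)."""
    return bool(ace_type & ACE_TYPES["ACCESS_ALLOWED_OBJECT"])


def is_object_ace_exact(ace_type):
    """Value comparison: the type is one of the four object ACE types."""
    return ace_type in OBJECT_ACE_TYPES


def misclassified(predicate):
    """Names of ACE types for which predicate gives the wrong answer."""
    return [name for name, value in ACE_TYPES.items()
            if predicate(value) != (value in OBJECT_ACE_TYPES)]


def drop_object_aces(aces, predicate):
    """Hypothetical filter: keep the ACEs predicate does not call object ACEs."""
    return [ace for ace in aces if not predicate(ace[0])]


# Constructed sample DACL: (ACE type, trustee SID, access mask).
SAMPLE_DACL = [
    (ACE_TYPES["ACCESS_DENIED"], "S-1-5-32-546", 0x001F01FF),
    (ACE_TYPES["ACCESS_ALLOWED"], "S-1-5-11", 0x001200A9),
    (ACE_TYPES["ACCESS_ALLOWED_OBJECT"], "S-1-5-11", 0x00000100),
]

if __name__ == "__main__":
    print("bitwise test gets these types wrong:",
          misclassified(is_object_ace_bitwise))
    print("kept with bitwise test:",
          drop_object_aces(SAMPLE_DACL, is_object_ace_bitwise))
    print("kept with exact test:  ",
          drop_object_aces(SAMPLE_DACL, is_object_ace_exact))
```

With the flag-style test the deny entry is silently dropped along with the object ACE, which is the kind of result to look for when auditing similar comparisons.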
2 years ago dsdb audit tests: Use assert_in_range() for comparing timestamps
Joseph Sutton [Wed, 16 Mar 2022 22:20:45 +0000 (11:20 +1300)]
dsdb audit tests: Use assert_in_range() for comparing timestamps

This can make the code clearer. assert_in_range() takes only integer
parameters, but POSIX allows us to assume that time_t is an integer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago dsdb audit tests: Fix flapping test
Joseph Sutton [Tue, 28 Sep 2021 07:42:36 +0000 (20:42 +1300)]
dsdb audit tests: Fix flapping test

Use gettimeofday() to obtain the current time for comparison, to be
consistent with audit_logging.c. On Linux, time() may occasionally
return a smaller value than gettimeofday(), despite being called later.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago samba-tool: Fix typo
Joseph Sutton [Thu, 18 Mar 2021 06:22:52 +0000 (19:22 +1300)]
samba-tool: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin
Andreas Schneider [Mon, 7 Mar 2022 09:41:41 +0000 (10:41 +0100)]
s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Remove trailing whitespace in wdc-samba4.c
Andreas Schneider [Mon, 7 Mar 2022 12:15:08 +0000 (13:15 +0100)]
s4:kdc: Remove trailing whitespace in wdc-samba4.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Remove ks_is_tgs_principal()
Andreas Schneider [Tue, 15 Mar 2022 06:33:57 +0000 (07:33 +0100)]
s4:kdc: Remove ks_is_tgs_principal()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac()
Andreas Schneider [Tue, 8 Mar 2022 06:34:16 +0000 (07:34 +0100)]
s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac()

This is for MIT Kerberos >= 1.20.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac()
Andreas Schneider [Thu, 10 Mar 2022 16:20:46 +0000 (17:20 +0100)]
s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac()

This is for MIT Kerberos <= 1.19

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Implement common samba_kdc_update_pac()
Andreas Schneider [Mon, 7 Mar 2022 09:24:14 +0000 (10:24 +0100)]
s4:kdc: Implement common samba_kdc_update_pac()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Make pac parameter of samba_client_requested_pac() const
Andreas Schneider [Mon, 7 Mar 2022 09:23:18 +0000 (10:23 +0100)]
s4:kdc: Make pac parameter of samba_client_requested_pac() const

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Cleanup include files in pac-glue.c
Andreas Schneider [Mon, 7 Mar 2022 06:45:03 +0000 (07:45 +0100)]
s4:kdc: Cleanup include files in pac-glue.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago lib:krb5_wrap: Implement smb_krb5_principal_is_tgs()
Andreas Schneider [Tue, 15 Mar 2022 06:30:03 +0000 (07:30 +0100)]
lib:krb5_wrap: Implement smb_krb5_principal_is_tgs()

This will be used later and allows us to remove static implementations.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago auth: Add required headers to auth_sam_reply.h
Andreas Schneider [Mon, 7 Mar 2022 09:25:38 +0000 (10:25 +0100)]
auth: Add required headers to auth_sam_reply.h

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Fix comparison in samba_kdc_check_s4u2proxy()
Andreas Schneider [Mon, 7 Mar 2022 15:02:18 +0000 (16:02 +0100)]
s4:kdc: Fix comparison in samba_kdc_check_s4u2proxy()

CID 1502873:  Control flow issues  (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always
true. "el->num_values >= 0U".

This is probably just a paranoia check as num_values should be set to at least
1 if we have an LDAP entry.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Make sure ret is set if we goto bad_option
Andreas Schneider [Tue, 8 Mar 2022 14:04:34 +0000 (15:04 +0100)]
s4:kdc: Make sure ret is set if we goto bad_option

The ret variable is just used to set the error message for logging.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Fix return code in mit_samba_update_pac()
Andreas Schneider [Tue, 8 Mar 2022 07:43:07 +0000 (08:43 +0100)]
s4:kdc: Fix return code in mit_samba_update_pac()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago python:tests: Fix type error in raw_testcase.py
Andreas Schneider [Mon, 7 Mar 2022 10:22:29 +0000 (11:22 +0100)]
python:tests: Fix type error in raw_testcase.py

This fixes a lot of tests with Python 3.8. Stacktrace example:

File "python/samba/tests/krb5/as_req_tests.py", line 249, in test_as_req_enc_timestamp_rc4_dummy
  self._run_as_req_enc_timestamp(
File "python/samba/tests/krb5/as_req_tests.py", line 129, in _run_as_req_enc_timestamp
  as_rep, kdc_exchange_dict = self._test_as_exchange(
File "python/samba/tests/krb5/raw_testcase.py", line 3982, in _test_as_exchange
  rep = self._generic_kdc_exchange(kdc_exchange_dict,
File "python/samba/tests/krb5/raw_testcase.py", line 2029, in _generic_kdc_exchange
  return check_rep_fn(kdc_exchange_dict, callback_dict, rep)
File "python/samba/tests/krb5/raw_testcase.py", line 2328, in generic_check_kdc_rep
  self.check_reply_padata(kdc_exchange_dict,
File "python/samba/tests/krb5/raw_testcase.py", line 2998, in check_reply_padata
  got_patypes = tuple(pa['padata-type'] for pa in rep_padata)
TypeError: 'NoneType' object is not iterable

This adds additional checks for rep_padata.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()
Stefan Metzmacher [Wed, 16 Mar 2022 08:21:03 +0000 (09:21 +0100)]
s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()

Otherwise useful information gets lost while converting
from NTSTATUS to krb5_error and back to NTSTATUS again.
E.g. NT_STATUS_ACCOUNT_DISABLED would be audited as
NT_STATUS_ACCOUNT_LOCKED_OUT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s4-kdc: Handle previously unhandled auth event types
Joseph Sutton [Tue, 15 Mar 2022 02:34:34 +0000 (15:34 +1300)]
s4-kdc: Handle previously unhandled auth event types

Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:

commit 791be84c3eecb95e03611458e2305bae272ba267
Author: Stefan Metzmacher <metze@samba.org>
Date:   Wed Mar 2 10:10:08 2022 +1300

    s4:kdc: hdb_samba4_audit() is only called once per request

Normally these auth event types are overwritten with the
KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the
pre-authentication check, and happens to fail the client access check
(e.g. because the account is disabled), we get error messages of the
form:
hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR

To avoid such errors, use the error code provided in the request
structure to obtain a relevant status code in cases not handled
explicitly.

For unexpected values we return KRB5KRB_ERR_GENERIC
in order to hopefully prevent success. And within make test
we panic in order to let a CI run fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()
Elia Geretto [Fri, 11 Mar 2022 18:32:30 +0000 (19:32 +0100)]
s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()

In SMBC_server_internal(), when authentication fails, the errno value is
currently hard-coded to EPERM, while it should be EACCES instead. Use the
NT_STATUS map to set the appropriate value.

This bug was found because it breaks listing printers protected by
authentication in GNOME Control Panel.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14983

Signed-off-by: Elia Geretto <elia.f.geretto@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 16 19:44:18 UTC 2022 on sn-devel-184

2 years ago vfs: Getting exact attribute value during gpfs_stat_x calls
Archana [Mon, 14 Mar 2022 09:46:17 +0000 (15:16 +0530)]
vfs: Getting exact attribute value during gpfs_stat_x calls

To properly update the filesize on all cluster nodes simultaneously

Signed-off-by: Archana Chidirala <archana.chidirala.chidirala@ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago s3:libads: Fix creating local krb5.conf
Andreas Schneider [Tue, 15 Mar 2022 12:10:06 +0000 (13:10 +0100)]
s3:libads: Fix creating local krb5.conf

We create a KDC IP string entry directly at the beginning, use it if we
don't have any additional DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 16 14:26:36 UTC 2022 on sn-devel-184

2 years ago s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()
Andreas Schneider [Tue, 15 Mar 2022 12:02:05 +0000 (13:02 +0100)]
s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2 years ago s3:libads: Remove obsolete free's of kdc_str
Andreas Schneider [Tue, 15 Mar 2022 11:57:18 +0000 (12:57 +0100)]
s3:libads: Remove obsolete free's of kdc_str

This is allocated on the stackframe now!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2 years ago s3:libads: Allocate all memory on the talloc stackframe
Andreas Schneider [Tue, 15 Mar 2022 11:56:58 +0000 (12:56 +0100)]
s3:libads: Allocate all memory on the talloc stackframe

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2 years ago s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()
Andreas Schneider [Tue, 15 Mar 2022 11:48:23 +0000 (12:48 +0100)]
s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2 years ago s3:libads: Improve debug messages for get_kdc_ip_string()
Andreas Schneider [Tue, 15 Mar 2022 11:10:47 +0000 (12:10 +0100)]
s3:libads: Improve debug messages for get_kdc_ip_string()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2 years ago s3:libads: Leave early on error in get_kdc_ip_string()
Andreas Schneider [Tue, 15 Mar 2022 11:04:34 +0000 (12:04 +0100)]
s3:libads: Leave early on error in get_kdc_ip_string()

This avoids useless allocations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2 years ago s3:libads: Remove trailing spaces in kerberos.c
Andreas Schneider [Tue, 15 Mar 2022 11:03:40 +0000 (12:03 +0100)]
s3:libads: Remove trailing spaces in kerberos.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2 years ago testprogs: Add test that local krb5.conf has been created
Andreas Schneider [Tue, 15 Mar 2022 15:53:02 +0000 (16:53 +0100)]
testprogs: Add test that local krb5.conf has been created

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2 years ago smbd: Remove a few vfs_stat() calls
Volker Lendecke [Thu, 30 Dec 2021 15:58:58 +0000 (16:58 +0100)]
smbd: Remove a few vfs_stat() calls

openat_pathref_fsp() does not need them anymore

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 11 19:19:21 UTC 2022 on sn-devel-184

2 years ago smbd: Return ISLNK from non_widelink_open() in smb_fname
Volker Lendecke [Sat, 8 Jan 2022 09:08:16 +0000 (10:08 +0100)]
smbd: Return ISLNK from non_widelink_open() in smb_fname

Soon we want to not require stat() calls before entering
openat_pathref_fsp() anymore but rely on the fstat on the O_PATH file
handle (alternatively the call to fstatat(AT_SYMLINK_NOFOLLOW)) done
properly from within fd_openat(). The callers of non_widelink_open()
expect the stat information to be correct in "smb_fname". Copy it in
case of not opening a symlink in the posix case.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: Don't require a valid stat for openat_pathref_fsp()
Volker Lendecke [Thu, 30 Dec 2021 15:49:45 +0000 (16:49 +0100)]
smbd: Don't require a valid stat for openat_pathref_fsp()

With the simplifications in non_widelink_open() (don't depend on the
is_directory fsp flag) the main reason for requiring a valid stat
struct in openat_pathref_fsp() is gone. With this change
openat_pathref_fsp() is now capable of being the very first (and
authoritative) name-referencing operation with openat(O_PATH) for a
name.

Without having the stat information around before calling
openat_pathref_fsp(), the call to check_same_dev_ino() becomes
obsolete here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: No need to set O_DIRECTORY in openat_pathref_fsp()
Volker Lendecke [Tue, 8 Mar 2022 13:31:32 +0000 (14:31 +0100)]
smbd: No need to set O_DIRECTORY in openat_pathref_fsp()

If I read Linux' man 2 open right (and susv4 agrees), O_DIRECTORY is
around to make sure opendir() is not raced against non-directory
files. opendir() needs to make sure the underlying object is actually
a directory. O_DIRECTORY is not required for opening directories in
RDONLY mode, regardless of having O_PATH or not.

At this point in openat_pathref_fsp() we don't care about the type of
the underlying object, we do fstat() and distinguish between files and
directories later according to the mode returned from fstat().

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: Mark fsp as directory after calling fstat()
Volker Lendecke [Tue, 8 Mar 2022 11:57:13 +0000 (12:57 +0100)]
smbd: Mark fsp as directory after calling fstat()

Everything else is racy, and this is cheap to check.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: Always use O_NONBLOCK in openat_pathref_fsp()
Volker Lendecke [Tue, 8 Mar 2022 11:44:33 +0000 (12:44 +0100)]
smbd: Always use O_NONBLOCK in openat_pathref_fsp()

There's no reason why we would ever want to block on open(O_PATH). The
only cases that to me right now seem relevant are oplock breaks and
FIFOs, which can block forever. Oplock breaks don't happen for
O_PATH (hopefully...) but for the non-O_PATH case we don't want to
block either but we do handle this higher up.

We're handling EWOULDBLOCK for the oplock case correctly in
open_file_ntcreate() by setting up polling. So far we haven't done
this for the implicit openat_pathref_fsp() from filename_convert()
yet. But as our kernel oplock implementation lacks in functionality
big time anyway I would rather fail an open with NETWORK_BUSY than to
sit waiting for an oplock break for 30 seconds.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: Pass "dirfsp" and "smb_fname" to reopen_from_fsp()
Volker Lendecke [Tue, 18 Jan 2022 20:19:40 +0000 (21:19 +0100)]
smbd: Pass "dirfsp" and "smb_fname" to reopen_from_fsp()

Lift the conn->cwd_fsp reference one level, we might want to pass in a
real dirfsp in the future.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: Pass dirfsp instead of fname to inherit_new_acl
Volker Lendecke [Tue, 18 Jan 2022 18:46:43 +0000 (19:46 +0100)]
smbd: Pass dirfsp instead of fname to inherit_new_acl

Move to referencing directories via fsp's instead of names where we
have them around

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: Simplify dos_mode_from_name() with ISDOT()/ISDOTDOT()
Volker Lendecke [Thu, 10 Mar 2022 18:24:31 +0000 (19:24 +0100)]
smbd: Simplify dos_mode_from_name() with ISDOT()/ISDOTDOT()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: Simplify dos_mode_check_compressed()
Volker Lendecke [Thu, 10 Mar 2022 18:18:44 +0000 (19:18 +0100)]
smbd: Simplify dos_mode_check_compressed()

btrfs_fget_compression() is the only real implementation of
VFS_GET_COMPRESSION. It does not use the mem_ctx argument, so it seems
unnecessary to do a full malloc()/free() cycle here. Moreover, if this
was actually required, talloc_stackframe() would be more appropriate
these days as deep within the smbd event loop it does not go through
the libc malloc, but just increments a pointer.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: get_acl_group_bits() needs a fsp, not a name
Volker Lendecke [Thu, 10 Mar 2022 18:30:28 +0000 (19:30 +0100)]
smbd: get_acl_group_bits() needs a fsp, not a name

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: Fix a typo
Volker Lendecke [Thu, 10 Mar 2022 15:44:44 +0000 (16:44 +0100)]
smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: Avoid an else
Volker Lendecke [Thu, 10 Mar 2022 14:56:07 +0000 (15:56 +0100)]
smbd: Avoid an else

We continue; in the if clause

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: Avoid two else statements
Volker Lendecke [Thu, 10 Mar 2022 14:50:42 +0000 (15:50 +0100)]
smbd: Avoid two else statements

We return in the if-clause

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago vfs: Format a comment
Volker Lendecke [Wed, 9 Mar 2022 10:05:32 +0000 (11:05 +0100)]
vfs: Format a comment

I know, whitespace change, but this was just too ugly :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago printing: Fix a DBG message
Volker Lendecke [Tue, 8 Mar 2022 14:16:04 +0000 (15:16 +0100)]
printing: Fix a DBG message

openat_pathref_fsp() returns NTSTATUS, errno might be wrong here

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smbd: Avoid some casts
Volker Lendecke [Fri, 11 Mar 2022 12:22:58 +0000 (13:22 +0100)]
smbd: Avoid some casts

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago third_party/heimdal: import lorikeet-heimdal-202203101710 (commit df8d801544144949931...
Stefan Metzmacher [Thu, 10 Mar 2022 16:49:52 +0000 (17:49 +0100)]
third_party/heimdal: import lorikeet-heimdal-202203101710 (commit df8d801544144949931cd742169be1207b239c3d)

This fixes the regressions against KDCs without FAST support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184

2 years ago selftest: use 'kdc enable fast = no' for fl2000 fl2003
Stefan Metzmacher [Wed, 9 Mar 2022 11:53:18 +0000 (12:53 +0100)]
selftest: use 'kdc enable fast = no' for fl2000 fl2003

This makes sure we still run tests against KDCs without FAST support
and it already found a few regressions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: make use of the 'kdc enable fast' option
Stefan Metzmacher [Wed, 9 Mar 2022 11:39:07 +0000 (12:39 +0100)]
s4:kdc: make use of the 'kdc enable fast' option

This will be useful to test against a KDC without FAST support
and find/prevent regressions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago docs-xml: add 'kdc enable fast' option
Stefan Metzmacher [Wed, 9 Mar 2022 11:39:07 +0000 (12:39 +0100)]
docs-xml: add 'kdc enable fast' option

This will be useful to test against a KDC without FAST support
and find/prevent regressions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago third_party/heimdal: import lorikeet-heimdal-202203101709 (commit 47863866da25cc21d29...
Stefan Metzmacher [Thu, 10 Mar 2022 15:12:43 +0000 (16:12 +0100)]
third_party/heimdal: import lorikeet-heimdal-202203101709 (commit 47863866da25cc21d292ce335a976b8b33fa1864)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4-kdc: Fix memory leak in FAST cookie handling
Andrew Bartlett [Tue, 8 Mar 2022 09:46:02 +0000 (22:46 +1300)]
s4-kdc: Fix memory leak in FAST cookie handling

The call to sdb_free_entry() was forgotten.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15000

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 11 11:05:55 UTC 2022 on sn-devel-184

2 years ago smbd: Simplify non_widelink_open()
Volker Lendecke [Fri, 4 Mar 2022 13:56:24 +0000 (14:56 +0100)]
smbd: Simplify non_widelink_open()

Don't depend on fsp->fsp_flags.is_directory: We can always take the
parent directory fname, chdir into it and openat(O_PATH|O_NOFOLLOW)
the relative file name. To properly handle the symlink case without
having O_PATH, upon failure we need the call to
fstatat(AT_SYMLINK_NOFOLLOW) as a replacement for the fstat-call that
we can do when we successfully opened the relative file name with
O_NOFOLLOW.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 10 19:19:06 UTC 2022 on sn-devel-184
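
The symlink-safe open pattern that the smbd commits above describe (O_NOFOLLOW with an fstatat(AT_SYMLINK_NOFOLLOW) fallback when O_PATH is not used, O_NONBLOCK so a FIFO cannot stall the open, and the object type taken from fstat() instead of O_DIRECTORY), as an added example that is not Samba's code. The names open_nofollow and classify and the scratch directory under /tmp are assumptions made for this illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* exposes O_PATH on Linux/glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Samba code: open `name` relative to dirfd without
 * following a final symlink. Returns 0 with *st describing the object itself;
 * *fd_out is -1 when plain O_NOFOLLOW refused to open a symlink. */
int open_nofollow(int dirfd, const char *name, int use_o_path,
                  int *fd_out, struct stat *st)
{
    /* O_NONBLOCK: a FIFO without a writer must not stall the open.
     * No O_DIRECTORY: the type is read from fstat() afterwards. */
    int flags = O_RDONLY | O_NOFOLLOW | O_NONBLOCK;
#ifdef O_PATH
    if (use_o_path) flags |= O_PATH;
#endif
    (void)use_o_path;
    *fd_out = openat(dirfd, name, flags);
    if (*fd_out >= 0) return fstat(*fd_out, st); /* stat the handle we hold */
    if (errno != ELOOP && errno != EMLINK) return -1; /* e.g. ENOENT */
    /* Without O_PATH a symlink cannot be opened; stat the link itself. */
    return fstatat(dirfd, name, st, AT_SYMLINK_NOFOLLOW);
}

/* Build a constructed scratch directory and classify one entry:
 * 'f' file, 'd' directory, 'l' symlink, 'p' FIFO, '?' on error. */
char classify(const char *name, int use_o_path)
{
    char tmpl[] = "/tmp/nofollow-demo-XXXXXX";
    char type = '?';
    struct stat st;
    int fd = -1, dirfd, filefd, ok;
    if (mkdtemp(tmpl) == NULL) return type;
    dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) { rmdir(tmpl); return type; }
    filefd = openat(dirfd, "file", O_CREAT | O_WRONLY, 0600);
    ok = filefd >= 0 && mkdirat(dirfd, "dir", 0700) == 0 &&
         symlinkat("file", dirfd, "link") == 0 &&
         mkfifoat(dirfd, "fifo", 0600) == 0;
    if (filefd >= 0) close(filefd);
    if (ok && open_nofollow(dirfd, name, use_o_path, &fd, &st) == 0) {
        type = S_ISLNK(st.st_mode) ? 'l' : S_ISDIR(st.st_mode) ? 'd' :
               S_ISFIFO(st.st_mode) ? 'p' : S_ISREG(st.st_mode) ? 'f' : '?';
    }
    if (fd >= 0) close(fd);
    unlinkat(dirfd, "file", 0); unlinkat(dirfd, "link", 0);
    unlinkat(dirfd, "fifo", 0); unlinkat(dirfd, "dir", AT_REMOVEDIR);
    close(dirfd); rmdir(tmpl);
    return type;
}

int main(void)
{
    return classify("link", 0) == 'l' ? 0 : 1;
}
```

With O_PATH the symlink is opened as a handle to the link itself; without it the open fails with ELOOP and the fstatat() fallback reports the same type.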

2 years ago vfs: Convert get_real_filename() to NTSTATUS
Volker Lendecke [Mon, 7 Mar 2022 17:00:20 +0000 (18:00 +0100)]
vfs: Convert get_real_filename() to NTSTATUS

This makes it possible to more easily handle STOPPED_ON_SYMLINK vs
OBJECT_PATH_NOT_FOUND vs OBJECT_NAME_NOT_FOUND and so on. The next
patch needs this to properly handle symlinks.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago vfs: Add SMB_VFS_FSTATAT
Volker Lendecke [Thu, 6 Jan 2022 14:59:05 +0000 (15:59 +0100)]
vfs: Add SMB_VFS_FSTATAT

Useful if you want to stat/fstat/lstat relative to a directory without
doing chdir first.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years ago vfs: Don't mask shadow_copy2_convert()'s errno
Volker Lendecke [Fri, 4 Mar 2022 15:38:34 +0000 (16:38 +0100)]
vfs: Don't mask shadow_copy2_convert()'s errno

If it's really ENOMEM, shadow_copy2_convert() did set this itself. It
might also return ENOENT for example. Found this while working on
other patches.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>