Karolin Seeger [Tue, 27 Aug 2019 11:16:44 +0000 (13:16 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.10.8 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 27 Aug 2019 11:13:48 +0000 (13:13 +0200)]
WHATSNEW: Add release notes for Samba 4.10.8.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
CVE-2019-10197 [SECURITY][EMBARGOED] permissions check deny can allow user to
escape from the share.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Stefan Metzmacher [Thu, 11 Jul 2019 15:02:15 +0000 (17:02 +0200)]
CVE-2019-10197: smbd: split change_to_user_impersonate() out of change_to_user_internal()
This makes sure we always call chdir_current_service() even
when we still impersonated the user. Which is important
in order to run the SMB* request within the correct working directory
and only if the user has permissions to enter that directory.
It makes sure we always update conn->lastused_count
in chdir_current_service() for each request.
Note that vfs_ChDir() (called from chdir_current_service())
maintains its own cache and avoids calling SMB_VFS_CHDIR()
if possible.
It means we still avoid syscalls if we get a multiple requests
for the same session/tcon tuple.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 16 Jul 2019 13:40:38 +0000 (15:40 +0200)]
CVE-2019-10197: test_smbclient_s3.sh: add regression test for the no permission on share root problem
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 30 Jul 2019 15:16:59 +0000 (17:16 +0200)]
CVE-2019-10197: selftest: make fsrvp_share its own independent subdirectory
The next patch will otherwise break the fsrvp related tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 18 Jun 2019 12:04:08 +0000 (14:04 +0200)]
CVE-2019-10197: smbd: make sure we reset current_user.{need,done}_chdir in become_root()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 11 Jul 2019 15:01:29 +0000 (17:01 +0200)]
CVE-2019-10197: smbd: make sure that change_to_user_internal() always resets current_user.done_chdir
We should not leave current_user.done_chdir as true if we didn't call
chdir_current_service() with success.
This caused problems in when calling vfs_ChDir() in pop_conn_ctx() when
chdir_current_service() worked once on one share but later failed on another
share.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 12 Jul 2019 19:10:35 +0000 (12:10 -0700)]
CVE-2019-10197: smbd: separate out impersonation debug info into a new function.
Will be called on elsewhere on successful impersonation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Karolin Seeger [Tue, 20 Aug 2019 09:09:43 +0000 (11:09 +0200)]
VERSION: Bump version up to 4.10.8...
and re-eanble GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit
baafb6fc060c0b61f3e744c041be871303fa9c66)
Karolin Seeger [Tue, 20 Aug 2019 09:09:02 +0000 (11:09 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.10.7 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 20 Aug 2019 09:08:32 +0000 (11:08 +0200)]
WHATSNEW: Add release notes for Samba 4.10.7.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Alexander Bokovoy [Sat, 10 Aug 2019 08:53:12 +0000 (11:53 +0300)]
smbtorture: extend rpc.lsa to lookup machine over forest-wide LookupNames
Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3
using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass
zero lookup flags to lookup_name().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184
(cherry picked from commit
4d276a93fc624dc04d880f5b4157f272d3555be6)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Fri Aug 16 14:24:42 UTC 2019 on sn-devel-144
Alexander Bokovoy [Thu, 1 Aug 2019 12:48:58 +0000 (15:48 +0300)]
lookup_name: allow own domain lookup when flags == 0
In 2007, we've added support for multiple lookup levels for LSA
LookupNames family of calls. However, forest-wide lookups, as described
in MS-LSAT 2.2.16, never worked because flags passed to lookup_name()
were always set to zero, expecting at least default lookup on a DC to
apply. lookup_name() was instead treating zero flags as 'skip all
checks'.
Allow at least own domain lookup in case domain name is the same.
This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
trusted AD DC side.
For the reference, below is a request Windows Server 2016 domain
controller sends to FreeIPA domain controller when attempting to look up
a user from a trusted forest root domain that attemps to login to the
domain controller. Notice the level in the lsa_LookupNames3 call and
resulting flags in lookup_name().
[2019/08/03 07:14:24.156065, 1, pid=23639, effective(
967001000,
967001000), real(
967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid :
0000004c-0000-0000-455d-
3018575c0000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x000a (10)
size : 0x000c (12)
string : *
string : 'XS\ab'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
[2019/08/03 07:14:24.156189, 6, pid=23639, effective(
967001000,
967001000), real(
967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 4C 00 00 00 00 00 00 00 45 5D 30 18 ....L... ....E]0.
[0010] 57 5C 00 00 W\..
[2019/08/03 07:14:24.156228, 4, pid=23639, effective(
967001000,
967001000), real(
967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(
967001000,
967001000) : sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156246, 4, pid=23639, effective(
967001000,
967001000), real(
967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/08/03 07:14:24.156259, 4, pid=23639, effective(
967001000,
967001000), real(
967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156273, 5, pid=23639, effective(
967001000,
967001000), real(
967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2019/08/03 07:14:24.156285, 5, pid=23639, effective(
967001000,
967001000), real(
967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2019/08/03 07:14:24.156311, 5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
lookup_lsa_sids: looking up name XS\ab
[2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
lookup_name: XS\ab => domain=[XS], name=[ab]
[2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
lookup_name: flags = 0x00
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
685bb03de6ab733590831d1df4f5fd60d2ac427d)
Alexander Bokovoy [Thu, 1 Aug 2019 18:08:52 +0000 (21:08 +0300)]
torture/rpc/lsa: allow testing different lookup levels
Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing
different LSA_LOOKUP_NAMES_* levels. Keep existing level 1
(LSA_LOOKUP_NAMES_ALL) for the current set of tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
317bc6a7342edfa2c503f5932142bf5883485cc9)
Garming Sam [Wed, 24 Jul 2019 02:53:33 +0000 (14:53 +1200)]
tests/drs_no_dns: Check dbcheck and ldapcmp pass
When joining a DC without DNS partitions, make sure that the alternate
flow of creating them afterwards results in a database with everything
that is necessary.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14051
RN: Allow a DC join without DNS partitions, to add them later
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
35c54007e6183829d9d85a24b3bd95f469739ad3)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Thu Aug 8 11:15:54 UTC 2019 on sn-devel-144
Garming Sam [Wed, 24 Jul 2019 03:13:43 +0000 (15:13 +1200)]
tests: Add samba_upgradedns to the list of possible cmds
This will be used to test the replication scenario with no DNS partitions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14051
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
7d2875bd70cf727730be8dc705bfd01eacaaaa6f)
Garming Sam [Wed, 24 Jul 2019 03:18:40 +0000 (15:18 +1200)]
netcmd: Allow drs replicate --local to create partitions
Currently, neither the offline (--local) or online (normal replica sync)
methods allow partition creation post-join. This overrides the Python
default to not create the DB, which allows TDB + MDB to work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14051
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d90ccce59754bc833027c06683afac25f7a8d474)
Tim Beale [Tue, 23 Jul 2019 23:00:01 +0000 (11:00 +1200)]
join: Use a specific attribute order for the DsAddEntry nTDSDSA object
Joining a Windows domain can throw an error if the HasMasterNCs
attribute occurs before msDS-HasMasterNCs. This patch changes the
attribute order so that msDS-HasMasterNCs is always first.
Previously on python2, the dictionary hash order was arbitrary but
constant. By luck, msDS-HasMasterNCs was always before HasMasterNCs, so
we never noticed any problem. With python3, the dictionary hash order
now changes everytime you run the command, so the order is
unpredictable.
To enforce a order, we can change to use an OrderedDict, which will
return the keys in the order they're added.
I've asked Microsoft to clarify the protocol requirement here WRT
attribute order. However, in the meantime we may as well fix the problem
for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14046
RN: When trying to join a Windows domain (with functional level 2008R2)
as an AD domain controller, the 'samba-tool domain join' command could
throw a python exception: 'RuntimeError ("DsAddEntry failed")'. When
this problem occurred, you would also see the message "DsAddEntry failed
with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')"
in the command output. This issue has now been resolved. Note that this
problem would only occur on Samba v4.10 when using the Python3 packages.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 24 04:18:21 UTC 2019 on sn-devel-184
(cherry picked from commit
256684c7a86301d26d6cf7298fb70e647bf45cf5)
Rafael David Tinoco [Thu, 27 Jun 2019 20:12:25 +0000 (20:12 +0000)]
ctdb-config: depend on /etc/ctdb/nodes file
CTDB should start as a disabled unit (systemd) in most of the
distributions and, when trying to enable it for the first time, user
should get an unconfigured, or similar, error.
Depending on /etc/ctdb/nodes file will give a clear direction to final
user on what is needed in order to get cluster up and running. It should
work like previous ENABLED=NO variables in SySV like initialization
scripts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14017
RN: ctdb.service should only start if /etc/ctdb/nodes is not empty
Signed-off-by: Rafael David Tinoco <rafaeldtinoco@ubuntu.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit
c5803507df7def388edcd5b6cbfee30cd217b536)
Ralph Boehme [Thu, 27 Jun 2019 10:50:37 +0000 (12:50 +0200)]
vfs_catia: pass stat info to synthetic_smb_fname()
This doesn't cause visible damage in vanilla Samba, but would affect downstream
consumers that add additional fields to struct smb_filename.
For the same reason there's no test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14015
RN: Ensure vfs_catia passes stat info to stacked VFS modules
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
ae6dd4853e3e651f6e56ce735bcb0a2264857385)
Björn Baumbach [Tue, 28 May 2019 12:52:36 +0000 (14:52 +0200)]
samba-tool: add 'import samba.drs_utils' to fsmo.py
On some systems we're seeing this:
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 533, in run
transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 136, in transfer_dns_role
except samba.drs_utils.drsException as e:
E.g. it happens on debian stretch (9.9) with python 2.7.13 (on 4.10.4)
While it doesn't happen on ubuntu 18.04 with python 2.7.15rc1 or
with python 3.6.7.
There were also some reports on the mailing lists, see:
https://lists.samba.org/archive/samba-technical/2019-May/133624.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bbaumbach@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 30 08:27:24 UTC 2019 on sn-devel-184
(cherry picked from commit
320a5c5425e6ced18b1a9bf19b4f361ee16821ed)
Stefan Metzmacher [Tue, 28 May 2019 12:54:19 +0000 (14:54 +0200)]
samba-tool: use only one LDAP modify for dns partition fsmo role transfer
We should not risk that we end with no role owner.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6a2e3a15585086bcceb18283216978a2fcb30da3)
Björn Baumbach [Tue, 28 May 2019 12:57:15 +0000 (14:57 +0200)]
s4:torture:fsmo.py: remove unused 'net_cmd' variable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Signed-off-by: Björn Baumbach <bbaumbach@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
0fbb013bef886e425602fdbbef14a4029719818f)
Stefan Metzmacher [Tue, 28 May 2019 12:53:09 +0000 (14:53 +0200)]
samba-tool: fix replication after dns partition fsmo role transfer
The new role owner need to replicate from the old role owner.
Before we told the old role owner to replicate from itself.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
4793f8ed584a4e6d8a26b06b691ec636e77d8f2a)
Björn Baumbach [Fri, 24 May 2019 13:46:17 +0000 (15:46 +0200)]
s4:torture:fsmo.py: test role transfers of dns partitions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bbaumbach@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
5e000a8487d788dd196980b77ec7299c8be74abf)
Stefan Metzmacher [Fri, 24 May 2019 16:36:48 +0000 (18:36 +0200)]
dnsp.idl: fix payload for DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 21 11:02:21 UTC 2019 on sn-devel-184
(cherry picked from commit
aa2a3d95098231f48d7c308881bf66418164111e)
Stefan Metzmacher [Tue, 30 Apr 2019 12:21:22 +0000 (14:21 +0200)]
dnsp.idl: fix the dnsp_dns_addr_array definition
The endian changes are needed in order to get the following result
from the blobs Windows generated (see the torture test):
AddrArray: ARRAY(3)
AddrArray: struct dnsp_dns_addr
family : 0x0002 (2)
port : 0x0035 (53)
ipv4 : 172.31.99.33
ipv6 : 0000:0000:0000:0000:0000:0000:0000:0000
[MS-DNSP] states that the port is supposed to be ignored, but it's still
good to decode it as port '53' (0x0035) instead of '13568' (0x3500).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit
6fc7cc15048673d109042d7b40684ed63eb4ff9e)
Stefan Metzmacher [Tue, 30 Apr 2019 08:07:51 +0000 (10:07 +0200)]
dnsp.idl: fix dnsp_ip4_array definition
In future we should use ipv4address, but that would result in a much
larger change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit
6d958af0b4cb6fd45cfda0298243859b3b043c6f)
Stefan Metzmacher [Fri, 24 May 2019 15:39:17 +0000 (17:39 +0200)]
s4:torture: add local.ndr.dnsp tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit
9a0c3a475f29138c0c49e0d22cf52ab45178d16b)
Stefan Metzmacher [Mon, 29 Apr 2019 09:59:50 +0000 (11:59 +0200)]
dbcheck: fallback to the default tombstoneLifetime of 180 days
If a domain was provisioned by Windows 2000 this value is missing in the
database.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 28 08:32:10 UTC 2019 on sn-devel-184
(cherry picked from commit
2ef79a4c1d695a3e498b142810a1317d85b9b6da)
Andreas Schneider [Mon, 3 Jun 2019 08:40:55 +0000 (10:40 +0200)]
third_party: Update waf to version 2.0.17
This fixes building Samba, libtalloc, libtevent, libtdb and libldb with
Python 3.8.
wget https://waf.io/waf-2.0.17.tar.bz2
tar -xf waf-2.0.17.tar.bz2
git rm third_party/waf/waflib/ -r
mkdir third_party/waf -p
rsync -a waf-2.0.17/waflib/ third_party/waf/waflib/
git add third_party/waf/waflib/
(Then update version number in buildtools/bin/waf and
buildtools/wafsamba/wafsamba.py)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13960
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
aabdcc91513e242c4f191e1bbbb70c890416d213)
Stefan Metzmacher [Fri, 26 Apr 2019 11:40:58 +0000 (13:40 +0200)]
lib/util: set current_msg_{level,class} also during a DEBUGADD[C]() call
In some situations we use DEBUGADDC() in order to print out content
without a related debug header line.
This is important with the new per class logfile with:
log level = 1 dsdb_json_audit:10@/var/log/samba/log.dsdb_json_audit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0da12ff93d213ac742eeb865bfa5697ca8a2280a)
Stefan Metzmacher [Fri, 26 Apr 2019 11:32:43 +0000 (13:32 +0200)]
lib/util: remove unused prototypes in debug.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
d98a971247450d494c581c5454e6c270ad1b6880)
Stefan Metzmacher [Fri, 26 Apr 2019 11:21:15 +0000 (13:21 +0200)]
lib/util: fix call to dbghdrclass() for DEBUGC()
dbghdrclass() sets the global 'current_msg_class' and for that
DEBUGC() should pass the given dbgc_class instead of the per file
DBGC_CLASS.
This is important with the new per class logfile with:
log level = 1 dsdb_audit:10@/var/log/samba/log.dsdb_audit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
bb0ffbf38cb1955c9e400003add680eabcf706a6)
Tim Beale [Mon, 1 Jul 2019 05:06:31 +0000 (17:06 +1200)]
s4/libnet: Fix joining a Windows pre-2008R2 DC
From v4.8 onwards, Samba may not be able join a DC older than 2008R2
because the Windows DC doesn't support GET_TGT.
If the dsdb repl_md code can't resolve a link target it returns an
error, and the calling code (e.g. drs_util.py) should retry with
GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later,
so if you try to join an earlier Windows DC, the join will throw an
error that you can't work-around.
We can avoid this problem by setting the same DSDB flag that GET_TGT
sets to indicate that the link targets are as up-to-date as possible,
and so there's no point retrying. Missing targets are still logged, so
this at least allows the admin to fix up any problems after the join
completed.
I've only done this for the join case (problems during periodic
replication are probably still worth escalating to an error).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021
RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD
DC may not have worked. When this problem occurred, the following
message would be displayed:
'Failed to commit objects: DOS code 0x000021bf'
This particular issue has now been resolved. Note that there may still
be other potential problems that occur when joining an older Windows DC.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b3a2508f2ad79e2f1007464da7dbe918933038a0)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Tue Jul 9 10:31:40 UTC 2019 on sn-devel-144
Michael Adam [Thu, 20 Jun 2019 13:14:57 +0000 (15:14 +0200)]
vfs:glusterfs_fuse: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs_fuse vfs module to treat ENOATTR as
ENOENT to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jun 28 12:52:03 UTC 2019 on sn-devel-184
(cherry picked from commit
fee8cf326bfe240d3a8720569eab43f474349aff)
Michael Adam [Thu, 20 Jun 2019 13:14:57 +0000 (15:14 +0200)]
vfs:glusterfs: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs vfs module to treat ENOATTR as ENOENT
to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
8899eb21d48b7077328ae560490f9fb9715a6b83)
Tim Beale [Mon, 24 Jun 2019 22:10:17 +0000 (10:10 +1200)]
dsdb: Handle DB corner-case where PSO container doesn't exist
A 2003 AD DB with functional level set to >= 2008 was non-functional
due to the PSO checks.
We already check the functional level is >= 2008 before checking for the
PSO container. However, users could change their functional level
without ensuring their DB conforms to the corresponding base schema.
The objectclass DSDB module should prevent the PSO container from ever
being deleted. So the only way we should be able to hit this case is
through upgrading the functional level (but not the underlying schema
objects). If so, log a low-priority message and continue without errors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008
RN: Previously, AD operations such as user authentication could fail
completely with the message 'Error 32 determining PSOs in system' logged
on the samba server. This problem would only affect a domain that was
created using a pre-2008 AD base schema and then had its functional
level manually raised to 2008 or greater. This issue has now been
resolved.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
295bf73e9b24b1f2b4594320a6501dc7410d4b43)
Stefan Metzmacher [Mon, 27 May 2019 11:12:14 +0000 (13:12 +0200)]
s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()
The gensec schannel module already asserts that at least
AUTH_LEVEL_INTEGRITY is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
0b6e37c9e801435e094194dd60d9213b4868c3de)
Stefan Metzmacher [Mon, 27 May 2019 10:38:43 +0000 (12:38 +0200)]
s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
fa5215ce5b93fb032df341e718d7011e619f0916)
Stefan Metzmacher [Mon, 27 May 2019 10:38:43 +0000 (12:38 +0200)]
s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
ead9b93ce5c2c67bbdb778232805d6d9e70112fc)
Gary Lockyer [Tue, 21 May 2019 23:43:54 +0000 (11:43 +1200)]
s4 librpc rpc pyrpc: Fix flapping dcerpc.bare tests
Commit
d65b7641c84976c543ded8f0de5ab2da3c19b407 had the parameters to
talloc_reparent reversed. This caused the dcerpc.bare tests to flap.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13932
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Wed May 22 03:03:43 UTC 2019 on sn-devel-184
(cherry picked from commit
3e6661fd73bb24ef5700a98f676f1df5eeca408b)
Gary Lockyer [Tue, 7 May 2019 23:30:20 +0000 (11:30 +1200)]
s4 librpc rpc pyrpc: Ensure tevent_context deleted last
Ensure that the tevent_context is deleted after the connection, to
prevent a use after free.
Note: Py_DECREF calls dcerpc_interface_dealloc so the
TALLOC_FREE(ret->mem_ctx) calls in the error paths of
py_dcerpc_interface_init_helper needed removal.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13932
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d65b7641c84976c543ded8f0de5ab2da3c19b407)
Douglas Bagnall [Wed, 2 May 2018 21:53:56 +0000 (09:53 +1200)]
s4/pyrpc_util: appropriately decrement refcounts on failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
e23b9f88cc1c8a8c8cda07fb25d639218c12d91a)
Andrew Bartlett [Wed, 20 Mar 2019 00:57:50 +0000 (13:57 +1300)]
build: Allow build when --disable-gnutls is set
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13844
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Mar 20 05:25:48 UTC 2019 on sn-devel-144
(cherry picked from commit
a40b0f452af5f393aa33c9d52673994effd0e31f)
Karolin Seeger [Mon, 8 Jul 2019 09:58:35 +0000 (11:58 +0200)]
VERSION: Bump version up to 4.10.7...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Mon, 8 Jul 2019 09:57:39 +0000 (11:57 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.10.6 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Mon, 8 Jul 2019 09:56:40 +0000 (11:56 +0200)]
WHATSNEW: Add release notes for Samba 4.10.6.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Stefan Metzmacher [Wed, 3 Jul 2019 10:14:03 +0000 (12:14 +0200)]
ldb: Release ldb 1.5.5
Compared to 1.5.4:
* LDAP_REFERRAL_SCHEME_OPAQUE was added
to ldb_module.h in order to fix bug #12478.
It means that Samba >= 4.10.6 will no longer be able to
build with ldb 1.5.4.
* We Skip @ records early in a search full scan
in order to address bug #13893.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Björn Baumbach [Wed, 12 Jun 2019 19:16:25 +0000 (21:16 +0200)]
python/ntacls: use correct "state directory" smb.conf option instead of "state dir"
samba-tool ntacl get testfile --xattr-backend=tdb --use-ntvfs
Fixes: Unknown parameter encountered: "state dir"
Signed-off-by: Björn Baumbach <bb@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
670a12df52df63a067b638d37bec71341bf18bdd)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14002
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Wed Jun 26 11:37:29 UTC 2019 on sn-devel-144
Björn Baumbach [Wed, 12 Jun 2019 19:00:01 +0000 (21:00 +0200)]
selftest: add test for samba-tool ntacl get/set --use-ntvfs --xattr-backend=tdb
Signed-off-by: Björn Baumbach <bb@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
1b0184a9562689a658e75a0cfc69bdd23277cff6)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14002
Andreas Schneider [Fri, 1 Feb 2019 17:51:53 +0000 (18:51 +0100)]
docs: Document DCEPRC binding string for rpcclient
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 4 02:03:56 CET 2019 on sn-devel-144
(cherry picked from commit
cca48c1a1029685672e1c25e39e8be2be947238f)
Andreas Schneider [Tue, 18 Jun 2019 12:43:50 +0000 (14:43 +0200)]
s3:client: Link smbspool_krb5_wrapper against krb5samba
Heimdal doesn't provide krb5_free_unparsed_name(), so we need to use the
function we provide in krb5samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
9268919e046190c7b423133de3f9d0edada3f1b8)
Lukas Slebodnik [Wed, 12 Jun 2019 10:27:04 +0000 (12:27 +0200)]
wafsamba: Use native waf timer
__main__:1: DeprecationWarning: time.clock has been deprecated in Python 3.3
and will be removed from Python 3.8: use time.perf_counter
or time.process_time instead
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13998
Signed-off-by: Lukas Slebodnik <lslebodn@fedoraproject.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
8f082904ce580f1a6b8a06ebcc323c99e892bd1f)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Fri Jun 21 11:14:16 UTC 2019 on sn-devel-144
Ralph Boehme [Mon, 27 May 2019 10:27:57 +0000 (12:27 +0200)]
s3:mdssvc: fix flex compilation error
[4440/4495] Compiling bin/default/source3/rpc_server/mdssvc/sparql_lexer.lex.c
../../source3/rpc_server/mdssvc/sparql_lexer.l:26: error: "yyalloc" redefined [-Werror]
26 | #define yyalloc SMB_MALLOC
Looks like the dirty redefine trick doesn't work anymore with newer flex
versions. According to the flex manual the right thing to do is to provide own
functions for yyalloc and yyrealloc when passing the options "noyyalloc
noyyrealloc".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13987
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue May 28 11:49:06 UTC 2019 on sn-devel-184
(cherry picked from commit
9053391f86a529e0a7dbcd23fa3a555d85c2207c)
Rafael David Tinoco via samba-technical [Mon, 3 Jun 2019 02:44:15 +0000 (23:44 -0300)]
ctdb-scripts: Fix tcp_tw_recycle existence check
net.ipv4.tcp_tw_recycle has been removed from Linux 4.12 but, still,
makes sense to check its existence. Unfortunately, current check does
not test for the procfs file existence. This commit fixes the issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13984
Signed-off-by: Rafael David Tinoco <rafaeldtinoco@ubuntu.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 4 23:31:24 UTC 2019 on sn-devel-184
(cherry picked from commit
843fbb1207ee7ac84f3282974b66b9290d8da0ac)
Andrew Bartlett [Fri, 31 May 2019 21:04:48 +0000 (09:04 +1200)]
docs: Improve documentation of "lanman auth" and "ntlm auth" connection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13981
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
dbf3e81f7f0b28c69dca004b32ea3a7344b0cad3)
Ralph Boehme [Fri, 24 May 2019 13:15:59 +0000 (15:15 +0200)]
vfs_fruit: remove a now unnecessary include
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 30 22:12:50 UTC 2019 on sn-devel-184
(cherry picked from commit
9a2c9834cb1b77547b8b932c35870301afb9fc25)
Ralph Boehme [Fri, 24 May 2019 12:51:17 +0000 (14:51 +0200)]
vfs_fruit: use VFS functions in ad_read_rsrc_adouble()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
9fe84a6345bf5d9fdb1df87a853db3380e6fb0f7)
Ralph Boehme [Fri, 24 May 2019 10:51:15 +0000 (12:51 +0200)]
vfs_fruit: use fsp and remove syscalls from ad_convert_blank_rfork()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
70c4a8f0ac307009c26e857523192c95b42a92f5)
Ralph Boehme [Fri, 24 May 2019 10:07:55 +0000 (12:07 +0200)]
vfs_fruit: use VFS function in ad_convert_truncate()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
3739ad90cf2bbaa2094a34197c894363d2e24a5a)
Ralph Boehme [Fri, 24 May 2019 10:05:51 +0000 (12:05 +0200)]
vfs_fruit: add VFS handle to ad_convert_truncate()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
4e44b1da9357120f0ad74e24c650bc6386085c47)
Ralph Boehme [Fri, 24 May 2019 09:54:51 +0000 (11:54 +0200)]
vfs_fruit: use fsp and remove mmap in ad_convert_xattr()
No need to mmap() anyway, the xattr data is already available in ad->ad_data.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
4ff7ea0e0312c737aefd350f7b8fbed4c8602325)
Ralph Boehme [Thu, 23 May 2019 20:44:21 +0000 (22:44 +0200)]
vfs_fruit: remove use of mmap() from ad_convert_move_reso()
We now have an fsp that we can use, so we can get rid of mmap() and
sys_pread()/sys_pwrite().
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
0041855af0b05d6c47558880d6eebd1970179272)
Ralph Boehme [Thu, 23 May 2019 14:42:52 +0000 (16:42 +0200)]
vfs_fruit: convert ad_open_rsrc() to open a proper fsp with SMB_VFS_CREATE_FILE()
A first step in converting all raw syscalls to use proper VFS functions. All
existing users of the raw system filedescriptor continue to use the fd from
fsp->fh for now.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
29418c726be74feb1d8c3ac9f7b8c983901a2aab)
Ralph Boehme [Thu, 23 May 2019 14:22:39 +0000 (16:22 +0200)]
vfs_fruit: only do cross protocol locking on non-internal opens
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
f5f7d1e9bf7e39933ccf7c874e682f9df80a6fec)
Ralph Boehme [Thu, 23 May 2019 06:27:37 +0000 (08:27 +0200)]
vfs_fruit: remove a layer of indirection
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
97d485ff2cda85edeba163ea01b6abfa705db20f)
Ralph Boehme [Thu, 23 May 2019 06:14:18 +0000 (08:14 +0200)]
vfs_fruit: pass VFS handle to ad_convert_move_reso()
Not used for now, that comes next.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
3919ea048fe3b763657e14cdfb5920184a900d27)
Ralph Boehme [Wed, 22 May 2019 19:15:22 +0000 (21:15 +0200)]
vfs_fruit: remove xattr code from the AppleDouble subsystem
The subsystem consumers have been reworked in the previous commits, so this is
not used anymore. ad_init() doesn't need a handle argument anymore due to this,
remove it as well.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
e3cb1cb24f2a31d7fd03f3bdf417f4704fb4ac7c)
Ralph Boehme [Fri, 17 May 2019 12:31:15 +0000 (14:31 +0200)]
vfs_fruit: remove now unused AppleDouble code for resource fork in xattr
This was only needed to get the resourcefork size via the ad_* AppleDouble
function. This is now done with a fstat on the low level xattr fd (remember,
this is Solaris only code...), so we can remove the xattr special casing from
the AppleDouble functions.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
cb9dffa1c66294b6eed85e7576aa99c642d0b541)
Ralph Boehme [Wed, 22 May 2019 16:08:14 +0000 (18:08 +0200)]
vfs_fruit: use stream code for resource fork size calculation in readdir_attr_rfork_size()
This works as well, using an fstat() on the filehandle to get the size. This is
tested by the torture test "vfs.fruit.SMB2/CREATE context AAPL".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
a23bcc1916a49bf3e0edece190e5434e39862d2c)
Ralph Boehme [Wed, 22 May 2019 15:02:20 +0000 (17:02 +0200)]
vfs_fruit: use correct case FRUIT_RSRC_STREAM in readdir_attr_rfork_size()
This is a genuine bug, but luckily this would only impact configs which nobody
uses:
fruit:metadata = netatalk
fruit:resource = stream
With the above configuration the switch in readdir_attr_rfork_size() would hit
the default case and so always report resource forks as 0 bytes in size.
All deployment that I've seen that use fruit:resource=stream also use
fruit:metadata=stream, so the switch takes FRUIT_META_STREAM case which runs the
correct code readdir_attr_rfork_size_stream().
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
83179a74119de84d20f796c241aae6bccb83a68b)
Ralph Boehme [Tue, 21 May 2019 09:42:47 +0000 (11:42 +0200)]
vfs_fruit: ignore AppleDouble files in fruit_unlink()
Otherwise, if SMB_VFS_UNLINK() is called for an AppleDouble path "._file", we
try to delete "._._file" which doesn't make sense. AppleDouble files don't have
AppleDouble themselves.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
797dc649456f39add4af8b54b60db0268ad4e90e)
Ralph Boehme [Tue, 21 May 2019 09:40:33 +0000 (11:40 +0200)]
vfs_fruit: add a missing else
Luckily the missing else has the same control flow due to the previous if and
else blocks calling return.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
44d8568001c87d28962dfc4e3fde6d0f7f409997)
Ralph Boehme [Tue, 21 May 2019 09:39:18 +0000 (11:39 +0200)]
vfs_fruit: add and use is_adouble_file()
This adds a helper function that checks whether the last component of a path is
an AppleDouble sidecar file with "._" name prefix.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
ad70c947c759aa0965ee57f973fb8dc1909e0e39)
Ralph Boehme [Fri, 17 May 2019 10:19:06 +0000 (12:19 +0200)]
vfs_fruit: finally, remove ad_handle from struct adouble
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
e266daaed149561b746dbb8d5e9523862f0057b5)
Ralph Boehme [Fri, 17 May 2019 10:17:28 +0000 (12:17 +0200)]
vfs_fruit: pass handle to ad_convert_delete_adfile()
On the course of removing ad_handle from struct adouble, step 10.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
5f4d16b40e07acf8d27fee62f1a56de175663a1d)
Ralph Boehme [Fri, 17 May 2019 10:05:07 +0000 (12:05 +0200)]
vfs_fruit: pass handle to ad_convert_finderinfo()
On the course of removing ad_handle from struct adouble, step 9.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
50874c1548d62ab0ddaaa6dd4124279ee5029fcf)
Ralph Boehme [Fri, 17 May 2019 10:02:46 +0000 (12:02 +0200)]
vfs_fruit: pass handle to ad_convert_blank_rfork()
On the course of removing ad_handle from struct adouble, step 8.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
adc7ac38b849b4dce4a85fd6442c8d4b9da57686)
Ralph Boehme [Fri, 17 May 2019 09:54:10 +0000 (11:54 +0200)]
vfs_fruit: pass handle to ad_convert_xattr()
On the course of removing ad_handle from struct adouble, step 7.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
fd2f4cf828ee4c31e3b5a27a79d3a0ee12a5877a)
Ralph Boehme [Fri, 17 May 2019 09:23:17 +0000 (11:23 +0200)]
vfs_fruit: indentation fix
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
400b3c2f8c82b1defe1e321e0cdae486b930344f)
Ralph Boehme [Fri, 17 May 2019 09:47:26 +0000 (11:47 +0200)]
vfs_fruit: pass handle to ad_read_rsrc() and all the way down
On the course of removing ad_handle from struct adouble, step 5.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
661dfa4a19673fdb30d5bf36279cdf867454b947)
Ralph Boehme [Fri, 17 May 2019 09:42:06 +0000 (11:42 +0200)]
vfs_fruit: use proper VFS function in ad_read_meta()
Continuing to ignore a possible error for now, this is in an error codepath
anyway.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
30ca328c698c2e035e240359bda7c9dcbeb646df)
Ralph Boehme [Fri, 17 May 2019 09:23:17 +0000 (11:23 +0200)]
vfs_fruit: indentation fix
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
47721d8d359ef78b8dd4f77f92c30c2caf2c4a80)
Ralph Boehme [Fri, 17 May 2019 09:22:24 +0000 (11:22 +0200)]
vfs_fruit: pass handle to ad_read_meta()
On the course of removing ad_handle from struct adouble, step 4.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
f8df09157f31b53dbe73eaf4349fc071bfcc1b90)
Ralph Boehme [Fri, 17 May 2019 09:19:53 +0000 (11:19 +0200)]
vfs_fruit: pass handle to ad_read()
On the course of removing ad_handle from struct adouble, step 3.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
d0abf945e683766029d28915541a4baf9f3879ab)
Ralph Boehme [Fri, 17 May 2019 08:43:55 +0000 (10:43 +0200)]
vfs_fruit: pass handle to ad_set()
On the course of removing ad_handle from struct adouble, step 2.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
c78ba30ac4534b7037b979ac96b77b834b2eb2fe)
Ralph Boehme [Fri, 17 May 2019 08:41:29 +0000 (10:41 +0200)]
vfs_fruit: pass handle to ad_fset()
On the course of removing ad_handle from struct adouble, step 1.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
585d4d49770b4ddc3f7d9dcbb3e322f072767781)
Ralph Boehme [Mon, 13 May 2019 18:16:47 +0000 (20:16 +0200)]
s3:auth: explicitly add BUILTIN\Guests to the guest token
This changes ensures that smbd always adds BUILTIN\Guests to the guest token
which is required for guest authentication.
Currently the guest token depends on the on-disk configured group mappings. If
there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not
a member, the final guest token won't contain BUILTIN\Guests.
For SMB2 the flag SMB2_SESSION_FLAG_IS_GUEST will not be set in the final SMB2
SESSION_SETUP response, because smbd sets it based on the token containing the
BUILTIN\Guests SID S-1-5-32-546.
At the same time, the packet is not signed which causes Windows clients and
smbclient to reject the unsigned SMB2 SESSION_SETUP response.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944
Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 5 16:55:26 UTC 2019 on sn-devel-184
(cherry picked from commit
a66af4c96accba4ee64eeb1958458b69f3ccec1d)
Ralph Boehme [Thu, 16 May 2019 10:47:34 +0000 (12:47 +0200)]
tests: add a test for guest authentication
This verifies that smbd always adds BUILTIN\Guests to the guest token which is
required for guest authentication.
Currently the guest token depends on the on-disk configured group mappings. If
there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not
a member, the final guest token won't contain BUILTIN\Guests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
0e88f98855e24cfddb55bef65c5910b8e662c630)
Ralph Boehme [Thu, 16 May 2019 10:43:40 +0000 (12:43 +0200)]
selftest: allow guest login in the ad_member_idmap_rid env
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ac2167eb2349dc1c453e14a65692f16c8ba6532e)
Ralph Boehme [Thu, 16 May 2019 10:42:54 +0000 (12:42 +0200)]
s3:smbd: call reinit_guest_session_info() in the conf updated handler
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
f4e340a48b6f059a1daa66deb9c26da9e8fcd5e7)
Ralph Boehme [Thu, 16 May 2019 10:42:29 +0000 (12:42 +0200)]
s3:auth: add reinit_guest_session_info()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8096cc7eb2b36b074ff17a52dc3540be4ecff6bb)
Stefan Metzmacher [Fri, 26 Apr 2019 14:31:46 +0000 (14:31 +0000)]
dsdb:audit_log: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."
We better print "... remote host [Unknown] SID [S-1-5-18] ..."
in 'dsdb_audit' message, this matches what we print for
'dsdb_json_audit'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13916
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
706aba5bf62e674ae12786f6ab275752b8714464)
Andrew Bartlett [Thu, 4 Apr 2019 21:46:50 +0000 (10:46 +1300)]
ldb_kv: Skip @ records early in a search full scan
@ records like @IDXLIST are only available via a base search on the specific name
but the method by which they were excluded was expensive, after the unpack the
DN is exploded and ldb_match_msg_error() would reject it for failing to match the
scope.
This uses the fact that @ records have the DN=@ prefix on their TDB/LMDB key
to quickly exclude them from consideration.
Based on analysis by Garming Sam.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13893
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 10 06:23:39 UTC 2019 on sn-devel-144
(cherry picked from commit
49b77d8df2d7113ac7ddb75e78de6628933ff852)
Andrew Bartlett [Sun, 10 Mar 2019 23:38:27 +0000 (23:38 +0000)]
samba-tool domain provision: Fix --interactive module in python3
The prompts were not being printed to the screen because the stream
was not being flushed.
As reported on the samba mailing list by Adam Xu:
https://lists.samba.org/archive/samba/2019-March/221753.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13828
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Tim Beale <timbeale@catalyst.net.nz>
(cherry picked from commit
31aecee1446c5006771aaa535ae85810bbfb5db0)
Gary Lockyer [Tue, 21 May 2019 01:17:22 +0000 (13:17 +1200)]
ldap server: generate correct referral schemes
Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals recieved via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 24 05:12:14 UTC 2019 on sn-devel-184
(cherry picked from commit
1958cd8a7fb81ec51b81944ecf4dd0fb5c4208fa)
Gary Lockyer [Tue, 21 May 2019 01:14:08 +0000 (13:14 +1200)]
ldap tests: test scheme for referrals
Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals recieved via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6ccf74cf878c295903673e3a1d1ed924a5e87547)
Günther Deschner [Mon, 3 Jun 2019 14:28:36 +0000 (16:28 +0200)]
s3/vfs_glusterfs_fuse: Avoid using NAME_MAX directly
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13872
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jun 11 00:29:19 UTC 2019 on sn-devel-184
Günther Deschner [Mon, 3 Jun 2019 14:25:46 +0000 (16:25 +0200)]
s3/vfs_glusterfs: Avoid using NAME_MAX directly
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13872
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>