With the hide unreadable option set, snapshots are be displayed
as empty because the shadow_copy2 module did not implement the
fget_nt_acl call that is used by the hide unreadable code and
so the paths were not corrected internally.
To prevent multiple conversions of the paths when the acl call
does a VFS_STAT (like the nfs4acl code does), a check was added
to convert_shadow2_name() so it will not touch paths any more
that look like they have already been converted.
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
libwbclient: Re-Fix a bug that was fixed with e5741e27c4c
> r21878: Fix a bug with smbd serving a windows terminal server: If winbind
> decides smbd to be idle it might happen that smbd needs to do a winbind
> operation (for example sid2name) as non-root. This then fails to get the
> privileged pipe. When later on on the same connection another authentication
> request comes in, we try to do the CRAP auth via the non-privileged pipe.
>
> This adds a winbindd_priv_request_response() request that kills the existing
> winbind pipe connection if it's not privileged.
The fix for this was lost during the conversion to libwbclient.
Thanks to Ira Cooper <samba@ira.wakeful.net> for pointing this out!
When the notify_array cannot be loaded correctly,
do not keep the half-baked parsing results in the global variable.
This can lead to segfaults next time notify_load is entered and
the seqnum has not changed. This has been seen in a case
where mixed smbd versions were running in a CTDB cluster
(versions with and w/o commit c216d1e6 that changed the
notify_entry structure).
There will be missed notifications until all smbds are at the
same software level, but this should be acceptable and is better
than crashing and interrupting client operations.
This fix cleans up the notify_array, removes the unparseable data
from the TDB and returns a fresh notify_array that can be worked
with.
The NDR_PRINT_DEBUG had to be moved to only be called when the
parsing succeeded, it was seen to cause additional segfaults.
The status variable is intentionally left to NT_STATUS_OK to not
make callers abort and report errors to the clients and make them
disconnect.
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
s3-schannel: Fix Bug #6697. Interdomain trusts with Windows 2008 R2 DCs.
The Schannel verifier (aka NL_AUTH_SIGNATURE) structure (32 byte) sent from a
W2k8r2 DC is passed in a buffer with the size of a NL_AUTH_SHA2_SIGNATURE (56
byte). We should just ignore the remaining 12 zeroed bytes and proceed.
Jeremy Allison [Mon, 28 Sep 2009 11:52:57 +0000 (13:52 +0200)]
Fix for CVE-2009-2813.
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
Jeff Layton [Fri, 25 Sep 2009 11:03:44 +0000 (07:03 -0400)]
mount.cifs: don't leak passwords with verbose option
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.
Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.
Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness sake.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl> Signed-off-by: Jeff Layton <jlayton@redhat.com> Acked-by: Steve French <sfrench@us.ibm.com> Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
Jeff Layton [Fri, 25 Sep 2009 11:03:44 +0000 (07:03 -0400)]
mount.cifs: check access of credential files before opening
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.
Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl> Signed-off-by: Jeff Layton <jlayton@redhat.com> Acked-by: Steve French <sfrench@us.ibm.com> Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
Tim Prouty [Wed, 4 Feb 2009 07:17:48 +0000 (23:17 -0800)]
s3 oplocks: Remove oplocks before handling delete on close semantics
Unlinking a file while still holding an oplock can cause problems with
kernel oplocks. This simply releases the oplock before actually
unlinking the file.
streamline some log levels for invalid servicenames
I don't think we need to log the fact that a user gave a wrong sharename in Explorer with the highest log level.
The level of this was not very consistent:
service.c: DEBUG(3,("find_service() failed to find service %s\n", service));
service.c: DEBUG(0,("%s (%s) couldn't find service %s\n",
smb2_tcon.c: DEBUG(1,("smbd_smb2_tree_connect: couldn't find service %s\n",
This changes the last two to 3 as the first one.
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
Jeremy Allison [Wed, 25 Feb 2009 20:53:45 +0000 (12:53 -0800)]
Fix bug in processing of open modes in POSIX open. Was missing case of "If file exists open. If file doesn't exist error." Damn damn damn. CIFSFS client will have to have fallback cases for this error for a long time. Jeremy.
do not merge ACEs with different SMB_ACE4_INHERIT_ONLY_ACE flag, this leads to wrong inheritance flags in the ACL e.g. (on GPFS) user:10000036:rwxc:allow (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED (X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
so the explicit right for the user on the parent directory will be gone (the InheritOnly flag only accounts to subdirectories)
thus leaving the user without access to the directory itself
Volker Lendecke [Wed, 26 Aug 2009 12:56:41 +0000 (14:56 +0200)]
Add a parameter to disable the automatic creation of krb5.conf files
This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of
transitive AD trusts. The workaround is to add a [capaths] directive to
/etc/krb5.conf, which we don't automatically put into the krb5.conf winbind
creates.
The alternative would have been something like a "krb5 conf include", but I
think if someone has to mess with /etc/krb5.conf at this level, it should be
easy to add the site-local KDCs as well.
Next alternative is to correctly figure out the [capaths] parameter for all
trusted domains, but for that I don't have the time right now. Sorry :-)
Volker Lendecke [Thu, 13 Aug 2009 04:33:16 +0000 (06:33 +0200)]
Make refusal of SEC_DESC_DACL_PROTECTED configurable
This adds a parameter "gpfs:refuse_dacl_protected" that defaults to false.
GPFS has no place to store the SEC_DESC_DACL_PROTECTED ACL bit. With this
parameter we give customers an option to either ignore this bit or refuse
setting an ACL with it.
This optimizes non-recursive notifys. For non-recursive notifies we can use a
per-directory file-id indexed notify record. This matters for the Windows
Explorer and IIS cases which do not use recursive notifies. In these cases, we
do not have to shuffle around the whole notify record on every change.
For the cluster case, this improves correctness of the notifies, ctdb only
distributes the tdb seqnum once a second, so we can lose notifies.
Steven Danneman [Fri, 20 Feb 2009 21:23:53 +0000 (13:23 -0800)]
s3: Modifications to generic notify structures to allow implementation of OneFS notify.
The OneFS kernel based change notify system takes an fd of the directory
to watch in it's initialization syscall. Since we already have this
directory open, this commit plumbs that fd down to the VFS layer via the
notify_entry struct.
We also need to know if the watch is taken out on a snapshot directory.
The full file_id struct is also passed down to make this determination.
The file_id marshalling wrappers are hand written here, but should
eventually be auto-generated by moving the struct file_id into the idl.
as GPFS does not support the ACE4_FLAG_NO_PROPAGATE NFSv4 flag (which would be the mapping for the DESC_DACL_PROTECTED flag), the status of this flag is currently silently ignored by Samba. That means that if you deselect the "Allow inheritable permissions..." checkbox in Windows' ACL dialog and then apply the ACL, the flag will be back immediately.
To make sure that automatic migration with e.g. robocopy does not lead to ACLs silently (and unintentionally) changed, this patch adds an explicit check for this flag and if set, it will return NT_STATUS_NOT_SUPPORTED so errors are shown up on the Windows side and the Administrator is aware of the ACLs not being settable like intended
Signed-off-by: Christian Ambach <christian.ambach@de.ibm.com>
Volker Lendecke [Tue, 30 Jun 2009 12:26:32 +0000 (14:26 +0200)]
shadow_copy2: The system getrealfilename() can't deal with a 0-length fname
This fixes viewing the content of snapshots in the share root directory. We
have to treat the filename that *just* consists of "@GMT-YYYY.MM.DD-HH.MM.SS"
like the share root, which is the current working directory.
We have to deny a level 2 oplock if kernel oplocks are enabled
The second r/o opener of a file is supposed to get a level2 oplock. The first
opener due to the protection in process_oplock_break_message() has been forced
to break to no oplock. The second opener according to locking.tdb gets a level2
oplock. Further down in open_file_ntcreate we try to set this level2 oplock in
the kernel, and the non-clustered Linux kernel disallows this. The rules for
the kernel leases are a bit baroque, but the attempt to do the SETLEASE
correctly fails and we end up with no oplock for any client.
In the clustered case however the linux kernel on the second opening node has
not seen the open fd of the first node, it is only the cluster fs that has this
information. If the cluster fs does not have the very same notion of leases as
the local kernel has, we can end up with a WRLCK style kernel lease for the
second opener where locking.tdb only indicates a level2 oplock. Getting a
kernel oplock break signal with just a level2 oplock in locking.tdb is
something smbd is not prepared for. For example after sending out the break in
response to the kernel signal we set a timeout, waiting for a reply.
More work needs to be done to make level2 kernel oplocks real for us. This
patch addresses a real problem we have right now without them.
Volker Lendecke [Mon, 18 May 2009 11:30:16 +0000 (13:30 +0200)]
Move down the become_root()/unbecome_root() calls into the VFS modules
The aio_fork module does not need this, as it does not communicate via signals
but with pipes. Watching a strace log with those become_root() calls in aio.c
is absolutely awful, and it does affect performance.
Michael Adam [Thu, 14 May 2009 23:48:55 +0000 (01:48 +0200)]
s3:first cut at dbwrap_tool - a tdb tool that is CTDB-aware.
This tool (in contrast to tdbtool) reads Samba's configuration
and if clustering = yes, it talks to CTDB instead of accessing
the TDB data bases directly. This is done by simply using
the dbwrap mechanim, just like the Samba daemons.
This first version can read and write int32 and uint32 values
and delete records from a (c)tdb database.
More operations will follow.
This tool can already be useful in CTDB environments, e.g. when
"net idmap restore" fails to set the USER and GROUP HWM keys,
because the methods are deliberately not implemented in
idmap_tdb2.c. You can manually set the high water marks
with
"dbwrap_tool store idmap_tdb2.tdb 'USER HWM' int32 12345"
and
"dbwrap_tool store idmap_tdb2.tdb 'GROUP HWM' int32 67890"
Michael Adam [Tue, 28 Apr 2009 23:49:53 +0000 (01:49 +0200)]
s3:smbd/service: switch load_registry_service/shares to use loadparm routines
instead of reading the registry directly with tdb and activating the
configure options by hand.
This eliminates the need for repeating checks done in loadparm.
For instance it disables registry shares without path in the server
as is the case with text based shares.
Michael Adam [Mon, 27 Apr 2009 16:10:14 +0000 (18:10 +0200)]
s3:loadparm: prevent infinite include nesting.
This introduces a hard coded MAX_INCLUDE_DEPTH of 100.
When this is exceeded, handle_include (and hence lp_load) fails.
One could of course implement a more intelligent loop detection
in the include-tree, but this would require some restructuring
of the internal loadparm housekeeping. Maybe as a second improvement
step.
Fix annoying debug messages when no snapshots are used
Not being able to open the shadow copy directory is the same as having no
shadow copy support at all. The VFS module should in this case not log with
debug level 0 and set ENOSYS to indicate "no shadow copies used" to the higher
levels.
Jeremy Allison [Wed, 15 Apr 2009 21:09:32 +0000 (14:09 -0700)]
Fix bug #6089 - Winbind samr_OpenDomain not possible with Samba 3.2.6+
What a difference a name makes... :-). Just because something is missnamed
SA_RIGHT_SAM_OPEN_DOMAIN, when it should actually be SA_RIGHT_SAM_LOOKUP_DOMAIN,
don't automatically use it for a security check in _samr_OpenDomain().
Jeremy.