Günther Deschner [Wed, 17 Nov 2021 08:56:09 +0000 (09:56 +0100)]
pam_winbind: add new pwd_change_prompt option (defaults to off).
This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Joseph Sutton [Mon, 6 Dec 2021 01:54:31 +0000 (14:54 +1300)]
tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors
A skew error means the client just tried using PADATA-ENC-TIMESTAMP or
PADATA-ENCRYPTED-CHALLENGE, so it might not be necessary to announce
them in that case.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 7 08:32:42 UTC 2021 on sn-devel-184
Joseph Sutton [Mon, 6 Dec 2021 00:06:52 +0000 (13:06 +1300)]
tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 17 Nov 2021 07:17:27 +0000 (20:17 +1300)]
tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 17 Nov 2021 07:16:32 +0000 (20:16 +1300)]
tests/krb5: Adjust unknown critical FAST option test
Heimdal does not check FAST options when no preauth data is supplied, so
the original test could not pass against Heimdal.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 17 Nov 2021 07:15:12 +0000 (20:15 +1300)]
tests/krb5: Add test for FAST with invalid ticket checksum
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 17 Nov 2021 07:14:50 +0000 (20:14 +1300)]
tests/krb5: Remove magic flag constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 6 Dec 2021 21:59:27 +0000 (10:59 +1300)]
tests/krb5: Allow additional unexpected padata types
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 7 Dec 2021 02:45:06 +0000 (15:45 +1300)]
tests/krb5: Make edata checking less strict
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 18 Nov 2021 00:44:32 +0000 (13:44 +1300)]
tests/krb5: Add tests for FAST with use-session-key flag and armor ticket
This flag should be ignored and the FAST armor key used instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 16 Nov 2021 06:56:24 +0000 (19:56 +1300)]
tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 16 Nov 2021 06:55:44 +0000 (19:55 +1300)]
tests/krb5: Don't request renewable tickets
This is not necessary for testing FAST, and was causing some of the
tests to fail.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 16 Nov 2021 06:55:17 +0000 (19:55 +1300)]
tests/krb5: Adjust expected error codes for FAST tests
This allows more of the tests to pass.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 7 Dec 2021 00:15:38 +0000 (13:15 +1300)]
kdc: Canonicalize realm for enterprise principals
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 7 04:54:35 UTC 2021 on sn-devel-184
Andrew Bartlett [Mon, 6 Dec 2021 22:30:10 +0000 (11:30 +1300)]
heimdal_build: Do not build samba4kinit unless building embedded Heimdal
We should not attempt to build local copies of Heimdal utilities against
a system krb5 library.
Inspired by a WIP commit by Stefan Metzmacher <metze@samba.org> in his
lorikeet-heimdal import branch of patches to upgrade to a modern Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Tue, 6 Jul 2021 00:26:44 +0000 (12:26 +1200)]
lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators
This provides the defines that may be needed to use the
compiler-provided atomics, rather than a fallback.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Thu, 2 Dec 2021 22:58:53 +0000 (11:58 +1300)]
s4:torture: Remove pre-send and post-receive callbacks
The client-side testing done by these callbacks is no longer needed, and
the server-side testing is covered by Python-based tests. Removing these
leaves us with a more manageable test of the Kerberos API.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 2 Dec 2021 22:58:40 +0000 (11:58 +1300)]
s4:torture: Remove test combination with enterprise principal without canonicalize flag
This test combination is not needed. Removing it allows us to avoid
modifying requests prior to sending them, which can cause problems with
an upgraded Heimdal version.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 6 22:57:54 UTC 2021 on sn-devel-184
Joseph Sutton [Thu, 2 Dec 2021 22:57:49 +0000 (11:57 +1300)]
s4:torture: Remove AS_REQ_SELF test stage
This behaviour is already covered by existing Python tests. This test
stage also modifies the request prior to sending it, which can cause
problems with an upgraded Heimdal version.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 29 Nov 2021 20:42:00 +0000 (09:42 +1300)]
tests/krb5: Add tests for enterprise principals with canonicalization
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 25 Nov 2021 03:22:58 +0000 (16:22 +1300)]
tests/krb5: Add tests for AS-REQ with an SPN
Using a SPN should only be permitted if it is also a UPN, and is not an
enterprise principal.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 3 Dec 2021 00:13:29 +0000 (13:13 +1300)]
tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 25 Nov 2021 03:16:52 +0000 (16:16 +1300)]
tests/krb5: Check ticket cname for Heimdal
This is currently not checked in several places due to STRICT_CHECKING
being set to 0.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 2 Dec 2021 03:51:26 +0000 (16:51 +1300)]
tests/krb5: Check logon name in PAC for canonicalization tests
This allows us to ensure that the correct name makes it through to the
PAC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 2 Dec 2021 03:50:55 +0000 (16:50 +1300)]
tests/krb5: Only create testing accounts once per test run
This decreases the time that the tests take to run.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 6 Dec 2021 17:01:40 +0000 (18:01 +0100)]
waf:mitkrb5: Always define lib so we get the header include path
If you have libkrb5 in a non-standard include path, we would not check the
latest version but search default paths (e.g. /usr/include) first.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 3 Dec 2021 07:49:24 +0000 (08:49 +0100)]
waf:mitkrb5: Fix MIT KRB5 detection if not in default system location
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 3 Dec 2021 08:13:52 +0000 (09:13 +0100)]
waf:mitkrb5: Detect com_err with pkgconfig first
It is needed as a dependency later!
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 6 Dec 2021 17:00:33 +0000 (18:00 +0100)]
wafsamba: Pass lib to CHECK_DECLS()
This is needed if you have headers in non-standard include paths.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 6 Dec 2021 17:17:35 +0000 (18:17 +0100)]
s3:waf: Fix dependencies for libads
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 6 Dec 2021 17:13:58 +0000 (18:13 +0100)]
s4:waf: Fix dependencies for TORTURE_UTIL
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 6 Dec 2021 17:08:54 +0000 (18:08 +0100)]
s3:param: Only include smb_ldap.h for LDAP_* defines
There is no need for ads.h which would pull in krb5.h and much more ...
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 6 Dec 2021 17:08:37 +0000 (18:08 +0100)]
s3:param: Remove trailing spaces in loadparm.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Tue, 23 Nov 2021 15:59:01 +0000 (08:59 -0700)]
samba-tool: Test DNS record creation on member join
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Fri, 5 Nov 2021 20:43:18 +0000 (14:43 -0600)]
samba-tool: Create DNS entries on member join
The net ads join command already handles this,
and the call was missing from the python bindings
for samba-tool domain join member.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 2 Dec 2021 00:25:07 +0000 (13:25 +1300)]
heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed.
This will otherwise break the system-heimdal build.
This is correct regardless.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 6 21:48:30 UTC 2021 on sn-devel-184
Andrew Bartlett [Wed, 1 Dec 2021 22:47:35 +0000 (11:47 +1300)]
build: Remove kdc_include except where needed
This include was being set on too many subsystems, including some MIT-related.
This was a problem because it would then trigger the mixing of MIT and Heimdal
krb5.h files. It is now only set on the plugins and services that use the
embedded Heimdal KDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Dec 2021 22:33:02 +0000 (11:33 +1300)]
build: Only use embedded Heimdal include paths in an embedded Heimdal build
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Ralph Boehme [Mon, 6 Dec 2021 14:16:36 +0000 (15:16 +0100)]
docs: fix documentation for default of "fruit:zero_file_id"
This got changed by
6e65c283120e3e627f0d8570601263f904529996 without updating
the manpage.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14926
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec 6 18:24:24 UTC 2021 on sn-devel-184
Douglas Bagnall [Wed, 17 Nov 2021 20:17:53 +0000 (20:17 +0000)]
pytest/source_char: check for mixed direction text
As pointed out in https://lwn.net/Articles/875964, forbidding bidi
marker characters is not always going to be enough to avoid
right-to-left vs left-to-right confusion. Consider this:
    $ python -c's = "b = x # 2 * n * m"; print(s); print(s.replace("x", "א").replace("n", "ח"))'
    b = x # 2 * n * m
    b = א # 2 * ח * m
Those two lines are semantically the same, with the Hebrew letters
"א" and "ח" replacing "x" and "n". But they look like they mean
different things.
It is not enough to say we only allow these scripts (or indeed
non-ascii) in strings and comments, as demonstrated in this example:
    $ python -c's = "b = \"x#\" # n"; print(s); print(s.replace("x", "א").replace("n", "ח"))'
    b = "x#" # n
    b = "א#" # ח
where the second line is visually disordered but looks valid. Any series
of neutral characters between two RTL characters will be reversed (and
possibly mirrored).
In practice this affects one file, which is a text file for testing
unicode normalisation.
I think, for the reasons shown above, we are unlikely to see legitimate
RTL code outside perhaps of documentation files — but if we do, we can
add those files to the allow-list.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 3 18:53:43 UTC 2021 on sn-devel-184
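The check described in the commit message above, sketched as an added example (this is not the code from Samba's pytest/source_char test). It uses `unicodedata.bidirectional()` to flag lines that mix strong left-to-right and strong right-to-left characters even when no bidi control character is present; the file names, sample contents and allow-list entry are constructed for illustration.

```python
import unicodedata

STRONG_LTR = {"L"}
STRONG_RTL = {"R", "AL"}
# Explicit embedding, override and isolate controls (the "bidi markers").
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

ALEF, HET = "\u05d0", "\u05d7"  # the two Hebrew letters used in the commit message


def reordered_runs(line):
    """Return the text lying between two RTL characters with no strong LTR
    character in between: the runs a bidi-aware renderer displays reordered."""
    runs, prev = [], None
    for i, ch in enumerate(line):
        cls = unicodedata.bidirectional(ch)
        if cls in STRONG_LTR:
            prev = None  # a strong LTR character ends the RTL run
        elif cls in STRONG_RTL:
            if prev is not None and i - prev > 1:
                runs.append(line[prev + 1:i])
            prev = i
    return runs


def scan_line(line):
    """Return a list of (kind, detail) findings for one line of text."""
    classes = [unicodedata.bidirectional(ch) for ch in line]
    findings = []
    controls = sorted({f"U+{ord(ch):04X}"
                       for ch, cls in zip(line, classes) if cls in BIDI_CONTROLS})
    if controls:
        findings.append(("bidi-control", controls))
    has_ltr = any(cls in STRONG_LTR for cls in classes)
    has_rtl = any(cls in STRONG_RTL for cls in classes)
    if has_ltr and has_rtl:
        findings.append(("mixed-direction", reordered_runs(line)))
    return findings


def check_sources(sources, allow_list=()):
    """sources maps a file name to its text; allow-listed names are skipped."""
    report = {}
    for name, text in sources.items():
        if name in allow_list:
            continue
        hits = [(lineno, kind, detail)
                for lineno, line in enumerate(text.splitlines(), 1)
                for kind, detail in scan_line(line)]
        if hits:
            report[name] = hits
    return report


# Constructed sample input; the first two files reuse the lines from the
# commit message, the remaining names and contents are hypothetical.
SAMPLES = {
    "calc.py": f"b = x # 2 * n * m\nb = {ALEF} # 2 * {HET} * m\n",
    "quoted.py": f'b = "{ALEF}#" # {HET}\n',
    "override.py": "x = 1 # \u202e note\n",           # control character only
    "hebrew_notes.txt": f"{ALEF}{HET} {HET}{ALEF}\n",  # pure RTL, not mixed
    "unicode_normalisation.txt": f"{ALEF} a {HET}\n",  # allow-listed test data
}
ALLOW_LIST = {"unicode_normalisation.txt"}

if __name__ == "__main__":
    for name, hits in check_sources(SAMPLES, ALLOW_LIST).items():
        for lineno, kind, detail in hits:
            print(f"{name}:{lineno}: {kind}: {detail!r}")
```

A scan for control characters alone reports only `override.py`; the two lines from the commit message are caught by the mixed-direction rule, and the detail shows the run of neutral characters that is displayed reordered.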
Douglas Bagnall [Tue, 30 Nov 2021 21:20:48 +0000 (10:20 +1300)]
samba-tool domain backup: backup but do not follow symlinks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 24 Nov 2021 20:26:54 +0000 (09:26 +1300)]
samba-tool domain backup: cope better with dangling symlinks
Our previous behaviour was to try to os.stat() the non-existent
target.
The new code greatly improves efficiency for this little task.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Ralph Boehme [Fri, 26 Nov 2021 10:59:45 +0000 (11:59 +0100)]
smbd: s3-dsgetdcname: handle num_ips == 0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184
Ralph Boehme [Fri, 26 Nov 2021 09:57:17 +0000 (10:57 +0100)]
CVE-2020-25717: s3-auth: fix MIT Realm regression
This looks like a regression introduced by the recent security fixes. This
commit should hopefully fix it.
As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identically, but it might work in the standalone server case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 11 Nov 2021 23:44:44 +0000 (12:44 +1300)]
dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 18 Nov 2021 12:46:26 +0000 (13:46 +0100)]
libcli:auth: Allow to connect to netlogon server offering only AES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184
Günther Deschner [Thu, 18 Nov 2021 10:52:18 +0000 (11:52 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 18 Nov 2021 10:47:26 +0000 (11:47 +0100)]
s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 18 Nov 2021 10:43:08 +0000 (11:43 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 24 Nov 2021 12:21:28 +0000 (13:21 +0100)]
s3:libsmb: Remove trailing white spaces from passchange.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 18 Nov 2021 10:31:00 +0000 (11:31 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 18 Nov 2021 10:38:42 +0000 (11:38 +0100)]
s3:libnet: Remove trailing whitespaces in libnet_join.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 18 Nov 2021 10:32:42 +0000 (11:32 +0100)]
s3:rpcclient: Remove trailing white spaces in rpcclient.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 18 Nov 2021 10:18:59 +0000 (11:18 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 18 Nov 2021 10:14:16 +0000 (11:14 +0100)]
s3:rpc_client: Remove trailing white spaces from cli_pipe.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 17 Nov 2021 10:46:04 +0000 (11:46 +0100)]
testprogs: Add rpcclient schannel tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 15 Sep 2021 17:29:40 +0000 (19:29 +0200)]
smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO
We should not fail this just because the user doesn't have
permissions on the share root.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Dec 1 11:51:50 UTC 2021 on sn-devel-184
Stefan Metzmacher [Mon, 29 Nov 2021 18:56:20 +0000 (19:56 +0100)]
s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO should work on noperm share
Demonstrate that smbd fails FSCTL_QUERY_NETWORK_INTERFACE_INFO
only because the user doesn't have permissions on the share root.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 15 Sep 2021 18:27:12 +0000 (20:27 +0200)]
smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids
smbd_smb2_request_process_ioctl() already has detailed checks for file_ids,
which were not reached before.
.allow_invalid_fileid = true was only used for SMB2_OP_IOCTL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 29 Nov 2021 18:56:20 +0000 (19:56 +0100)]
s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO gives INVALID_PARAMETER with invalid file ids
An invalid file id for FSCTL_QUERY_NETWORK_INTERFACE_INFO gives
INVALID_PARAMETER instead of FILE_CLOSED.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 15 Sep 2021 18:26:58 +0000 (20:26 +0200)]
smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()
We should not send more data than the client requested.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 29 Nov 2021 18:44:12 +0000 (19:44 +0100)]
s4:torture/smb2: test FSCTL_QUERY_NETWORK_INTERFACE_INFO with BUFFER_TOO_SMALL
It seems that we currently don't have BUFFER_TOO_SMALL handling
for FSCTL/IOCTL calls.
FSCTL_QUERY_NETWORK_INTERFACE_INFO is just an easy example
to demonstrate it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 16 Aug 2021 15:28:05 +0000 (17:28 +0200)]
smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO
We should not fail this just because the user doesn't have permissions
on the share root.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 15 Sep 2021 15:25:53 +0000 (17:25 +0200)]
smb2_server: decouple IOCTL check from signing/encryption states
There's no reason to handle FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT
differently if signing/encryption is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 15 Sep 2021 15:22:39 +0000 (17:22 +0200)]
smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 15 Sep 2021 16:31:06 +0000 (18:31 +0200)]
s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE
Demonstrate that smbd fails FSCTL_VALIDATE_NEGOTIATE_INFO
only because the user doesn't have permissions on the share root.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 16 Sep 2021 08:51:43 +0000 (10:51 +0200)]
libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*
This will be used in tests in order to separate the tcon from
validate_negotiate_info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andrew Bartlett [Thu, 20 Dec 2018 03:24:28 +0000 (16:24 +1300)]
heimdal_build: Remove memset_s from roken, already in libreplace
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Nov 30 19:18:59 UTC 2021 on sn-devel-184
Gary Lockyer [Thu, 28 Sep 2017 21:22:20 +0000 (10:22 +1300)]
heimdal_build: Use HAVE___ATTRIBUTE__ for unused, noreturn and unused_result
[abartlet@samba.org Squashed with TODO commit from Gary that provided
HEIMDAL_UNUSED_ATTRIBUTE etc]
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 23 Nov 2021 22:49:37 +0000 (11:49 +1300)]
heimdal_build: Do not list hx509 files twice
This makes maintaining the file lists easier.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 7 Jul 2021 03:23:17 +0000 (15:23 +1200)]
Allow overflow in lib/hx509.c and lib/gssapi/mech/gss_inquire_cred.c
This is in preparation for the Heimdal upgrade (which otherwise
can be compiled with stricter flags).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 6 Jul 2021 00:26:17 +0000 (12:26 +1200)]
heimdal_build: Allow integer overflow errors in gen.c (only)
This is in preparation for the Heimdal upgrade.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 30 Nov 2021 16:03:06 +0000 (17:03 +0100)]
heimdal_build: consistently pass extra_cflags=cflags to HEIMDAL_CFLAGS()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 27 Aug 2021 11:06:00 +0000 (13:06 +0200)]
s4:samba: split out a samba_service_init() helper function
The loading function should be in the same SAMBA_LIBRARY()
as the modules.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Nov 30 16:44:57 UTC 2021 on sn-devel-184
Stefan Metzmacher [Fri, 27 Aug 2021 11:10:41 +0000 (13:10 +0200)]
vfs_not_implemented: mark all functions with _PUBLIC_
These functions are used directly by other modules.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 23 Aug 2021 12:56:15 +0000 (12:56 +0000)]
script/autobuild.py: make sure nss, pam and krb5 plugins don't provide unexpected symbols
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 23 Aug 2021 12:56:15 +0000 (12:56 +0000)]
script/autobuild.py: make sure nss and pam plugins don't link any samba libraries
Note that we exclude libtalloc.so.2 in pam_winbind.so as that simulates
a system libtalloc.so.2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: reduce dependencies to private libraries and link static/builtin if possible
Over the last month I got more and more reports,
that it's not possible to use a custom Samba version
on systems with sssd being installed, which depends on some
specific samba libraries installed in the system.
One major problem is that the custom libnss_winbind.so.2
depends on the libreplace-samba4.so of the custom build
and also injects an RPATH into the running process.
When sssd uses any nss library call it will get this,
when it then tries to load some of its plugins via dlopen(),
e.g.
    ldd /usr/lib64/sssd/libsss_ad.so | grep samba
        libsamba-util.so.0 => /lib64/libsamba-util.so.0
        libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so
        libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so
        libsamba-errors.so.1 => /lib64/libsamba-errors.so.1
        libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so
        libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so
        libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so
        libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so
        libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so
        libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so
When that loads dlopen() will fail as a soname libreplace-samba4.so is
already loaded, but the symbol versions within the other one don't match, as they
contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3.
This is just an example and similar things can happen in all situations
where we provide libraries, which are potentially injected into every
process of the running system. These should only depend on libc.so and
related basic system libraries in order to avoid the problem.
We have the following libraries, which are in that category:
- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
- async_dns_krb5_locator.so
The rules of library loading are really complex and symbol versioning
is not enough to solve it, only the combination of unique soname and
unique symbol version suffix seems to solve the problem, but injecting
an RPATH is still a problem.
In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM()
definitions with 'hide_symbols=True' in order to do some static linking
of selected components, e.g.
    bld.SAMBA_SUBSYSTEM('replace-hidden',
                        source=REPLACE_SOURCE,
                        group='base_libraries',
                        hide_symbols=True,
                        deps='dl attr' + extra_libs)
It's relatively simple to get to the point where the following are
completely static:
- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
But 'async_dns_krb5_locator.so' links in almost everything!
It seems we install the krb5 plugins into our own $MODULESDIR/krb5/,
so it may not be so critical, as long as it's the admin who created
the desired symlinks into the location the kerberos libraries search
for plugins. Note that at least the locator plugins are always loaded
without any configuration, every .so in a special path is loaded with dlopen().
This is done by every application using kerberos, so we load a lot of samba libraries
into them.
Packagers should not put async_dns_krb5_locator.so (nor a symlink) into
the path that's reachable by libkrb5.so.
As a longterm solution we may want to change async_dns_krb5_locator.so
to use a helper process with posix_spawn() instead of doing everything
within the process.
Note I added hide_symbols=True to the nss modules for Linux and
FreeBSD only, because these are the only platforms I'm able to test
on. We most likely should do the same on other platforms, but someone
with access to the platform should provide a tested patch.
In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with
'-hidden', I added the 'provide_builtin_linking=True' option,
as the logic is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.
SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal dependency by other subsystems and libraries.
While being there it was easy enough to make libwbclient.so
also standalone without dependencies to other samba libraries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 5 Aug 2021 16:03:14 +0000 (18:03 +0200)]
lib/replace: use dlsym(RTLD_DEFAULT,) for {nss,nss_host,uid,socket}_wrapper_enabled()
We should not provide the symbols ourselves; instead we should just check
if they are already available when we want to check the result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 12 Oct 2021 12:30:09 +0000 (14:30 +0200)]
nsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_
Some private functions from wbclient_internal.h already
leaked into the ABI. With hide_symbols=True we make sure
this doesn't happen again.
Having wbcRequestResponse[Priv]() as part of the ABI helps us
in order to hide winbindd_[priv_]request_response() soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark nss_module_register() _PUBLIC_ on FreeBSD
This is the only symbol which is used via dlopen()/dlsym() and
needs to be exported, in future we'll hide all other symbols.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark NSS_STATUS _nss_winbind_* symbols as _PUBLIC_ on Linux
The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll hide all other symbols.
On other platforms, which are implemented as wrappers above the
Linux implementation, we mark the symbols as _PRIVATE_.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark PAM_EXTERN pam_sm_* symbols as _PUBLIC_
The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll hide all other symbols.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark magic krb5 plugin symbols as _PUBLIC_
The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll hide all other symbols.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 22 Nov 2021 16:59:48 +0000 (17:59 +0100)]
nsswitch/wbinfo: use wbcRequestResponse() instead of winbindd_request_response()
We should try to route everything through libwbclient.so, because we
soon won't have a single library providing winbindd_request_response().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 22 Nov 2021 17:11:27 +0000 (18:11 +0100)]
nsswitch: move winbindd_free_response() as inline function to winbind_struct_protocol.h
nsswitch/wb_common.c will be made completely internal soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 22 Nov 2021 16:59:48 +0000 (17:59 +0100)]
s4:torture/winbind: use wbcRequestResponse() instead of winbindd_request_response()
We should try to route everything through libwbclient.so, because we
soon won't have a single library providing winbindd_request_response().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 22 Nov 2021 16:59:48 +0000 (17:59 +0100)]
s3:ntlm_auth: use wbcRequestResponse[Priv]() instead of winbindd_request_response()
We should try to route everything through libwbclient.so, because we
soon won't have a single library providing winbindd_request_response().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 26 Nov 2021 00:39:40 +0000 (01:39 +0100)]
s3:utils: remove notify_msg.c from smbstatus sources
This is not needed for smbstatus and the symbols are also available
via 'smbd_base', which already contains notify_msg.c.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 4 Aug 2021 16:03:13 +0000 (18:03 +0200)]
libwbclient: fix strict-overflow warning in wbcSidToString()
../../nsswitch/libwbclient/wbc_sid.c:83:5: error: assuming signed overflow does not occur when simplifying conditional [-Werror=strict-overflow]
if (len+1 > sizeof(buf)) {
^
Even this would fail:
../../nsswitch/libwbclient/wbc_sid.c:83:5: error: assuming signed overflow does not occur when simplifying conditional [-Werror=strict-overflow]
if (len >= sizeof(buf)) {
^
Note that this only seems to happen with gcc 7 and when -O3 and
-fvisibility=hidden are used together. E.g. in the opensuse151-samba-o3
builds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 18 Aug 2021 15:55:25 +0000 (17:55 +0200)]
heimdal_build: let HEIMDAL_LIBRARY() use SAMBA_LIBRARY()
This simplifies a lot and makes sure we always use the
same rules for private libraries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 18 Aug 2021 13:47:33 +0000 (15:47 +0200)]
heimdal_build: avoid using hardcoded vnum values passed to HEIMDAL_LIBRARY()
For private libraries we don't want versioned sonames,
it's also pointless to use the upstream heimdal vnum values
for our private libraries as the soname is different anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 18 Aug 2021 13:47:33 +0000 (15:47 +0200)]
heimdal_build: remove unused cflags argument of HEIMDAL_LIBRARY()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 18 Aug 2021 15:34:09 +0000 (17:34 +0200)]
wafsamba: allow SAMBA_LIBRARY() to get and use original 'version-script.map' for private libraries
We'll soon use this for the internal Heimdal build and take the raw
version-script.map files in order to create our own .vscript file
with our private version suffix.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 20 Aug 2021 21:05:57 +0000 (23:05 +0200)]
wafsamba: introduce SAMBA[3]_PLUGIN()
This will be used to define plugins we provide to be used
via dlopen/dlsym to external consumers.
SAMBA_PLUGIN() is used instead of SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal dependency by other subsystems and libraries.
With require_builtin_deps=True we make sure that only
symbols explicitly marked with _PUBLIC_ are exported
and we only link to system libraries and include all
internal dependencies as builtin subsystems.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
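
The property this commit describes (only the dlsym() entry points are exported, and nothing Samba-private is linked dynamically) can be checked from the outside on a built plugin. The sketch below is an added example, not code from the Samba tree: it parses constructed `nm -D --defined-only` and `readelf -d` output, and the private-soname patterns and function names are assumptions made for illustration.

```python
import fnmatch
import re

# Entry points a host looks up with dlsym(); patterns taken from the commit subjects on this page.
ALLOWED_EXPORTS = {
    "pam_winbind.so": ["pam_sm_*"],
    "libnss_winbind.so.2": ["_nss_winbind_*"],
}
# Assumption: Samba-private libraries are recognisable by a soname suffix like these.
PRIVATE_SONAME = re.compile(r"-samba4\.so|-private-samba\.so")

# Constructed `nm -D --defined-only` and `readelf -d` output, not from a real build.
NM_GOOD = """\
0000000000004a10 T pam_sm_authenticate
0000000000005b30 T pam_sm_chauthtok
0000000000004f80 T pam_sm_setcred
"""
NM_LEAKY = NM_GOOD + """\
0000000000007c40 T winbindd_request_response
0000000000008d10 T rep_strlcpy
"""
READELF_GOOD = """\
 0x0000000000000001 (NEEDED)  Shared library: [libpam.so.0]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
"""
READELF_LEAKY = READELF_GOOD + """\
 0x0000000000000001 (NEEDED)  Shared library: [libreplace-samba4.so]
"""

def leaked_symbols(plugin, nm_output):
    """Return exported symbols that match none of the plugin's allowed patterns."""
    leaked = []
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1] not in "TDBRWV":
            continue  # skip anything that is not a defined global symbol line
        name = fields[2].split("@")[0]  # drop a "@@VERSION" suffix if present
        if not any(fnmatch.fnmatchcase(name, p) for p in ALLOWED_EXPORTS[plugin]):
            leaked.append(name)
    return leaked

def private_needed(readelf_output):
    """Return DT_NEEDED entries that point at Samba-private libraries."""
    needed = re.findall(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]", readelf_output)
    return [lib for lib in needed if PRIVATE_SONAME.search(lib)]

def audit(plugin, nm_output, readelf_output):
    """Combine both checks; two empty lists mean the plugin is self-contained."""
    return {"leaked": leaked_symbols(plugin, nm_output),
            "private_deps": private_needed(readelf_output)}
```

A packaging check can feed the real tool output for each installed plugin into `audit()` and fail the build when either list is non-empty.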
Stefan Metzmacher [Thu, 19 Aug 2021 15:31:24 +0000 (17:31 +0200)]
wafsamba: introduce require_builtin_deps/provide_builtin_linking/builtin_cflags to SAMBA_{SUBSYSTEM,LIBRARY}
The 'provide_builtin_linking=True' option allows wscript files
to specify that a SAMBA_{SUBSYSTEM,LIBRARY} will also create a
builtin version of them in addition.
The logic behind this is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.
This avoids the need for manual definitions of SAMBA_SUBSYSTEMS()
like this:
    bld.SAMBA_SUBSYSTEM('replace-hidden',
                        source=REPLACE_SOURCE,
                        group='base_libraries',
                        hide_symbols=True,
                        deps='dl attr' + extra_libs)
The builtin version will also make sure that it will include all
dependencies (of internal code) also in the builtin variant.
Note that this is also possible if the dependency also
provided 'provide_builtin_linking=True' in order to limit
the scope.
We now imply '-D_PUBLIC_=_PRIVATE_' and 'hide_symbols=True' for
builtin libraries and subsystems in order to avoid exporting
the symbols of them.
With 'require_builtin_deps=True' a library can specify that it
is only able to use libraries/subsystems marked with
provide_builtin_linking=True. As a result it won't
link against any other SAMBA_LIBRARY() dependency,
but link in everything internal. Only system libraries
still get linked dynamically.
Use 'git show -w' to see a reduced diff.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 20 Aug 2021 14:25:02 +0000 (16:25 +0200)]
wafsamba: let reduce_objects() not remove duplicates of BUILTINS even if there are more than one
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 20 Aug 2021 12:27:17 +0000 (12:27 +0000)]
wafsamba: add SAMBA_SUBSYSTEM(force_empty=False)
We will need to define empty subsystems without any dependency.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 18 Aug 2021 15:20:12 +0000 (17:20 +0200)]
wafsamba: assert for *.sigs source files in abi_build_vscript()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 1 Jul 2021 13:29:46 +0000 (15:29 +0200)]
wafsamba: the symbol version string of private libraries should be based on the toplevel project
If we build a private library all symbols should be made private based
on a unique suffix.
When we use a unique soname and a unique symbol version suffix it's very unlikely
to hit conflicts due to inherited libraries.
For the abi checking we still use the original vnum as abi_vnum.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>