Günther Deschner [Mon, 1 Nov 2021 13:02:00 +0000 (14:02 +0100)]
Günther Deschner [Mon, 1 Nov 2021 13:01:20 +0000 (14:01 +0100)]
wip
Günther Deschner [Wed, 6 Oct 2021 14:26:37 +0000 (16:26 +0200)]
Revert "wip: use global option, not parametric"
This reverts commit
c39224e34170f9f90cdf4300f18eda6e1f2d6285.
Günther Deschner [Wed, 29 Sep 2021 14:22:46 +0000 (16:22 +0200)]
wip: use global option, not parametric
Günther Deschner [Mon, 1 Nov 2021 08:52:00 +0000 (09:52 +0100)]
s3-smbd: use memcache store of acl_xattr_name in samba_private_attr_name()
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Mon, 1 Nov 2021 08:50:10 +0000 (09:50 +0100)]
s3-memcache: add new memcache type XATTR_NAME_CACHE
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Thu, 9 Sep 2021 14:42:30 +0000 (16:42 +0200)]
docs: document xattr:unprotected_ntacl_name
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Thu, 9 Sep 2021 13:39:32 +0000 (15:39 +0200)]
python: pass down xattr names to copytree_with_xattrs() in xattr module
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Thu, 9 Sep 2021 13:14:23 +0000 (15:14 +0200)]
python: query parametric ntacls option for the xattr name
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Wed, 18 Nov 2020 17:26:43 +0000 (18:26 +0100)]
s4-ntvfs: use xattr_ntacl_name() in pvfs_xattr module
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Wed, 18 Nov 2020 17:25:31 +0000 (18:25 +0100)]
s4-ntvfs: use xattr_ntacl_name() in pvfs_acl_xattr module
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Wed, 18 Nov 2020 17:19:00 +0000 (18:19 +0100)]
s4-ntvfs: add xattr_ntacl_name()
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Wed, 18 Nov 2020 16:24:50 +0000 (17:24 +0100)]
s3-smbd: use get_xattr_acl_name() in samba_private_attr_name()
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Thu, 9 Sep 2021 14:11:33 +0000 (16:11 +0200)]
s3-smbd: pass down service to samba_private_attr_name()
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Wed, 18 Nov 2020 16:21:38 +0000 (17:21 +0100)]
s3-modules: add and use get_xattr_acl_name_from_config wrapper acl_xattr vfs module
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Wed, 29 Sep 2021 14:48:35 +0000 (16:48 +0200)]
s3-modules: store xattr ntacl value in common acl_config
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Wed, 18 Nov 2020 16:20:15 +0000 (17:20 +0100)]
s3-modules: add get_xattr_acl_name() helper, defaults to security.NTACL
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Ralph Boehme [Wed, 3 Nov 2021 13:40:01 +0000 (14:40 +0100)]
smbd: early out in is_visible_fsp()
This is used in a hot codepath (directory enumeration) so we should avoiding the
string comparisions by adding an early exit.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 3 17:33:00 UTC 2021 on sn-devel-184
Ralph Boehme [Tue, 2 Nov 2021 04:34:59 +0000 (05:34 +0100)]
vfs_fruit: remove a fsp check from ad_fset()
This comes from times before we had pathref fsps. Back then if you wanted to
check if fsp->fh->fd contained a valid value != -1, you'd also first check that
the passed in fsp and fsp->fh are non NULL. With pathref fsps we don't need this
anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14890
RN: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 2 Nov 2021 17:44:44 +0000 (10:44 -0700)]
s3: smbd: dirfsp is being used uninitialized inside rmdir_internals().
Not caught be the tests in bugs 14878, 14879 as can_delete_directory_fsp()
doesn't have the same bug.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14892
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 3 14:33:49 UTC 2021 on sn-devel-184
Pavel Filipenský [Thu, 21 Oct 2021 13:01:48 +0000 (15:01 +0200)]
s3:librpc: Improve calling of krb5_kt_end_seq_get()
Remove indentation with early return, best reviewed with
git show -b
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 3 08:36:00 UTC 2021 on sn-devel-184
David Mulder [Thu, 14 Oct 2021 21:36:52 +0000 (15:36 -0600)]
gp: Apply Firewalld Policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 1 21:16:43 UTC 2021 on sn-devel-184
David Mulder [Tue, 12 Oct 2021 18:54:09 +0000 (12:54 -0600)]
gp: Test Firewalld Group Policy Apply
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
David Mulder [Wed, 6 Oct 2021 18:46:26 +0000 (12:46 -0600)]
gp: Add Firewalld ADMX templates
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Martin Schwenke [Sun, 31 Oct 2021 00:59:30 +0000 (11:59 +1100)]
debug: Add new smb.conf option "debug syslog format"
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 1 07:29:47 UTC 2021 on sn-devel-184
Martin Schwenke [Thu, 28 Oct 2021 08:05:19 +0000 (19:05 +1100)]
debug: Add debug_syslog_format setting
Without debug_hires_timestamp this produces a syslog style header
containing:
"MON DD HH:MM:SS HOSTNAME PROGNAME[PID] "
With debug_hires_timestamp this produces a syslog style header
containing:
"RFC5424-TIMESTAMP HOSTNAME PROGNAME[PID] "
All other settings are ignored.
This will be made visible via smb.conf in a subsequent commit.
This commit adds some simple hostname handling. It avoids using
get_myname() from util.c because using that potentially pulls in all
manner of dependencies. No real error handling is done. In the worst
case debug_set_hostname() sets the hostname to a truncated version of
the given string. Similarly, in an even weirder world,
ensure_hostname() sets the hostname to a truncation of "unknown".
Both of these are unlikely in all reasonable cases.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andrew Walker [Thu, 28 Oct 2021 20:01:42 +0000 (16:01 -0400)]
s3:modules:recycle - fix crash in recycle_unlink_internal
Original logic for separating path from base name assumed
that we were using same string to determine offset when
getting the parent dir name (smb_fname->base_name).
Simplify by using parent_dirname() to split the path
from base name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14888
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Oct 30 04:34:53 UTC 2021 on sn-devel-184
eaglegai [Thu, 28 Oct 2021 13:51:13 +0000 (21:51 +0800)]
fix undefined-shift in put_res_rec fuzz error: ../../source3/libsmb/nmblib.c:451:4: runtime error: left shift of 65312 by 16 places cannot be represented in type 'int'
Author: eaglegai <eaglegai@163.com>
Signed-off-by: eaglegai <eaglegai@163.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 29 20:29:26 UTC 2021 on sn-devel-184
Jeremy Allison [Mon, 25 Oct 2021 19:42:02 +0000 (12:42 -0700)]
s3: docs-xml: Clarify the "delete veto files" paramter.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 29 14:57:14 UTC 2021 on sn-devel-184
Jeremy Allison [Mon, 25 Oct 2021 19:36:57 +0000 (12:36 -0700)]
s3: smbd: Fix logic in can_delete_directory_fsp() to cope with dangling symlinks.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Mon, 25 Oct 2021 19:32:29 +0000 (12:32 -0700)]
s3: smbd: Fix logic in rmdir_internals() to cope with dangling symlinks.
Still need to add the same logic in can_delete_directory_fsp()
before we can delete the knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Mon, 25 Oct 2021 19:21:37 +0000 (12:21 -0700)]
s3: smbd: Fix rmdir_internals() to do an early return if lp_delete_veto_files() is not set.
Fix the comments to match what the code actually does. The
exit at the end of the scan directory loop if we find a client
visible filename is a change in behavior, but the previous
behavior (not exist on visible filename, but delete it) was
a bug and in non-tested code. Now it's testd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Mon, 25 Oct 2021 19:02:43 +0000 (12:02 -0700)]
s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling symlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Mon, 25 Oct 2021 19:01:58 +0000 (12:01 -0700)]
s3: VFS: streams_depot. Allow unlinkat to cope with dangling symlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Thu, 21 Oct 2021 23:37:27 +0000 (16:37 -0700)]
s3: smbd: Add two tests showing the ability to delete a directory containing a dangling symlink over SMB2 depends on "delete veto files" setting.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Thu, 21 Oct 2021 23:18:24 +0000 (16:18 -0700)]
s3: smbd: Fix recursive directory delete of a directory containing veto file and msdfs links.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Thu, 21 Oct 2021 22:06:20 +0000 (15:06 -0700)]
s3: smbd: Add two tests showing recursive directory delete of a directory containing veto file and msdfs links over SMB2.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andreas Schneider [Tue, 26 Oct 2021 07:20:32 +0000 (09:20 +0200)]
editorconfig: Heimdal has mixed spaces and tabs with different width
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 29 10:16:15 UTC 2021 on sn-devel-184
Andreas Schneider [Thu, 28 Oct 2021 08:50:30 +0000 (10:50 +0200)]
third_party: Update pam_wrapper to version 1.1.4
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 28 19:03:04 UTC 2021 on sn-devel-184
Ralph Boehme [Tue, 5 Oct 2021 13:10:33 +0000 (15:10 +0200)]
lib: handle NTTIME_THAW in nt_time_to_full_timespec()
Preliminary handling of NTTIME_THAW to avoid NTTIME_THAW is passed as some
mangled value down to the VFS set timestamps function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
RN: Avoid storing NTTIME_THAW (-2) as value on disk
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 28 Oct 2021 10:55:39 +0000 (12:55 +0200)]
torture: add a test for NTTIME_FREEZE and NTTIME_THAW
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 28 Oct 2021 08:18:54 +0000 (10:18 +0200)]
lib: add a test for null_nttime(NTTIME_THAW)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 28 Oct 2021 08:18:17 +0000 (10:18 +0200)]
lib: update null_nttime() of -1: -1 is NTTIME_FREEZE
NTTIME_FREEZE is not a nil sentinel value, instead it implies special, yet
unimplemented semantics. Callers must deal with those values specifically and
null_nttime() must not lie about their nature.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 28 Oct 2021 08:17:01 +0000 (10:17 +0200)]
lib: use NTTIME_FREEZE in a null_nttime() test
No change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Wed, 27 Oct 2021 15:02:48 +0000 (17:02 +0200)]
lib: fix null_nttime() tests
The test was checking -1 twice:
torture_assert(tctx, null_nttime(-1), "-1");
torture_assert(tctx, null_nttime(-1), "-1");
The first line was likely supposed to test the value "0".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 5 Oct 2021 13:10:10 +0000 (15:10 +0200)]
lib: add NTTIME_THAW
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Wed, 27 Oct 2021 11:45:15 +0000 (13:45 +0200)]
lib:cmdline: Fix -k option which doesn't expect anything
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14846
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct 28 13:23:34 UTC 2021 on sn-devel-184
Andreas Schneider [Wed, 27 Oct 2021 13:30:20 +0000 (15:30 +0200)]
testprogs: Use new cmdline option for kerberos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14846
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
David Mulder [Tue, 26 Oct 2021 14:46:24 +0000 (08:46 -0600)]
Revert "samba-tool: Pick local host if calling samba-tool from DC"
This reverts commit
7c9195e28bc51ac375d609f8306db2456f348167.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Tue Oct 26 16:00:28 UTC 2021 on sn-devel-184
David Mulder [Mon, 25 Oct 2021 14:49:35 +0000 (08:49 -0600)]
samba-tool: Pick local host if calling samba-tool from DC
It is reasonable to assume, that if we are running a command from a DC,
that a user expects that the command will run against this DC.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Tue Oct 26 14:23:42 UTC 2021 on sn-devel-184
Andreas Schneider [Mon, 25 Oct 2021 12:29:56 +0000 (14:29 +0200)]
Revert "gp: Add Firewalld ADMX templates"
This reverts commit
7253405c35247dff192e86598b18d524e1602818.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Mon Oct 25 15:04:18 UTC 2021 on sn-devel-184
Andreas Schneider [Mon, 25 Oct 2021 12:29:41 +0000 (14:29 +0200)]
Revert "gp: Test Firewalld Group Policy Apply"
This reverts commit
8f347449190c698ec4d2720bbf6ffced853ef797.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Andreas Schneider [Mon, 25 Oct 2021 12:29:20 +0000 (14:29 +0200)]
Revert "gp: Apply Firewalld Policy"
This reverts commit
9ac2d5d991d16d1957c720fcda3ff6a9ac78dc13.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Joseph Sutton [Thu, 21 Oct 2021 03:46:56 +0000 (16:46 +1300)]
tests/krb5: Check account name and SID in PAC for S4U tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Oct 25 09:23:35 UTC 2021 on sn-devel-184
David Mulder [Thu, 14 Oct 2021 21:36:52 +0000 (15:36 -0600)]
gp: Apply Firewalld Policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
David Mulder [Tue, 12 Oct 2021 18:54:09 +0000 (12:54 -0600)]
gp: Test Firewalld Group Policy Apply
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
David Mulder [Wed, 6 Oct 2021 18:46:26 +0000 (12:46 -0600)]
gp: Add Firewalld ADMX templates
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Andrew Bartlett [Thu, 21 Oct 2021 21:50:36 +0000 (10:50 +1300)]
lib/krb5_wrap: Fix missing error check in new salt code
CID
1492905: Control flow issues (DEADCODE)
This was a regression in
5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184
Andrew Bartlett [Tue, 19 Oct 2021 03:01:36 +0000 (16:01 +1300)]
dsdb: Allow special chars like "@" in samAccountName when generating the salt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
Joseph Sutton [Tue, 19 Oct 2021 23:46:36 +0000 (12:46 +1300)]
tests/krb5: Add tests for account salt calculation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 19 Oct 2021 23:45:47 +0000 (12:45 +1300)]
tests/krb5: Fix account salt calculation to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 19 Oct 2021 23:45:08 +0000 (12:45 +1300)]
tests/krb5: Allow specifying the UPN for test accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 19 Oct 2021 23:44:19 +0000 (12:44 +1300)]
tests/krb5: Allow creating machine accounts without a trailing dollar
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 19 Oct 2021 23:41:39 +0000 (12:41 +1300)]
tests/krb5: Allow specifying prefix or suffix for test account names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 19 Oct 2021 23:39:05 +0000 (12:39 +1300)]
tests/krb5: Decrease length of test account prefix
This allows us more room to test with different account names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 5 Oct 2021 14:42:00 +0000 (16:42 +0200)]
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
This is much more flexible and concentrates the logic in a single place.
We'll use winbindd => "offline" in other places soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 8 Oct 2021 16:04:55 +0000 (18:04 +0200)]
selftest/Samba3: remove unused close(USERMAP); calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 4 Oct 2021 11:02:35 +0000 (13:02 +0200)]
waf: Allow building with MIT KRB5 >= 1.20
gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
105 | typedef bool_t (*xdrproc_t)();
| ^~~~~~~
This can't be fixed, as the protoype is variadic. It can take up to three
arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Sun, 17 Oct 2021 22:55:14 +0000 (11:55 +1300)]
selftest: Improve error handling and perl style when setting up users in Samba4.pm
This catches errors and avoids using global varibles (the old
style file handles are global).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 18 Oct 2021 07:44:54 +0000 (20:44 +1300)]
selftest: Remove duplicate setup of $base_dn and $ldbmodify
These are already set up to the same values above for the full
DC and correct values for the (strange) s4member environment.
By not setting $base_dn again we avoid an error once we start
checking for them.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Douglas Bagnall [Thu, 19 Aug 2021 23:26:02 +0000 (11:26 +1200)]
pytest: s3_net_join: avoid name clash
The net_join test uses "NetJoinTest" (and doesn't properly clean up),
we must use a unique name for this test in s3_net_join.py.
[abartlet@samba.org The hilarious naming conventions come from a time when samba-tool
was known as "net" in the s4 branch]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Fri, 8 Oct 2021 02:40:09 +0000 (15:40 +1300)]
selftest: krb5 account creation: clarify account type as an enum
This makes the code clearer with a symbolic constant rather
than a True/False boolean.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Douglas Bagnall [Thu, 5 Aug 2021 23:08:10 +0000 (11:08 +1200)]
pytest: dynamic tests optionally add __doc__
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 20 Sep 2021 04:27:40 +0000 (16:27 +1200)]
selftest: Increase account lockout windows to make test more realiable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Douglas Bagnall [Wed, 8 Sep 2021 05:01:26 +0000 (17:01 +1200)]
pytest/rodc_rwdc: try to avoid race.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Viktor Dukhovni [Wed, 10 Aug 2016 23:31:14 +0000 (23:31 +0000)]
HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
Commit
f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
(similar to heimdal commit
b1e699103f08d6a0ca46a122193c9da65f6cf837)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184
Joseph Sutton [Mon, 18 Oct 2021 03:07:11 +0000 (16:07 +1300)]
tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
Joseph Sutton [Mon, 18 Oct 2021 03:05:19 +0000 (16:05 +1300)]
tests/krb5: Ensure PAC is not present if expect_pac is false
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 18 Oct 2021 03:00:45 +0000 (16:00 +1300)]
kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped not to given an error if the PAC was still
present.
Tested against Windows 2019
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 18 Oct 2021 02:21:50 +0000 (15:21 +1300)]
kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 16 Apr 2018 14:08:29 +0000 (16:08 +0200)]
netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't ignore result
This is a low level function that should not ignore results.
If the caller doesn't care it's his choice.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 19 20:20:00 UTC 2021 on sn-devel-184
Stefan Metzmacher [Tue, 28 Sep 2021 20:24:32 +0000 (22:24 +0200)]
libcli/smb: use MID=0 for SMB2 Cancel with ASYNC_ID and legacy signing algorithms
We can only assume that servers with support for AES-GMAC-128 signing
will except an SMB2 Cancel with ASYNC_ID and real MID.
This strategy is also used by Windows clients, because
some vendors don't cope otherwise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14855
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 19 19:23:39 UTC 2021 on sn-devel-184
Martin Schwenke [Tue, 19 Oct 2021 00:00:22 +0000 (11:00 +1100)]
bootstrap: Debian 11 has liburing-dev
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14872
Signed-off-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 19 09:14:10 UTC 2021 on sn-devel-184
Martin Schwenke [Thu, 14 Oct 2021 03:50:41 +0000 (14:50 +1100)]
bootstrap: Add Debian 11
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14872
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Oct 18 17:19:17 UTC 2021 on sn-devel-184
Joseph Sutton [Fri, 15 Oct 2021 01:29:26 +0000 (14:29 +1300)]
tests/krb5: Add tests for requesting a service ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
Joseph Sutton [Fri, 15 Oct 2021 01:27:25 +0000 (14:27 +1300)]
tests/krb5: Add method to get the PAC from a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 15 Oct 2021 01:27:15 +0000 (14:27 +1300)]
tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 15 Oct 2021 01:26:40 +0000 (14:26 +1300)]
tests/krb5: Allow get_tgt() to request including or omitting a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 14 Oct 2021 23:12:30 +0000 (12:12 +1300)]
heimdal:kdc: Fix ticket signing without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 15 Oct 2021 00:09:20 +0000 (13:09 +1300)]
selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
The previous commit was correct on intention, but it was not noticed
as there is a race, that the incorrect rule was appended to.
These links are removed by remove_plausible_deleted_DN_links not
fix_all_old_dn_string_component_mismatch
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184
Andrew Bartlett [Thu, 14 Oct 2021 19:22:17 +0000 (08:22 +1300)]
gitlab-ci: Do not download artifacts of unrelated builds
This needs: is overridden in many cases, but ensures none of the other
main jobs start until this build finishes. However this also
ensures we do not download artifacts from any build unless we
specifically depend on it, saving bandwidth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Thu, 14 Oct 2021 07:24:49 +0000 (20:24 +1300)]
gitlab-ci: Do not retry for job_execution_timeout
If we timeout, we should just stop at 2 hours, not waste 6 hours (3 x 2 hours).
This is for when the job runs long for any reason, currently the
reasons for a timeout are not transient, we need to either change
the timeout or fix the system. Likewise if the tests get into a loop
or deadlock we want to see that as a failure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Jeremy Allison [Wed, 13 Oct 2021 16:46:07 +0000 (09:46 -0700)]
s3: smbspool. Remove last use of 'extern char **environ;'.
This should come from lib/replace/replace.h to cope with
system (MacOSX etc.) differences.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 14 19:51:59 UTC 2021 on sn-devel-184
Nicolas Williams [Mon, 11 Oct 2021 02:55:59 +0000 (21:55 -0500)]
krb5: Fix PAC signature leak affecting KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Cherry-picked from Heimdal commit
54581d2d52443a9a07ed5980df331f660b397dcf]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 8 Oct 2021 03:08:39 +0000 (16:08 +1300)]
s4:kdc: Check ticket signature
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 8 Oct 2021 02:43:41 +0000 (15:43 +1300)]
heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
This lets us call it from Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 11 Aug 2021 01:27:11 +0000 (13:27 +1200)]
s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Luke Howard [Thu, 23 Sep 2021 07:51:51 +0000 (17:51 +1000)]
kdc: correctly generate PAC TGS signature
When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.
Patch from Isaac Bourkis <iboukris@gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
e7863e2af922809dad25a2e948e98c408944d551
- Samba's Heimdal version does not have the generate_pac() helper
function.
- Samba's Heimdal version does not use the 'r' context variable.
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Luke Howard [Thu, 23 Sep 2021 04:39:35 +0000 (14:39 +1000)]
kdc: use ticket client name when signing PAC
The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
3b0856cab2b25624deb1f6e0e67637ba96a647ac
- Renamed variable to avoid shadowing existing variable
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Luke Howard [Sun, 6 Jan 2019 06:54:58 +0000 (17:54 +1100)]
kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
f1dd2b818aa0866960945edea02a6bc782ed697c
- Removed change to _kdc_find_etype() use_strongest_session_key
parameter since Samba's Heimdal version uses different logic
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>