Ralph Boehme [Wed, 12 Jul 2017 07:33:59 +0000 (09:33 +0200)]
vfs_fruit: don't use MS NFS ACEs with Windows clients
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12897
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Jul 13 22:21:08 CEST 2017 on sn-devel-144
Martin Schwenke [Wed, 12 Jul 2017 02:22:10 +0000 (12:22 +1000)]
ctdb-docs: Update documentation of ipreallocated event
This was out of date due to the removal of service_check_reconfigure()
and similar.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Thu Jul 13 17:57:11 CEST 2017 on sn-devel-144
Martin Schwenke [Wed, 12 Jul 2017 03:41:17 +0000 (13:41 +1000)]
ctdb-common: Set close-on-exec when creating PID file
Otherwise, for example, the file descriptor for the main PID file will
leak all the way down to event scripts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12898
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Volker Lendecke [Tue, 11 Jul 2017 14:04:01 +0000 (16:04 +0200)]
libwbclient: Fix CID 1414781 Dereference null return value
Basically a cut&paste error from somewhere else
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jul 12 22:12:22 CEST 2017 on sn-devel-144
Volker Lendecke [Tue, 11 Jul 2017 11:50:09 +0000 (13:50 +0200)]
spoolss: Fix CID 1414784 Uninitialized scalar variable
"struct tm" can contain more members than we explicitly initialize.
Initialize them all.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeffrey Altman [Wed, 12 Apr 2017 19:40:42 +0000 (15:40 -0400)]
CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894
(based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 12 17:44:50 CEST 2017 on sn-devel-144
Ralph Boehme [Tue, 11 Jul 2017 19:35:17 +0000 (21:35 +0200)]
dbwrap: Ask CTDB for local tdb open flags
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 12 13:25:11 CEST 2017 on sn-devel-144
Ralph Boehme [Tue, 11 Jul 2017 18:41:43 +0000 (20:41 +0200)]
ctdbd_conn: pass persistent bool instead of tdb_flags
ctdbd_db_attach() only needs to know the ctdb database model, not the
rest of the flags.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Ralph Boehme [Tue, 11 Jul 2017 18:36:35 +0000 (20:36 +0200)]
ctdbd_conn: move CTDB_CONTROL_ENABLE_SEQNUM control to db_open_ctdb
No change in behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Amitay Isaacs [Mon, 10 Jul 2017 14:38:59 +0000 (00:38 +1000)]
dbwrap: CTDB ignores tdb_flags passed to db attach controls
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Sun, 9 Jul 2017 14:23:20 +0000 (16:23 +0200)]
dbwrap: enable mutexes by default for volatile TDBs
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Ralph Boehme [Sun, 9 Jul 2017 14:20:11 +0000 (16:20 +0200)]
ctdb: enable mutexes for volatile TDBs by default
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12891
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Dustin L. Howett via samba-technical [Fri, 30 Jun 2017 23:10:01 +0000 (16:10 -0700)]
idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN
All other ldap-querying methods in idmap_ad make a single retry attempt if they get
TLDAP_SERVER_DOWN. This patch brings idmap_ad_query_user in line with that design.
This fixes the symptom described in 12720 at the cost of an additional reconnect per
failed lookup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12720
Signed-off-by: Dustin L. Howett <dustin@howett.net>
Reviewed-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Mon, 10 Jul 2017 14:20:23 +0000 (16:20 +0200)]
selftest: add some basic tests for idmap_ad
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Ralph Boehme [Mon, 10 Jul 2017 14:19:18 +0000 (16:19 +0200)]
selftest: add ad_member_idmap_ad server
Add a member server that uses idmap_ad. Gets used in the next commit.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Wed, 28 Jun 2017 16:10:28 +0000 (18:10 +0200)]
vfs_fruit: add fruit:model = <modelname> parametric option
fruit:model = iMac
fruit:model = MacBook
fruit:model = MacPro
fruit:model = Xserve
will all display a different icon inside Finder.
Formerly, we used "Samba" which resulted in a "?" icon in Finder, with
the new default "MacSamba" we appear with a computer box icon at least.
Guenther
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12840
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jul 12 03:17:57 CEST 2017 on sn-devel-144
Anoop C S [Wed, 5 Jul 2017 13:37:04 +0000 (19:07 +0530)]
ctdb-scripts: Fix inline comments in 10.interface
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Tue Jul 11 11:45:04 CEST 2017 on sn-devel-144
Ralph Boehme [Sun, 9 Jul 2017 12:34:10 +0000 (14:34 +0200)]
s3/vfs: rename SMB_VFS_STRICT_LOCK to SMB_VFS_STRICT_LOCK_CHECK
As per MS-SMB2 and MS-FSA and our SMB_VFS_STRICT_LOCK implementation,
we're merely testing for locks, not setting any.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12887
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 11 03:37:44 CEST 2017 on sn-devel-144
Ralph Boehme [Sun, 9 Jul 2017 12:21:21 +0000 (14:21 +0200)]
s3/vfs: remove SMB_VFS_STRICT_UNLOCK
It's just a noop, so let's remove it. SMB_VFS_STRICT_LOCK doesn't set
logs, it just checks for the presence of incompatible locks.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12887
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Mon, 10 Jul 2017 09:29:58 +0000 (11:29 +0200)]
s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface()
The result is only used temporarily and should not be leaked on a long term
memory context as 'conn'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12890
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sun, 9 Jul 2017 06:32:16 +0000 (08:32 +0200)]
vfs_fruit: fix a typo
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jul 10 16:48:24 CEST 2017 on sn-devel-144
Herb Lewis [Fri, 7 Jul 2017 20:10:54 +0000 (13:10 -0700)]
delete duplicate test
Signed-off-by: Herb Lewis <herb@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Autobuild-User(master): Herb Lewis <herb@samba.org>
Autobuild-Date(master): Sat Jul 8 05:57:55 CEST 2017 on sn-devel-144
Ralph Boehme [Fri, 7 Jul 2017 11:12:19 +0000 (13:12 +0200)]
selftest: add a test for accessing previous version of directories with snapdirseverywhere
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Jul 8 00:33:51 CEST 2017 on sn-devel-144
Ralph Boehme [Fri, 7 Jul 2017 10:57:57 +0000 (12:57 +0200)]
s3/smbd: let non_widelink_open() chdir() to directories directly
If the caller passes O_DIRECTORY we just try to chdir() to smb_fname
directly, not to the parent directory.
The security check in check_reduced_name() will continue to work, but
this fixes the case of an open() for a previous version of a
subdirectory that contains a snapshot.
Eg:
[share]
path = /shares/test
vfs objects = shadow_copy2
shadow:snapdir = .snapshots
shadow:snapdirseverywhere = yes
Directory tree with fake snapshots:
$ tree -a /shares/test/
/shares/test/
├── dir
│   ├── file
│   └── .snapshots
│       └── @GMT-2017.07.04-04.30.12
│           └── file
├── dir2
│   └── file
├── file
├── .snapshots
│   └── @GMT-2001.01.01-00.00.00
│       ├── dir2
│       │   └── file
│       └── file
└── testfsctl.dat
./bin/smbclient -U slow%x //localhost/share -c 'ls @GMT-2017.07.04-04.30.12/dir/*'
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \@GMT-2017.07.04-04.30.12\dir\*
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Douglas Bagnall [Thu, 6 Jul 2017 00:41:07 +0000 (12:41 +1200)]
ldb/tests: more thoroughly test empty ldb_msg elements
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 7 20:10:37 CEST 2017 on sn-devel-144
Douglas Bagnall [Wed, 5 Jul 2017 22:01:24 +0000 (10:01 +1200)]
ldb: avoid searching empty lists in ldb_msg_find_common_values
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Lukas Slebodnik [Tue, 4 Jul 2017 13:46:49 +0000 (15:46 +0200)]
ldb: Fix index out of bound in ldb_msg_find_common_values
cmocka unit test failed on i386
[==========] Running 2 test(s).
[ RUN ] test_ldb_msg_find_duplicate_val
[ OK ] test_ldb_msg_find_duplicate_val
[ RUN ] test_ldb_msg_find_common_values
[ FAILED ] test_ldb_msg_find_common_values
[==========] 2 test(s) run.
[ ERROR ] --- 0x14 != 0
[ LINE ] --- ../tests/ldb_msg.c:266: error: Failure!
[ PASSED ] 1 test(s).
[ FAILED ] 1 test(s), listed below:
[ FAILED ] test_ldb_msg_find_common_values
1 FAILED TEST(S)
But we were just lucky on other platforms because there is
index out of bound according to valgrind error.
==3298== Invalid read of size 4
==3298== at 0x486FCF6: ldb_val_cmp (ldb_msg.c:95)
==3298== by 0x486FCF6: ldb_msg_find_common_values (ldb_msg.c:266)
==3298== by 0x109A3D: test_ldb_msg_find_common_values (ldb_msg.c:265)
==3298== by 0x48E7490: ??? (in /usr/lib/libcmocka.so.0.4.1)
==3298== by 0x48E7EB0: _cmocka_run_group_tests (in /usr/lib/libcmocka.so.0.4.1)
==3298== by 0x1089B7: main (ldb_msg.c:352)
==3298== Address 0x4b07734 is 4 bytes after a block of size 48 alloc'd
==3298== at 0x483223E: malloc (vg_replace_malloc.c:299)
==3298== by 0x4907AA7: _talloc_array (in /usr/lib/libtalloc.so.2.1.9)
==3298== by 0x486FBF8: ldb_msg_find_common_values (ldb_msg.c:245)
==3298== by 0x109A3D: test_ldb_msg_find_common_values (ldb_msg.c:265)
==3298== by 0x48E7490: ??? (in /usr/lib/libcmocka.so.0.4.1)
==3298== by 0x48E7EB0: _cmocka_run_group_tests (in /usr/lib/libcmocka.so.0.4.1)
==3298== by 0x1089B7: main (ldb_msg.c:352)
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Thu, 6 Jul 2017 17:52:45 +0000 (10:52 -0700)]
s3: tests: Add test for new smbclient "deltree" command.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 7 13:38:24 CEST 2017 on sn-devel-144
Jeremy Allison [Thu, 6 Jul 2017 00:23:48 +0000 (17:23 -0700)]
docs: Document new smbclient deltree command.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Thu, 6 Jul 2017 00:21:18 +0000 (17:21 -0700)]
s3: smbclient: Add new command deltree.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Wed, 5 Jul 2017 22:53:07 +0000 (15:53 -0700)]
s3: client: Move struct file_list code to using talloc from malloc.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Thu, 6 Jul 2017 05:44:28 +0000 (07:44 +0200)]
waf: Do not install _ldb_text.py if we have system libldb
_ldb_text.py is installed as part of the ldb package and also if you
compile Samba with the system ldb version. This way we have the
file twice in the same location and run into file conflicts.
This has already been fixed some time ago:
60dc26bfe1573265dcbd87b9dd3439f945e57d97
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12882
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Volker Lendecke [Sat, 24 Jun 2017 07:01:46 +0000 (09:01 +0200)]
messaging: Remove messaging_handler_send
This did not really take off, notifyd was the only user
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 7 05:11:48 CEST 2017 on sn-devel-144
Volker Lendecke [Sat, 24 Jun 2017 06:57:18 +0000 (08:57 +0200)]
notifyd: Remove notifyd_handler_done
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 24 Jun 2017 06:56:35 +0000 (08:56 +0200)]
notifyd: Use messaging_register for MSG_SMB_NOTIFY_DB
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 24 Jun 2017 06:48:45 +0000 (08:48 +0200)]
notifyd: Use messaging_register for MSG_SMB_NOTIFY_GET_DB
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 24 Jun 2017 06:45:17 +0000 (08:45 +0200)]
notifyd: Use messaging_register for MSG_SMB_NOTIFY_TRIGGER
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 24 Jun 2017 06:38:53 +0000 (08:38 +0200)]
notifyd: Use messaging_register for MSG_SMB_NOTIFY_REC_CHANGE
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 24 Jun 2017 06:38:19 +0000 (08:38 +0200)]
messaging: make messaging_rec_create public
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 5 Jul 2017 07:37:14 +0000 (09:37 +0200)]
notifyd: Avoid an if-expression
Best reviewed with "git show -b -U10"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 5 Jul 2017 07:34:51 +0000 (09:34 +0200)]
notifyd: Consolidate two #ifdef CLUSTER into one
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 16 Jun 2017 13:20:22 +0000 (15:20 +0200)]
notifyd: Only ask for messaging_ctdb_conn when clustering
Without clustering, messaging_ctdb_conn will fail anyway.
Review with "git show -b".
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Richard Sharpe [Mon, 26 Jun 2017 16:43:31 +0000 (09:43 -0700)]
Add support for passing the max_referral_level into the cli call to get a DFS referral. This is being done so I can write tests of the DFS referral code on the server side.
Signed-off-by: Richard Sharpe <richard.sharpe@primarydata.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Wed, 5 Jul 2017 08:30:35 +0000 (10:30 +0200)]
unittests: Do not install the test_dummy rpc module
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12879
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 5 22:21:06 CEST 2017 on sn-devel-144
Andreas Schneider [Wed, 5 Jul 2017 06:59:23 +0000 (08:59 +0200)]
unittests: Add missing stdint.h include
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12878
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Wed, 5 Jul 2017 08:08:49 +0000 (10:08 +0200)]
waf: Only build unit tests with selftest enabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12877
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Rowland Penny [Tue, 4 Jul 2017 14:07:53 +0000 (15:07 +0100)]
Add code to run the tests for 'samba-tool user edit'
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Jul 5 17:53:24 CEST 2017 on sn-devel-144
Rowland Penny [Tue, 4 Jul 2017 14:04:36 +0000 (15:04 +0100)]
Add test for 'samba-tool user edit'
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Rowland Penny [Tue, 4 Jul 2017 14:00:58 +0000 (15:00 +0100)]
Easily edit a users object in AD, as if using ldbedit.
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Stefan Metzmacher [Fri, 30 Dec 2016 15:06:49 +0000 (16:06 +0100)]
auth/spnego: pass spnego_in to gensec_spnego_parse_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 5 06:43:17 CEST 2017 on sn-devel-144
Stefan Metzmacher [Tue, 13 Jun 2017 21:56:47 +0000 (23:56 +0200)]
auth/spnego: remove useless indentation level for SPNEGO_SERVER_START
Check with git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 13 Jun 2017 21:55:00 +0000 (23:55 +0200)]
auth/spnego: move SERVER gensec_spnego_create_negTokenInit() handling to the top
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 29 Jun 2017 14:55:09 +0000 (16:55 +0200)]
auth/spnego: set spnego_state->{state_position,expected_packet} gensec_spnego_create_negTokenInit()
We should only do the state change in a defined place
and not with any error gensec_spnego_create_negTokenInit() might return.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 14 Jun 2017 00:46:29 +0000 (02:46 +0200)]
auth/spnego: don't pass 'in' to gensec_spnego_create_negTokenInit()
It's always an empty blob.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 14 Jun 2017 01:36:22 +0000 (03:36 +0200)]
auth/spnego: add a struct spnego_negTokenTarg *ta variable to make some lines shorter
This makes future modifications easier to review.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 14 Jun 2017 01:33:21 +0000 (03:33 +0200)]
auth/spnego: use a helper variable for spnego.negTokenInit.targetPrincipal
This makes the lines a bit shorter and the future diff easier to review.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 30 Jun 2017 09:00:12 +0000 (11:00 +0200)]
auth/spnego: rename gensec_spnego_server_negTokenTarg() into gensec_spnego_server_response()
gensec_spnego_server_negTokenTarg() will reappear as function that
handles the whole negTokenTarg processing.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Lumir Balhar [Tue, 4 Jul 2017 09:39:28 +0000 (11:39 +0200)]
python: tests: Add test for tdb_copy function from tdb_util module.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 5 02:00:25 CEST 2017 on sn-devel-144
Lukas Slebodnik [Mon, 3 Jul 2017 22:32:31 +0000 (00:32 +0200)]
ldb: Use libraries from build dir for testsuite
There was a failure when tests were executed after extracting
ldb tarball.
sh$ make -j8 check
WAF_MAKE=1 PATH=buildtools/bin:../../buildtools/bin:$PATH waf test
ldbadd: error while loading shared libraries: libldb.so.1: cannot open shared object file: No such file or directory
cat: write error: Broken pipe
Traceback (most recent call last):
File "tests/python/api.py", line 10, in <module>
import ldb
ImportError: libldb.so.1: cannot open shared object file: No such file or directory
Traceback (most recent call last):
File "tests/python/api.py", line 10, in <module>
import ldb
ImportError: libpyldb-util.so.1: cannot open shared object file: No such file or directory
bin/ldb_tdb_mod_op_test: error while loading shared libraries: libldb.so.1: cannot open shared object file: No such file or directory
testsuite returned 1
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Lukas Slebodnik [Mon, 3 Jul 2017 14:17:44 +0000 (16:17 +0200)]
talloc: Fix execution of test_magic_differs from tarball
make check failed in case of tarball because test_magic_differs.sh
is in top level directory and not in sub-directory lib/talloc
sh: ./lib/talloc/test_magic_differs.sh: No such file or directory
magic differs test returned 127
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Lukas Slebodnik [Mon, 3 Jul 2017 14:09:34 +0000 (16:09 +0200)]
talloc: Use libraries from build dir for testsuite
There was a failure when tests were executed after extracting
talloc tarball.
sh$ make -j8 check
WAF_MAKE=1 PATH=buildtools/bin:../../buildtools/bin:$PATH waf test
bin/talloc_testsuite: error while loading shared libraries: libtalloc.so.2: cannot open shared object file: No such file or directory
sh: ./lib/talloc/test_magic_differs.sh: No such file or directory
Traceback (most recent call last):
File "test_pytalloc.py", line 11, in <module>
import talloc
ImportError: libtalloc.so.2: cannot open shared object file: No such file or directory
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Karolin Seeger [Mon, 3 Jul 2017 10:09:53 +0000 (12:09 +0200)]
WHATSNEW: Start release notes for Samba 4.8.0pre1.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Tue Jul 4 17:41:59 CEST 2017 on sn-devel-144
Karolin Seeger [Mon, 3 Jul 2017 10:06:30 +0000 (12:06 +0200)]
VERSION: Bump version up to 4.8.0pre1...
and re-enable GIT_SNAPSHOTS.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Karolin Seeger [Mon, 3 Jul 2017 09:33:38 +0000 (11:33 +0200)]
VERSION: Disable GIT_SNAPSHOTS for the 4.7.0rc1 release
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Karolin Seeger [Mon, 3 Jul 2017 09:30:27 +0000 (11:30 +0200)]
VERSION: Bump version up to 4.7.0rc1
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Karolin Seeger [Mon, 3 Jul 2017 09:26:36 +0000 (11:26 +0200)]
WHATSNEW: Prepare release notes for Samba 4.7.0rc1.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Amitay Isaacs [Tue, 4 Jul 2017 05:50:12 +0000 (15:50 +1000)]
ctdb-daemon: Increase priority of logs when recovery happens
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 4 Jul 2017 05:49:54 +0000 (15:49 +1000)]
ctdb-daemon: Increase priority of logs when shutting down
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 4 Jul 2017 05:49:19 +0000 (15:49 +1000)]
ctdb-daemon: Increase priority of logs when ctdb starts up disabled/stopped
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 4 Jul 2017 05:32:47 +0000 (15:32 +1000)]
ctdb-daemon: Increase priority of logs when node is stopped/continued
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 4 Jul 2017 05:31:51 +0000 (15:31 +1000)]
ctdb-daemon: Increase priority of logs for recmaster changes
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 4 Jul 2017 05:18:39 +0000 (15:18 +1000)]
ctdb-daemon: Increase priority of logs for node connect/disconnect
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Andrew Bartlett [Tue, 4 Jul 2017 03:16:57 +0000 (15:16 +1200)]
WHATSNEW: Fix typo
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 4 Jul 2017 03:16:05 +0000 (15:16 +1200)]
WHATSNEW: Add docs for ntlm auth changes
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 3 Jul 2017 16:36:29 +0000 (18:36 +0200)]
s3/tests: add a net cache samlogon test
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12875
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 4 Jul 2017 07:38:07 +0000 (09:38 +0200)]
net: fix net cache samlogon list output
Don't print the table header for every entry.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12875
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Alexander Bokovoy [Mon, 3 Jul 2017 08:58:50 +0000 (11:58 +0300)]
smbldap: expose bind callback via API and increase smbldap ABI version
Until we fully migrate to use gensec in smbldap, we need to continue
exposing bind callback to allow FreeIPA to integrate with smbldap.
Since smbldap API is now lacking direct access to 'struct
smbldap_state' and new API functions were added to give access to
individual members of this structure, it makes sense to increase ABI
version too.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul 4 11:14:49 CEST 2017 on sn-devel-144
Andrew Bartlett [Mon, 3 Jul 2017 02:39:09 +0000 (14:39 +1200)]
samr: Disable NTLM-based password changes on the server if NTLM is disabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale [Tue, 4 Jul 2017 01:40:31 +0000 (13:40 +1200)]
selftest: Disable NTLM authentication in ktest environment
This allows us to prove that "ntlm auth = disabled" works
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Andrew Bartlett [Mon, 3 Jul 2017 02:16:50 +0000 (14:16 +1200)]
param: Add new "disabled" value to "ntlm auth" to disable NTLM totally
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale [Tue, 4 Jul 2017 01:31:11 +0000 (13:31 +1200)]
selftest: Add test to confirm NTLM authentication is enabled
(or later, that it is disabled)
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Andrew Bartlett [Mon, 3 Jul 2017 02:11:47 +0000 (14:11 +1200)]
param: Disable LanMan authentication unless NTLMv1 is also enabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Andrew Bartlett [Mon, 3 Jul 2017 22:31:40 +0000 (10:31 +1200)]
selftest: Use new ntlmv2-only and mschapv2-and-ntlmv2-only options
This will allow the py_credentials test to tell if these are in use
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 3 Jul 2017 00:11:51 +0000 (12:11 +1200)]
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:
Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.
Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.
Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 3 Jul 2017 05:28:05 +0000 (17:28 +1200)]
selftest: Add test for support for MSCHAPv2 and NTLMv1 on a server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Sun, 2 Jul 2017 23:28:06 +0000 (11:28 +1200)]
s3-rpc_server: Disable the NETLOGON server by default
The NETLOGON server is only needed when the classic/NT4 DC is enabled
and has been the source of security issues in the past. Therefore
reduce the attack surface.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale [Mon, 3 Jul 2017 21:31:54 +0000 (09:31 +1200)]
tests: Add simple check whether netlogon server is running
Netlogon only needs to run in DC environment. This is a simple test to
check whether the netlogon service is running. This will allow us to
disable the netlogon service on setups that don't require it.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 3 Jul 2017 01:10:35 +0000 (13:10 +1200)]
auth: Disable SChannel authentication if we are not a DC
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 4 Jul 2017 04:11:12 +0000 (16:11 +1200)]
dns_server: Only install common library if AD DC is enabled.
The library is used in selftest, so must still be built
This reverts commit d32b66b40c931fe8214faa2e1d40b34b86667d4c and
replaces the behaviour.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Ralph Boehme [Wed, 28 Jun 2017 05:14:36 +0000 (07:14 +0200)]
net: add net cache samlogon list|show|ndrdump|delete
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jul 4 00:12:46 CEST 2017 on sn-devel-144
Ralph Boehme [Tue, 27 Jun 2017 15:34:34 +0000 (17:34 +0200)]
samlogon_cache: add netsamlog_cache_for_all()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Ralph Boehme [Mon, 3 Jul 2017 10:38:22 +0000 (12:38 +0200)]
netlogon.idl: mark session keys with NDR_SECRET
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Ralph Boehme [Mon, 3 Jul 2017 13:16:13 +0000 (15:16 +0200)]
s4/torture: test fetching a resume key twice
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 10 Jun 2017 07:05:55 +0000 (09:05 +0200)]
s3/smbd: remove unneeded flags argument from SMB_VFS_OFFLOAD_WRITE_SEND
...and instead use the fsctl to infer required behaviour in the VFS
backends.
Note that this removes the check from vfs_default because there we only
handle FSCTL_SRV_COPYCHUNK(_WRITE) and must always perform the lock
checks.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 9 Jun 2017 15:27:17 +0000 (17:27 +0200)]
s3/smbd: get rid of files_struct.aapl_copyfile_supported
A previous commit removed the special hook from the SMB layer, so we
don't need this anymore.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 6 Jun 2017 12:36:38 +0000 (14:36 +0200)]
s4/torture: more tests for copy-chunk across shares
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 9 Jun 2017 11:02:49 +0000 (13:02 +0200)]
s3/vfs: make SMB_VFS_OFFLOAD_WRITE_SEND offload token based
Remove the source fsp argument and instead pass the offload token
generated with SMB_VFS_OFFLOAD_READ_SEND/RECV.
An actual offload fsctl is not implemented yet, neither in the VFS nor
at the SMB ioctl layer, and returns NT_STATUS_NOT_IMPLEMENTED.
With these changes we now pass the copy-chunk-across-shares test.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 5 Jun 2017 06:31:19 +0000 (08:31 +0200)]
s4/torture: add a test for copy-chunk across shares
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 9 Jun 2017 14:50:05 +0000 (16:50 +0200)]
s3/smbd: redesign macOS copyfile copy-chunk
The copy-chunk request chunk_count can be 0 and Windows server just
returns success saying number of copied chunks is 0.
macOS clients overload this after negotiating AAPL via their SMB2
extensions, meaning it's a so-called copyfile request (copy whole file
and all streams).
We previously checked this at the SMB layer; with this patch we just
send this down the VFS. If vfs_fruit is loaded it implements the macOS
copyfile semantics, otherwise we get Windows behaviour.
No change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 9 Jun 2017 14:35:39 +0000 (16:35 +0200)]
s3/smbd: remove copy-chunk chunk merging optimisation
As we won't have the source fsp around with the coming token based
offload read/write based code, we can't merge chunks as that requires
checking against the source file size.
We could still merge chunks without checking, but getting the error
handling correct would require complicated logic for the SMB2 ioctl
copy-chunk error reporting.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>