samba.git
11 years ago VERSION: Bump version number up to 4.0.4. (tag: samba-4.0.4)
Karolin Seeger [Tue, 19 Mar 2013 08:28:48 +0000 (09:28 +0100)]
VERSION: Bump version number up to 4.0.4.

Bug 9709: CVE-2013-1863: Remove forced set of 'create mask' to 0777.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

11 years ago WHATSNEW: Prepare release notes for Samba 4.0.4
Karolin Seeger [Tue, 19 Mar 2013 08:27:57 +0000 (09:27 +0100)]
WHATSNEW: Prepare release notes for Samba 4.0.4

Bug 9709: CVE-2013-1863: Remove forced set of 'create mask' to 0777.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

11 years ago Revert "Ensure the masks don't conflict with the ACL checks."
Andrew Bartlett [Sun, 10 Mar 2013 09:25:53 +0000 (20:25 +1100)]
Revert "Ensure the masks don't conflict with the ACL checks."

This reverts commit 78594909b8b22bd07978922b1c85dfd6f6456963 which was
needed by 7622aa16adeb00bf161a6dd07664c37125391272.

This change masked bug #9462 which was fixed by
2013bb9b4dbed747921df2591068e2765428f57d.  The issue was that the
defaults for the substituted parameters did not match the old
parameter.  Changing the values in our test suite hid the issue, but
did not fix the issue.

(Additional change in the revert is to correct the expected ACL value
in posixacl.py due to changed implied inherited permissions).

Andrew Bartlett

Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Mar 11 19:46:24 CET 2013 on sn-devel-104
(cherry picked from commit 58e385a5ac37c072a4eef3baa7926b799a732e94)

The last 3 patches address bug #9709 - CVE-2013-1863: Remove forced set of
'create mask' to 0777.

CVE-2013-1863: World-writeable files may be created in additional shares on a
Samba 4.0 AD DC.

11 years ago smbd:posix_acls Remove incorrectly added lp_create_mask() and lp_dir_mask() calls
Andrew Bartlett [Fri, 8 Mar 2013 05:15:37 +0000 (16:15 +1100)]
smbd:posix_acls Remove incorrectly added lp_create_mask() and lp_dir_mask() calls

When 6adc7dad96b8c7366da042f0d93b28c1ecb092eb removed the calls to
lp_security_mask/lp_force_security_mode/lp_dir_security_mask/lp_force_dir_security_mode
these calls were replaced with lp_create_mask() and lp_dir_mask()

The issue is that while lp_security_mask() and lp_dir_security_mask defaulted to
0777, the replacement calls did not.  This changes behaviour, and incorrectly
prevents a posix mode being specified by the client from being applied to
the disk in the non-ACL enabled case.

Andrew Bartlett
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit fc496ef323c908a6b621198d9dc8076f6857385e)

11 years ago param: Remove incorrectly added defaults in AD DC allowing WORLD WRITABLE files
Andrew Bartlett [Fri, 8 Mar 2013 05:49:21 +0000 (16:49 +1100)]
param: Remove incorrectly added defaults in AD DC allowing WORLD WRITABLE files

These defaults were incorrectly added in
fc5caffbc139d63cab1ec105884863f73772586f in what turns out to be an
incorrect fix for bug #9462, which was in turn introduced by the
swapping of security mask (default 0777) for create mask (0755) in
6adc7dad96b8c7366da042f0d93b28c1ecb092eb.

While the permissions on sysvol and netlogon (the default shares) were
fixed by provision, any additional shares that did not yet have an
explicit ACL set would create world-writable files by default.

Administrators will need to manually correct the file permissions on
any additional shares that were created after installation of the AD
DC.

Andrew Bartlett

Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Mar 10 12:00:31 CET 2013 on sn-devel-104
(cherry picked from commit 287b5f6c0f40d3e3d09bc2ce80f5fee02cbae40f)

11 years ago VERSION: Disable git snapshots for the 4.0.3 release. (tag: samba-4.0.3)
Karolin Seeger [Tue, 5 Feb 2013 09:17:59 +0000 (10:17 +0100)]
VERSION: Disable git snapshots for the 4.0.3 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

11 years ago WHATSNEW: Update release notes.
Karolin Seeger [Tue, 5 Feb 2013 09:14:38 +0000 (10:14 +0100)]
WHATSNEW: Update release notes.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

11 years ago WHATSNEW: Update release notes.
Karolin Seeger [Tue, 5 Feb 2013 08:27:54 +0000 (09:27 +0100)]
WHATSNEW: Update release notes.

Karolin

11 years ago samba-tool/domain provision: add support for utf-8 passwords for --adminpass
Stefan Metzmacher [Mon, 4 Feb 2013 10:41:39 +0000 (11:41 +0100)]
samba-tool/domain provision: add support for utf-8 passwords for --adminpass

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Feb  4 18:54:32 CET 2013 on sn-devel-104
(cherry picked from commit dc6c40b193e125e8810cf95129fc99f7d4f6db27)

The last 8 patches address bug #9105 - check_password_quality does not properly
handle non-ASCII characters.

11 years ago samba-tool/user setpassword: fix help message
Stefan Metzmacher [Mon, 4 Feb 2013 12:35:48 +0000 (13:35 +0100)]
samba-tool/user setpassword: fix help message

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 2e7bc87fa54148655ce13a59bd3274fb6285a579)

11 years ago s4:scripting/python: add support for utf-8 passwords from the command line
Stefan Metzmacher [Mon, 4 Feb 2013 10:41:39 +0000 (11:41 +0100)]
s4:scripting/python: add support for utf-8 passwords from the command line

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit d60be8167b7264dadae7d4735ee5977233d4cea9)

11 years ago lib/util: improve check_password_quality() to handle utf8
Stefan Metzmacher [Mon, 4 Feb 2013 07:45:48 +0000 (08:45 +0100)]
lib/util: improve check_password_quality() to handle utf8

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 65f2bba559a33edb3c352d552aebb259e5e008eb)

11 years ago dsdb/util: rework samdb_check_password() to support utf8
Stefan Metzmacher [Mon, 4 Feb 2013 08:19:54 +0000 (09:19 +0100)]
dsdb/util: rework samdb_check_password() to support utf8

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit e5ca813ffb4398faeefc96c224d3b2677e576c7a)

11 years ago dsdb/password_hash: rename variable 'stat' to 'vstat'
Stefan Metzmacher [Mon, 4 Feb 2013 08:47:31 +0000 (09:47 +0100)]
dsdb/password_hash: rename variable 'stat' to 'vstat'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 54cc3b1f42eba19170e611b0ee0ea464ea4ac604)

11 years ago dsdb/password_hash: make sure that io->n.cleartext_utf8.data is a null terminated...
Stefan Metzmacher [Mon, 4 Feb 2013 08:18:59 +0000 (09:18 +0100)]
dsdb/password_hash: make sure that io->n.cleartext_utf8.data is a null terminated string

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 6eccfc74cd9a16e96a2b6214b943f5b2f9adfe65)

11 years ago s3: use generate_random_password() instead of generate_random_str()
Stefan Metzmacher [Fri, 1 Feb 2013 12:14:05 +0000 (13:14 +0100)]
s3: use generate_random_password() instead of generate_random_str()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 9292e5b74310632e1f0b4b2b76a9ef4ccae6874e)

11 years ago WHATSNEW: Start release notes for Samba 4.0.3.
Karolin Seeger [Mon, 4 Feb 2013 10:30:18 +0000 (11:30 +0100)]
WHATSNEW: Start release notes for Samba 4.0.3.

Karolin

Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Mon Feb  4 13:23:03 CET 2013 on sn-devel-104

11 years ago VERSION: Bump version number up to 4.0.3.
Karolin Seeger [Wed, 30 Jan 2013 10:55:47 +0000 (11:55 +0100)]
VERSION: Bump version number up to 4.0.3.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin

11 years ago Merge commit 'samba-4.0.2' into v4-0-test
Karolin Seeger [Wed, 30 Jan 2013 10:54:45 +0000 (11:54 +0100)]
Merge commit 'samba-4.0.2' into v4-0-test

11 years ago VERSION: Bump version number up to 4.0.2. (tag: samba-4.0.2)
Karolin Seeger [Tue, 29 Jan 2013 10:11:55 +0000 (11:11 +0100)]
VERSION: Bump version number up to 4.0.2.

Bug 9576 - CVE-2013-0213: Clickjacking issue in SWAT.
Bug 9577 - CVE-2013-0214: Potential XSRF in SWAT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

11 years ago WHATSNEW: Update release notes for Samba 4.0.2.
Karolin Seeger [Tue, 29 Jan 2013 10:09:41 +0000 (11:09 +0100)]
WHATSNEW: Update release notes for Samba 4.0.2.

Bug 9576 - CVE-2013-0213: Clickjacking issue in SWAT.
Bug 9577 - CVE-2013-0214: Potential XSRF in SWAT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

11 years ago swat: Use additional nonce on XSRF protection
Kai Blin [Sun, 20 Jan 2013 07:58:08 +0000 (08:58 +0100)]
swat: Use additional nonce on XSRF protection

If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targeted by an XSRF on a
malicious web site targeting the SWAT setup.

Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.

Signed-off-by: Kai Blin <kai@samba.org>
Fix bug #9577 - CVE-2013-0214: Potential XSRF in SWAT.

11 years ago swat: Use X-Frame-Options header to avoid clickjacking
Kai Blin [Fri, 18 Jan 2013 22:11:07 +0000 (23:11 +0100)]
swat: Use X-Frame-Options header to avoid clickjacking

Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user to change Samba settings.

Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.

Signed-off-by: Kai Blin <kai@samba.org>
Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.

11 years ago Regression test for bug #9571 - Unlink after open causes smbd to panic
Jeremy Allison [Fri, 25 Jan 2013 00:20:14 +0000 (16:20 -0800)]
Regression test for bug #9571 - Unlink after open causes smbd to panic

Replicates the protocol activity that triggers the crash.

Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Mon Jan 28 21:40:31 CET 2013 on sn-devel-104

11 years ago Fix bug #9571 - Unlink after open causes smbd to panic.
Pavel Shilovsky [Wed, 16 Jan 2013 11:02:26 +0000 (15:02 +0400)]
Fix bug #9571 - Unlink after open causes smbd to panic.

s3:smbd: fix wrong lock order in posix unlink

Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
Reviewed-by: Jeremy Allison <jra@samba.org>

11 years ago Fix bug #9588 - ACLs are not inherited to directories for DFS shares.
Jeremy Allison [Fri, 25 Jan 2013 18:21:48 +0000 (10:21 -0800)]
Fix bug #9588 - ACLs are not inherited to directories for DFS shares.

We can return with NT_STATUS_OK in an error code path. This
has a really strange effect in that it prevents the ACL editor
in Windows XP from recursively changing ACE entries on sub-directories
after a change in a DFS-root share (we end up returning a path
that looks like: \\IPV4\share1\xptest/testdir with a mixture
of Windows and POSIX pathname separators).

Signed-off-by: Jeremy Allison <jra@samba.org>

11 years ago ldb: Ensure to decrement the transaction_active whenever we delete a transaction
Andrew Bartlett [Fri, 25 Jan 2013 22:35:21 +0000 (09:35 +1100)]
ldb: Ensure to decrement the transaction_active whenever we delete a transaction

This is in the error path for prepare_commit, which rarely fails, but
when it does we need to ensure that when a new transaction is opened,
that it really starts a new transaction.

We bump the version to recognise critical fix for the AD DC

Without this fix, a single invalid inbound replicated link disables
all subsequent replication as we operate without a transaction (which
is refused by ldb_tdb).

Andrew Bartlett

Reviewed-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1d1ea72574cfa22ee6207d0e9787d0271db3b5c2)

The last 13 patches address bug #9609 - backport tdb/ldb changes.

Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Mon Jan 28 12:50:56 CET 2013 on sn-devel-104

11 years ago ldb: fix a warning by converting from TDB_DATA to struct ldb_val
Stefan Metzmacher [Thu, 24 Jan 2013 13:21:51 +0000 (14:21 +0100)]
ldb: fix a warning by converting from TDB_DATA to struct ldb_val

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1ea6fabcde6cbd57aed06926193ac68f5887e96b)

11 years ago ldb: Move doxygen comments for ldb_connect to the right place
Stephen Gallagher [Wed, 2 Jan 2013 16:22:16 +0000 (11:22 -0500)]
ldb: Move doxygen comments for ldb_connect to the right place

Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan 14 16:21:02 CET 2013 on sn-devel-104
(cherry picked from commit 813bd0353fda0eb6d7c78392d5abd3002115da96)

11 years ago ldb: fix a typo in the comment for ldb_req_is_untrusted()
Michael Adam [Wed, 28 Nov 2012 20:55:47 +0000 (21:55 +0100)]
ldb: fix a typo in the comment for ldb_req_is_untrusted()

Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Nov 30 15:44:46 CET 2012 on sn-devel-104
(cherry picked from commit 8f3f38ece4981d0047024019c6fc8dfde3fffed0)

11 years ago ldb: fixed callers for ldb_pack_data() and ldb_unpack_data()
Andrew Tridgell [Wed, 31 Oct 2012 05:06:03 +0000 (16:06 +1100)]
ldb: fixed callers for ldb_pack_data() and ldb_unpack_data()

with ltdb_pack_data() and ltdb_unpack_data() now moved into common, we
need to increase the minor version and fixup callers of the API

Note that this relies on struct ldb_val being the same shape as
TDB_DATA, in much the same way as we rely on ldb_val and DATA_BLOB
being the same shape.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 30ffdda45bd3ae602b453c9c1bbdb77ea3de8a8d)

11 years ago ldb: move ldb_pack.c into common
Andrew Tridgell [Wed, 31 Oct 2012 04:39:09 +0000 (15:39 +1100)]
ldb: move ldb_pack.c into common

this code should not be tied to the ldb_tdb backend, both because it
could be used for any record oriented backend, and because it should
be exposed for use by diagnosis/repair tools such as the recently
added ldbdump tool

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fc47b0d03c577730ce0ef9e09092f80c0712d5d0)

11 years ago ldb: Add ldbdump, based on tdbdump
Andrew Bartlett [Tue, 30 Oct 2012 04:41:27 +0000 (15:41 +1100)]
ldb: Add ldbdump, based on tdbdump

This uses a tdb_traverse or (more usefully) the tdb_rescue API, like tdbdump.

The difference here is that it uses ldb helper functions to further
eliminate faulty records, which avoids creating duplicates in the output.

(The duplicates come from parts of records that are left in blank space
in the db, which tdb_rescue finds, but which are not actually a full
record).

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 30 23:56:11 CET 2012 on sn-devel-104
(cherry picked from commit a71ad96bd046f1199e67b4fe8fc7783cbd8dd771)

11 years ago ldb: Remove no-longer-existing ltdb_unpack_data_free from ldb_tdb.h (cherry picked...
Andrew Bartlett [Mon, 29 Oct 2012 23:22:28 +0000 (10:22 +1100)]
ldb: Remove no-longer-existing ltdb_unpack_data_free from ldb_tdb.h (cherry picked from commit 4b2f3c6dec997b0dd4bcafeae662a71ebd34e12b)

11 years ago ldb: Change ltdb_unpack_data to take an ldb_context
Andrew Bartlett [Mon, 29 Oct 2012 23:21:42 +0000 (10:21 +1100)]
ldb: Change ltdb_unpack_data to take an ldb_context

It always de-references the module to find the ldb anyway.

Andrew Bartlett
(cherry picked from commit cc6d0decc7980028293168aee267e7610752fc80)

11 years ago tdb: add -e option to tdbdump (and document it).
Rusty Russell [Wed, 3 Oct 2012 23:34:23 +0000 (09:04 +0930)]
tdb: add -e option to tdbdump (and document it).

This allows for an emergency best-effort dump.  It's a little better than
strings(1).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au>
Autobuild-Date(master): Thu Oct  4 03:16:06 CEST 2012 on sn-devel-104
(cherry picked from commit 100d38d6e0fae1dc666ae43941570c9f106b73c2)

11 years ago tdb: tdbdump should log errors, and fail in that case.
Rusty Russell [Wed, 3 Oct 2012 23:34:23 +0000 (09:04 +0930)]
tdb: tdbdump should log errors, and fail in that case.

Dumping a corrupt database should not exit silently with 0 status!

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
(cherry picked from commit ffde8678910ae838588ab380b48a544333f81241)

11 years ago tdb: add tdb_rescue()
Rusty Russell [Wed, 3 Oct 2012 23:34:19 +0000 (09:04 +0930)]
tdb: add tdb_rescue()

This allows for an emergency best-effort dump.  It's a little better than
strings(1).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
(cherry picked from commit 90f463b25f7bb0bc944732773c56e356834ea203)

11 years ago tdb: Fix a typo
Volker Lendecke [Tue, 2 Oct 2012 10:21:20 +0000 (12:21 +0200)]
tdb: Fix a typo

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Oct  2 19:52:16 CEST 2012 on sn-devel-104
(cherry picked from commit a168a7c791a4be1730a370d059b3a1073fbb0bdd)

11 years ago s4:service_task: add missing imessaging_cleanup() to task_server_terminate()
Stefan Metzmacher [Sun, 27 Jan 2013 10:09:39 +0000 (11:09 +0100)]
s4:service_task: add missing imessaging_cleanup() to task_server_terminate()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan 27 15:50:30 CET 2013 on sn-devel-104
(cherry picked from commit bb3238b46f0ffaf0bc8c0e16bdcc1cf5d2cad197)

The last 7 patches address bug #9598 - some IRPC calls timeout.

11 years ago s4:service_task: prevent a segfault if task->msg_ctx is not initialized yet
Stefan Metzmacher [Sun, 27 Jan 2013 10:01:07 +0000 (11:01 +0100)]
s4:service_task: prevent a segfault if task->msg_ctx is not initialized yet

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 431692df422c3cac71ca12b7e89296172dfcf684)

11 years ago selftest: rename 'promoted_vampire_dc' to 'promoted_dc'
Stefan Metzmacher [Sun, 27 Jan 2013 11:15:50 +0000 (12:15 +0100)]
selftest: rename 'promoted_vampire_dc' to 'promoted_dc'

Unix domain sockets are limited to 104 characters on Linux.

Using something like this fails as it uses more than 104 characters:
'/memdisk/autobuild/flakey/b232141/samba/bin/ab/promoted_vampire_dc/private/smbd.tmp/msg/msg.482379.2147483647'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7e7cd07c405f8b66f5979047cb1a50e1e7a55edd)

11 years ago s4-process_single: Use pid,task_id as cluster_id in process_single just like process_...
Andrew Bartlett [Fri, 25 Jan 2013 12:00:12 +0000 (23:00 +1100)]
s4-process_single: Use pid,task_id as cluster_id in process_single just like process_prefork

This avoids two different process single task servers (eg the drepl
server) sharing the same server id.  The task id starts at 2^31 to
avoid collision with the fd based scheme for connections.

Fix-bug: https://bugzilla.samba.org/show_bug.cgi?id=9598

Reported-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 26 16:13:05 CET 2013 on sn-devel-104
(cherry picked from commit b9f1c8887ed1c8c29259021d4f2b9a549caa4061)

11 years ago pymessaging: Pass around the server_id struct to python callbacks rather than the...
Andrew Bartlett [Fri, 25 Jan 2013 22:09:23 +0000 (09:09 +1100)]
pymessaging: Pass around the server_id struct to python callbacks rather than the tuple

This is not used currently, but may avoid going to and from the python types when we do not need to.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a321dd3aafa0f6ec8b39cd4fc64146dfbf24ce65)

11 years ago pymessaging: Use correct unsigned types for server ID tuple elements
Andrew Bartlett [Fri, 25 Jan 2013 21:58:46 +0000 (08:58 +1100)]
pymessaging: Use correct unsigned types for server ID tuple elements

This is needed if we start using the top bits of these values.

Andrew Bartlett

Reviewed-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a3054323d3fa1dadff1675e7f8ec672a991d8e56)

11 years ago bug9598: s4-process_single: Use pid,fd as cluster_id in process_single just like...
Andrew Bartlett [Fri, 25 Jan 2013 02:15:51 +0000 (13:15 +1100)]
bug9598: s4-process_single: Use pid,fd as cluster_id in process_single just like process_prefork

This avoids two different process single servers (say LDAP and the RPC server) sharing the same
server id.

Fix-bug: https://bugzilla.samba.org/show_bug.cgi?id=9598

Reported-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Matthieu Patou <mat@matws.net>
Signed-off-by: Andrew Bartlett <abartlett@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jan 25 12:00:04 CET 2013 on sn-devel-104
(cherry picked from commit c5db4eb9104f1a95220273ee2b0290d157053922)

11 years ago Regression test for bug #9587 - archive flag is always set on directories.
Jeremy Allison [Thu, 24 Jan 2013 20:33:53 +0000 (12:33 -0800)]
Regression test for bug #9587 - archive flag is always set on directories.

Ensure we get the correct attributes on files
and directories after a rename.

Signed-off-by: Jeremy Allison <jra@samba.org>

11 years ago Fix bug #9587 - archive flag is always set on directories.
Jeremy Allison [Thu, 24 Jan 2013 19:02:30 +0000 (11:02 -0800)]
Fix bug #9587 - archive flag is always set on directories.

Creating a directory to a Samba share sets the attributes to 'D' only
(correct) - only when creating a new file should the 'A' attribute
be set.

However, doing a rename of that directory sets the 'A' attribute in error.
This should only be done on a file rename. smbclient regression test to follow.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit 3d46a077dd0999cc0c6032379147811c8bb660fb)

11 years ago Fix bug #9586 - smbd[29175]: disk_free: sys_popen() failed" message logged in /var...
Jeremy Allison [Wed, 23 Jan 2013 22:39:09 +0000 (14:39 -0800)]
Fix bug #9586 - smbd[29175]: disk_free: sys_popen() failed" message logged in /var/log/message many times.

Ensure when reading lines from an interruptible
pipe source we ignore EINTR.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan 24 10:45:48 CET 2013 on sn-devel-104
(cherry picked from commit 497febfe36354c4aff3696cd32c6c7e8fee55af8)

11 years ago Fix bug #9572 - File corruption during SMB1 read by Mac OSX 10.8.2 clients.
Jeremy Allison [Wed, 23 Jan 2013 17:57:50 +0000 (09:57 -0800)]
Fix bug #9572 - File corruption during SMB1 read by Mac OSX 10.8.2 clients.

Accept a large read if we told the client we have UNIX extensions
and the client sent a non-zero upper 16-bit size.

Do the non-zero upper 16-bit size check first to save a function
call in what is a hot path.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 24 21:01:51 CET 2013 on sn-devel-104
(cherry picked from commit 996a10cdea4a1ea23bc86c8bc57c4ca02e285b17)

11 years ago Revert "s3:smbd: SMB ReadX with size > 0xffff should only possible for samba clients."
Jeremy Allison [Tue, 22 Jan 2013 20:38:28 +0000 (12:38 -0800)]
Revert "s3:smbd: SMB ReadX with size > 0xffff should only possible for samba clients."

Part of fix for bug #9572 -  File corruption during SMB1 read by Mac OSX 10.8.2 clients

This reverts commit f8c26c16b82989e002b839fc9eba6386fc036f6a.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 033197958ec97140d5632ab875f24350257963dd)

11 years ago wafsamba: python-config is not always a script.
Jelmer Vernooij [Sun, 16 Dec 2012 14:01:53 +0000 (15:01 +0100)]
wafsamba: python-config is not always a script.

(cherry picked from commit e1a819ea18aa3ecfcddb76ec681f520db162338e)

Fix bug #9503 - waf assumes that pythonX.Y-config is a Python script.

11 years ago dsdb: Make secrets_tdb_sync cope with -H secrets.ldb
Andrew Bartlett [Wed, 12 Sep 2012 13:34:29 +0000 (15:34 +0200)]
dsdb: Make secrets_tdb_sync cope with -H secrets.ldb

The issue was, without a / in the path, we did not cope.

Andrew Bartlett
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 945bc84818039b79f4d9b7982e24c1e0e7dd8a45)

Fix bug #9610 - dsdb: Make secrets_tdb_sync cope with -H secrets.ldb.

11 years ago dsdb: Make linked_attributes module GUID based for renames
Andrew Bartlett [Fri, 11 Jan 2013 05:42:41 +0000 (16:42 +1100)]
dsdb: Make linked_attributes module GUID based for renames

This ensures that when we have the backlink out of sync with the forward link (perhaps due
to another operation that has put the backlink handling in an end-of-transaction
TODO list in repl_meta_data) that we do not error out, we just cope as well as we can.

The GUID is the unique identifier, not the DN.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 12 12:52:28 CET 2013 on sn-devel-104
(cherry picked from commit 95c891cf44143e12b2f90047f3fefe6d23c598fd)

Fix bug #9596 - linked attribute handling should be by GUID.

11 years ago s3-winbind: fix the build of idmap_ldap.
Günther Deschner [Tue, 22 Jan 2013 10:54:19 +0000 (11:54 +0100)]
s3-winbind: fix the build of idmap_ldap.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jan 22 14:43:40 CET 2013 on sn-devel-104
(cherry picked from commit d56b4560b585c613b65b05a9224c9e11f5038318)

The last 14 patches address bug #9595 - Build fixes from master not yet in 4.0.

11 years ago Tests: Fix the display of test vars in screen --testenv
Matthieu Patou [Thu, 3 Jan 2013 22:33:45 +0000 (14:33 -0800)]
Tests: Fix the display of test vars in screen --testenv

The form bash -c echo "important stuff blabla bla" && LD_LIBARY_PATH bash
is not working in screen while it is working in xterm, and the in_screen
script already wraps all the commands within a bash shell, so there is no
need to re-force bash as the echo will execute in a bash shell

Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jan 22 13:03:52 CET 2013 on sn-devel-104
(cherry picked from commit 9aca52877a3f6f59887098ebb8e664922c8c7aad)

11 years ago Tests: avoid adding python options that are functions in the env
Matthieu Patou [Thu, 3 Jan 2013 22:34:13 +0000 (14:34 -0800)]
Tests: avoid adding python options that are functions in the env

This fixes errors when running test --testenv --screen

Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 95fc53a37b9c75cbc1d13432887de095ff779a1e)

11 years ago heimdal_build: Try again to sort out the strerror_r mess
Andrew Bartlett [Mon, 19 Nov 2012 12:25:45 +0000 (23:25 +1100)]
heimdal_build: Try again to sort out the strerror_r mess

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit dda48146a2781fe685eeb9dc5194d142ee5ca0ef)

11 years ago build(waf): fix the abi_match for the pdb library
Michael Adam [Tue, 15 Jan 2013 14:35:09 +0000 (15:35 +0100)]
build(waf): fix the abi_match for the pdb library

The global wildcard match is automatically added by the parsing code
if the global match list is empty. Specifying an explicit '*' as the only
global match lets the parsing code add a second '*' to the local list,
which is an error tolerated on my linux by ld (the GNU linker), but
not by the stricter GNU ELF linker "gold".

Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>

Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Jan 16 21:31:00 CET 2013 on sn-devel-104
(cherry picked from commit 9ba44cc610426fb558b49aa9680b5bdf55c29082)

11 years ago build(waf)-libreplace: remove redundant check for flistea function
Björn Baumbach [Mon, 10 Dec 2012 10:52:08 +0000 (11:52 +0100)]
build(waf)-libreplace: remove redundant check for flistea function

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 41955b711f48ee2c8fe70a7e9967a2a96adf8a3d)

11 years ago build: Make install_with_python.sh more portable
Andrew Bartlett [Wed, 9 Jan 2013 22:00:37 +0000 (09:00 +1100)]
build: Make install_with_python.sh more portable

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5a1deec38a7ff7287b31a47ae61769c66e10de17)

11 years ago build: In install_with_python.sh force using the python from the install we just...
Andrew Bartlett [Wed, 9 Jan 2013 21:51:34 +0000 (08:51 +1100)]
build: In install_with_python.sh force using the python from the install we just made

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 8e84c33a6094288ec2c8964588c679a71742e855)

11 years ago build: Make install_with_python.sh executable
Andrew Bartlett [Wed, 9 Jan 2013 21:50:53 +0000 (08:50 +1100)]
build: Make install_with_python.sh executable

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7acacdfc05d3162b2879b6ac80d0809b5af96f1e)

11 years ago swat: move russian swat files alongside ja and tr
Andrew Bartlett [Thu, 20 Dec 2012 07:36:40 +0000 (18:36 +1100)]
swat: move russian swat files alongside ja and tr

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 489ad498ab14340eb99f35a8814418db9db788a5)

11 years ago passdb: Add discard_const_p() to pdb_samba_dsdb
Andrew Bartlett [Wed, 12 Dec 2012 23:33:04 +0000 (10:33 +1100)]
passdb: Add discard_const_p() to pdb_samba_dsdb

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit b9fbce20613952ead92dde3981a57f6d825c0584)

11 years ago build: Remove bashism from SAMBAMANPAGES rule
Andrew Bartlett [Tue, 8 Jan 2013 22:39:59 +0000 (09:39 +1100)]
build: Remove bashism from SAMBAMANPAGES rule

In sh, you must assign the variable, then export it.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9dfd0a0dc980b521905399e0b409cb81fbbe6b37)

11 years ago replace: Fix compilation of rep_mkstemp
Jesper Larsen [Fri, 4 Jan 2013 12:03:58 +0000 (13:03 +0100)]
replace: Fix compilation of rep_mkstemp

Commit 1fbc185 removed the variable 'p'.
Use the equivalent variable 'template' instead.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jan  9 07:18:33 CET 2013 on sn-devel-104
(cherry picked from commit 411440d2d9085fe9db0e3c26c025c6b94d02c00f)

11 years agos3: Fix vfs_zfsacl to compile.
Ira Cooper [Thu, 27 Dec 2012 19:57:14 +0000 (19:57 +0000)]
s3: Fix vfs_zfsacl to compile.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0615f68096569d00b1f262529024ad40136d445e)
(ported to 4.0 VFS interface, removing blob function references by abartlet)

11 years agodocs: ldbsearch.1.xml: Correct meta data.
Karolin Seeger [Thu, 24 Jan 2013 10:52:37 +0000 (11:52 +0100)]
docs: ldbsearch.1.xml: Correct meta data.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 24 16:09:37 CET 2013 on sn-devel-104
(cherry picked from commit 875a1721ae014cbb580d9596344675e890cf9964)

Fix bug #9591 - Meta data in ldb manpages wrong.

11 years agodocs: ldbrename.1.xml: Correct meta data.
Karolin Seeger [Thu, 24 Jan 2013 10:52:15 +0000 (11:52 +0100)]
docs: ldbrename.1.xml: Correct meta data.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 99e2a63a0c64de4c3c26e66984a6c542052e97ba)

11 years agodocs: ldbmodify.1.xml: Correct meta data.
Karolin Seeger [Thu, 24 Jan 2013 10:51:49 +0000 (11:51 +0100)]
docs: ldbmodify.1.xml: Correct meta data.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 25cc400c64958e2e2e2e812a0d34064f1957d0c4)

11 years agodocs: ldbedit.1.xml: Correct meta data.
Karolin Seeger [Thu, 24 Jan 2013 10:51:28 +0000 (11:51 +0100)]
docs: ldbedit.1.xml: Correct meta data.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f585052d888a3bb4f9c81d9a9512eca7f7867c98)

11 years agodocs: ldbdel.1.xml: Correct meta data.
Karolin Seeger [Thu, 24 Jan 2013 10:50:55 +0000 (11:50 +0100)]
docs: ldbdel.1.xml: Correct meta data.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 918057bd11e9ed1457cf0119f4c0c1f9c418c566)

11 years agodocs: ldbadd.1.xml: Correct meta data.
Karolin Seeger [Thu, 24 Jan 2013 10:50:26 +0000 (11:50 +0100)]
docs: ldbadd.1.xml: Correct meta data.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1d4346d4b7c7afc4f578afb3b8d0e08e36812b39)

11 years agodocs: ldb.3.xml: Correct meta data.
Karolin Seeger [Thu, 24 Jan 2013 10:50:00 +0000 (11:50 +0100)]
docs: ldb.3.xml: Correct meta data.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7d56b9401129c18a948bbd0bb4fea547d4b3a7c4)

11 years agogensec: Allow login without a PAC by default (bug #9581)
Andrew Bartlett [Tue, 22 Jan 2013 03:45:14 +0000 (14:45 +1100)]
gensec: Allow login without a PAC by default (bug #9581)

The sense of this test was inverted.  We only want to take the ACCESS_DENIED error
if gensec:require_pac=true.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit df004b5014b92b987f907047d2ca9f567e3d0ac1)

11 years agodbcheck: look in hasMasterNCs as well for determining the instance type of a NC
Matthieu Patou [Wed, 24 Oct 2012 05:09:20 +0000 (22:09 -0700)]
dbcheck: look in hasMasterNCs as well for determining the instance type of a NC

Forests of level 2000 don't have the msDS-hasMasterNCs parameter

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Fix bug #9565 - Adding additional Samba 4.0 DC to W2k8 srv AD domain (in win200
functional level) produces dbcheck errors.

11 years agoselftest: Add test of upgradeprovision using the old alpha13 tree
Andrew Bartlett [Tue, 22 Jan 2013 12:39:15 +0000 (23:39 +1100)]
selftest: Add test of upgradeprovision using the old alpha13 tree

This ensures that upgradeprovision works as expected on a known good old database.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jan 27 11:55:54 CET 2013 on sn-devel-104
(cherry picked from commit 0f8ef5a2c83e0496ef79c3d6f8b1188fdd1943a0)

11 years agosamba_upgradeprovision: detect dns_backend for the reference provision
Stefan Metzmacher [Fri, 25 Jan 2013 08:36:47 +0000 (09:36 +0100)]
samba_upgradeprovision: detect dns_backend for the reference provision

If we have a DomainDnsZone partition, we use BIND9_DLZ as backend
and fix errors in the ForestDnsZone and DomainDnsZone partitions.
Note: this should work fine also for SAMBA_INTERNAL.

If the current setup doesn't use dns specific partitions (e.g. alpha13 setups)
we pass dns_backend=BIND9_FLATFILE.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 58d6d884cf8a8de5a1fa2dfd4a0cbacdff0d2483)

11 years agoprovision: setup names.dns_backend
Stefan Metzmacher [Fri, 25 Jan 2013 08:36:47 +0000 (09:36 +0100)]
provision: setup names.dns_backend

If we have a DomainDnsZone partition:
 - we use BIND9_DLZ as backend if a dns-<netbiosname> account is available
 - otherwise, we use SAMBA_INTERNAL
else:
 - we use BIND9_FLATFILE if a dns or dns-<netbiosname> account is available
 - otherwise, we use NONE

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b855df254de40d9de0b7f9042564f6d521ab1c5d)

11 years agosamba_upgradeprovision: fix the nTSecurityDescriptor on more containers (bug #9481)
Stefan Metzmacher [Thu, 13 Dec 2012 11:56:37 +0000 (12:56 +0100)]
samba_upgradeprovision: fix the nTSecurityDescriptor on more containers (bug #9481)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4752731c2eb4abeb0b5da3e33aa3096786301a19)

11 years agoprovision: fix nTSecurityDescriptor of containers in the DnsZones (bug #9481)
Stefan Metzmacher [Wed, 23 Jan 2013 15:27:17 +0000 (16:27 +0100)]
provision: fix nTSecurityDescriptor of containers in the DnsZones (bug #9481)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5cf98823cc804906833f7ea763f99de0147b0fee)

11 years agoprovision: fix nTSecurityDescriptor attributes of CN=*,${CONFIGDN} (bug #9481)
Stefan Metzmacher [Wed, 23 Jan 2013 15:27:17 +0000 (16:27 +0100)]
provision: fix nTSecurityDescriptor attributes of CN=*,${CONFIGDN} (bug #9481)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a477649e568577875be577c70a6b25cbeea6985a)

11 years agoprovision: fix nTSecurityDescriptor of CN={LostAndFound,System},${DOMAINDN} (bug...
Stefan Metzmacher [Wed, 23 Jan 2013 15:27:17 +0000 (16:27 +0100)]
provision: fix nTSecurityDescriptor of CN={LostAndFound,System},${DOMAINDN} (bug #9481)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1de5c2f78544385d2fe270d766fc1ca6726d71fb)

11 years agoprovision: setup names.name_map['DnsAdmins']
Stefan Metzmacher [Wed, 23 Jan 2013 14:45:33 +0000 (15:45 +0100)]
provision: setup names.name_map['DnsAdmins']

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4775f9ab345072e63d671e83ae2c054fd2f80c3b)

11 years agoprovision: introduce names.name_map = {}
Stefan Metzmacher [Wed, 23 Jan 2013 14:43:54 +0000 (15:43 +0100)]
provision: introduce names.name_map = {}

This will be used to translate names in SDDL values,
which are not well-known, e.g. 'DnsAdmins'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e0712a70f5a437eb60df3cebedbbe1c6c08bd6ae)

11 years agoprovision: add get_dns_{forest,domain}_microsoft_dns_descriptor()
Stefan Metzmacher [Wed, 23 Jan 2013 14:55:31 +0000 (15:55 +0100)]
provision: add get_dns_{forest,domain}_microsoft_dns_descriptor()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ebb73f1c5d577c1d32c5c0519dcf3fb25c578c45)

11 years agoprovision: add get_config_ntds_quotas_descriptor()
Stefan Metzmacher [Wed, 23 Jan 2013 14:39:07 +0000 (15:39 +0100)]
provision: add get_config_ntds_quotas_descriptor()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d00fb6aff2f54b470304d3d77a53328bcbb16851)

11 years agoprovision: add get_{config,domain}_delete_protected*_descriptor()
Stefan Metzmacher [Wed, 23 Jan 2013 09:51:10 +0000 (10:51 +0100)]
provision: add get_{config,domain}_delete_protected*_descriptor()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1207cbd123375f0ff1bfc51403af5d611a621091)

11 years agoschema.py: add optional name_map={} to get_schema_descriptor()
Stefan Metzmacher [Wed, 23 Jan 2013 14:53:00 +0000 (15:53 +0100)]
schema.py: add optional name_map={} to get_schema_descriptor()

This is not used, but makes the prototype compatible with the
other get_*_descriptor() functions.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8880c2d0d356e7208ca859e17caf208952af0e17)

11 years agoprovision: add optional name_map={} argument to get_*_descriptor()
Stefan Metzmacher [Wed, 23 Jan 2013 14:51:37 +0000 (15:51 +0100)]
provision: add optional name_map={} argument to get_*_descriptor()

This will allow substituting non-well-known names in the SDDL,
e.g. 'DnsAdmins'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 27a99c6236ab270a592b4e3242f92f8923a3d7e4)

11 years agoprovision: import/export get_dns_partition_descriptor()
Stefan Metzmacher [Wed, 23 Jan 2013 08:05:36 +0000 (09:05 +0100)]
provision: import/export get_dns_partition_descriptor()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d4653e99b8be35b6d86605a1c4c624d5db2294b1)

11 years agoprovision: setup names.dns{forest,domain}dn
Stefan Metzmacher [Wed, 23 Jan 2013 07:56:00 +0000 (08:56 +0100)]
provision: setup names.dns{forest,domain}dn

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b54b58e75d3c1a3080e81c61156b75ef1d241b71)

11 years agosamba_upgradeprovision: fix resetting of 'nTSecurityDescriptor' on schema objects
Stefan Metzmacher [Wed, 23 Jan 2013 14:24:11 +0000 (15:24 +0100)]
samba_upgradeprovision: fix resetting of 'nTSecurityDescriptor' on schema objects

Without this schema_data_modify() will reject updates to schema objects
by default.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f51248339ae7ba9843e477493a69b0c4f647935a)

11 years agosamba_upgradeprovision: don't reset 'whenCreated' when resetting 'nTSecurityDescriptor'
Stefan Metzmacher [Wed, 23 Jan 2013 14:23:13 +0000 (15:23 +0100)]
samba_upgradeprovision: don't reset 'whenCreated' when resetting 'nTSecurityDescriptor'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b5cafa3b84e6cca5ca83fbcc0963def7d0c286d5)

11 years agodbchecker: fix nTSecurityDescriptor values from before 4.0.0rc6 (bug #9481)
Stefan Metzmacher [Sat, 19 Jan 2013 08:41:00 +0000 (09:41 +0100)]
dbchecker: fix nTSecurityDescriptor values from before 4.0.0rc6 (bug #9481)

They inherited effective ACE for the wrong object classes.

For SACL ACEs the problem was also present in 4.0.0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ec466aa35656764c8a8af724cda692f2302a0c04)

11 years agodsdb-descriptor: get_default_group() should always return the DAG sid (bug #9481)
Stefan Metzmacher [Thu, 24 Jan 2013 21:59:26 +0000 (22:59 +0100)]
dsdb-descriptor: get_default_group() should always return the DAG sid (bug #9481)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 38655a89cf902d0ea6657415e2f546c7622e279d)

11 years agotests/sec_descriptor: the default owner behavior depends on domainControllerFunctiona...
Stefan Metzmacher [Thu, 24 Jan 2013 12:07:32 +0000 (13:07 +0100)]
tests/sec_descriptor: the default owner behavior depends on domainControllerFunctionality (bug #9481)

Not on the domainFunctionality.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cd5cb843b4d698ed2fedf635a020ff978ae40558)

11 years agolibcli/security: calculate INHERIT_ONLY correctly for AUDIT and ALARM aces (bug #9481)
Stefan Metzmacher [Tue, 22 Jan 2013 14:38:07 +0000 (15:38 +0100)]
libcli/security: calculate INHERIT_ONLY correctly for AUDIT and ALARM aces (bug #9481)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2413962d53c7923a453fc7579b24b90bc23173df)

11 years agos4-resolve: Fix parsing of IPv6/AAAA in dns_lookup (bug #9555)
Arvid Requate [Fri, 11 Jan 2013 13:17:06 +0000 (14:17 +0100)]
s4-resolve: Fix parsing of IPv6/AAAA in dns_lookup (bug #9555)

Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit bdc172aca541046fd03b2b0cd69e054fe03d3a89)