Joseph Sutton [Tue, 14 Jun 2022 09:09:53 +0000 (21:09 +1200)]
CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Jule Anger [Mon, 4 Apr 2022 12:41:26 +0000 (14:41 +0200)]
VERSION: Bump version up to Samba 4.14.14...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 4 Apr 2022 12:40:24 +0000 (14:40 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.14.13 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 4 Apr 2022 12:39:56 +0000 (14:39 +0200)]
WHATSNEW: Add release notes for Samba 4.14.13.
Signed-off-by: Jule Anger <janger@samba.org>
Andreas Schneider [Mon, 14 Feb 2022 06:59:52 +0000 (07:59 +0100)]
builtools: Make abi_gen.sh less prone to errors
The mold linker has more hidden symbols and we would need to filter them out
with nm, where objdump tells us which symbols are actually hidden. So we just
need to filter out whatever is hidden.
The use of awk makes it also easier to get what we want.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
2b9917d7a3cb88cf48517e4a93a94fa3ca6ff3d9)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Mar 30 08:25:14 UTC 2022 on sn-devel-184
Stefan Metzmacher [Wed, 16 Feb 2022 13:11:10 +0000 (14:11 +0100)]
s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos
Even if the msDS-KeyVersionNumber of the main krbtgt
account if larger than 65535, we need to have
the 16 upper bits all zero in order to avoid
mixing the keys with an RODC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14951
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit
ab0946a75d51b8f4826d98c61c3ad503615009fe)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Tue Mar 29 10:32:05 UTC 2022 on sn-devel-184
Andrew Bartlett [Thu, 17 Mar 2022 05:47:48 +0000 (18:47 +1300)]
WHATSNEW: Mention our matrix room as well
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Thomas Debesse [Tue, 15 Feb 2022 13:11:45 +0000 (14:11 +0100)]
WHATSNEW: IRC is irc.libera.chat according to https://samba.org/samba/irc.html
Signed-off-by: Thomas Debesse <dev@illwieckz.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 18 Feb 2022 16:17:02 +0000 (17:17 +0100)]
s4:kdc: redirect pre-authentication failured to an RWDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(similar to commit
0f5d7ff1a9fd14fd412b09883d413d1d660fa7be)
Autobuild-User(v4-14-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-14-test): Fri Mar 18 11:55:11 UTC 2022 on sn-devel-184
Stefan Metzmacher [Fri, 18 Feb 2022 16:17:02 +0000 (17:17 +0100)]
HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE
On an RODC we need to redirect failing preauthentication to an RWDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(similar to commit heimdal commit
df655cecd12712e7f7df5128b123eee0066a8216)
Elia Geretto [Fri, 11 Mar 2022 18:32:30 +0000 (19:32 +0100)]
s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()
In SMBC_server_internal(), when authentication fails, the errno value is
currently hard-coded to EPERM, while it should be EACCES instead. Use the
NT_STATUS map to set the appropriate value.
This bug was found because it breaks listing printers protected by
authentication in GNOME Control Panel.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14983
Signed-off-by: Elia Geretto <elia.f.geretto@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 16 19:44:18 UTC 2022 on sn-devel-184
(cherry picked from commit
70b9977a46e5242174b4461a7f49d5f640c1db62)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Thu Mar 17 09:45:53 UTC 2022 on sn-devel-184
Stefan Metzmacher [Thu, 3 Mar 2022 10:10:00 +0000 (11:10 +0100)]
s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names
authenticate_ldap_simple_bind*() needs to pass the
result of the cracknames operation into the auth stack
as user_info->client.{account,domain}_name, because
user_info->client.{account,domain}_name is also used
when forwarding the request via netrLogonSamLogon*
to a remote server, for exactly that the values are
also used in order to map a AUTH_PASSWORD_PLAIN into
AUTH_PASSWORD_RESPONSE, where the NTLMv2 response
contains the account and domain names passed in the
netr_IdentityInfo value.
Otherwise it would not be possible to forward the
LDAP simple bind authentication request to a remote
DC.
Currently this only applies to an RODC that forwards
the request to an RWDC.
But note that LDAP simple binds (as on Windows) only
work for users in the DCs forest, as the DsCrackNames
need to work and it can't work for users of remote
forests. I tested that in a DC of a forest root domain,
if rejected the LDAP simple bind against a different forest,
but allowed it for a users of a child domain in the
same forest. The NTLMSSP bind worked in both cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184
(cherry picked from commit
40f2070d3b2b1b13cc08f7844bfe4945e9f0cd86)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Mar 16 15:37:02 UTC 2022 on sn-devel-184
Stefan Metzmacher [Thu, 3 Mar 2022 10:10:00 +0000 (11:10 +0100)]
auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available
The optional user_info->orig_client.{account,domain}_name are
the once really used by the client and should be used in
audit logging. But we still fallback to
user_info->client.{account,domain}_name.
This will be important for the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
24b580cae23860a0fe6c9d3a285d60564057043d)
Stefan Metzmacher [Thu, 3 Mar 2022 10:10:00 +0000 (11:10 +0100)]
s4:auth: rename user_info->mapped_state to user_info->cracknames_called
This makes it much clearer what it is used for and
it is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in
authsam_check_password_internals().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
427125d182252d8aee3dd906ee34a909cdbb8ef3)
Stefan Metzmacher [Thu, 3 Mar 2022 22:23:21 +0000 (23:23 +0100)]
winbindd: don't set mapped_state in winbindd_dual_auth_passdb()
mapped_state is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in authsam_check_password_internals()
This doesn't apply here. We should also handle wbinfo -a
authentication UPN names, e.g. administrator@DOMAIN,
even if the account belongs to the local sam.
With this change the behavior is consistent also locally on DCs and
also an RODC can handle these requests locally for cached accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8dfdbe095a4c8a7bedd29341656a7c3164517713)
Stefan Metzmacher [Mon, 7 Mar 2022 19:57:52 +0000 (20:57 +0100)]
nsswitch: let test_wbinfo.sh also test wbinfo -a $USERNAME@$DOMAIN
When winbindd forwards wbinfo -a via netrLogonSamLogon* to a remote
DC work fine for upn names, e.g. administrator@DOMAIN.
But it currently fails locally on a DC against the local sam.
For the RODC only work because it forwards the request to
an RWDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e1d2c59d360fb4e72dafe788b5d9dbb0572bf811)
Stefan Metzmacher [Thu, 3 Mar 2022 22:24:25 +0000 (23:24 +0100)]
s3:auth: make_user_info_map() should not set mapped_state
mapped_state is only evaluated in authsam_check_password_internals()
of auth_sam.c in source4, so setting it in the auth3 code
doesn't make any difference. I've proved that with
an SMB_ASSERT() and a full pipeline not triggering it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c56cb12f347b7582290ce1d4dfe3959d69050bd9)
Stefan Metzmacher [Mon, 7 Mar 2022 20:16:51 +0000 (21:16 +0100)]
s4:auth: fix confusing DEBUG message in authsam_want_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a12683bd1206df4d4d87a3842d92e34a69e172b7)
Stefan Metzmacher [Thu, 3 Mar 2022 22:14:10 +0000 (23:14 +0100)]
s4:auth: check for user_info->mapped.account_name if it needs to be filled
mapped_state is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in authsam_check_password_internals().
But that code will be changed in the next commits, so we can simplify
the logic and only check for user_info->mapped.account_name being NULL.
As it's the important factor that user_info->mapped.account_name is
non-NULL down in the auth stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c7b8c71b2b71bb9d95c33d403c4204376f443852)
Stefan Metzmacher [Thu, 3 Mar 2022 22:16:13 +0000 (23:16 +0100)]
s4:rpc_server/samr: don't set mapped_state in auth_usersupplied_info for audit logging
mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
52787b9c1e9370133ff4481c62c2e7b9393c2439)
Stefan Metzmacher [Thu, 3 Mar 2022 22:16:13 +0000 (23:16 +0100)]
s4:kdc: don't set mapped_state in auth_usersupplied_info for audit logging
mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ca6948642bc2ff821ec4ca8ab24902b1ba9e8397)
Stefan Metzmacher [Thu, 3 Mar 2022 22:16:13 +0000 (23:16 +0100)]
s4:dsdb: don't set mapped_state in auth_usersupplied_info for audit logging
mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
99efe5f4e9ce426b28cef94d858849707ce15739)
Stefan Metzmacher [Thu, 3 Mar 2022 22:16:13 +0000 (23:16 +0100)]
s4:smb_server: don't set mapped_state explicitly in auth_usersupplied_info
We already use talloc_zero() and mapped_state will be removed in the
next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
859c7817350553259eb09c889bc40afebb60064a)
Stefan Metzmacher [Thu, 3 Mar 2022 22:15:31 +0000 (23:15 +0100)]
auth/ntlmssp: don't set mapped_state explicitly in auth_usersupplied_info
We already use talloc_zero() and mapped_state will be removed in the
next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
9a4ac8ab2e2c8ee48f6bf5a6ecf7988c435ba1c6)
Stefan Metzmacher [Thu, 3 Mar 2022 22:14:38 +0000 (23:14 +0100)]
s4:auth: encrypt_user_info() should set password_state instead of mapped_state
user_info->mapped_state has nothing to do with enum auth_password_state,
user_info->password_state is the one that holds the auth_password_state value.
Luckily user_info->password_state was never referenced in the
encrypt_user_info() callers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a6fb598d9dcbfe21ef285b5f30fabcb88a259c93)
Stefan Metzmacher [Wed, 2 Mar 2022 13:32:41 +0000 (14:32 +0100)]
s4:auth: a simple bind uses the DCs name as workstation
I've seen that in LogonSamLogonEx request triggered
by a simple bind with a user of a trusted domain
within the same forest. Note simple binds don't
work with users for another forest/external domain,
as the DsCrackNames call on the bind_dn fails.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14641
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
31db704882bbcd569c2abb764ac1d3691ee0a267)
Stefan Metzmacher [Fri, 4 Mar 2022 10:41:20 +0000 (11:41 +0100)]
s3:rpc_client: let rpccli_netlogon_network_logon() fallback to workstation = lp_netbios_name()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14641
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
5c04c01354944fc3a64bb109bf3e9bf89086cc6f)
Garming Sam [Mon, 1 Apr 2019 02:46:48 +0000 (15:46 +1300)]
rodc: Add tests for simple BIND alongside NTLMSSP binds
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
62fb6c1dc8527db6cf0f08d4d06e8813707f767a)
Stefan Metzmacher [Fri, 4 Mar 2022 18:09:41 +0000 (19:09 +0100)]
s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as inducation for an interactive logon
Using != AUTH_PASSWORD_RESPONSE is not the correct indication
due to the local mappings from AUTH_PASSWORD_PLAIN via
AUTH_PASSWORD_HASH to AUTH_PASSWORD_RESPONSE.
It means an LDAP simble bind will now honour
'old password allowed period'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
2ad44686229ba02f98de5769c26a3dfeaf5ada2b)
Stefan Metzmacher [Tue, 8 Mar 2022 14:14:09 +0000 (15:14 +0100)]
s3:auth: let make_user_info_netlogon_interactive() set USER_INFO_INTERACTIVE_LOGON
This is not really relevant for now, as USER_INFO_INTERACTIVE_LOGON is
not evaluated in the source3/auth stack. But better add it to
be consistent.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
012bd9f5b780f7a90cf3bd918f044ea67fae7017)
Stefan Metzmacher [Fri, 4 Mar 2022 20:53:06 +0000 (21:53 +0100)]
dsdb/tests: add test_login_basics_simple()
This demonstrates that 'old password allowed period' also
applies to LDAP simple binds and not only to GSS-SPNEGO/NTLMSSP binds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
3625d1381592f7af8ec14715c6c2dfa4d9f02676)
Stefan Metzmacher [Fri, 4 Mar 2022 20:53:06 +0000 (21:53 +0100)]
dsdb/tests: prepare BasePasswordTestCase for simple bind tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
0b1fbc9d56e2a25e3f1527ee5bc54880bdc65fc6)
Stefan Metzmacher [Fri, 4 Mar 2022 22:35:26 +0000 (23:35 +0100)]
dsdb/tests: introduce assertLoginSuccess
This makes it possible to catch failures with knownfail entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
751ce671a4af32bc1c56433a5a1c8161377856c5)
Stefan Metzmacher [Fri, 4 Mar 2022 22:35:26 +0000 (23:35 +0100)]
dsdb/tests: make use of assertLoginFailure helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
03ba5af3d9eaeb5f0c7c1a1a61ef2ac454eb8392)
Stefan Metzmacher [Fri, 4 Mar 2022 23:09:17 +0000 (00:09 +0100)]
dsdb/tests: let all BasePasswordTestCase tests provide self.host_url[_ldaps]
This will make further changes easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
5a3214c99048a88b0a9f509e3b5b38326529b02c)
Stefan Metzmacher [Sat, 5 Mar 2022 00:36:50 +0000 (01:36 +0100)]
dsdb/tests: passwords.py don't need to import BasePasswordTestCase
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
90754591a7e4d5a3af70c01425930f4ec063c516)
Stefan Metzmacher [Fri, 4 Mar 2022 20:50:15 +0000 (21:50 +0100)]
python:tests: let insta_creds() also copy the bind_dn from the template
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a30a7626254c863f95b98c97ea46ff54b98078ad)
Jeremy Allison [Thu, 17 Feb 2022 19:12:39 +0000 (11:12 -0800)]
s3: smbd: Fix our leases code to return the correct error in the non-dynamic share case.
We now return INVALID_PARAMETER when trying to open a
different file with a duplicate lease key on the same
(non-dynamic) share. This will enable us to pass another
Windows test suite leases test.
We now behave the same as Windows10.
Remove knownfail.d/smb2-lease-duplicateopen
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 18 20:12:12 UTC 2022 on sn-devel-184
(cherry picked from commit
408be54323861c24b6377b804be4428cf45b471e)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Mon Mar 7 14:14:53 UTC 2022 on sn-devel-184
Jeremy Allison [Thu, 17 Feb 2022 18:58:32 +0000 (10:58 -0800)]
s4: torture: Add new SMB2 lease test test_lease_duplicate_open().
Checks we return INVALID_PARAMETER when trying to open a
different file with a duplicate lease key on the same share.
Checked against Windows10. Currently fails against smbd
so add knownfail.d/smb2-lease-duplicateopen
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
(cherry picked from commit
ca3896b6f8bbcad68f042720feceedfa29ddbd83)
Jeremy Allison [Thu, 17 Feb 2022 17:58:27 +0000 (09:58 -0800)]
s4: torture: Add new SMB2 lease test test_lease_duplicate_create().
Checks we return INVALID_PARAMETER when trying to create a
new file with a duplicate lease key on the same share.
Checked against Windows10. Samba already passes this
but we didn't have a test before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
(cherry picked from commit
bf22548d11fe67ea3f4ec10dff81773d626e4703)
Stefan Metzmacher [Mon, 21 Feb 2022 14:28:53 +0000 (15:28 +0100)]
s3:trusts_utils: use a password length of 120 for machine accounts
This is important when we change the machine password against
an RODC that proxies the request to an RWDC.
An RODC using NetrServerPasswordSet2() to proxy PasswordUpdateForward via
NetrLogonSendToSam() ignores a return of NT_STATUS_INVALID_PARAMETER
and reports NT_STATUS_OK as result of NetrServerPasswordSet2().
This hopefully found the last hole in our very robust machine account
password handling logic inside of trust_pw_change().
The lesson is: try to be as identical to how windows works as possible,
everything else may use is untested code paths on Windows.
A similar problem was fixed by this commit:
commit
609ca657652862fd9c81fd11f818efb74f72ff55
Author: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed Feb 24 02:03:25 2021 +1300
provision: Decrease the length of random machine passwords
The current length of 128-255 UTF-16 characters currently causes
generation of crypt() passwords to typically fail. This commit
decreases the length to 120 UTF-16 characters, which is the same as
that used by Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 23 08:49:54 UTC 2022 on sn-devel-184
(cherry picked from commit
5e2386336c49fab46c1192db972af5da1e916b32)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Mon Mar 7 11:30:22 UTC 2022 on sn-devel-184
Stefan Metzmacher [Mon, 21 Feb 2022 14:23:54 +0000 (15:23 +0100)]
upgradehelpers.py: add a comment to update_krbtgt_account_password()
The backend generates its own random krbtgt password values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
ad0b5561b492dfa28acfc9604b2358bb8b490703)
Stefan Metzmacher [Mon, 21 Feb 2022 14:22:50 +0000 (15:22 +0100)]
provision: add a comment that the value of krbtgtpass is ignored in the backend
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
725c94d57d3d656bc94633dacbac683a4c11d3e6)
Stefan Metzmacher [Mon, 21 Feb 2022 14:22:06 +0000 (15:22 +0100)]
upgradehelpers.py: let update_machine_account_password() use 120 character passwords
We already changed provision to use 120 character passwords with commit
609ca657652862fd9c81fd11f818efb74f72ff55.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
6bb7c0f24918329804b7f4fb71908e8fab99e266)
Stefan Metzmacher [Mon, 21 Feb 2022 14:08:34 +0000 (15:08 +0100)]
provision: use 120 characters for the dns account password
We should use the same as for the computer account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
3b91be36581de1007427d539daffdaa62752412d)
Joseph Sutton [Tue, 23 Feb 2021 13:03:25 +0000 (02:03 +1300)]
provision: Decrease the length of random machine passwords
The current length of 128-255 UTF-16 characters currently causes
generation of crypt() passwords to typically fail. This commit
decreases the length to 120 UTF-16 characters, which is the same as
that used by Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit
609ca657652862fd9c81fd11f818efb74f72ff55)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Douglas Bagnall [Thu, 23 Dec 2021 01:37:29 +0000 (14:37 +1300)]
s4/auth/simple_bind: correctly report TLS state
It went wrong in
366f8cf0903e3583fda42696df62a5337f22131f
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 26 12:39:52 UTC 2022 on sn-devel-184
(cherry picked from commit
309f1982263677045d407463eb19a2444c165a63)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14996
Douglas Bagnall [Wed, 26 Jan 2022 02:53:45 +0000 (15:53 +1300)]
pytest:auth_log: expect TLS connections when using ldaps
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
f37682747898591b37405f9e96a8135c15638637)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14996
Stefan Metzmacher [Fri, 25 Feb 2022 06:40:17 +0000 (07:40 +0100)]
s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
This is most likely not a problem for the current callers,
but that it is unexpected and will likely cause problems with future
changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
f6fe86924c2ca756083d3628d5dbace0b12d06b0)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Mar 2 11:13:02 UTC 2022 on sn-devel-184
Björn Jacke [Wed, 26 Dec 2018 00:03:29 +0000 (01:03 +0100)]
waf: re-add missing readlink test
this was another portability regression that came with the moving to waf
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13631
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 18 23:12:51 UTC 2022 on sn-devel-184
(cherry picked from commit
45cb14ac80889ac913f7f76dbfaebcb4d5ee14fd)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Sun Feb 27 17:48:46 UTC 2022 on sn-devel-184
Björn Jacke [Wed, 26 Dec 2018 00:01:14 +0000 (01:01 +0100)]
readlink test: inverse return code
We need to return 0 in case readlink is *broken* here - this is because our waf
CHECK_CODE function does only allow generating defines in case the test succeeds
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13631
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
e225ab70db0cc01454d319eaca5265d7e33f396c)
Pavel Filipenský [Mon, 7 Feb 2022 22:06:10 +0000 (23:06 +0100)]
s3:modules: Fix virusfilter_vfs_openat
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184
(cherry picked from commit
3f1c958f6fa9d2991185f4e281a377a295d09f9c)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Fri Feb 25 11:36:06 UTC 2022 on sn-devel-184
Pavel Filipenský [Tue, 8 Feb 2022 14:35:48 +0000 (15:35 +0100)]
s3:selftest: Add test for virus scanner
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544)
Pavel Filipenský [Tue, 8 Feb 2022 14:34:56 +0000 (15:34 +0100)]
selftest: Fix trailing whitespace in Samba3.pm
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
547b4c595a8513a4be99177edbaa39ce43840f7a)
Pavel Filipenský [Tue, 8 Feb 2022 21:35:29 +0000 (22:35 +0100)]
docs-xml:manpages: Document 'dummy' virusfilter and 'virusfilter:infected files'
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
2fd518e5cc63221c162c9b3f8526b9b7c9e34969)
Pavel Filipenský [Tue, 8 Feb 2022 11:07:03 +0000 (12:07 +0100)]
s3:modules: Implement dummy virus scanner that uses filename matching
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
9f34babec7c6aca3d91f226705d3b3996792e5f1)
Samuel Cabrero [Tue, 22 Feb 2022 13:28:44 +0000 (14:28 +0100)]
s3:winbind: Use the canonical principal name to renew the credentials
The principal name stored in the winbindd ccache entry might be an
enterprise principal name if enterprise principals are enabled. Use
the canonical name to renew the credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
8246ccc23d064147412bb3475e6431a9fffc0d27)
Samuel Cabrero [Tue, 22 Feb 2022 12:19:02 +0000 (13:19 +0100)]
s3:winbind: Store canonical principal and realm in ccache entry
They will be used later to refresh the tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)
Samuel Cabrero [Tue, 22 Feb 2022 12:08:56 +0000 (13:08 +0100)]
s3:libads: Return canonical principal and realm from kerberos_return_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
00b1f44a7e8f66976757535bcbc6bea97fb1c29f)
Samuel Cabrero [Tue, 22 Feb 2022 13:28:28 +0000 (14:28 +0100)]
lib:krb5_wrap: Fix wrong debug message and use newer debug macro
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
1b5b4107a5081f15ba215f3025056d509fcfcf2a)
Samuel Cabrero [Tue, 22 Feb 2022 12:00:05 +0000 (13:00 +0100)]
lib:krb5_wrap: Improve debug message and use newer debug macro
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
ed14513be055cc56eb39785323df2c538a813865)
Samuel Cabrero [Tue, 22 Feb 2022 11:59:44 +0000 (12:59 +0100)]
s3:libads: Fix memory leak in kerberos_return_pac() error path
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
3dbcd20de98cd28683a9c248368e5082b6388111)
Stefan Metzmacher [Mon, 31 Jan 2022 19:33:43 +0000 (20:33 +0100)]
libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt() ptext_len bug
The initial implementation of gnutls_aead_cipher_decrypt() had a bug and
used:
*ptext_len = ctext_len;
instead of:
*ptext_len = ctext_len - tag_size;
This got fixed with gnutls 3.5.2.
As we only require gnutls 3.4.7 we need to cope with this...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 2 18:29:08 UTC 2022 on sn-devel-184
(cherry picked from commit
735f3d7dde3daf5d0af2e8a1de60422b88663992)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Mon Feb 14 10:34:10 UTC 2022 on sn-devel-184
Stefan Metzmacher [Mon, 31 Jan 2022 19:33:43 +0000 (20:33 +0100)]
libcli/smb: fix error checking in smb2_signing_decrypt_pdu() invalid ptext_len
When the ptext_size != m_total check fails, we call this:
status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
goto out;
As rc is 0 at that point we'll exit smb2_signing_decrypt_pdu()
with NT_STATUS_OK, but without copying the decrypted data
back into the callers buffer. Which leads to strange errors
in the caller.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
99182af4ab5a3413311e27c2a193e09babceb01c)
Stefan Metzmacher [Tue, 1 Feb 2022 09:52:27 +0000 (10:52 +0100)]
selftest/quick: add smb2.session
We run the quicktest on each linux distro as part of samba-o3 builds.
We should make sure smb2 signing/enctyption works on all of them
and all different system libraries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
68e62962b08497da8359ddbe4324443818c05cd1)
Ralph Boehme [Fri, 28 Jan 2022 16:51:10 +0000 (17:51 +0100)]
s3/libads: ensure a sockaddr variable is correctly zero initialized
is_zero_addr() doesn't work with addresses that have been zero-initialized.
This fixes the logic added in
c863cc2ba34025731a18ac735f714b5b888504da.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14674
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2354
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 8 20:24:12 UTC 2022 on sn-devel-184
(cherry picked from commit
3ee690455eb963dedc7955b79316481387d4ac8c)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Feb 9 11:42:37 UTC 2022 on sn-devel-184
Ralph Boehme [Mon, 31 Jan 2022 11:54:12 +0000 (12:54 +0100)]
s3/libads: simplify storing existing ads->ldap.ss
We just need temporal storage for ads->ldap.ss, no need to store it as a struct
samba_sockaddr.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14674
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2354
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
c266ed40aeb1b1f59a1811cd4511e32e44a4a719)
Jeremy Allison [Thu, 3 Feb 2022 23:59:51 +0000 (15:59 -0800)]
s3: libsmb: Call cli_dfs_target_check() from cli_smb2_rename_send().
Strips off any DFS prefix from the target if passed in.
Remove knownfail selftest/knownfail.d/msdfs-rename.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Feb 4 12:02:36 UTC 2022 on sn-devel-184
(cherry picked from commit
b9b82f3611c56e837e9189f5275ae9a78e647262)
Jeremy Allison [Thu, 3 Feb 2022 23:56:51 +0000 (15:56 -0800)]
s3: libsmb: Call cli_dfs_target_check() from cli_cifs_rename_send().
Strips off any DFS prefix from the target if passed in.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
4473aea926fe4ddd23a6e0913009bb1a0a1eaa90)
Jeremy Allison [Thu, 3 Feb 2022 23:54:55 +0000 (15:54 -0800)]
s3: libsmb: Call cli_dfs_target_check() from cli_smb1_rename_send().
Strips off any DFS prefix from the target if passed in.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
dd0317f6ecb572a80893405daa83e079dbcdf113)
Jeremy Allison [Thu, 3 Feb 2022 22:54:26 +0000 (14:54 -0800)]
s3: libsmb: Call cli_dfs_target_check() from cli_ntrename_internal_send().
Currently we don't pass MSDFS names as targets here, but a caller
may erroneously do this later, and for non-DFS names this is a no-op.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
cf3e5724422d8becd045542be196dfea6ac9ec2b)
Jeremy Allison [Thu, 3 Feb 2022 22:51:13 +0000 (14:51 -0800)]
s3: libsmb: Call cli_dfs_target_check() from cli_smb2_hardlink_send().
Currently we don't pass MSDFS names as targets here, but a caller
may erroneously do this later, and for non-DFS names this is a no-op.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
4bdbe3c2fc0c35635474ae526896b28f55142aca)
Jeremy Allison [Thu, 3 Feb 2022 19:15:30 +0000 (11:15 -0800)]
s3: libsmb: Add cli_dfs_target_check() function.
Strips any DFS prefix from a target name that will be passed
to an SMB1/2/3 rename or hardlink call. Returns a pointer
into the original target name after the prefix. Not yet used.
If the incoming filename is *NOT* a DFS prefix, the
original filename is returned unchanged.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
2abba0ea109d7a3a0b0cb4a7030293f70c2d9d8a)
Jeremy Allison [Thu, 3 Feb 2022 22:21:26 +0000 (14:21 -0800)]
s3: tests: Add a new test test_msdfs_rename() that does simple renames on MSDFS root shares.
We fail this on SMB2 for a subtle reason.
Our client code called from smbclient only sets the SMB2_HDR_FLAG_DFS flag
in the outgoing packet on the SMB2_CREATE call, and SMB2 rename does the
following operations:
SMB2_CREATE(src_path) // We set SMB2_HDR_FLAG_DFS here for a MSDFS share.
SMB2_SETINFO: SMB2_FILE_RENAME_INFO(dst_path). // We don't set SMB2_HDR_FLAG_DFS
However, from smbclient, dst_path is a MSDFS path but we don't set the flag,
so even though the rename code inside smbd will cope with a MSDFS path
(as used in the SMB1 SMBmv call) it fails as the correct flag isn't set.
Add knownfail selftest/knownfail.d/msdfs-rename.
Note we need to add the new test to "selftest/knownfail.d/smb1-tests"
as test_smbclient_s3.sh is run against the (ad_member|nt4_member)
environments first using NT1 (SMB1) protocol and then using SMB3,
but the (ad_member|nt4_member) environments don't support SMB1.
Seems a bit strange to me, but all the other SMB1 tests inside
test_smbclient_s3.sh have already been added to "selftest/knownfail.d/smb1-tests"
so just go with the test environment.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
44cc9fb0e01b3635804f41e03f9b20afc3bfe36c)
Jeremy Allison [Thu, 3 Feb 2022 21:58:28 +0000 (13:58 -0800)]
s3: tests: Add a new test test_msdfs_hardlink() that does simple hardlinks on MSDFS root shares.
We pass this already as the cmd_hardlink in smbclient doesn't
do the DFS path conversion on the hardlink target. But it's
good to have the test.
Note we need to add the new test to "selftest/knownfail.d/smb1-tests"
as test_smbclient_s3.sh is run against the (ad_member|nt4_member)
environments first using NT1 (SMB1) protocol and then using SMB3,
but the (ad_member|nt4_member) environments don't support SMB1.
Seems a bit strange to me, but all the other SMB1 tests inside
test_smbclient_s3.sh have already been added to "selftest/knownfail.d/smb1-tests"
so just go with the test environment.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
d7deb876053ef45313026b4dea9ee1b376153611)
Jeremy Allison [Wed, 2 Feb 2022 18:52:09 +0000 (10:52 -0800)]
lib: libsmbclient: Ensure cli_rename() always sets cli->raw_status.
Identical change as used in cli_unlink(), cli_mkdir(), cli_rmdir()
cli_chkpath() to ensure SMB2 calls correctly set raw_status for
libsmbclient uses.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14938
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 2 21:50:31 UTC 2022 on sn-devel-184
(cherry picked from commit
ca60f6350d566b7ecc822bcbb44fb65a1d150bbe)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Sun Feb 6 12:39:25 UTC 2022 on sn-devel-184
Jeremy Allison [Wed, 2 Feb 2022 18:49:17 +0000 (10:49 -0800)]
s4: test: Add samba4.libsmbclient.rename test. Currently fails for SMB3.
Add knownfail.d/libsmbclient_rename
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14938
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0ecc58858360bcc0181a02e52ada3e8327f97c5b)
Jule Anger [Mon, 31 Jan 2022 13:40:13 +0000 (14:40 +0100)]
VERSION: Bump version up to Samba 4.14.13...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Jule Anger [Mon, 31 Jan 2022 13:38:48 +0000 (14:38 +0100)]
Merge tag 'samba-4.14.12' into v4-14-test
samba: tag release samba-4.14.12
Jule Anger [Sun, 30 Jan 2022 14:35:12 +0000 (15:35 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.14.12 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Sun, 30 Jan 2022 14:31:44 +0000 (15:31 +0100)]
WHATSNEW: Add release notes for Samba 4.14.12.
Signed-off-by: Jule Anger <janger@samba.org>
Ralph Boehme [Thu, 13 Jan 2022 16:03:02 +0000 (17:03 +0100)]
CVE-2021-44142: libadouble: harden parsing code
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 25 Nov 2021 14:04:03 +0000 (15:04 +0100)]
CVE-2021-44142: libadouble: add basic cmocka tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
[slow@samba.org: conflict due to missing test in selftest/tests.py]
Ralph Boehme [Fri, 26 Nov 2021 06:19:32 +0000 (07:19 +0100)]
CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
which is used for parsing ._ AppleDouble sidecar files, and the buffer
ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
buffer out-of-bounds access checks in ad_unpack_xattrs().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sat, 20 Nov 2021 15:36:42 +0000 (16:36 +0100)]
CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs
This is an internal xattr that should not be user visible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
[slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c]
Ralph Boehme [Thu, 13 Jan 2022 15:48:01 +0000 (16:48 +0100)]
CVE-2021-44142: libadouble: add defines for icon lengths
From https://www.ietf.org/rfc/rfc1740.txt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Joseph Sutton [Mon, 17 Jan 2022 23:02:45 +0000 (12:02 +1300)]
CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object
If an added SPN already exists on an object, we still want to check the
rest of the element values for conflicts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Joseph Sutton [Mon, 17 Jan 2022 22:56:38 +0000 (11:56 +1300)]
CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN
This test currently fails, as re-adding an SPN means that later checks
do not run.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Stefan Metzmacher [Fri, 21 Jan 2022 19:42:45 +0000 (20:42 +0100)]
blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test
This actually reveals that ndr_push_string() for TargetName="" was
failing before because it resulted in 1 byte for a subcontext with
TargetLen=0.
This is fixed now and we no longer expect ndrdump to exit with 1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 24 16:18:34 UTC 2022 on sn-devel-184
(cherry picked from commit
12464bd4c222d996aac6d6250b7945d63f20f4bc)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Sun Jan 30 10:21:21 UTC 2022 on sn-devel-184
Stefan Metzmacher [Wed, 3 Nov 2021 12:57:50 +0000 (13:57 +0100)]
librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0
convert_string_talloc_handle() tries to play an the safe side
and always returns a null terminated array.
But for NDR we need to be correct on the wire...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
43648e95a514020da4c7efa62df55d0882e3db85)
Stefan Metzmacher [Fri, 21 Jan 2022 00:09:23 +0000 (01:09 +0100)]
s4:torture/ndr: demonstrate the ndr_push_string(STR_NOTERM|REMAINING) of "" is wrong
convert_string_talloc() never returns a string with len=0 and always
implies zero termination byte(s).
For ndr_push_string this is unexpected as we need to be compatible on
the wire and push 0 bytes for an empty string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
8da26cb6725b5d853ab481a348a3a672966715b5)
Stefan Metzmacher [Fri, 21 Jan 2022 19:28:59 +0000 (20:28 +0100)]
blackbox.ndrdump: adjust example files to the usage of dump_data_diff output.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
1dc385cb648f0c37b04f4ede6b1c96916e379b23)
Stefan Metzmacher [Wed, 3 Nov 2021 12:32:48 +0000 (13:32 +0100)]
ndrdump: make use of dump_data_file_diff() in order to show differences
This makes it much easier to detect differences in the given and
generated buffers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
d1a7f392a8ceef111a5d6c3d2a3bdb9dcb90db5e)
Stefan Metzmacher [Wed, 3 Nov 2021 10:40:13 +0000 (11:40 +0100)]
lib/util: add dump_data_diff*() helpers
That will make it easy to see the difference
between two memory buffers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
b489b7feda19b3c0f0fe2300f2c76d416776355b)
Stefan Metzmacher [Fri, 21 Jan 2022 19:06:40 +0000 (20:06 +0100)]
blackbox.ndrdump: adjust example files to changed dump_data() output.
The cleanup using dump_data_block16() fixed the space handling.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
9110a8854a518befa2908c26076e17a085c5ec48)
Stefan Metzmacher [Wed, 3 Nov 2021 10:05:52 +0000 (11:05 +0100)]
lib/util: split out a dump_data_block16() helper
This simplifies the logic a lot for me.
It also fixes some corner cases regarding whitespaces in the
output, that's why we have to mark a few tests as knownfail,
they will be fixed in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
58b09e107cadd7fb8191822d4e7e42657b1ed4c7)
Stefan Metzmacher [Sat, 22 Jan 2022 00:08:26 +0000 (01:08 +0100)]
dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
This is important for the source3/rpc_server code as it might
be called embedded in smbd and may not run as root with access
to our private tdb/ldb files.
Note this is only really needed for 4.15 and older, as
we no longer run the rpc_server embedded in smbd,
but we better be consistent for now.
This should be able to fix the problem the printing no longer works
on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
Windows uses NTLMSSP with privacy at the DCERPC layer on top
of NCACN_NP (smb).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(similar to commit
0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
Stefan Metzmacher [Wed, 19 Jan 2022 14:57:08 +0000 (15:57 +0100)]
s4:dsdb/vlv_pagination: fix segfault in vlv_results()
It can happen that the vlv_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 20 10:04:39 UTC 2022 on sn-devel-184
(cherry picked from commit
7d16a56b9d1cde8a5174381ef4924a2ea7be59bc)
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Jan 26 11:02:44 UTC 2022 on sn-devel-184
Stefan Metzmacher [Wed, 19 Jan 2022 14:57:08 +0000 (15:57 +0100)]
s4:dsdb/paged_results: fix segfault in paged_results()
It can happen that the paged_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.
We also should not call ldb_module_done() if paged_results()
fails, as it was already called.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
19fa22b1fbcf33dbc4defe4dd2e487a642786c49)
Stefan Metzmacher [Tue, 21 Dec 2021 13:00:34 +0000 (14:00 +0100)]
s4:rpc_server/netlogon: let CSDVersion="" wipe operatingSystemServicePack
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14936
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 11 22:03:03 UTC 2022 on sn-devel-184
(cherry picked from commit
1243f52f7ae58de1005c431e20563f2f1902dfce)