Tim Beale [Sun, 3 Feb 2019 23:20:34 +0000 (12:20 +1300)]
ldb: Bump ldb version to 1.4.5
* ldb: Avoid inefficient one-level searches
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13762
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(v4-9-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-9-test): Wed Feb 13 18:26:30 CET 2019 on sn-devel-144
Tim Beale [Sun, 3 Feb 2019 21:49:03 +0000 (10:49 +1300)]
ldb: Avoid inefficient one-level searches
Commit
88ae60ed186c9 introduced a problem that made one-level
searches inefficient if there were a lot of child objects in the same
level, and the requested object didn't exist. Basically, it ignored the
case where ldb_kv_index_dn() returned LDB_ERR_NO_SUCH_OBJECT, i.e. the
indexed lookup was successful, but didn't find a match. At which point,
there was no more processing we needed to do.
The behaviour after
88ae60ed186c9 was to fall-through and run the
ldb_kv_index_filter() function over *all* the children. This still
returned the correct result, but could be costly if there were a lot of
children.
The case
88ae60ed186c9 was trying to fix was where we could not do
an indexed search (e.g. trying to match on a 'attribute=*' filter). In
which case we want to ignore the LDB_ERR_OPERATIONS_ERROR and just run
ldb_kv_index_filter() over all the children. This is still more
efficient than the fallback of doing a full database scan.
This patch adds in a short-circuit for the NO_SUCH_OBJECT case, so we
can skip the unnecessary ldb_kv_index_filter() work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13762
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(Manual merge of commit
9a893f9613bd6440ab in master)
Anoop C S [Wed, 23 Jan 2019 10:10:43 +0000 (15:40 +0530)]
s3-vfs: Use ENOATTR in errno comparison for getxattr
* ENODATA is not defined in FreeBSD
* ENOATTR is defined to be a synonym for ENODATA in Linux
* In its absence Samba already defines ENOATTR to either
ENODATA or ENOENT
Thus it is safe and correct to compare with ENOATTR rather
than ENODATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13774
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 23 21:59:10 CET 2019 on sn-devel-144
(cherry picked from commit
c99402724a65f4e1f8ed4dcd236a43e0603bef0a)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Tue Feb 5 19:13:57 CET 2019 on sn-devel-144
Günther Deschner [Thu, 17 Jan 2019 14:21:07 +0000 (15:21 +0100)]
s3-vfs: add glusterfs_fuse vfs module.
This module only implements the get_real_filename function by accessing
a distinct extended attribute that is available over a glusterfs fuse
mount.
By implementing this vfs function users of a glusterfs fuse mount
achieve a much better performance in create based workloads where samba
then can avoid trying multiple case folding options to detect the real
filename.
Patch is based on an initial patch provided by
Poornima G <pgurusid@redhat.com>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13774
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jan 22 18:37:56 CET 2019 on sn-devel-144
(cherry picked from commit
adffe0dcf002aa4721dc7897261895e3486d5271)
Stefan Metzmacher [Thu, 17 Jan 2019 22:50:45 +0000 (23:50 +0100)]
selftest:Samba4: use 'smbcontrol samba shutdown'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13752
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Baumbach <bbaumbach@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 30 01:51:48 CET 2019 on sn-devel-144
(cherry picked from commit
d03991f569b54ae0a11911b622107fbae701715d)
Stefan Metzmacher [Thu, 17 Jan 2019 15:27:10 +0000 (16:27 +0100)]
s4:server: add support for 'smbcontrol samba shutdown'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13752
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Baumbach <bbaumbach@samba.org>
(cherry picked from commit
832776c0fcf7cc658c128765514755c2d15b06a6)
Stefan Metzmacher [Mon, 28 Jan 2019 15:29:51 +0000 (16:29 +0100)]
s4:server: avoid using pid=0 for the parent 'samba' process
It confuses the 'samba-tool processes' output and log messages.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13752
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Baumbach <bbaumbach@samba.org>
(cherry picked from commit
5bd7a8e5685caa09067745b108ef7e53e3108e97)
Stefan Metzmacher [Tue, 15 Jan 2019 00:39:06 +0000 (01:39 +0100)]
s4:messaging: add support 'smbcontrol <pid> debug/debuglevel'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13752
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Baumbach <bbaumbach@samba.org>
(cherry picked from commit
3a0c1da432c53de234b54bac90a3fb84534994eb)
Stefan Metzmacher [Thu, 17 Jan 2019 15:29:37 +0000 (16:29 +0100)]
manpages/samba.7.xml: smbcontrol can also work with 'samba'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13752
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Baumbach <bbaumbach@samba.org>
(cherry picked from commit
12b9adec3ff48f4356f9ff865891dc3c652ff86b)
Tim Beale [Wed, 16 Jan 2019 02:37:00 +0000 (15:37 +1300)]
join: Throw CommandError instead of Exception for simple errors
Throwing an exception here still dumps out the Python stack trace, which
can be a little disconcerting for users.
In this case, the stack trace isn't going to really help at all (the
problem is pretty obvious), and it obscures the useful message
explaining what went wrong.
Throw a CommandError instead, which samba-tool will catch and display
more nicely.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13747
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Jeremy Allison <rpenny@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 16 22:11:04 CET 2019 on sn-devel-144
(cherry picked from commit
9e4b08f4c384b8cae5ad853a7be7cf03e2749be5)
Tim Beale [Wed, 16 Jan 2019 02:17:38 +0000 (15:17 +1300)]
join: Fix TypeError when handling exception
When we can't resolve a domain name, we were inadvertently throwing a
TypeError whilst trying to output a helpful message. E.g.
ERROR(<class 'TypeError'>): uncaught exception - 'NTSTATUSError' object
does not support indexing
Instead of indexing the object, we want to index the Exception.args so
that we just display the string portion of the exception error.
The same problem is also present for the domain trust commands.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13747
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Jeremy Allison <rpenny@samba.org>
(cherry picked from commit
3bb7808984c163a7bba66fb983411d1281589722)
Anoop C S [Tue, 20 Mar 2018 06:02:20 +0000 (11:32 +0530)]
vfs_glusterfs: Adapt to changes in libgfapi signatures
VFS module for GlusterFS fails to compile due to recent changes done to
some API signatures. Therefore adding missing arguments to those APIs
adapting to new signatures.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13330
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Feb 3 17:00:33 CET 2019 on sn-devel-144
(cherry picked from commit
0e3eda5bab5ae9316a42725aea048fb350020ec7)
Ralph Wuerthner [Tue, 15 Jan 2019 08:55:50 +0000 (09:55 +0100)]
vfs_fileid: fix fsname_norootdir algorithm
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13744
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan 17 01:36:54 CET 2019 on sn-devel-144
(cherry picked from commit
2723d900ef35f4797058675f298f4a4364b29cd3)
Volker Lendecke [Mon, 14 Jan 2019 14:04:59 +0000 (15:04 +0100)]
ctdb: Print locks latency in machinereadable stats
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13742
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 16 05:34:17 CET 2019 on sn-devel-144
(cherry picked from commit
193a0d6f01372604b925d1972591062a0bb2400f)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Fri Feb 1 15:18:15 CET 2019 on sn-devel-144
Ralph Wuerthner [Thu, 10 Jan 2019 13:28:14 +0000 (14:28 +0100)]
vfs_fileid: fix get_connectpath_ino
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13741
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 15 04:13:15 CET 2019 on sn-devel-144
(cherry picked from commit
12398a2d1ddcd326e02e5d8b0749e0e796145165)
Philipp Gesang [Tue, 18 Dec 2018 15:09:19 +0000 (16:09 +0100)]
lib/audit_logging: actually create talloc
Heal damage of
79f494e51e..
That context is being passed around and freed but is never
actually allocated on that stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13737
Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
5c928d7cd1d0ac994fe95892eec235b939ad2ec9)
Tim Beale [Mon, 7 Jan 2019 02:28:12 +0000 (15:28 +1300)]
s3:libsmb: cli_smb2_list() can sometimes fail initially on a connection
cli_smb2_list() appears to be a slightly unique SMB operation in that it
specifies the max transaction size for the response buffer size. The
Python bindings highlighted a problem where if cli_smb2_list() were one
of the first operations performed on the SMBv2 connection, it would fail
due to insufficient credits. Because the response buffer size is
(potentially) so much larger, it requires more credits (128) compared
with other SMB operations.
When talking to a samba DC, the connection credits seem to start off at
1, then increase by 32 for every SMB reply we receive back from the
server. After cli_full_connection(), the connection has 65 credits. The
cli_smb2_create_fnum() in cli_smb2_list() adds another 32 credits, but
this is still less than the 128 that smb2cli_query_directory() requires.
This problem doesn't happen for smbclient because the cli_cm_open() API
it uses ends up sending more messages, and so the connection has more
credits.
This patch changes cli_smb2_list(), so it requests a smaller response
buffer size if it doesn't have enough credits available for the max
transaction size. smb2cli_query_directory() is already in a loop, so it
can span multiple SMB messages if for some reason the transaction size
isn't big enough for the listings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13736
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 10 02:40:16 CET 2019 on sn-devel-144
(cherry picked from commit
fd355dff906f5f4832901bce76544f1a4e50c33d)
Tim Beale [Sun, 6 Jan 2019 23:06:15 +0000 (12:06 +1300)]
libcli: Add error log if insufficient SMB2 credits
Although it's unusual to hit this case, I was seeing it happen while
working on the SMB python bindings. Even with debug level 10, there was
nothing coming out to help pin down the source of the
NT_STATUS_INTERNAL_ERROR.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13736
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
bf229de7926f12e329cdb3201f68f20ae776fe32)
Ralph Boehme [Tue, 20 Mar 2018 14:27:44 +0000 (15:27 +0100)]
s3: libsmb: use smb2cli_conn_max_trans_size() in cli_smb2_list()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13736
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
580ff206431969dc2924d520053b956b7169ca07)
Justin Stephenson [Mon, 14 Jan 2019 15:36:47 +0000 (10:36 -0500)]
s3:libsmb: Honor disable_netbios option in smbsock_connect_send
If disable_netbios is set, return before the tevent timer is triggered
to prevent outgoing netbios connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
c324f84a2fa25e29d2f7879fbcd35ce0e76a78f8)
Justin Stephenson [Mon, 17 Dec 2018 20:17:24 +0000 (15:17 -0500)]
s3:utils:net: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
08867de2efde05e4730b41a335d13f775e44e397)
Justin Stephenson [Mon, 17 Dec 2018 19:57:59 +0000 (14:57 -0500)]
s3:smbpasswd: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
ecbb2f78cec6d9e6f5180c8ba274a1da2152f098)
Justin Stephenson [Mon, 17 Dec 2018 19:40:33 +0000 (14:40 -0500)]
s3:libsmb: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
499f051c9d527a14f9712365f8403a1ee0662c5b)
Justin Stephenson [Thu, 3 Jan 2019 17:07:01 +0000 (12:07 -0500)]
s3:libsmb: Check disable_netbios in socket connect
If the disable_netbios option is set then return NT_STATUS_NOT_SUPPORTED
for a port 139 connection in the low level socket connection code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
78f51a1d3c53248159c1e7643364b62e52457bb9)
Andrew Bartlett [Thu, 13 Dec 2018 00:53:08 +0000 (13:53 +1300)]
audit_logging: Remove debug log header and JSON Authentication: prefix
Feedback from real-world users is that they really want raw JSON
strings in the log.
We can not easily remove the leading " " but the other strings above
and before the JSON are really annoying to strip back off
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13714
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(cherry-picked from
edab1318f9138c0d87de7cc7cfa5da8e29c906f8 and modified
for v4-9 by Gary Lockyer)
Gary Lockyer [Thu, 12 Jul 2018 21:14:09 +0000 (09:14 +1200)]
json: Modify API to use return codes
Modify the auditing JSON API to return a response code, as the consensus
was that the existing error handling was aesthetically displeasing.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
cherry picked from commit
79f494e51eabb5176747fcf3b9f2efad10ec7f97 and
adapted to compile on 4.9 by Gary Lockyer)
Noel Power [Mon, 14 Jan 2019 10:38:10 +0000 (10:38 +0000)]
ldb: Bump ldb version to 1.4.4
Python: Ensure ldb.Dn can doesn't rencoded str with py2 (bug 13616)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13616
Signed-off-by: Noel Power <noel.power@suse.com>
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Mon Jan 21 12:55:04 CET 2019 on sn-devel-144
Noel Power [Mon, 12 Nov 2018 16:06:10 +0000 (16:06 +0000)]
lib/ldb: Use new PYARG_ES format for parseTuple
While 'es' format works great for unicode (in python2) and
str (in python3) The behaviour with str (in python2) is unexpected.
In python2 the str type is (re-encoded) with the specified encoding.
In python2 the 'et' type would be a better match, that ensures 'str'
type is treated like it was with 's' (no reencoding) and unicode is
encoded with the specified encoding. However in python3 'et' allows
byte (or bytearray) params to be accepted (with no reencoding), we
don't want this. This patch adds a new PYARG_STR_UNI format code which
is a hybrid, in python2 it evaluates to 'et' and in python3 'es' and
so gives the desired behaviour for each python version.
Additionally remove the associated known fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13616
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Sun Jan 13 03:53:00 CET 2019 on sn-devel-144
(cherry picked from commit
8900e0b4cb05613df9cbeeb8b8253273b06b3c17)
Noel Power [Thu, 17 Jan 2019 10:05:04 +0000 (10:05 +0000)]
lib/ldb/tests/python: Add test to pass utf8 encoded bytes to ldb.Dn
This test should demonstrate an error with the 'es' format in python
where a 'str' byte-string is passed (containing utf8 encoded bytes)
with some characters that cannot be decoded as ascii. The same
code if run in python3 should generate an error (needs string not
bytes)
Also Add knownfail for ldb.Dn passed utf8 encoded byte string
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13616
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
f8758b3b1f98476469501dd45a7c898950294e05)
Noel Power [Tue, 11 Dec 2018 15:58:44 +0000 (15:58 +0000)]
s4/libnet: use 'et' as format for ParseTuple with python2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13616
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
b6c8ef5fb70c65c04c8269ff95e661e219968767)
Noel Power [Tue, 11 Dec 2018 15:18:10 +0000 (15:18 +0000)]
python: Add new compat PYARG_STR_UNI format
In python2 PYARG_STR_UNI evaluates to et which allows str type
(e.g bytes) pass through unencoded and accepts unicode objects
encoded as utf8
In python3 PYARG_STR_UNI evaluates to es which allows str type
encoded as named/specified encoding
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13616
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
253af8b85450c2830a442084e98734ca338c1b2f)
Jeremy Allison [Mon, 12 Nov 2018 19:37:31 +0000 (11:37 -0800)]
s3: lib: nmbname: Ensure we limit the NetBIOS name correctly. CID:
1433607
Firstly, make the exit condition from the loop explicit (we must
never write into byte n, where n >= sizeof(name->name).
Secondly ensure exiting from the loop that n==MAX_NETBIOSNAME_LEN,
as this is the sign of a correct NetBIOS name encoding (RFC1002)
in order to properly read the NetBIOS name type (which is always
encoded in byte 16 == name->name[15]).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11495
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Nov 13 20:54:56 CET 2018 on sn-devel-144
(cherry picked from commit
3634e20c7603103b0f2e00e5b61cc63f905d780d)
Justin Stephenson [Mon, 17 Dec 2018 16:26:11 +0000 (11:26 -0500)]
s3: net: Do not set NET_FLAGS_ANONYMOUS with -k
This affects net rpc getsid and net rpc changetrustpw commands.
This avoids an anonymous IPC connection being made when -k is used,
this only affects net rpc getsid and net rpc changetrustpw commands.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13726
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Mon Jan 14 13:34:32 CET 2019 on sn-devel-144
Günther Deschner [Tue, 18 Dec 2018 16:18:33 +0000 (17:18 +0100)]
s3-vfs-fruit: add close call
https://bugzilla.samba.org/show_bug.cgi?id=13725
We cannot always rely on vfs_default to close the fake fds. This mostly is
relevant when used with another non-local VFS filesystem module such as
gluster.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 21 07:20:49 CET 2018 on sn-devel-144
(cherry picked from commit
ba016939aa91e0806f509c8b8ce9506bebceb7e5)
Günther Deschner [Tue, 18 Dec 2018 16:20:29 +0000 (17:20 +0100)]
s3-vfs-streams_xattr: add close call
https://bugzilla.samba.org/show_bug.cgi?id=13725
We cannot always rely on vfs_default to close the fake fds. This mostly is
relevant when used with another non-local VFS filesystem module such as
gluster.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 20 07:18:20 CET 2018 on sn-devel-144
(cherry picked from commit
1b263ed631c86bf4117c9388fce3fa1f24cea4c9)
Gary Lockyer [Sun, 13 Jan 2019 20:53:13 +0000 (09:53 +1300)]
audit_logging: auth_json_audit required auth_json
To log JSON the human-readable logs must also have been enabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13715
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 14 14:32:25 CET 2018 on sn-devel-144
(cherry picked from commit
31957c7fe9d0f67bef08177e982043a23b172c7d)
Edited to apply to y4.9: Gary Lockyer <gary@catalyst.net.nz>
Aaron Haslett [Wed, 9 Jan 2019 03:22:40 +0000 (16:22 +1300)]
dns: changing onelevel search for wildcard to subtree
SCOPE_ONELEVEL is used on wildcard dns searches, but onelevel searches
currently have a performance problem related to GUID indexing, so this
patch changes the search scope to SCOPE_SUBTREE.
In this case, as the onelevel and subtree sets of records are roughly
the same, and the query is matching against the DN itself, we don't
believe there's any benefit in using SCOPE_ONELEVEL over SCOPE_SUBTREE.
The onelevel performance problem will be fixed separately later, but in
the meantime this solves the DNS performance problem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13738
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(cherry picked from commit
ef379880037c10589ceeab7f985e3245817908a4)
Björn Jacke [Tue, 18 Dec 2018 11:58:53 +0000 (12:58 +0100)]
samba-tool: don't print backtrace on simple DNS errors
samba-tool throws backtraces even for simple DNS error
messages, we should not frighten users for no good reason.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13721
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Wed Dec 19 20:58:52 CET 2018 on sn-devel-144
(cherry picked from commit
49dc04f9f553c443c78c8073c07ea2a38cde61b2)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Thu Jan 10 16:55:06 CET 2019 on sn-devel-144
Stefan Metzmacher [Sat, 8 Dec 2018 22:25:40 +0000 (23:25 +0100)]
s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Dec 20 12:15:09 CET 2018 on sn-devel-144
(cherry picked from commit
63dc60767eb13d8fc09ed4bc44faa538581b18f1)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Wed Jan 9 14:01:30 CET 2019 on sn-devel-144
Stefan Metzmacher [Sat, 8 Dec 2018 21:53:21 +0000 (22:53 +0100)]
s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
ec3adc1e5b3cc953576efa795dfb25af08a8ab79)
Stefan Metzmacher [Sat, 8 Dec 2018 21:48:33 +0000 (22:48 +0100)]
s3:auth_winbind: remove fallback to optional backend
This is not possible anymore, as the trustdomain backend
was removed in commit
75c152c0d764165a4a9dd0a85390af063dd0192a.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
f3bac8c91121871bf8ce852bc3e3ea2e834d3f27)
Günther Deschner [Tue, 18 Dec 2018 10:10:04 +0000 (11:10 +0100)]
s3-smbd: avoid assuming fsp is always intact after close_file call.
Instead use the already copied smb_fname directly.
https://bugzilla.samba.org/show_bug.cgi?id=13720
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Dec 18 20:11:07 CET 2018 on sn-devel-144
(cherry picked from commit
90fab07f0710bb2061d3f14326c874dd049823fc)
Martin Schwenke [Fri, 14 Dec 2018 03:43:57 +0000 (14:43 +1100)]
lib/util: Count a trailing line that doesn't end in a newline
If the final line of a file does not contain a newline then it isn't
included in the line count.
Change i to point to the next slot in the array instead of the current
one. This means that that the current line won't be thrown away if no
newline is seen.
Without changing i to unsigned int, the -O3 --picky -developer build
fails with:
[ 745/4136] Compiling lib/util/util_file.c
==> /builds/samba-team/devel/samba/samba-o3.stderr <==
../../lib/util/util_file.c: In function ‘file_lines_parse’:
../../lib/util/util_file.c:251:8: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
while (i > 0 && ret[i-1][0] == 0) {
^
cc1: all warnings being treated as errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13717
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 19 08:08:28 CET 2018 on sn-devel-144
(cherry picked from commit
5118985841aa0363147d552f243ab5a7d90dbdaf)
Douglas Bagnall [Wed, 10 Oct 2018 22:59:52 +0000 (11:59 +1300)]
samba-tool drs showrepl: do not crash if no dnsHostName found
This should not happen, but it does sometimes in an autobuild
environment. Rather than reporting this by crashing, we report it by
showing there is no DNS name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13716
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Oct 12 15:27:07 CEST 2018 on sn-devel-144
(cherry picked from commit
2fc855e7d2458249ca6fc8ffdf1d7633ab84cc55)
Stefan Metzmacher [Wed, 19 Dec 2018 08:38:33 +0000 (09:38 +0100)]
s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration
This happens on standalone servers, where winbindd is automatically
started by init scripts if it's installed. But it's not really
used and may not have a valid idmap configuration (
"idmap config * : range" has no default!)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13697
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
865538fabaea33741f5fa542dbc3f2e08308c2c1)
Christian Ambach [Tue, 23 Oct 2018 18:05:04 +0000 (20:05 +0200)]
s3:utils/smbget fix recursive download with empty source directories
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13199
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 26 09:58:07 CEST 2018 on sn-devel-144
(cherry picked from commit
fce0d1b290c7a2205f2454b268b55909d1044f1b)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Mon Jan 7 14:23:36 CET 2019 on sn-devel-144
Christian Ambach [Mon, 22 Oct 2018 14:28:21 +0000 (16:28 +0200)]
s3:utils/smbget add error handling for mkdir() calls
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
b89732c31be350828110fe46f2c655f77cb488f3)
Christian Ambach [Mon, 22 Oct 2018 14:22:00 +0000 (16:22 +0200)]
s3:script/tests reduce code duplication
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
525b19fafb43bd97e3dfc1d3e7dc13955c0f387f)
Karolin Seeger [Thu, 20 Dec 2018 08:25:20 +0000 (09:25 +0100)]
VERISON: Bump version up to 4.9.5...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Thu, 20 Dec 2018 08:23:46 +0000 (09:23 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.9.4 release.
Karolin Seeger [Thu, 20 Dec 2018 08:23:09 +0000 (09:23 +0100)]
WHATSNEW: Add release notes for Samba 4.9.4.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Ralph Boehme [Wed, 21 Nov 2018 16:20:30 +0000 (17:20 +0100)]
vfs_shadow_copy2: in fstat also convert fsp->fsp_name and fsp->base_fsp->fsp_name
Stacked VFS modules might use the file name, not the file
handle. Looking at you, vfs_fruit...
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
aa1fac696956f96e89e54ddd4535a6e2844161b0)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Thu Dec 13 16:47:40 CET 2018 on sn-devel-144
Ralph Boehme [Sat, 24 Nov 2018 09:54:06 +0000 (10:54 +0100)]
s3:smbd: pass down twrp from SMB2_CREATE to filename_convert()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
9c462e1b324ebad60c51bd6e8e659b39a31ec02e)
Ralph Boehme [Sat, 24 Nov 2018 09:45:49 +0000 (10:45 +0100)]
s3:smbd: add twrp args to filename_convert()
All existing callers pass NULL, no change in behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
14b6e6842b76d7c3e53249ba026a3ff51615ebd7)
Ralph Boehme [Sat, 24 Nov 2018 08:05:37 +0000 (09:05 +0100)]
s3:smbd: add twrp processing to filename_convert_internal()
Not used for now, existing callers pass NULL.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
c69bd336a17ca04dbfb4f5d04a963d25b9925118)
Ralph Boehme [Sat, 24 Nov 2018 07:56:49 +0000 (08:56 +0100)]
s3:smbd: prepare filename_convert_internal() for twrp
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
bffc540bc8459cbb1bd1a98528fb1d3b2b54d1d2)
Ralph Boehme [Fri, 23 Nov 2018 13:36:56 +0000 (14:36 +0100)]
s3:selftest: add a VSS test reading a stream
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
cfffa2e2428b42db65a4ece00602e0cef8ceb5a3)
Günther Deschner [Wed, 10 Oct 2018 15:32:25 +0000 (17:32 +0200)]
s3-vfs: Prevent NULL pointer dereference in vfs_glusterfs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13708
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Dec 11 17:26:31 CET 2018 on sn-devel-144
(cherry picked from commit
75d15484f3b71b1a2684c4a73e53aaa467f9932b)
Ralph Boehme [Fri, 23 Nov 2018 13:08:15 +0000 (14:08 +0100)]
vfs_shadow_copy2: nicely deal with attempts to open previous version for writing
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
cf95756235f718478e556ce1fbf7c032f9c9acfb)
Ralph Boehme [Thu, 22 Nov 2018 10:04:54 +0000 (11:04 +0100)]
vfs_shadow_copy2: add shadow_copy2_strip_snapshot_converted
Can be used by callers to determine if a path is in fact pointing at a
file in a snapshot. Will be used in the next commit.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
14d6488d355e960ab02e72c414cbbc316f1db718)
Ralph Boehme [Thu, 22 Nov 2018 10:02:24 +0000 (11:02 +0100)]
vfs_shadow_copy2: add _already_converted arg to shadow_copy2_strip_snapshot_internal()
Not used for now, all existing callers pass NULL.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
87bf06ed790dad8a4f650c0cd1b6781864666cbf)
Ralph Boehme [Fri, 23 Nov 2018 09:18:44 +0000 (10:18 +0100)]
s3:script/tests: add a test for VSS write behaviour
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit
12778f015988f7e8755016c72c26939998758dae)
Ralph Boehme [Wed, 14 Nov 2018 12:45:11 +0000 (13:45 +0100)]
s4:torture: add a test-suite for VSS
This test will not be run from the main torture test runner in selftest,
as there we don't pass the required arguments 'twrp_file' and
'twrp_snapshot'.
The test needs a carefully prepared environment with provisioned
snapshot data, so the test will be started from a blackbox test
script. That comes next.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
48ddb87a32ca44c2fcc5aac0cc28c5527dc7eade)
Ralph Boehme [Fri, 23 Nov 2018 09:18:10 +0000 (10:18 +0100)]
vfs_error_inject: add EBADF error
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
523a9b312c9f09178a5afefb48343e684e41d817)
Ralph Boehme [Fri, 23 Nov 2018 09:07:29 +0000 (10:07 +0100)]
vfs_error_inject: add pwrite
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
55a82f907f6410ff478e82b0cf7f1caeacaf5ddd)
Justin Stephenson [Wed, 27 Jun 2018 15:32:31 +0000 (11:32 -0400)]
s3:libads: Add net ads leave keep-account option
Add the ability to leave the domain with --keep-account argument to avoid
removal of the host machine account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13498
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
d881f0c8a0ce2fc7cabf1966c5724e72c70d6694)
Ralph Boehme [Wed, 28 Nov 2018 14:39:21 +0000 (15:39 +0100)]
winbindd: Route predefined domains through the BUILTIN domain child
Without this eg "NT Authority" didn't work:
$ bin/wbinfo -n "NT Authority/Authenticated Users"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NT Authority/Authenticated Users
$ bin/wbinfo --group-info="NT Authority/Authenticated Users"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group NT Authority/Authenticated Users
With the patch:
$ bin/wbinfo -n "NT Authority/Authenticated Users"
S-1-5-11 SID_WKN_GROUP (5)
$ bin/wbinfo --group-info="NT Authority/Authenticated Users"
NT AUTHORITY\authenticated users:x:10002:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Dec 5 11:27:22 CET 2018 on sn-devel-144
(cherry picked from commit
8b8d9fdad4a4e2c479141b3d40e9a7320a49c0dd)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Mon Dec 10 13:43:15 CET 2018 on sn-devel-144
Ralph Boehme [Wed, 28 Nov 2018 16:20:41 +0000 (17:20 +0100)]
winbindd: fix predefined domains routing in find_lookup_domain_from_sid()
Route predefined domains through the BUILTIN domain child, not passdb.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
b512a58bbd7361cbbcf68f6713943377338fc2a1)
Ralph Boehme [Tue, 27 Nov 2018 16:32:09 +0000 (17:32 +0100)]
winbindd: add some braces
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
e0f784baeaa73096534d9a1ed941028d99f84ece)
Ralph Boehme [Wed, 28 Nov 2018 16:19:39 +0000 (17:19 +0100)]
libcli/security: add dom_sid_lookup_is_predefined_domain()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
2de5f06d399109009c343b0acfef822db38502a1)
Ralph Boehme [Tue, 27 Nov 2018 19:32:09 +0000 (20:32 +0100)]
selftest: test wbinfo -n and --gid-info with "NT Authority"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
c46b6b111e8adcd7cf029e5c3293cbdc471793db)
Stefan Metzmacher [Wed, 28 Nov 2018 14:21:56 +0000 (15:21 +0100)]
CVE-2018-14629 dns: fix CNAME loop prevention using counter regression
The loop prevention should only be done for CNAME records!
Otherwise we truncate the answer records for A, AAAA or
SRV queries, which is a bad idea if you have more than 20 DCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 4 08:52:29 CET 2018 on sn-devel-144
(cherry picked from commit
34f4491d79b47b2fe2457b8882f11644cf773bc4)
Aaron Haslett [Fri, 30 Nov 2018 05:37:27 +0000 (18:37 +1300)]
CVE-2018-14629: Tests to expose regression from dns cname loop fix
These tests expose the regression described by Stefan Metzmacher in
discussion on the bugzilla paged linked below.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
14399fd818b130a6347eec860460929c292d5996)
Martin Schwenke [Fri, 30 Nov 2018 01:44:26 +0000 (12:44 +1100)]
ctdb-daemon: Exit with error if a database directory does not exist
Since 4.9.0, the log messages can be confusing if a required database
directory does not exist. Explicitly check for database directories,
logging a clear error and exiting if one is missing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13696
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Dec 3 06:56:41 CET 2018 on sn-devel-144
(cherry picked from commit
dd7574afd1b2fb6a88defa154bc3d15e94f9ce0d)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Wed Dec 5 13:01:52 CET 2018 on sn-devel-144
Isaac Boukris [Wed, 7 Nov 2018 20:53:35 +0000 (22:53 +0200)]
CVE-2018-16853: fix crash in expired passowrd case
When calling encode_krb5_padata_sequence() make sure to
pass a null terminated array as required.
Fixes expired passowrd case in samba4.blackbox.kinit test.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Tue Dec 4 17:27:18 CET 2018 on sn-devel-144
Andreas Schneider [Wed, 28 Sep 2016 05:22:32 +0000 (07:22 +0200)]
CVE-2018-16853: Do not segfault if client is not set
This can be triggered with FAST but we don't support this yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Sat, 18 Aug 2018 13:01:59 +0000 (16:01 +0300)]
CVE-2018-16853: Add a test to verify s4u2self doesn't crash
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Fri, 17 Aug 2018 21:40:30 +0000 (00:40 +0300)]
CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
This happens when we are called from S4U2Self flow, and in that case
kdcreq->client is NULL. Use the name from client entry instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Sat, 18 Aug 2018 12:32:43 +0000 (15:32 +0300)]
CVE-2018-16853: Fix kinit test on system lacking ldbsearch
By fixing bindir variable name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 7 Nov 2018 13:00:25 +0000 (14:00 +0100)]
libcli/smb: don't overwrite status code
The original commit
c5cd22b5bbce724dcd68fe94320382b3f772cabf from bug
9175 never worked, as the preceeding signing check overwrote the status
variable.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9175
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Nov 13 17:28:45 CET 2018 on sn-devel-144
(cherry picked from commit
5a8583ed701be97c33a20b2a20f6bbb8ac2f8e99)
Ralph Boehme [Tue, 13 Nov 2018 11:08:10 +0000 (12:08 +0100)]
s4:torture/smb2/session: test smbXcli_session_set_disconnect_expired() works
This adds a simple test that verifies that after having set
smbXcli_session_set_disconnect_expired() a session gets disconnected
when it expires.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9175
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
a5d1bb5c5b5a57a2d7710dc5ab962683fe5c8e68)
Garming Sam [Tue, 13 Nov 2018 21:29:01 +0000 (10:29 +1300)]
ldb_controls: Add some talloc error checking for controls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ad8bb6fcd08be28c40f2522d640333e9e69b7852)
Garming Sam [Sun, 18 Nov 2018 22:05:59 +0000 (11:05 +1300)]
sync_passwords: Remove dirsync cookie logging for continuous operation
Under normal operation, users shouldn't see giant cookies in their logs.
We still log the initial cookie retrieved from the cache database, which
should still be helpful for identifying corrupt cookies.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ac90c9faa783fc133229e7c163471d96440ff30e)
Garming Sam [Fri, 26 Oct 2018 00:38:02 +0000 (13:38 +1300)]
dirsync: Allow arbitrary length cookies
The length of the cookie is proportional to the number of DCs ever in
the domain (as it stores the uptodateness vector which has stale
invocationID).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b7a0d3b110697923a31e353905d3b1bd9385ea9b)
Joe Guo [Mon, 30 Jul 2018 06:19:05 +0000 (18:19 +1200)]
PEP8: fix E231: missing whitespace after ','
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(part of commit
12d3fbe15cb58b57c60499103101e3a845378859 from master
cherry-picked to v4-9-test)
Karolin Seeger [Tue, 27 Nov 2018 10:05:40 +0000 (11:05 +0100)]
VERSION: Bump version up to 4.9.4.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 27 Nov 2018 10:05:18 +0000 (11:05 +0100)]
Merge tag 'samba-4.9.3' into v4-9-test
samba: tag release samba-4.9.3
Karolin Seeger [Sun, 25 Nov 2018 14:24:31 +0000 (15:24 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.9.3 release.
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported))
o CVE-2018-16857 (Bad password count in AD DC not always effective)
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Sun, 25 Nov 2018 14:23:23 +0000 (15:23 +0100)]
WHATSNEW: Add release notes for Samba 4.9.3.
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported))
o CVE-2018-16857 (Bad password count in AD DC not always effective)
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Tim Beale [Tue, 13 Nov 2018 00:22:41 +0000 (13:22 +1300)]
CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow
Clearly the lockOutObservationWindow value is important, and using a
default value of zero doesn't work very well.
This patch adds a better default value (the domain default setting of 30
minutes).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Tue, 13 Nov 2018 00:19:04 +0000 (13:19 +1300)]
CVE-2018-16857 dsdb/util: Fix lockOutObservationWindow for PSOs
Fix a remaining place where we were trying to read the
msDS-LockoutObservationWindow as an int instead of an int64.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Mon, 12 Nov 2018 23:24:16 +0000 (12:24 +1300)]
CVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int
Commit
442a38c918ae1666b35 refactored some code into a new
get_lockout_observation_window() function. However, in moving the code,
an ldb_msg_find_attr_as_int64() inadvertently got converted to a
ldb_msg_find_attr_as_int().
ldb_msg_find_attr_as_int() will only work for values up to -
2147483648
(about 3.5 minutes in MS timestamp form). Unfortunately, the automated
tests used a low enough timeout that they still worked, however,
password lockout would not work with the Samba default settings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Mon, 12 Nov 2018 22:49:56 +0000 (11:49 +1300)]
CVE-2018-16857 tests: Sanity-check password lockout works with default values
Sanity-check that when we use the default lockOutObservationWindow that
user lockout actually works.
The easiest way to do this is to reuse the _test_login_lockout()
test-case, but stop at the point where we wait for the lockout duration
to expire (because we don't want the test to wait 30 mins).
This highlights a problem currently where the default values don't work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joe Guo [Mon, 30 Jul 2018 06:19:21 +0000 (18:19 +1200)]
CVE-2018-16857 PEP8: fix E251: unexpected spaces around keyword / parameter equals
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Partial backport of commit
1ccc36b4010cd63 (only password_lockout_base.py
change) as a dependency for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Joe Guo [Mon, 30 Jul 2018 06:15:34 +0000 (18:15 +1200)]
CVE-2018-16857 PEP8: fix E127: continuation line over-indented for visual indent
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Partial backport of commit
bbb9f57603d (only password_lockout_base.py
change) as a dependency for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Andrew Bartlett [Sun, 2 Sep 2018 06:03:06 +0000 (18:03 +1200)]
CVE-2018-16857 selftest: Split up password_lockout into tests with and without a call to sleep()
This means we can have a long observation window for many of the tests and
so make them much more reliable. Many of these cause frustrating flapping
failures in our CI systems.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Sep 3 06:14:55 CEST 2018 on sn-devel-144
(cherry picked from commit
74357bf347348d3a8b7483c58e5250e98f7e8810)
Backported as a dependency for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Joe Guo [Mon, 30 Jul 2018 06:21:29 +0000 (18:21 +1200)]
CVE-2018-16857 PEP8: fix E305: expected 2 blank lines after class or function definition, found 1
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Partial backport of commit
115f2a71b88 (only password_lockout.py
change) as a dependency for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Andrew Bartlett [Sun, 2 Sep 2018 05:34:03 +0000 (17:34 +1200)]
CVE-2018-16857 selftest: Prepare to allow override of lockout duration in password_lockout tests
This will make it easier to avoid flapping tests.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(cherry picked from commit
a740a6131c967f9640b19a6964fd5d6f85ce853a)
Backported as a dependency for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Andrew Bartlett [Tue, 6 Nov 2018 00:32:05 +0000 (13:32 +1300)]
CVE-2018-16853 build: The Samba AD DC, when build with MIT Kerberos is experimental
This matches https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Garming Sam [Mon, 5 Nov 2018 03:18:18 +0000 (16:18 +1300)]
CVE-2018-16851 ldap_server: Check ret before manipulating blob
In the case of hitting the talloc ~256MB limit, this causes a crash in
the server.
Note that you would actually need to load >256MB of data into the LDAP.
Although there is some generated/hidden data which would help you reach that
limit (descriptors and RMD blobs).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>