Karolin Seeger [Wed, 4 Dec 2019 09:03:55 +0000 (10:03 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.11.3 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Wed, 4 Dec 2019 09:02:16 +0000 (10:02 +0100)]
WHATSNEW: Add release notes for Samba 4.11.3.
o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
on Samba AD DC.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Isaac Boukris [Thu, 21 Nov 2019 10:12:48 +0000 (11:12 +0100)]
CVE-2019-14870: mit-kdc: enforce delegation_not_allowed flag
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Isaac Boukris [Mon, 28 Oct 2019 00:54:09 +0000 (02:54 +0200)]
CVE-2019-14870: heimdal: enforce delegation_not_allowed in S4U2Self
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Isaac Boukris [Wed, 30 Oct 2019 14:59:16 +0000 (15:59 +0100)]
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Isaac Boukris [Sun, 27 Oct 2019 12:02:00 +0000 (14:02 +0200)]
samba-tool: add user-sensitive command to set not-delegated flag
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Andrew Bartlett [Thu, 31 Oct 2019 17:53:56 +0000 (06:53 +1300)]
s4-torture: Reduce flapping in SambaToolDrsTests.test_samba_tool_replicate_local
This test often flaps in Samba 4.9 (where more tests and DCs run in the environment)
with obj_1 being 3. This is quite OK, we just need to see some changes get
replicated, not 0 changes.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
4ae0f9ce0f5ada99cf1d236377e5a1234c879ae3)
Andrew Bartlett [Tue, 29 Oct 2019 22:50:57 +0000 (11:50 +1300)]
CVE-2019-14861: Test to demonstrate the bug
This test does not fail every time, but when it does it casues a segfault which
takes out the rpc_server master process, as this hosts the dnsserver pipe.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 29 Oct 2019 01:15:36 +0000 (14:15 +1300)]
CVE-2019-14861: s4-rpc/dnsserver: Avoid crash in ldb_qsort() via dcesrv_DnssrvEnumRecords)
dns_name_compare() had logic to put @ and the top record in the tree being
enumerated first, but if a domain had both then this would break the
older qsort() implementation in ldb_qsort() and cause a read of memory
before the base pointer.
By removing this special case (not required as the base pointer
is already seperatly located, no matter were it is in the
returned records) the crash is avoided.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sun, 20 Oct 2019 23:12:10 +0000 (12:12 +1300)]
CVE-2019-14861: s4-rpc_server: Remove special case for @ in dns_build_tree()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 29 Oct 2019 04:25:28 +0000 (17:25 +1300)]
CVE-2019-14861: s4-rpc/dnsserver: Confirm sort behaviour in dcesrv_DnssrvEnumRecords
The sort behaviour for child records is not correct in Samba so
we add a flapping entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Karolin Seeger [Tue, 3 Dec 2019 12:07:17 +0000 (13:07 +0100)]
VERSION: Re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 29 Oct 2019 10:10:52 +0000 (11:10 +0100)]
VERSION: Bump version up to 4.11.3.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit
e704eee3083658f7dcdd4238295f8e0b229a1688)
Karolin Seeger [Thu, 24 Oct 2019 08:52:52 +0000 (10:52 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.11.2 release.
* Bug 14071: CVE-2019-10218: Client code can return filenames containing path
separators.
* Bug 12438: CVE-2019-14833: Samba AD DC check password script does not receive
the full password.
* Bug 14040: CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP
server via dirsync.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Thu, 24 Oct 2019 08:42:16 +0000 (10:42 +0200)]
WHATSNEW: Add release notes for Samba 4.11.2.
* Bug 14071: CVE-2019-10218: Client code can return filenames containing path
separators.
* Bug 12438: CVE-2019-14833: Samba AD DC check password script does not receive
the full password.
* Bug 14040: CVE-2019-14847: User with "get changes" permission can crash AD DC
LDAP server via dirsync.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Andrew Bartlett [Tue, 15 Oct 2019 02:44:34 +0000 (15:44 +1300)]
CVE-2019-14847 dsdb: Correct behaviour of ranged_results when combined with dirsync
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 15 Oct 2019 03:28:46 +0000 (16:28 +1300)]
CVE-2019-14847 dsdb: Demonstrate the correct interaction of ranged_results style attributes and dirsync
Incremental results are provided by a flag on the dirsync control, not
by changing the attribute name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Björn Baumbach [Tue, 6 Aug 2019 14:32:32 +0000 (16:32 +0200)]
CVE-2019-14833 dsdb: send full password to check password script
utf8_len represents the number of characters (not bytes) of the
password. If the password includes multi-byte characters it is required
to write the total number of bytes to the check password script.
Otherwise the last bytes of the password string would be ignored.
Therefore we rename utf8_len to be clear what it does and does
not represent.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438
Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 18 Sep 2019 23:50:01 +0000 (11:50 +1200)]
CVE-2019-14833: Use utf8 characters in the unacceptable password
This shows that the "check password script" handling has a bug.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Jeremy Allison [Tue, 6 Aug 2019 19:08:09 +0000 (12:08 -0700)]
CVE-2019-10218 - s3: libsmb: Protect SMB2 client code from evil server returned names.
Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Mon, 5 Aug 2019 20:39:53 +0000 (13:39 -0700)]
CVE-2019-10218 - s3: libsmb: Protect SMB1 client code from evil server returned names.
Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
Signed-off-by: Jeremy Allison <jra@samba.org>
Karolin Seeger [Fri, 18 Oct 2019 09:03:16 +0000 (11:03 +0200)]
VERSION: Bump version up to 4.11.2...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit
7b8309398beab679cd4068da497661ce33616edc)
Karolin Seeger [Fri, 18 Oct 2019 09:02:36 +0000 (11:02 +0200)]
VERSION: Disable GIT_SNAPSHOT for Samba 4.11.1.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Fri, 18 Oct 2019 09:02:06 +0000 (11:02 +0200)]
WHATSNEW: Add release notes for Samba 4.11.1.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Isaac Boukris [Tue, 15 Oct 2019 14:01:48 +0000 (17:01 +0300)]
s3:libsmb: Link libsmb against pthread
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
7259197bf716f8b81dea74beefe6ee3b1239f172)
Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Wed Oct 16 20:39:04 UTC 2019 on sn-devel-184
Isaac Boukris [Tue, 15 Oct 2019 10:52:42 +0000 (13:52 +0300)]
nsswitch: Link stress-nss-libwbclient against pthread
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
d473f1e38c2822746030516269b4d70032cf9b2e)
Andreas Schneider [Wed, 9 Oct 2019 14:32:47 +0000 (16:32 +0200)]
s3:libads: Do not turn on canonicalization flag for MIT Kerberos
This partially reverts
303b7e59a286896888ee2473995fc50bb2b5ce5e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155
Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
123584294cfd153acc2d9a5be9d71c395c847a25)
Andreas Schneider [Wed, 9 Oct 2019 18:11:03 +0000 (20:11 +0200)]
lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs
The autobuild cleanup script fails with:
The tree has 3 new uncommitted files!!!
git clean -n
Would remove MEMORY:tmp_smb_creds_SK98Lv
Would remove MEMORY:tmp_smb_creds_kornU6
Would remove MEMORY:tmp_smb_creds_ljR828
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
d888655244b4d8ec7a69a042e0ff3c074585b0de)
Isaac Boukris [Wed, 4 Sep 2019 14:04:12 +0000 (17:04 +0300)]
spnego: fix server handling of no optimistic exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
Isaac Boukris [Thu, 10 Oct 2019 21:20:16 +0000 (00:20 +0300)]
python/tests/gensec: add spnego downgrade python tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 11 Oct 2019 11:23:17 +0000 (13:23 +0200)]
python/tests/gensec: make it possible to add knownfail tests for gensec.update()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Isaac Boukris [Wed, 4 Sep 2019 13:39:43 +0000 (16:39 +0300)]
selftest: add tests for no optimistic spnego exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Wed, 4 Sep 2019 13:31:21 +0000 (16:31 +0300)]
spnego: add client option to omit sending an optimistic token
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Mon, 7 Oct 2019 20:51:19 +0000 (23:51 +0300)]
selftest: s3: add a test for spnego downgrade from krb5 to ntlm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 10 Oct 2019 14:18:21 +0000 (16:18 +0200)]
s3:libsmb: Do not check the SPNEGO neg token for KRB5
The list is not protected and this could be a downgrade attack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Thu, 3 Oct 2019 10:09:29 +0000 (13:09 +0300)]
spnego: ignore server mech_types list
We should not use the mech list sent by the server in the last
'negotiate' packet in CIFS protocol, as it is not protected and
may be subject to downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 26 Sep 2019 17:41:37 +0000 (10:41 -0700)]
s3:smbd: add a comment explaining the File-ID semantics when a file is created
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
c190f3efa9eb4f633df28074b481ff884b67e65f)
Ralph Boehme [Tue, 24 Sep 2019 19:49:38 +0000 (12:49 -0700)]
s3:smbd: ensure a created stream picks up the File-ID from the basefile
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
90a14c90c4bcede1ef5414e0800aa4c84cbcf1c9)
Ralph Boehme [Thu, 26 Sep 2019 17:05:40 +0000 (10:05 -0700)]
s3:lib: add is_named_stream()
Add a new utility functions that checks whether a struct smb_filename points to
a real named stream, excluding the default stream "::$DATA".
foo -> false
foo::$DATA -> false
foo:bar -> true
foo:bar:$DATA -> true
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
091e3fdab61217251de1cf5111f070ff295d1649)
Ralph Boehme [Wed, 25 Sep 2019 18:29:04 +0000 (11:29 -0700)]
s3:lib: use strequal_m() in is_ntfs_default_stream_smb_fname()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
780a8dcba998471bb154e8bae4391786b793e332)
Ralph Boehme [Wed, 25 Sep 2019 18:19:26 +0000 (11:19 -0700)]
s3:lib: implement logic directly in is_ntfs_default_stream_smb_fname()
This allows changing the semantics of is_ntfs_stream_smb_fname() in the next
commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
3f8bc1ce3e094f943363921c46803fd5ec9f73bb)
Ralph Boehme [Thu, 26 Sep 2019 17:38:06 +0000 (10:38 -0700)]
s3:lib: expand a comment with the function doc for is_ntfs_stream_smb_fname
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
2584b4cdeae3f83962cd11538cd4e441104c8274)
Ralph Boehme [Wed, 25 Sep 2019 17:18:03 +0000 (10:18 -0700)]
s3:lib: factor out stream name asserts to helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
f9fdb8a2a6b9ad0fbb89a9734e81a8b1f527966f)
Ralph Boehme [Wed, 25 Sep 2019 17:15:27 +0000 (10:15 -0700)]
s3:lib: assert stream_name is NULL for POSIX paths
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
6c1647ca7a2f68825c34e9ccc18b86ef911e14ac)
Ralph Boehme [Wed, 25 Sep 2019 15:53:29 +0000 (08:53 -0700)]
s3:lib: rework a return expression into an if block
Needed to add additional stuff after the if block in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
d7dc85990a177954925644f9ff332b3481a03cc7)
Ralph Boehme [Mon, 23 Sep 2019 22:16:58 +0000 (15:16 -0700)]
s3:smbd: when storing DOS attribute call dos_mode() beforehand
This is required to ensure File-ID info is populated with the correct on-disk
value, before calling file_set_dosmode() which will update the on-disk value.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
49a754b82d33fb523cda4151a865584ae52a2e2f)
Ralph Boehme [Mon, 23 Sep 2019 22:15:31 +0000 (15:15 -0700)]
s3:smbd: change the place where we call dos_mode() when processing SMB2_CREATE
This is needed for ordinary file or directory opens so the QFID create context
response gets the correct File-ID value via dos_mode() from the DOS attributes
xattr.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
e1dfaa2b038d91e43d8d34bf1526b7728dba58a5)
Ralph Boehme [Tue, 24 Sep 2019 20:09:03 +0000 (13:09 -0700)]
torture:smb2: add a File-ID test on directories
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
300b47442b023532bd65417fcec04d811f40ef76)
Ralph Boehme [Mon, 23 Sep 2019 22:15:01 +0000 (15:15 -0700)]
torture:smb2: extend test for File-IDs
This now hopefully covers most possible combinations of creating and opening
files plus, checking the file's File-ID after every operation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
432202413f4d11d761c62f46a50747fcb9b6f0cf)
Günther Deschner [Fri, 20 Sep 2019 16:32:43 +0000 (18:32 +0200)]
auth/gensec: fix non-AES schannel seal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14134
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
709d54d68a9c2cb3cda91d9ab63228a7adbaceb4)
Günther Deschner [Wed, 25 Sep 2019 21:44:49 +0000 (23:44 +0200)]
libcli/auth: add test for gensec_schannel code
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
7eae4280d23404be7d27f65a0c817bea2e0084b6)
Andreas Schneider [Thu, 22 Aug 2019 14:31:30 +0000 (16:31 +0200)]
testprogs: Add test for 'net ads join createcomputer='
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Oct 9 08:26:17 UTC 2019 on sn-devel-184
(cherry picked from commit
459b43e5776180dc1540cd845b72ff78747ecd6f)
Andreas Schneider [Thu, 8 Aug 2019 12:40:04 +0000 (14:40 +0200)]
s3:libads: Just change the machine password if account already exists
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
14f320fa1e40ecc3a43dabb0cecd57430270a521)
Andreas Schneider [Wed, 14 Aug 2019 08:15:19 +0000 (10:15 +0200)]
s3:libnet: Improve debug messages
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
39b8c8b30a5d5bd70f8da3a02cf77f7592788b94)
Andreas Schneider [Tue, 13 Aug 2019 14:34:34 +0000 (16:34 +0200)]
s3:libads: Fix creating machine account using LDAP
This implements the same behaviour as Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
ce7762935051c862ecdd3e82d93096aac61dd292)
Andreas Schneider [Wed, 14 Aug 2019 10:17:20 +0000 (12:17 +0200)]
s3:libads: Don't set supported encryption types during account creation
This is already handled by libnet_join_post_processing_ads_modify()
which calls libnet_join_set_etypes() if encrytion types should be set.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
b755a6438022579dab1a403c81d60b1ed7efca38)
Andreas Schneider [Wed, 14 Aug 2019 11:01:19 +0000 (13:01 +0200)]
s3:libads: Fix detection if acount already exists in ads_find_machine_count()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
4f389c1f78cdc2424795e3b2a1ce43818c400c2d)
Andreas Schneider [Wed, 21 Aug 2019 10:22:32 +0000 (12:22 +0200)]
s3:libads: Use a talloc_asprintf in ads_find_machine_acct()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
35f3e4aed1f1c2ba1c8dc50921f238937f343357)
Andreas Schneider [Tue, 13 Aug 2019 14:30:07 +0000 (16:30 +0200)]
s3:libads: Cleanup error code paths in ads_create_machine_acct()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
8ed993789f93624b7b60dd5314fe5472e69e903a)
Andreas Schneider [Tue, 13 Aug 2019 15:41:40 +0000 (17:41 +0200)]
s3:libnet: Require sealed LDAP SASL connections for joining
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
b84abb3a46211dc84e52ef95750627e4dd081f2f)
Andreas Schneider [Tue, 13 Aug 2019 15:06:58 +0000 (17:06 +0200)]
s3:libads: Use ldap_add_ext_s() in ads_gen_add()
ldap_add_s() is marked as deprecated.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
456322a61319a10aaedda5244488ea4e5aa5cb64)
Andreas Schneider [Thu, 8 Aug 2019 12:35:38 +0000 (14:35 +0200)]
testprogs: Fix failure count in test_net_ads.sh
There are missing ` at the end of the line.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
320b5be4dce95d8dac4b3c0847faf5b730754a37)
Jeremy Allison [Thu, 3 Oct 2019 21:02:13 +0000 (14:02 -0700)]
s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls.
Fix in the same way this was done in SMBC_opendir_ctx() for libsmbclient.
This fix means the admin no longer has to remember to set 'min client protocol ='
when connecting to an SMB2-only server (MacOSX for example) and trying to
list shares.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14152
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
ea82bca8cef0d736305a7a40b3198fc55ea66af8)
Amitay Isaacs [Mon, 30 Sep 2019 06:34:35 +0000 (16:34 +1000)]
ctdb-vacuum: Process all records not deleted on a remote node
This currently skips the last record.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14147
RN: Avoid potential data loss during recovery after vacuuming error
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit
33f1c9d9654fbdcb99c23f9d23c4bbe2cc596b98)
Michael Adam [Fri, 11 Jan 2019 09:44:30 +0000 (10:44 +0100)]
winbind: provide passwd struct for group sid with ID_TYPE_BOTH mapping (again)
https://git.samba.org/?p=samba.git;a=commitdiff;h=
394622ef8c916cf361f8596dba4664dc8d6bfc9e
originally introduced the above feature.
This functionality was undone as part of "winbind: Restructure get_pwsid"
https://git.samba.org/?p=samba.git;a=commitdiff;h=
bce19a6efe11980933531f0349c8f5212419366a
I think that this semantic change was accidential.
This patch undoes the semantic change and re-establishes the
functionality.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14141
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Fri Sep 27 17:25:29 UTC 2019 on sn-devel-184
(cherry picked from commit
63c9147f8631d73b52bdd36ff407e0361dcf5178)
Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Wed Oct 2 11:06:20 UTC 2019 on sn-devel-184
Christof Schmitt [Thu, 26 Sep 2019 00:19:27 +0000 (17:19 -0700)]
selftest: Test ID_TYPE_BOTH with idmap_rid module
ID_TYPE_BOTH means that each user and group has two mappings, a uid and
gid. In addition the calls to getpwent, getpwuid, getgrent and getgrgid
always return some information, so that uid and gid can be mapped to a
name. Establish a test to verify that the expected information is
returned.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14141
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
485874d6bb328c50c9a98785e85270f28ade7497)
Andreas Schneider [Mon, 23 Sep 2019 14:53:12 +0000 (16:53 +0200)]
waf:replace: Do not link against libpthread if not necessary
On Linux we should avoid linking everything against libpthread. Symbols
used my most application are provided by glibc and code which deals with
threads has to explicitly link against libpthread. This avoids setting
LDFLAGS=-pthread globally.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
9499db075b72b147e2ff9bb78e9d5edbaac14e69)
Andreas Schneider [Mon, 23 Sep 2019 15:40:13 +0000 (17:40 +0200)]
third_party: Link uid_wrapper against pthread
uid_wrapper uses pthread_atfork() which is only provided by libpthread. │····················
So we need an explicit dependency.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
bd0cd8e13234d684da77a65f6fdaea2572625369)
Andreas Schneider [Mon, 23 Sep 2019 15:39:29 +0000 (17:39 +0200)]
third_party: Link nss_wrapper against pthread
nss_wrapper uses pthread_atfork() which is only provided by libpthread.
So we need an explicit dependency.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
68d8a02ef57cce29e4ff3ef1b792adfc10d0b916)
Andreas Schneider [Mon, 23 Sep 2019 15:04:57 +0000 (17:04 +0200)]
third_party: Only link cmocka against librt if really needed
cmocka also uses clock_gettime().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
36e8d715bc8dc1e8466f5a5c9798df76310b7572)
Andreas Schneider [Mon, 23 Sep 2019 14:10:35 +0000 (16:10 +0200)]
pthreadpool: Only link pthreadpool against librt if we have to
This calls clock_gettime() which is available in glibc on Linux. If the
wscript in libreplace detected that librt is needed for clock_gettime()
we have to link against it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
4b28239d13b17e42eb5aa4b405342f46347f3de4)
Andreas Schneider [Mon, 23 Sep 2019 13:14:24 +0000 (15:14 +0200)]
replace: Only link against librt if really needed
fdatasync() and clock_gettime() are provided by glibc on Linux, so there
is no need to link against librt. Checks have been added so if there are
platforms which require it are still functional.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
480152dd6729d4c58faca6f3e4fa91ff4614c272)
Andreas Schneider [Mon, 23 Sep 2019 13:18:55 +0000 (15:18 +0200)]
s3:waf: Do not check for nanosleep() as we don't use it anywhere
We use usleep() in the meantime.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
952e1812fa9bdc1bac2a7ae5ebb5532f1ea31447)
Günther Deschner [Thu, 12 Sep 2019 14:39:10 +0000 (16:39 +0200)]
s3-winbindd: fix forest trusts with additional trust attributes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14130
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
d78c87e665e23e6470a19a69383ede7137172c26)
Björn Jacke [Mon, 23 Sep 2019 06:57:33 +0000 (08:57 +0200)]
fault.c: improve fault_report message text pointing to our wiki
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14139
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit
ec4c5975528f3d3ab9c8813e176c6d1a2f1ca506)
Stefan Metzmacher [Wed, 18 Sep 2019 06:10:26 +0000 (08:10 +0200)]
selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
This demonstrates that can do krb5_auth in winbindd without knowning about trusted domains.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184
(cherry picked from commit
0ee085b594878f5e0e83839f465303754f015459)
Stefan Metzmacher [Wed, 18 Sep 2019 06:02:38 +0000 (08:02 +0200)]
selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
This demonstrates that we rely on knowning about trusted domains before
we can do krb5_auth in winbindd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
e2737a74d4453a3d65e5466ddc4405d68444df27)
Stefan Metzmacher [Sat, 10 Jun 2017 12:38:40 +0000 (14:38 +0200)]
selftest/tests.py: test pam_winbind for trusts domains
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
ad6f0e056ac27ab5c078dbdbff44372da05caab2)
Andreas Schneider [Mon, 20 Mar 2017 10:39:41 +0000 (11:39 +0100)]
selftest: Export TRUST information in the ad_member target environment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
13e3811c9510cf213881527877bed40092e0b33c)
Stefan Metzmacher [Wed, 18 Sep 2019 12:03:34 +0000 (14:03 +0200)]
selftest/tests.py: test pam_winbind with a lot of username variations
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
f07b542c61f84a97c097208e10bf9375ddfa9a15)
Stefan Metzmacher [Wed, 18 Sep 2019 06:08:57 +0000 (08:08 +0200)]
selftest/tests.py: test pam_winbind with krb5_auth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
36e95e42ea8a7e5a4091a647215d06d2ab47fab6)
Stefan Metzmacher [Tue, 17 Sep 2019 23:25:23 +0000 (01:25 +0200)]
selftest/tests.py: prepare looping over pam_winbindd tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
72daf99fd1ffd8269fce25d69458de35e2ae32cc)
Stefan Metzmacher [Tue, 17 Sep 2019 23:25:58 +0000 (01:25 +0200)]
test_pam_winbind.sh: allow different pam_winbindd config options to be specified
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
3d38a8e9135bb72bc4ca079fab0eb5358942b3f1)
Stefan Metzmacher [Fri, 20 Sep 2019 06:13:28 +0000 (08:13 +0200)]
tests/pam_winbind.py: allow upn names to be used in USERNAME with an empty DOMAIN value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
653e90485854d978dc522e689cd78c19dcc22a70)
Stefan Metzmacher [Wed, 18 Sep 2019 06:04:42 +0000 (08:04 +0200)]
tests/pam_winbind.py: turn pypamtest.PamTestError into a failure
A failure generated by the AssertionError() checks can be added
to selftest/knownfail.d/*.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
cd3ffaabb568db26e0de5e83178487e5947c4f09)
Stefan Metzmacher [Fri, 19 Jul 2019 15:10:09 +0000 (15:10 +0000)]
s3:winbindd: implement the "winbind use krb5 enterprise principals" logic
We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM)
and delegate the routing decisions to the KDCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
a77be15d28390c5d12202278adbe6b50200a2c1b)
Stefan Metzmacher [Wed, 11 Sep 2019 14:44:43 +0000 (16:44 +0200)]
docs-xml: add "winbind use krb5 enterprise principals" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
9520652399696010c333a3ce7247809ce5337a91)
Stefan Metzmacher [Fri, 13 Sep 2019 13:52:25 +0000 (15:52 +0200)]
krb5_wrap: let smb_krb5_parse_name() accept enterprise principals
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
3bdf023956e861485be70430112ed38d0a5424f7)
Stefan Metzmacher [Fri, 13 Sep 2019 14:04:30 +0000 (16:04 +0200)]
s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
303b7e59a286896888ee2473995fc50bb2b5ce5e)
Stefan Metzmacher [Fri, 13 Sep 2019 14:04:30 +0000 (16:04 +0200)]
s4:auth: kinit_to_ccache() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
162b4199493c1f179e775a325a19ae7a136c418b)
Stefan Metzmacher [Fri, 13 Sep 2019 14:04:30 +0000 (16:04 +0200)]
krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614)
Stefan Metzmacher [Fri, 13 Sep 2019 14:04:30 +0000 (16:04 +0200)]
s3:libads/kerberos: always use the canonicalized principal after kinit
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
0bced73bed481a8846a6b3e68be85941914390ba)
Stefan Metzmacher [Tue, 17 Sep 2019 06:49:13 +0000 (08:49 +0200)]
s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
6ed18c12c57efb2a010e0ce5196c51b48e57a4b9)
Stefan Metzmacher [Tue, 17 Sep 2019 08:08:10 +0000 (10:08 +0200)]
s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
361fb0efabfb189526c851107eee49161da2293c)
Stefan Metzmacher [Mon, 16 Sep 2019 15:14:11 +0000 (17:14 +0200)]
s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
bc473e5cf088a137395842540ed8eb748373a236)
Stefan Metzmacher [Tue, 17 Sep 2019 06:05:09 +0000 (08:05 +0200)]
s4:auth: use the correct client realm in gensec_gssapi_update_internal()
The function gensec_gssapi_client_creds() may call kinit and gets
a TGT for the user. The principal provided by the user may not
be canonicalized. The user may use 'given.last@example.com'
but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.
It means we should use client_realm = AD.EXAMPLE.PRIVATE
instead of client_realm = EXAMPLE.COM
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38)
Stefan Metzmacher [Wed, 18 Sep 2019 11:58:46 +0000 (13:58 +0200)]
nsswitch: add logging to wbc_auth_error_to_pam_error() for non auth errors
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
acbf922fc2963a42d6cbe652bb32eee231020958)
Noel Power [Thu, 8 Aug 2019 14:06:28 +0000 (15:06 +0100)]
s3/libads: clang: Fix Value stored to 'canon_princ' is never read
Fixes:
source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang]
canon_princ = me;
^ ~~
1 warning generated.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
(cherry picked from commit
52d20087f620704549f5a5cdcbec79cb08a36290)
Björn Jacke [Sat, 21 Sep 2019 11:24:59 +0000 (13:24 +0200)]
classicupgrade: fix a a bytes-like object is required, not 'str' error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14136
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Björn Baumbach <bb@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Mon Sep 23 12:58:20 UTC 2019 on sn-devel-184
(cherry picked from commit
465e518d6cc200eefa38643e720ce64e53abac2e)
Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Tue Sep 24 18:30:08 UTC 2019 on sn-devel-184
Mathieu Parent [Wed, 18 Sep 2019 03:15:47 +0000 (03:15 +0000)]
pod2man is no longer needed
Since
e24e344d0da58013fd5fa404529fe1d25ef403bf.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14131
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8df123e7f7cb591f6673ccffefffc30b946f1a5b)
Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Fri Sep 20 21:13:55 UTC 2019 on sn-devel-184