git.samba.org - samba.git/log

VERSION: Disable GIT_SNAPSHOT for the 4.18.3 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.18.3.

Signed-off-by: Jule Anger <janger@samba.org>

smbd: also reset struct stat_ex.cached_dos_attributes in SET_STAT_INVALID()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15375

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 24 21:42:50 UTC 2023 on atb-devel-224

(cherry picked from commit 412373984db6d0c20ba38076d06d0a87631890d0)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Wed May 31 10:47:15 UTC 2023 on atb-devel-224

smbd: zero intialize SMB_STRUCT_STAT in vfswrap_readdir()

Avoid returning an uninitialized st.cached_dos_attributes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15375

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 0391120079b032077c3914c10189b85e61dc8498)

CI: add a test that checks the dosmode of symlinks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15375

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b4af281b2d7bfddbdb7289dadbed9db623bf0e84)

vfs_fruit: add fruit:convert_adouble parameter

https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri May 26 00:52:29 UTC 2023 on atb-devel-224

(cherry picked from commit 035f6d914d133cf3248f15b1be06a9e1837238da)

vfs_fruit: just log failing AppleDouble conversion

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 3bf97f19c36d26b4178f7cb6202bbdd44de0c1aa)

libadouble: allow FILE_SHARE_DELETE in ad_convert_xattr()

Not specifying FILE_SHARE_DELETE wasn't done intentionally. Not setting the flag
triggers the following problem:

* client sends a CREATE with delete access

* this triggers a call to open_streams_for_delete() where we check for
conflicting opens on any of the streams of the file or directory

* if the file (or directory) has a stream like ":com.apple.quarantine" the
stream is opened with DELETE_ACCESS and kept open when the next step might:

* if the file (or directory) has a Mac specific :AFP_AfpInfo stream, the
ad_convert() routine in fruit_create_file() is triggered

* ad_convert() checks if the file (or ...) has a sidecar ._ AppleDouble file, if
it has:

* in ad_convert_xattr() we unpack any set of xattrs encoded in the AppleDouble
file and recreate them as streams with the VFS. Now, if any of these xattrs
happens to be converted to a stream that we still have open in
open_streams_for_delete() (see above) we get a NT_STATUS_SHARING_VIOLATION

This error gets passed up the stack back to open_streams_for_delete() so the
client CREATE request fails and the client is unhappy.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 55bd10456486628cad2bd085618e873598401c3b)

vfs_fruit: never return AFP_Resource stream for directories

The macOS client creates ._ AppleDouble files for directories that do contain
an (empty) resource fork AppleDouble entry. So when going from a Samba server
config without streams module (or when migrating data from another server
without streams support), to a Samba config with a streams module and vfs_fruit,
fruit_streaminfo() will wrongly return the AFP_Resource from the AppleDouble
file as stream to the client.

To address this, just never return an AFP_Resource stream for directories when
listing streams in fruit_streaminfo(). ad_convert(), when configured with

fruit:delete_empty_adfiles = true
fruit:wipe_intentionally_left_blank_rfork = true

will happily discard the AFP_Resource from the AppleDouble file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 06f0c070a0b18313f48362aa326e3e7e6a096492)

vfs_fruit: return ENOENT instead of EISDIR when trying to open AFP_Resource for a directory

Translates to NT_STATUS_OBJECT_NAME_NOT_FOUND which is the same error macOS
returns in this case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9b91a8bad2ff8da9eb56f1f9d640bcea294a5a0a)

CI: add a test for fruit AppleDouble conversion when deletion triggers conversion

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 59eadfe21aca6d563f86ea656517216036421bca)

rpc_server3: Pass winbind_env_set() state through to rpcd_*

Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
into winbind for getpwnam. We have the "_NO_WINBINDD" environment
variable set in winbind itself for this case, but this is lost on the
way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
this information to dcerpc_core, where it sets the variable on every
call if requested.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224

(cherry picked from commit 59694ad0a4cc489f1baa4c2c94c6322c0f22c1df)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Fri May 26 13:29:20 UTC 2023 on atb-devel-224

lib: Add security_token_del_npa_flags() helper function

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit bb3ea36e10079ad9c73c68d7ed8fce51ecb40ebe)

rpc: Remove named_pipe_auth_req_info6->need_idle_server

Involves bumping up the version number

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit bdba027a33e35aab7bb322bc3167cdd7babfc059)

rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"

More code, but will be more flexible in the future.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 31180e0e6d9e43d54e7656a56ed3af129f578105)

named_pipe_auth: Bump info5 to info6

In the next commit, we shall replace the 'authenticated' field of
named_pipe_auth_req_info.info5.session_info.session_info.info with a
more general 'user_flags' field.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8aef16bbbc1e55f0a9f5a8ec87e5348688d93785)

rpc: Add global_sid_Samba_NPA_Flags SID

This will be used as a flexible way to pass per-RPC-connection flags
over ncalrpc to the RPC server without having to modify
named_pipe_auth_req_info6 every time something new needs to be
passed. It's modeled after global_sid_Samba_SMB3.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ebbb93cc7a57a118b82b8f383d25f1eb022397d6)

librpc: Simplify dcerpc_is_transport_encrypted()

Simplify logic by using security_token_count_flag_sids()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1d11e0489b2c91fc05c6befc0463695d7102abcc)

smbd: Use security_token_count_flag_sids() in open_np_file()

Simpler logic in the caller

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 244ee8ad75c2c968997dfdd5eeb9e9cb97a191fb)

libcli: Add security_token_count_flag_sids()

To be used in a few places when checking special-case Samba SIDs.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5e8c7192ba5469547ba3101885dfbaba2f8181f4)

samba-tool domain: Run in interactive mode if no args are supplied

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15363

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(backported from commit f1281b80c1ad68d380ce91c13076f6a60fbc627e)

[jsutton@samba.org Adapted to provisioning code refactor in commit
5986937d12c237121d4e62fa6dfa0f5dadec263d]

librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms

We should not limit the possible encryption algorithms to the currently
known ones.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15374

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed May 17 07:34:28 UTC 2023 on atb-devel-224

(cherry picked from commit e03e738dfc96b3c8ce54e2d280143965713f4778)

winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 9 02:58:45 UTC 2023 on atb-devel-224

(cherry picked from commit 6206e15b4de0ba67d713124c2be353dabf3878c8)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Fri May 12 15:58:34 UTC 2023 on atb-devel-224

winbind: Test wbinfo -u with more than 1000 users

winbind asks dcerpc_samr_LookupRids in one batch, where samr.idl has

NTSTATUS samr_LookupRids(
[in,ref]      policy_handle *domain_handle,
[in,range(0,1000)] uint32 num_rids,
[in,size_is(1000),length_is(num_rids)] uint32 rids[],
[out,ref]     lsa_Strings *names,
[out,ref]     samr_Ids *types
);

limiting num_rids to 1000 entries. Test this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f633389f36e79d3e772777ad7ca13012e3616273)

s3:locking: fix debug level for NT_STATUS_NOT_FOUND messanges in get_static_share_mode_data

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15362

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Apr 24 14:13:35 UTC 2023 on atb-devel-224

(cherry picked from commit eafcef18584c264dc68dd95fbd8aa39218199446)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Tue May 9 13:15:57 UTC 2023 on atb-devel-224

dsgetdcname: do not assume local system uses IPv4

Return the first IPv4 and the first IPv6 address found for each DC.
This is slightly inelegant, but resolves an issue where IPv6-only
systems were unable to run "net ads join" against domain controllers
that have both A and AAAA records in DNS.

While this impacts performance due to the additional LDAP ping attempts,
in practice an attempt to connect to an IPv6 address on an IPv4-only
system (or vice versa) will fail immediately with
NT_STATUS_NETWORK_UNREACHABLE, and thus the performance impact should be
negligible.

The alternative approach, using an smb.conf setting to control whether
the logic prefers a single address of one family or the other ends up
being a bit awkward, as it pushes the problem onto admins and tools such
as "realm join" that want to dynamically synthesize an smb.conf on the
fly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15325

Signed-off-by: Nathaniel W. Turner <nturner@exagrid.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 9 19:12:15 UTC 2023 on atb-devel-224

(cherry picked from commit f55a357c6b9387883a7628a1b1083263a10121a6)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Mon May 8 10:17:16 UTC 2023 on atb-devel-224

s3:lib: Do not try to match '.' and '..' directories in is_in_path()

This fixes setting veto files to '.*' to not list hidden files and
directories starting with a dot.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15360

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9eb44306623fc4897b373b04763e475f696ab92d)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Fri Apr 28 15:17:25 UTC 2023 on atb-devel-224

s3:tests: Add test that veto files works for hidden files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15360

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit a2acbd3f3cff8d1cac63acdead4b7be14a7092b2)

s3:tests: Create a temporary directory for test_veto_files.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15360

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b5a66840e3057cbff85fe6cd231310c4a9cfb34b)

libcli/security: rewrite calculate_inherited_from_parent()

This allows us to pass the new tests we just added.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bb09c06d6d58a04e1d270a9f99d1179cfa9acbda)

VERSION: Bump version up to Samba 4.18.3...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.18.2 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.18.2.

Signed-off-by: Jule Anger <janger@samba.org>

shadow_copy2: Fix stream open for streams_depot paths

streams_depot hands us absolute paths with : filename components
instead of having set smb_fname_in->stream_name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15358

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Apr 17 18:11:07 UTC 2023 on atb-devel-224

(cherry picked from commit 526f381f413d1cb5cde93b9542034f5ebfcfcc10)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Tue Apr 18 19:06:55 UTC 2023 on atb-devel-224

tests: Show that streams_depot and shadow_copy2 don't play together

See the next patch, we assert in shadow_copy2_openat() over paths
passed in from shadow_copy2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15358

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 0327334c89cfda9020c6044a7b2b182138e46d03)

streams_depot: Create files when requested

If you set "create mask = 0600" no streams will be created....

Tested manually. Not creating an automated test for this, there are so
many places where this can go wrong that testing this individual
glitch does not gain us much confidence.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15357

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 081e808ab4ac6e187b9791da322eb7173e1e133c)

rpcd_mdssvc: initialize POSIX locking

Otherwise the posix_pending_close_db is NULL and we crash when trying to close a
file descriptor:

   #4 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_parse_record+0xe) [0x7fbc5d05c8ae]
   #5 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_fetch_int32+0x38) [0x7fbc5d05d438]
   #6 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close_posix+0x7b) [0x7fbc5e276f8b]
   #7 /usr/lib64/samba/libsmbd-base-samba4.so(+0x57900) [0x7fbc5e28a900]
   #8 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close+0x68) [0x7fbc5e2b7ea8]
   #9 /usr/lib64/samba/libsmbd-base-samba4.so(+0x62608) [0x7fbc5e295608]
   #10 /usr/lib64/samba/libtalloc-samba4.so(_talloc_free+0x51b) [0x7fbc5d9f439b]
   #11 /usr/lib64/samba/vfs/fruit.so(+0xcac2) [0x7fbc45fcdac2]
   #12 /usr/lib64/samba/vfs/fruit.so(+0xcbdd) [0x7fbc45fcdbdd]
   #13 /usr/lib64/samba/vfs/fruit.so(+0xf603) [0x7fbc45fd0603]
   #14 /usr/lib64/samba/libsmbd-base-samba4.so(+0x56375) [0x7fbc5e289375]
   #15 /usr/lib64/samba/vfs/nothingtoseeherereally.so(+0x196c) [0x7fbc467f996c]
   #16 /usr/lib64/samba/vfs/streams_xattr.so(+0x51fc) [0x7fbc461e71fc]
   #17 /usr/lib64/samba/libsmbd-base-samba4.so(+0xade3a) [0x7fbc5e2e0e3a]
   #18 /usr/lib64/samba/libsmbd-base-samba4.so(create_conn_struct_cwd+0x44) [0x7fbc5e2e1cf4]
   #19 /usr/libexec/samba/rpcd_mdssvc(mds_init_ctx+0x2c3) [0x563fdac08f03]
   #20 /usr/libexec/samba/rpcd_mdssvc(_mdssvc_open+0x141) [0x563fdac0b4d1]

The corresponding open is done as part of initializing a connection_struct
object, where we chdir() and stat() the root path of the share. The stat() in
vfs_fruit causes an expensive metadata request on the path which triggers an
internal open of a pathref handle. Note that this only affects servers that have
fruit:metadata = netatalk set, which is the default unfortunately.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15354

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Apr  7 21:12:21 UTC 2023 on atb-devel-224

(cherry picked from commit 3633027e49aec064e7d890a1f7ec4d81711a5de7)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Sun Apr 16 16:39:24 UTC 2023 on atb-devel-224

net_ads: fill ads->auth.realm from c->creds

We get the realm we use for authentication needs to
the realm belonging to the username we use.

We derive the username from c->creds, so we need to
do the same for the realm.

Otherwise we try to authenticate as the wrong user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0ef53b948e13eb36b536228cccd89aa4c2adbb90)

testprogs/blackbox: add test_net_ads_search_server.sh

This reproduces a regression with
'net ads search -P --server server.of.trusted.domain'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3b585f9e8cc320841fab4cd5c3be53788d0a87ac)

smbXsrv_tcon: avoid storing temporary (invalid!) records.

We used to store smbXsrv_tcon_global.tdb records in two steps,
first we created a record in order to allocate the tcon id.
The temporary record had a NULL share_name, which translated
into 0 bytes for the string during ndr_push_smbXsrv_tcon_global0.

The problem is that ndr_pull_smbXsrv_tcon_global0 fails on
this with something like:

Invalid record in smbXsrv_tcon_global.tdb:key '2CA0ED4A' ndr_pull_struct_blob(length=85) - Buffer Size Error

The blob looks like this:

[0000] 00 00 00 00 01 00 00 00   00 00 00 00 00 00 02 00   ........  ........
[0010] 00 00 00 00 4A ED A0 2C   4A ED A0 2C 00 00 00 00   ....J.., J..,....
[0020] F8 4B 00 00 00 00 00 00   00 00 00 00 FF FF FF FF   .K......  ........
[0030] 4D 59 9B 9F 83 F4 35 20   36 D2 B0 82 62 68 D9 01   MY....5 6...bh..
[0040] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........  ........
[0050] 00 00 00 00 00                                      .....

The reason for having a temporary entry was just based on
the fact, that it was easier to keep the logic in
make_connection_snum() untouched.

But we have all information available in order to store
the final record directly. We only need to do the
"max connections" check first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15353

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e0e58ed0e2429f01265d544b444bf0e4075549e2)

smbd: Fix case normalization in for directories

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Feb 24 08:46:14 UTC 2023 on atb-devel-224

(cherry picked from commit bf9130d375b6c401bb79fc1a0911975814759e3b)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Tue Apr 11 16:30:25 UTC 2023 on atb-devel-224

tests: Show that the case sensitive large dir optimization is broken

We don't normalize the directories

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 342d8f6a0a8bc2229332783a840c882f85a1dd4e)

tests: Move libsmb-basic to fileserver_smb1 environment

This has the lower-case share, used in the next commit

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit a9301d8f2956409a6d36e7776d0237d03bfbdbf6)

s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15302

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 11 08:48:05 UTC 2023 on atb-devel-224

(cherry picked from commit e8abe52df2d3ae533b3f874a885856f26ba5ec7e)

smbd: Prevent creation of vetoed files

The problem is when checking for vetoed names on the last path component in
openat_pathref_fsp_case_insensitive() we return
NT_STATUS_OBJECT_NAME_NOT_FOUND. The in the caller
filename_convert_dirfsp_nosymlink() this is treated as the "file creation case"
causing filename_convert_dirfsp_nosymlink() to return NT_STATUS_OK.

In order to correctly distinguish between the cases

1) file doesn't exist, we may be creating it, return
2) a vetoed a file

we need 2) to return a more specific error to
filename_convert_dirfsp_nosymlink(). I've chosen NT_STATUS_OBJECT_NAME_INVALID
which gets mapped to the appropriate errror NT_STATUS_OBJECT_PATH_NOT_FOUND or
NT_STATUS_OBJECT_NAME_NOT_FOUND depending on which path component was vetoed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr 6 23:03:50 UTC 2023 on atb-devel-224

(cherry picked from commit 8b23a4a7eca9b8f80cc4113bb8cf9bb7bd5b4807)

CI: add a test creating a vetoed file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 2e8954d5be3336f1c4c2cf033209f632ad84e712)

dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test

By slowing the filter down more this makes the test reliable on the
autobuild host.

This is not a long-term solution, but is a quick tweak that can be done
today to address current issues with getting commits past the host-based
(compared with cloud-based) autobuild.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 479634e4cd6543d489eb4700aebde1a479b94fe5)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Tue Apr 11 08:36:03 UTC 2023 on atb-devel-224

dsdb/tests: Move SD modification on class-created objects to classSetUp

These modifications persist, so should be done at the class level,
not in the test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit e1c0c2066c2f29bb614e3386b796eec3cb289aea)

selftest: fix flapping samba-tool drs showrepl test

Test should have been using "schema_pair_dc", it was picking this up from the variable env in the loop above it.

However, it was hardcoded to use promoted_dc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15316

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 3687ab318a9553883d8c0d1214e2d49b83ec91ba)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Wed Apr 5 13:02:59 UTC 2023 on atb-devel-224

selftest: make two samba-tool drs tests generic

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15316

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 1368e359b2a75b6b683aff274b2b2084f3cd469b)

python: Replace calls to deprecated methods

These aliases are deprecated and have been removed in Python 3.12.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15343
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15316

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 41aa379abb391ffab77238d65ee5ba11b9ab8538)

[abartlet@samba.org BUG tag added as required patch for bug 15316]

s3: libcli: Refuse to connect to any server with zero values for max_trans_size, max_read_size, max_write_size.

There's nothing we can do to such a server (this
now matches the behavior for SMB1).

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 29 18:58:33 UTC 2023 on atb-devel-224

(cherry picked from commit 76573d6d8f168d6e6107af26a434b8c71aaf93af)

tests: Add samba3.blackbox.zero_readsize test.

smbclient crashes when smbd has "smb2 max read = 0"
in the [global] section of smb.conf.

We should fail the protocol negotiation with
NT_STATUS_INVALID_NETWORK_RESPONSE in this case.

Adds knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 006fe806782c42e860ed2cf2bc9f6b1b82c3a307)

python:netcmd: Decode return value of find_netbios() from bytes into string

ERROR(<class 'TypeError'>): uncaught exception - replace() argument 1 must be
str, not bytes
  File "bin/python/samba/netcmd/__init__.py", line 230, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 966, in run
    if b1.diff(b2):
       ^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 790, in diff
    if object1 == object2:
       ^^^^^^^^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 557, in __eq__
    return self.cmp_attrs(other)
           ^^^^^^^^^^^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 656, in cmp_attrs
    p = [self.fix_domain_netbios(j) for j in m]
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 656, in <listcomp>
    p = [self.fix_domain_netbios(j) for j in m]
         ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 542, in fix_domain_netbios
    res = res.replace(self.con.domain_netbios.lower(), self.con.domain_netbios.upper())
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

BUGS: https://bugzilla.samba.org/show_bug.cgi?id=15330

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4fa0242b9d34decd8dbd813be40655a593df3db9)

Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Wed Apr  5 11:41:32 UTC 2023 on atb-devel-224

dsdb: Avoid ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join

"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.

When deferring the writing out to the DB of link replication to the very end, there
is a greater opportunity for the deletion of an object to have been sent with the
other objects, and have the link applied later.

This tells the repl_meta_data code to behave as if GET_TGT had been sent at the
time the link was returned, allowing a link to a deleted object to be silently
discarded.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit bfc33b47bb428233e100f75e7a725ac52179f823)

selftest/drs: Demonstrate ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join

"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.

By deferring the writing out to the DB of link replication to the very end, we have a
better chance that all the objects required are present, however the situation may
have changed during the cycle, and a link could still be sent, pointing to a deleted
object.

We currently fail in this situation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 2d41bcce83a976b85636c92d6fc38c63fdde5431)

tsocket: Increase tcp_user_timeout max_loops

Often, on rackspace GitLab CI runners, we get:

UNEXPECTED(failure): samba.unittests.tsocket_tstream.test_tstream_more_tcp_user_timeout_spin(none)
REASON: Exception: Exception: 0xf == 0xf
../../lib/tsocket/tests/test_tstream.c:405: error: Failure!

This allows us more spins before we fail the test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15328
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 5a7a28cc45870949fc11d30586a06c309aa517dc)

idmap_hash: remember new domain sids in idmap_hash_sid_to_id()

This change means that idmap_hash_id_to_sid() can return mappings
for new domains learned in idmap_hash_sid_to_id().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 10 11:35:06 UTC 2023 on atb-devel-224

(cherry picked from commit 7ee725f2860d835e9619fa594a2ee6faedbc6d21)

idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon cache

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ee820553fd2c6ada966a0160cbb0240049f9d9f7)

idmap_hash: only return ID_REQUIRE_TYPE if we don't know about the domain yet

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ede88d9f83fb77fa8eff226fb6a85ac71e415098)

idmap_hash: return ID_REQUIRE_TYPE only if there's a chance to get a mapping later

If we are going to return ID_UNMAPPED later anyway, there's no need to
defer that decision by returning ID_REQUIRE_TYPE first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 42dcb3db05530179a991fe58e7b96b52bbbcc607)

idmap_hash: split out a idmap_hash_sid_to_id() helper function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit c158b075b0b5035615fa8848f1f3d8ef27696861)

idmap_hash: split out a idmap_hash_id_to_sid() helper function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 57150b463fb8e27c048670f7b4902bd091ee3ae9)

idmap_hash: mirror the NT_STATUS_NONE_MAPPED/STATUS_SOME_UNMAPPED logic from idmap_autorid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 14102b05f3744c67178bd719d41e67fc3e049ee4)

idmap_hash: we don't need to call idmap_hash_initialize() over an over again

It's always the first function that's called from idmap_methods.

This also demonstrates that we currently always return NT_STATUS_OK,
even if we haven't mapped all map entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 0da13ab3ad7278eafdcd988f39e891242eb46d37)

idmap_hash: remove unused error checks

id_map_ptrs_init() is used in the callers in order to
set everything up as expected.

Other backends also just trust the caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 2cfcff3101fce94b365eccde114432dfa980bbd0)

idmap_hash: fix comments about the algorithm

Only support ~ 50k users per domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0f96c4b419a59ea884e68a460910e5c8a45bfcec)

idmap_hash: provide ID_TYPE_BOTH mappings also for unixids_to_sids

While sids_to_unixids returns ID_TYPE_BOTH mappings,
unixids_to_sids() returns the callers asked for, which
fills gencache with the non ID_TYPE_BOTH mappings.
As a result also the sids_to_unixids fast path via
gencache won't return ID_TYPE_BOTH mappings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9a24570d3d69f51b6d50bb04b739815ec67c1a3d)

idmap_autorid: fix ID_REQUIRE_TYPE for more than one SID for an unknown domain

When we see a trusted domain SID for the first time,
idmap_autorid returns ID_REQUIRE_TYPE only for the first sid
and leaves the others with ID_TYPE_NOT_SPECIFIED.
It means the winbindd parent only retries the first sid.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15318

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit a9583b5f96fe3fbf9c1ee545fa868fd705aef3e0)

winbindd: don't call set_domain_online_request() in the idmap child

Most idmap backends don't need access to the domain controllers.
And the related code is not needed for the backends.

Commit 17c86a2c5a5a5e2b194362e5f36f0f99910222c5 changed
the logic of set_domain_online_request() completely!
Instead of triggering a dc probe in the background,
it is now doing a blocking connection.
And doing this in the idmap child is completely useless.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15317

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ad242a20643c930eb00a8b700f7bd9638f8821a8)

VERSION: Bump version up to Samba 4.18.2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.18.1 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.18.1.

Signed-off-by: Jule Anger <janger@samba.org>

CVE-2023-0922 set default ldap client sasl wrapping to seal

This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values

This early return would mistakenly allow an unprivileged user to delete
the dNSHostName attribute by making an LDAP modify request with no
values. We should no longer allow this.

Add or replace operations with no values and no privileges are
disallowed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Release LDB 2.7.2

* CVE-2023-0614 Not-secret but access controlled LDAP attributes can be discovered (bug 15270)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN

Setting the LDB_HANDLE_FLAG_UNTRUSTED tells the acl_read module to operate on this request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes

The chain for transitive evaluation does consider ACLs, avoiding the disclosure of
confidential information.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED

This will allow our dsdb helper search functions to mark the new
request as untrusted, forcing read ACL evaluation (per current behaviour).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed

In the unlikely case that someone adds a confidential indexed attribute
to the schema, LDAP search expressions on that attribute could disclose
information via timing differences. Let's not use the index for searches
on confidential attributes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Filter on search base before redacting message

Redaction may be expensive if we end up needing to fetch a security
descriptor to verify rights to an attribute. Checking the search scope
is probably cheaper, so do that first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Centralise checking for inaccessible matches

This makes it less likely that we forget to handle a case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Use binary search to check whether attribute is secret

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it

If the AS_SYSTEM control is present, we know we have system privileges,
and have no need to call dsdb_module_am_system().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Prevent disclosure of confidential attributes

Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.

Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.

Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.

As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 s4-acl: Split out function to set up access checking variables

These variables are often used together, and it is useful to have the
setup code in one place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()

This function parses a SID from an ldb_message, similar to
samdb_result_dom_sid(), but does it without allocating anything.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID

DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit
08187833fee57a8dba6c67546dfca516cd1f9d7a.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential attributes test

The object returned by schema_format_value() is a bytes object.
Therefore the search expression would resemble:

(lastKnownParent=<GUID=b'00000000-0000-0000-0000-000000000000'>)

which, due to the extra characters, would fail to match anything.

Fix it to be:

(lastKnownParent=<GUID=00000000-0000-0000-0000-000000000000>)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own

In extended_dn_fix_filter() we had:

req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);

which overwrote the parse tree on an existing ldb request with a fixed
up tree. This became a problem if a module performed another search with
that same request structure, as extended_dn_in would try to fix up the
already-modified tree for a second time. The fixed-up tree element now
having an extended DN, it would fall foul of the ldb_dn_match_allowed()
check in extended_dn_filter_callback(), and be replaced with an
ALWAYS_FALSE match rule. In practice this meant that <GUID={}> searches
would only work for one search in an ldb request, and fail for
subsequent ones.

Fix this by creating a new request with the modified tree, and leaving
the original request unmodified.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place()

Change all uses of ldb_kv_filter_attrs() to use
ldb_filter_attrs_in_place() instead. This function does less work than
its predecessor, and no longer requires the allocation of a second ldb
message. Some of the work is able to be split out into separate
functions that each accomplish a single task, with a purpose to make the
code clearer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place

ldb_filter_attrs() previously did too much. Now its replacement,
ldb_filter_attrs_in_place(), only does the actual filtering, while
taking ownership of each element's values is handled in a separate
function, ldb_msg_elements_take_ownership().

Also, ldb_filter_attrs_in_place() no longer adds the distinguishedName
to the message if it is missing. That is handled in another function,
ldb_msg_add_distinguished_name().

As we're now modifying the original message rather than copying it into
a new one, we no longer need the filtered_msg parameter.

We adapt a test, based on ldb_filter_attrs_test, to exercise the new
function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Add function to filter message in place

At present this function is an exact duplicate of ldb_filter_attrs(),
but in the next commit we shall modify it to work in place, without the
need for the allocation of a second message.

The test is a near duplicate of the existing test for
ldb_filter_attrs().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Add function to add distinguishedName to message

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb message

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>