Isaac Boukris [Thu, 5 Nov 2020 13:38:19 +0000 (15:38 +0200)]
Remove source4/scripting/devel/createtrust script
We now have the 'samba-tool domain trust' command.
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Isaac Boukris [Tue, 1 Sep 2020 17:14:29 +0000 (20:14 +0300)]
selftest: add a test for the CreateTrustedDomainRelax wrapper
Originally copied from 'source4/scripting/devel/createtrust'
(had to drop the TRUST_AUTH_TYPE_VERSION part though, as it
fails against samba DC).
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Isaac Boukris [Thu, 20 Aug 2020 10:49:17 +0000 (12:49 +0200)]
Use the new CreateTrustedDomainRelax()
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Isaac Boukris [Thu, 20 Aug 2020 10:47:12 +0000 (12:47 +0200)]
Add CreateTrustedDomainRelax wrapper for fips mode
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Isaac Boukris [Thu, 20 Aug 2020 10:44:08 +0000 (12:44 +0200)]
selftest: add a test for py dce transport_encrypted
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Isaac Boukris [Thu, 20 Aug 2020 10:35:01 +0000 (12:35 +0200)]
Add py binding for dcerpc_transport_encrypted
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Isaac Boukris [Thu, 20 Aug 2020 10:18:21 +0000 (12:18 +0200)]
Add dcerpc_transport_encrypted()
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Isaac Boukris [Thu, 20 Aug 2020 10:09:05 +0000 (12:09 +0200)]
Add smb2cli_session_get_encryption_cipher()
When 'session->smb2->should_encrypt' is true, the client MUST encrypt
all transport messages (see also MS-SMB2 3.2.4.1.8).
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andrew Walker [Mon, 2 Nov 2020 21:42:29 +0000 (16:42 -0500)]
s4:libnet:py_net - free event context in dealloc fn
Creation of a new Net() object initializes an event context under
a NULL talloc context and then creates a new talloc context as a
child of the event context. The deallocation function for the
net object only frees the child and not the parent. This leaks an
fd for the tevent context and associated memory.
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Nov 6 04:58:31 UTC 2020 on sn-devel-184
Alexander Bokovoy [Wed, 4 Nov 2020 17:21:24 +0000 (19:21 +0200)]
Revert "lookup_name: allow lookup for own realm"
This reverts commit f901691209867b32c2d7c5c9274eee196f541654.
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Nov 5 07:53:03 UTC 2020 on sn-devel-184
Alexander Bokovoy [Wed, 4 Nov 2020 17:21:20 +0000 (19:21 +0200)]
Revert "cli_credentials: add a helper to parse user or group names"
This reverts commit 00f4262ed0b22f6e333e5a29c5590b62c783905c.
Alexander Bokovoy [Wed, 4 Nov 2020 17:20:58 +0000 (19:20 +0200)]
Revert "cli_credentials_parse_string: fix parsing of principals"
This reverts commit eb0474d27bae4592b25ac6bf600da29c6a1cb9f8.
Andreas Schneider [Wed, 4 Nov 2020 15:15:16 +0000 (16:15 +0100)]
bootstrap: Add Fedora 33
This removes Fedora 31 support.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 5 00:17:55 UTC 2020 on sn-devel-184
Gary Lockyer [Mon, 26 Oct 2020 20:32:21 +0000 (09:32 +1300)]
tests python krb5: Add python kerberos canonicalization tests
Add python canonicalization tests, loosely based on the code in
source4/torture/krb5/kdc-canon-heimdal.c. The long term goal is to move
the integration level tests out of kdc-canon-heimdal, leaving it as a
heimdal library unit test.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 26 Oct 2020 20:31:24 +0000 (09:31 +1300)]
tests python krb5: Add canonicalize flag to ASN1
Add the canonicalize flag to KerberosFlags, so that it can be used in
python based canonicalization tests.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 26 Oct 2020 20:29:56 +0000 (09:29 +1300)]
tests python krb5: Make PrincipalName_create a class method
Make PrincipalName_create a class method, so it can be used in helper
classes.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 2 Nov 2020 20:25:48 +0000 (09:25 +1300)]
selftest: add mit kdc specific known fail
Add a MIT kerberos specific known fail, will be needed by subsequent
commits.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Mon, 2 Nov 2020 15:10:44 +0000 (16:10 +0100)]
s3-vfs_glusterfs: always disable write-behind translator
The "pass-through" option has now been merged upstream as of:
https://github.com/gluster/glusterfs/pull/1640
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Anoop C S <anoopcs@samba.org>
Pair-Programmed-With: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 4 22:53:49 UTC 2020 on sn-devel-184
Bradley M. Kuhn [Mon, 26 Oct 2020 21:29:00 +0000 (14:29 -0700)]
VFS-License-clarification: minor improvements aligning w/ GPLv3 text
The phrase "derived work" and word "derived" don't appear in GPLv3;
instead, GPLv3 uses the phrases "modified version" and "based on" to
implement the strong copyleft clause. Herein, align the VFS
statement with the phrases as they appear in the GPLv3 since Samba's
license is GPLv3-or-later.
Included are also a few other very minor wording changes as suggested
by legal counsel who is experienced with presenting these sorts of
licensing statements to company lawyers and suggests these changes
will comfort that constituency.
Finally, update both occurrences of the statement in the codebase in
two different files.
Signed-off-by: Bradley M. Kuhn <bkuhn@sfconservancy.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 31 Oct 2020 15:48:31 +0000 (16:48 +0100)]
libsmb: Remove cli_state->dfs_mountpoint
Not used anymore
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 4 20:17:47 UTC 2020 on sn-devel-184
Volker Lendecke [Fri, 30 Oct 2020 17:49:52 +0000 (18:49 +0100)]
libsmb: Remove "mntpoint" argument from cli_list_trans() callback
This was unused in the callers, also do this for symmetry.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 19 Oct 2020 08:09:23 +0000 (10:09 +0200)]
libsmb: Remove "mntpoint" argument from cli_list() callback
do_list()/do_list_helper() in source3/client/client.c was the only user of this
argument. And that use was wrong.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 19 Oct 2020 07:37:03 +0000 (09:37 +0200)]
smbclient: Fix recursive "ls" across DFS links
This is a bit of a subtle patch: The main trick is that with the previous
code a DFS-style \\server\share\dir1\dir2 path ended up in the list of
directories to enumerate. This was then processed by do_list again,
passing it to cli_resolve_path. However, cli_resolve_path always
expects non-DFS style paths as input. This patch passes the original,
non-DFS path to do_list_helper(), so that it ends up without the DFS
style \\server\share prefix in the directory queue.
From general failure it just fails on the SMB1-based environments,
like the other smbclient_s3 ones in knownfail.d/smb1-tests
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 18 Oct 2020 16:39:17 +0000 (18:39 +0200)]
smbclient: Add "mask" to do_list_helper_state
To me this is simpler to understand than to rely on the cli_list
callback which goes through some function call layers. Also, this
gives more obvious control over what we pass in the next patch.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 11 Oct 2020 05:41:01 +0000 (07:41 +0200)]
smbclient: Introduce struct do_list_helper_state
We'll pass more information to do_list_helper() soon
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 11 Oct 2020 05:35:52 +0000 (07:35 +0200)]
smbclient: Wrap a few long lines
Make the next patch simpler
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 29 Oct 2020 20:32:21 +0000 (21:32 +0100)]
smbclient: Move variable declarations closer to their use
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 27 Oct 2020 09:12:51 +0000 (10:12 +0100)]
torture: Show that recursive ls across dfs is broken
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 26 Oct 2020 08:18:57 +0000 (09:18 +0100)]
libsmb: Fix a signed/unsigned warning
"num_bytes" is uint32_t, "received" is uint16_t. The multiplication
seems to implicitly widen "received" to int, leading to a
signed/unsigned warning. This cast makes that warning go away.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 21 Oct 2020 10:59:29 +0000 (12:59 +0200)]
smbd: Align two integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 22 Oct 2020 09:32:29 +0000 (11:32 +0200)]
libreplace: Compare a pointer against NULL, not 0
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 31 Oct 2020 16:32:14 +0000 (17:32 +0100)]
libsmb: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 1 Nov 2020 08:58:23 +0000 (09:58 +0100)]
libsmb: Improve wording of a comment in cli_smb2_list
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Alexander Bokovoy [Wed, 4 Nov 2020 12:21:33 +0000 (14:21 +0200)]
lookup_name: allow lookup for own realm
When using a security tab in Windows Explorer, a lookup over a trusted
forest might come as realm\name instead of NetBIOS domain name:
--------------------------------------------------------------------
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000000e-0000-0000-1c5e-a750e5810000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'ipa.test\admins'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------
Allow this lookup using realm to be done against primary domain when we
are a domain controller. This corresponds to FreeIPA use of Samba as a
DC. For normal domain members a realm-based lookup falls back to a
lookup over to its own domain controller with the help of winbindd.
Refactor user name parsing code to reuse cli_credentials_* API to be
consistent with other places. cli_credentials_parse_name() handles
both domain and realm-based user name variants.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Nov 4 16:23:40 UTC 2020 on sn-devel-184
Alexander Bokovoy [Wed, 4 Nov 2020 12:00:58 +0000 (14:00 +0200)]
cli_credentials: add a helper to parse user or group names
cli_credentials_parse_string() parses a string specified for -U option
in command line tools. It has a side-effect that '%' character is always
considered to be a separator after which a password is specified.
Active Directory does allow to create user or group objects with '%' in
the name. It means cli_credentials_parse_string() will not be able to
properly parse such name.
Introduce cli_credentials_parse_name() for the cases when a password is
not expected in the name and call to cli_credentials_parse_name() from
cli_credentials_parse_string().
Test cli_credentials_parse_name() with its intended use in lookup_name()
refactoring.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Alexander Bokovoy [Wed, 7 Oct 2020 16:25:24 +0000 (19:25 +0300)]
cli_credentials_parse_string: fix parsing of principals
When parsing a principal-like name, user name was left with full
principal instead of taking only the left part before '@' sign.
>>> from samba import credentials
>>> t = credentials.Credentials()
>>> t.parse_string('admin@realm.test', credentials.SPECIFIED)
>>> t.get_username()
'admin@realm.test'
The issue is that cli_credentials_set_username() does a talloc_strdup()
of the argument, so we need to change order of assignment to allow
talloc_strdup() to copy the right part of the string.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
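The two parsing behaviours described in the cli_credentials commit messages above ('%' taken as the password separator, and the user name copied before the buffer is cut at '@'), as a simplified C model added here. It is not Samba's code: `struct creds_model`, `model_parse_name()`, `model_parse_string()`, `username_is()` and the `truncate_first` switch are hypothetical names, a plain malloc copy stands in for `talloc_strdup()`, and `sales%emea` is a constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the credential fields named above. */
struct creds_model {
	char *username, *domain, *realm, *password;
};

/* Copy the value as it is at call time (stands in for talloc_strdup()). */
static void set_field(char **field, const char *value)
{
	size_t n = strlen(value) + 1;
	char *copy = malloc(n);

	if (copy != NULL) {
		memcpy(copy, value, n);
	}
	free(*field);
	*field = copy;
}

static void creds_model_clear(struct creds_model *c)
{
	free(c->username);
	free(c->domain);
	free(c->realm);
	free(c->password);
	memset(c, 0, sizeof(*c));
}

/*
 * Parse a name that carries no password, so '%' is an ordinary character.
 * truncate_first == 0: the user name is copied while the buffer still holds
 * the full principal, so the later cut at '@' does not reach the copy.
 * truncate_first == 1: the buffer is cut at '@' before the copy is taken.
 */
void model_parse_name(struct creds_model *c, char *buf, int truncate_first)
{
	char *p;

	if ((p = strchr(buf, '@')) != NULL) {
		if (truncate_first) {
			*p = '\0';
			set_field(&c->username, buf);
		} else {
			set_field(&c->username, buf);
			*p = '\0';
		}
		set_field(&c->realm, p + 1);
	} else if ((p = strchr(buf, '\\')) != NULL) {
		/* prefix\name form: this model keeps the prefix as the domain */
		*p = '\0';
		set_field(&c->domain, buf);
		set_field(&c->username, p + 1);
	} else {
		set_field(&c->username, buf);
	}
}

/* -U style input: the first '%' starts the password, the rest is a name. */
void model_parse_string(struct creds_model *c, char *buf, int truncate_first)
{
	char *p = strchr(buf, '%');

	if (p != NULL) {
		*p = '\0';
		set_field(&c->password, p + 1);
	}
	model_parse_name(c, buf, truncate_first);
}

/* Returns 1 when parsing `input` leaves exactly `expected` as the user name. */
int username_is(const char *input, int expect_password, int truncate_first,
		const char *expected)
{
	struct creds_model c = {0};
	char buf[256];
	int ok;

	snprintf(buf, sizeof(buf), "%s", input);
	if (expect_password) {
		model_parse_string(&c, buf, truncate_first);
	} else {
		model_parse_name(&c, buf, truncate_first);
	}
	ok = (c.username != NULL && strcmp(c.username, expected) == 0);
	creds_model_clear(&c);
	return ok;
}

int main(void)
{
	printf("copy before cut keeps principal: %d\n",
	       username_is("admin@realm.test", 1, 0, "admin@realm.test"));
	printf("cut before copy keeps left part: %d\n",
	       username_is("admin@realm.test", 1, 1, "admin"));
	printf("'%%' splits a -U style string:    %d\n",
	       username_is("sales%emea", 1, 1, "sales"));
	printf("'%%' kept in a plain name:        %d\n",
	       username_is("sales%emea", 0, 1, "sales%emea"));
	return 0;
}
```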
Björn Baumbach [Thu, 29 Oct 2020 11:38:51 +0000 (12:38 +0100)]
selftest: add test for new "samba-tool user unlock" command
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Nov 4 00:19:25 UTC 2020 on sn-devel-184
Björn Baumbach [Thu, 22 Oct 2020 15:29:56 +0000 (17:29 +0200)]
samba-tool: add new "user unlock" command
Can be used to unlock a user when the badPwdCount has been reached.
Introduces SamDB error classes, as suggested by
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> - thanks!
This helps to handle expected failures.
Tracebacks of really unexpected failures will not be hidden.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andreas Schneider [Tue, 3 Nov 2020 10:57:03 +0000 (11:57 +0100)]
s3:vfs: Document the encryption_required flag in vfs.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Nov 3 16:47:57 UTC 2020 on sn-devel-184
Andreas Schneider [Tue, 1 Sep 2020 10:32:28 +0000 (12:32 +0200)]
auth:creds:tests: Migrate test to a cmocka unit test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Thu, 20 Aug 2020 07:40:41 +0000 (09:40 +0200)]
auth:creds: Rename CRED_USE_KERBEROS values
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Jeremy Allison [Mon, 2 Nov 2020 23:46:51 +0000 (15:46 -0800)]
s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov 3 01:56:59 UTC 2020 on sn-devel-184
Douglas Bagnall [Fri, 23 Oct 2020 03:30:25 +0000 (16:30 +1300)]
dsdb/mod/operational: correct comment arithmetic
E + F is not 1F! E + F is 1D!
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Mon, 2 Nov 2020 11:30:36 +0000 (12:30 +0100)]
s3-vfs_glusterfs: refuse connection when write-behind xlator is present
Once the new glusterfs api is available we will programmatically disable
the translator, for now we just refuse the connection as there is
a potential for serious data damage.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Sachin Prabhu <sprabhu@redhat.com>
Pair-Programmed-With: Anoop C S <anoopcs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 2 21:40:33 UTC 2020 on sn-devel-184
Sachin Prabhu [Thu, 15 Oct 2020 11:14:33 +0000 (12:14 +0100)]
docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs
Add warning about data corruption with the write-behind translator.
The data corruption is highlighted by the smbtorture test smb2.rw.rw1.
More information about this data corruption issue is available in the
bz.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Martin Schwenke [Wed, 28 Oct 2020 22:05:37 +0000 (09:05 +1100)]
selftest: Drop dummy environment variables for CTDB daemons
This existed to avoid UID_WRAPPER_ROOT=1 causing ctdbd to fail to
chown the socket. The chown is no longer done in test mode so remove
this confusing hack.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Nov 2 10:20:45 UTC 2020 on sn-devel-184
Martin Schwenke [Sat, 24 Oct 2020 09:35:53 +0000 (20:35 +1100)]
ctdb-daemon: Do not attempt to chown Unix domain socket in test mode
If run with UID wrapper and UID_WRAPPER_ROOT=1 then securing the
socket will fail.
Test mode means that local daemons are in use, so securing the socket
is not important.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Martin Schwenke [Sat, 24 Oct 2020 10:54:21 +0000 (21:54 +1100)]
ctdb-daemon: Clean up call to bind socket
Variable res is only used once and ret is re-used many times. Drop
res, use ret, which doesn't need to be initialised. Modernise debug
macro.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Martin Schwenke [Sat, 24 Oct 2020 09:29:58 +0000 (20:29 +1100)]
ctdb-daemon: Clean up socket bind/secure/listen
Obey the coding style, modernise debug macros, clean up whitespace.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Rowland Penny [Fri, 30 Oct 2020 15:39:58 +0000 (15:39 +0000)]
idmap_nss.8.xml: update manpage as discussed on the samba mailing list
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 30 17:11:02 UTC 2020 on sn-devel-184
Björn Jacke [Thu, 29 Oct 2020 16:47:37 +0000 (17:47 +0100)]
pam_winbind/ro.po: fix error from previous patch merge
fixes up d619a57804d200e351b509d67a8c76042cb9daa8
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14491
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Björn Baumbach <bbaumbach@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Thu Oct 29 20:49:16 UTC 2020 on sn-devel-184
Jule Anger [Tue, 20 Oct 2020 07:42:38 +0000 (09:42 +0200)]
tests: avoid returning an already used ID in randomXid()
The error 'uidNumber xxx is already being used.' in the samba tool tests
occurs when the random.randint function returns the same value twice and
therefore a user or group with an already used gid or uid should be created.
Avoid this error by adding a list that stores the used IDs, so that the randomXid
function can check whether a value is already used before returning it.
Signed-off-by: Jule Anger <ja@sernet.de>
Reviewed-by: Björn Baumbach <bb@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 29 18:54:24 UTC 2020 on sn-devel-184
Andreas Schneider [Wed, 21 Oct 2020 08:09:22 +0000 (10:09 +0200)]
python:tests: Add SAMR password change tests for fips
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Oct 29 15:41:37 UTC 2020 on sn-devel-184
Andreas Schneider [Wed, 21 Oct 2020 08:09:22 +0000 (10:09 +0200)]
python:tests: Add SAMR password change tests for fips
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Wed, 28 Oct 2020 16:05:36 +0000 (17:05 +0100)]
s4:param: Add 'weak crypto' getter to pyparam
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Isaac Boukris [Thu, 20 Aug 2020 10:45:49 +0000 (12:45 +0200)]
lib:crypto: Add py binding for set_relax/strict fips mode
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Fri, 15 Nov 2019 12:49:40 +0000 (13:49 +0100)]
s4:rpc_server: Allow to use RC4 for setting passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Tue, 12 Nov 2019 15:56:45 +0000 (16:56 +0100)]
s3:rpc_server: Allow to use RC4 for setting passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Fri, 28 Aug 2020 14:31:17 +0000 (16:31 +0200)]
s3:smbd: Use defines to set 'srv_smb_encrypt'
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Thu, 12 Mar 2020 13:11:56 +0000 (14:11 +0100)]
librpc: Add dcerpc helper dcerpc_is_transport_encrypted()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Fri, 7 Feb 2020 15:48:29 +0000 (16:48 +0100)]
s3:smbd: Add SMB3 connection information to session info
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Fri, 7 Feb 2020 15:48:16 +0000 (16:48 +0100)]
idl: Add SID_SAMBA_SMB3
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Jeremy Allison [Wed, 8 Jul 2020 01:25:23 +0000 (18:25 -0700)]
s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.
Remove knownfail entry.
CVE-2020-14318
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Oct 29 11:47:35 UTC 2020 on sn-devel-184
Jeremy Allison [Fri, 10 Jul 2020 22:09:33 +0000 (15:09 -0700)]
s4: torture: Add smb2.notify.handle-permissions test.
Add knownfail entry.
CVE-2020-14318
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
Signed-off-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 9 Jul 2020 19:48:57 +0000 (21:48 +0200)]
CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call
We can't add this test before the fix, add it to knownfail and have the fix
remove the knownfail entry again. As this crashes winbind, many tests after
this one will fail.
Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
Signed-off-by: Volker Lendecke <vl@samba.org>
Volker Lendecke [Thu, 9 Jul 2020 19:49:25 +0000 (21:49 +0200)]
CVE-2020-14323 winbind: Fix invalid lookupsids DoS
A lookupsids request without extra_data will lead to "state->domain==NULL",
which makes winbindd_lookupsids_recv trying to dereference it.
Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
Signed-off-by: Volker Lendecke <vl@samba.org>
Andrew Walker [Wed, 28 Oct 2020 18:38:48 +0000 (14:38 -0400)]
s3:rpcclient fix NULL - deref caused by misuse of chgpasswd3
Passing wrong number of arguments to chgpasswd3 will cause rpcclient to crash.
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 29 03:31:56 UTC 2020 on sn-devel-184
Andreas Schneider [Wed, 28 Oct 2020 14:05:34 +0000 (15:05 +0100)]
s4:torture: Pass buffer correctly to write()
../../source4/torture/basic/denytest.c: In function ‘torture_createx_specific.isra’:
../../source4/torture/basic/denytest.c:2372:9: error: ‘write’ reading 56 bytes from a region of size 8 [-Werror=stringop-overflow=]
2372 | res = write(data_file_fd, &cxd, cxd_len);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14555
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Oct 28 17:52:19 UTC 2020 on sn-devel-184
Mikhail Novosyolov [Mon, 14 Sep 2020 23:27:51 +0000 (02:27 +0300)]
s3: update Russian translation of pam_winbind
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Wed Oct 28 15:31:05 UTC 2020 on sn-devel-184
Mikhail Novosyolov [Mon, 14 Sep 2020 23:07:50 +0000 (02:07 +0300)]
s3: Rerun genmsg to update pam_winbind after 10 years
Previous run was in 2010 (10 years ago!), a lot of strings have changed.
Also removed all fuzzies because many strings do not exist any more in nterr.c
and then regenerated pos to restore strings that do exist.
I ran:
$ ./genmsg (with previous commits applied)
$ for i in *.po ; do mv -v $i ${i}.t && msgattrib --no-fuzzy -o $i ${i}.t && rm -fv ${i}.t ; done
$ ./genmsg
bjacke edited: don't remove old nterr.c translations, we should keep those
translations and translate the mappings to the new strings coming from
nterr_gen.c, see b7b289f372535dc479a9c9b7ea80da4711edf4f8 for the related
change.
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Mikhail Novosyolov [Mon, 14 Sep 2020 23:05:38 +0000 (02:05 +0300)]
s3: update list of languages in genmsg of pam_winbind
Removed languages for which translations do not exist.
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Mikhail Novosyolov [Mon, 14 Sep 2020 22:58:37 +0000 (01:58 +0300)]
s3: update paths in genmsg of pam_winbind
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Mikhail Novosyolov [Mon, 14 Sep 2020 22:54:05 +0000 (01:54 +0300)]
s3: fix running genmsg in pure git
xgettext wants pam_winbind.po to exist.
Without this running ./genmsg in cloned git fails.
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Alexander Bokovoy [Sat, 24 Oct 2020 13:52:43 +0000 (16:52 +0300)]
daemons: report status to systemd even when running in foreground
When systemd launches samba services, the configuration we have in
systemd service files expects that the main process (/usr/sbin/*)
would use sd_notify() to report back its status. However, we only use
sd_notify() when running become_daemon().
As a result, samba/smbd/winbindd/nmbd processes never report back their
status and the status updates from other children (smbd, winbindd, etc)
are not accepted as we now have implied NotifyAccess=main since commit
d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc.
This leads to a timeout and killing samba process by systemd. Situation
is reproducible in Fedora 33, for example.
Make sure that we have required status updates for all daemons in case
we aren't running in interactive mode.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14552
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Oct 26 19:58:18 UTC 2020 on sn-devel-184
Alexander Bokovoy [Sat, 24 Oct 2020 09:17:44 +0000 (12:17 +0300)]
DNS Resolver: support both dnspython before and after 2.0.0
`dnspython` 2.0.0 has many changes and several deprecations like:
```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.
> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```
The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
to spend trying to get an answer to the question)
The compatibility shim was developed by Stanislav Levin for FreeIPA and
adopted for Samba by Alexander Bokovoy.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Fri, 23 Oct 2020 13:14:21 +0000 (15:14 +0200)]
test: Check that notifyd messages actually change the database
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Oct 24 07:20:17 UTC 2020 on sn-devel-184
Volker Lendecke [Thu, 22 Oct 2020 15:23:44 +0000 (17:23 +0200)]
test: Add a first unit test for notifyd
Use the notifyd "messaging" protocol to check if notifyd works at all
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 22 Oct 2020 09:52:27 +0000 (11:52 +0200)]
notifyd: Add fcn_wait_send()/recv()
tevent_req based functions to listen for file change
notifications. Mainly right now for testing purposes, but it could be
used to also implement smbd's file change notify in a more tevent_req
based fashion than it is implemented now.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 21 Oct 2020 15:28:14 +0000 (17:28 +0200)]
notifyd: Factor out notify_walk() into its own file
To be used in smbtorture, avoid having to include almost all of smbd
just for this
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 21 Oct 2020 15:26:30 +0000 (17:26 +0200)]
notifyd: Factor out notifyd_parse_entry() into its own file
The next step will be to factor out notifyd_parse_db() and
notify_walk() for consumption outside of smbd. notifyd_parse_db()
needs access to the internal representation of notifyd's database, so
move it into a commonly usable file.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 21 Oct 2020 14:10:25 +0000 (16:10 +0200)]
notifyd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 21 Oct 2020 10:59:45 +0000 (12:59 +0200)]
notify: Remove an unused structure definition
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 22 Oct 2020 09:47:27 +0000 (11:47 +0200)]
lib: Fix includes for messages.h
It references struct tevent_context
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 23 Oct 2020 14:25:06 +0000 (16:25 +0200)]
smbd: add and use SMB2_FILE_ALL_INFORMATION
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 23 19:06:40 UTC 2020 on sn-devel-184
Ralph Boehme [Fri, 23 Oct 2020 14:24:08 +0000 (16:24 +0200)]
smbd: add and use SMB2_FILE_FULL_EA_INFORMATION
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 23 Oct 2020 14:21:16 +0000 (16:21 +0200)]
s3: add and use MS-FSCC Codes from 2.4 and 2.5
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 23 Oct 2020 11:10:36 +0000 (13:10 +0200)]
smb: update comments on the NTCREATEX_FLAG_* flags
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 23 Oct 2020 11:08:50 +0000 (13:08 +0200)]
smb: rename NTCREATEX_OPTIONS_PRIVATE_STREAM_BASEOPEN to NTCREATEX_FLAG_STREAM_BASEOPEN
Just a shorter name, no change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 23 Oct 2020 15:45:59 +0000 (17:45 +0200)]
smb: rename NTCREATEX_OPTIONS_PRIVATE_DELETE_ON_CLOSE to NTCREATEX_FLAG_DELETE_ON_CLOSE
Just a shorter name, no change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 23 Oct 2020 15:42:28 +0000 (17:42 +0200)]
smb: rename NTCREATEX_OPTIONS_PRIVATE_DENY_FCB to NTCREATEX_FLAG_DENY_FCB
Just a shorter name, no change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 23 Oct 2020 15:41:33 +0000 (17:41 +0200)]
smb: rename NTCREATEX_OPTIONS_PRIVATE_DENY_DOS to NTCREATEX_FLAG_DENY_DOS
Just a shorter name, no change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 23 Oct 2020 09:56:19 +0000 (11:56 +0200)]
librpc/dcesrv_core: let dcesrv_call_dispatch_local() call context->iface->reply()
This is needed in order to get NDR_PRINT_FUNCTION_DEBUG(..., NDR_OUT) called.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Fri Oct 23 17:24:37 UTC 2020 on sn-devel-184
Stefan Metzmacher [Fri, 23 Oct 2020 09:54:29 +0000 (11:54 +0200)]
librpc/dcesrv_core: assert that dcesrv_call_dispatch_local() never gets async.
This is just not supported for now...
We would need a dcesrv_call_dispatch_local_send/recv in order to
support async calls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Stefan Metzmacher [Fri, 23 Oct 2020 09:52:57 +0000 (11:52 +0200)]
librpc/dcesrv_core: make use of dcerpc_fault_to_nt_status() in dcesrv_call_dispatch_local()
The caller wants to get a useful NTSTATUS instead of a generic
NT_STATUS_NET_WRITE_FAULT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Stefan Metzmacher [Fri, 23 Oct 2020 09:42:14 +0000 (11:42 +0200)]
librpc/dcesrv_core: move two rpcint_dispatch() copies into dcesrv_call_dispatch_local()
We only need this function once, so that we need to fix bugs only once...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Andreas Schneider [Fri, 23 Oct 2020 06:57:12 +0000 (08:57 +0200)]
examples:auth: Do not install example plugin
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 23 15:32:08 UTC 2020 on sn-devel-184
Andreas Schneider [Fri, 23 Oct 2020 06:53:43 +0000 (08:53 +0200)]
s3:modules: Do not install vfs modules only used for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Thu, 22 Oct 2020 15:41:01 +0000 (17:41 +0200)]
unittests: Mark test binaries for selftest
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Thu, 22 Oct 2020 15:40:01 +0000 (17:40 +0200)]
buildtools: Do not install binaries which are for selftest
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Thu, 22 Oct 2020 09:08:19 +0000 (11:08 +0200)]
s3:script: Fix test_dfree_quota.sh
source3/script/tests/test_dfree_quota.sh: line 200: [: missing `]'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>