Andreas Schneider [Wed, 6 Dec 2023 12:16:53 +0000 (13:16 +0100)]
s3:utils: Fix auth callback with smburl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
f2f7ed419e03e5ae8cc85f42af5b2bcf91abefe2)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Tue Dec 12 10:01:36 UTC 2023 on atb-devel-224
Andreas Schneider [Wed, 6 Dec 2023 14:58:08 +0000 (15:58 +0100)]
s3:tests: Add interactive smbget test for password entry
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
5b38f3be8cb986aa2db3aab5c3c3d2e8739893ce)
Andreas Schneider [Wed, 6 Dec 2023 12:26:43 +0000 (13:26 +0100)]
auth:creds: Add cli_credentials_get_domain_and_obtained()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a7622bc7db093558c6f6e3da4d2a899a764dec09)
Andreas Schneider [Wed, 6 Dec 2023 12:06:42 +0000 (13:06 +0100)]
auth:creds: Fix cli_credentials_get_password_and_obtained() with callback
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
1041dae03f0f7e9e2b6b4a649eb1d298a34ce699)
Andreas Schneider [Wed, 6 Dec 2023 12:16:26 +0000 (13:16 +0100)]
auth:creds:tests: Add test for password callback
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ab4b25964a43a1ef550f10580ad395e178fe647e)
Andreas Schneider [Thu, 7 Dec 2023 08:47:14 +0000 (09:47 +0100)]
s3:tests: Fix smbget test
Time to fix the smget share to not have `guest ok = yes` set. A new
[smbget_guest] will be used for guest only tests. This way we can
correctly test different authentication mechanisms.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c46769f3f10d21ed802e17aa79ae17e345168e63)
Andreas Schneider [Thu, 7 Dec 2023 12:11:46 +0000 (13:11 +0100)]
s3:tests: Remove the non-working test_kerberos_upn_denied of smbget
See TODO code comment for details.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
1a04fd255c2c94e01bda9840bfd6b372007bb3c7)
Andreas Schneider [Thu, 7 Dec 2023 10:43:33 +0000 (11:43 +0100)]
s3:tests: Fix the test_kerberos_trust in smbget testsuite
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
468fb05d6357779228e411076e286abcdb70cf96)
Andreas Schneider [Thu, 7 Dec 2023 09:51:32 +0000 (10:51 +0100)]
s3:tests: Fix test_kerberos in smbget tests
We switched to a temporary directory, so $PREFIX doesn't exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
62b0b79ce065246417996dec61afa6a10f6ab99b)
Andreas Schneider [Thu, 7 Dec 2023 08:45:54 +0000 (09:45 +0100)]
s3:tests: Pass down a normal domain user for test_smbget.sh
It is better to test with a normal user than administrator.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
337034e675aaeb366d360a791ec0d003426230af)
Andreas Schneider [Fri, 8 Dec 2023 12:07:19 +0000 (13:07 +0100)]
selftest: Add DOMAIN_ADMIN and DOMAIN_USER variables
We should start using those in future. So we can distinguish which
privileges we want. Currently DC_USERNAME is the Administrator. Whatever
possible should use DOMIAN_USER instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
56d0c3a0263ed166452c129219e7a391ba4d014c)
Andreas Schneider [Fri, 8 Dec 2023 12:06:27 +0000 (13:06 +0100)]
selftest: Remove trailing tabs/white spaces in Samba4.pm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a2af6946f5e53b7d954aa54d3d115dbe4975b1c4)
Andreas Schneider [Thu, 7 Dec 2023 08:18:26 +0000 (09:18 +0100)]
s3:tests: Fix authentication with smbget_user in smbget tests
Currently the smget share is broken. We set `guest ok = yes` so if you
specify invalid names, the authentication will still succeed as we
are mapped to guest.
The smbget_user is a local ad_member user. We need to set the
workstation as the "domain" for the user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c14c5dec09fe1c86b29b3091ad521e73a2e1c3e9)
Andreas Schneider [Wed, 6 Dec 2023 07:48:34 +0000 (08:48 +0100)]
s3:utils: Fix setting the debug level
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
763b2efe69dc74e1c0cd954607031012f832486d)
Andreas Schneider [Tue, 5 Dec 2023 14:46:48 +0000 (15:46 +0100)]
s3:tests: Add smbget test for smb://DOAMIN;user%password@server/share/file
This is supported according to the smbget manpage!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e5fe856e76eba26e3b85a391bcea02dfe045c26e)
Volker Lendecke [Thu, 26 Oct 2023 14:12:29 +0000 (16:12 +0200)]
smbd: Fix read_symlink_reparse()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15505
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 27 21:19:35 UTC 2023 on atb-devel-224
(cherry picked from commit
952d6c2cf48b19807e96a49b95c19c224bd6e732)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Mon Dec 11 09:45:32 UTC 2023 on atb-devel-224
Shachar Sharon [Thu, 16 Nov 2023 09:57:02 +0000 (11:57 +0200)]
vfs_ceph: call 'ceph_fgetxattr' only if valid fd
Align getxattr logic with the rest of xattr hooks: call ceph_fgetxattr
with appropriate io-fd when 'is_pathref' is false; otherwise, call
ceph_getxattr.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15440
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Nov 30 12:32:29 UTC 2023 on atb-devel-224
(cherry picked from commit
83edfcff5ccd8c4c710576b6d5612e0578d168c8)
Andreas Schneider [Thu, 30 Nov 2023 09:54:07 +0000 (10:54 +0100)]
s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a local token
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
00034d022896f879bf91bb78eb9e2972162c99ce)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Tue Dec 5 11:04:17 UTC 2023 on atb-devel-224
Andreas Schneider [Fri, 8 Sep 2023 10:50:32 +0000 (12:50 +0200)]
s3:auth: Remove trailing white spaces from auth_util.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
8f496161463f110e494201303b96dd14ab3774cd)
Andreas Schneider [Mon, 4 Sep 2023 14:29:46 +0000 (16:29 +0200)]
selftest: Show that 'allow trusted domains = no' firewalls Unix User|Group
UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver)
REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
ad0c0dd071401d98f0b7f595efbdf5312a165ab4)
Samuel Cabrero [Mon, 4 Sep 2023 14:49:52 +0000 (16:49 +0200)]
testprogs: Add net offlinejoin composeodj tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep 5 22:11:46 UTC 2023 on atb-devel-224
(cherry picked from commit
f3c632e74ba100b455eeac66e8914b11d1d9b0a0)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Wed Nov 29 15:59:17 UTC 2023 on atb-devel-224
Samuel Cabrero [Mon, 4 Sep 2023 14:18:35 +0000 (16:18 +0200)]
testprogs: Cleanup machine account in net offlinejoin tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e92e4b9544231c15eaf0bdbba4505345cd0f6ab5)
Samuel Cabrero [Wed, 30 Aug 2023 18:53:18 +0000 (20:53 +0200)]
s3:net: Allow to load ODJ blob from stdin
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c14a4f51443f67bc46a670a342eed8cb9e81f37d)
Samuel Cabrero [Wed, 30 Aug 2023 18:25:17 +0000 (20:25 +0200)]
s3:net: Load ODJ blob from file only if "loadfile" parameter is present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
b2399b6994c89404f245e1a97ba1c1cf13d7fc86)
Samuel Cabrero [Thu, 31 Aug 2023 10:46:52 +0000 (12:46 +0200)]
s3:net: Add "net offlinejoin composeodj" command
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
4a1f2071a6028a761bbe7efee20e9654851b51f0)
Samuel Cabrero [Thu, 31 Aug 2023 10:45:42 +0000 (12:45 +0200)]
s3:libnetapi: Implement NetComposeOfflineDomainJoin_l()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a8bd8f22aac2c223e85e318dba7af8b64052b053)
Samuel Cabrero [Thu, 31 Aug 2023 10:44:26 +0000 (12:44 +0200)]
s3:libnetapi: Add NetComposeOfflineDomainJoin() to API.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
7cabbec2eaf5aefd3751c635c12556eca590f506)
Samuel Cabrero [Thu, 31 Aug 2023 10:43:22 +0000 (12:43 +0200)]
s3:libnetapi: Add NetComposeOfflineDomainJoin() boilerplate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
532701e3cce9d15e95166ee7c24cd1e4af51fcc4)
Samuel Cabrero [Thu, 31 Aug 2023 10:39:04 +0000 (12:39 +0200)]
s3:libnetapi: Add NetComposeOfflineDomainJoin() to IDL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
740e704bd68a6b618b62336ba1583c0edeb82d6f)
Samuel Cabrero [Mon, 4 Sep 2023 08:47:06 +0000 (10:47 +0200)]
s3:libnetapi: Add some comments to document ODJ blob charset conversions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
bdab834dfad55776155915f7ec410b5a192406fa)
Samuel Cabrero [Wed, 30 Aug 2023 17:59:04 +0000 (19:59 +0200)]
s3:libnetapi: Return error from RequestOfflineJoin
The error code must be returned to caller even if the error string is not set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e4afb211fe32f2aa92cc903df948874046f60305)
Jule Anger [Mon, 27 Nov 2023 12:05:29 +0000 (13:05 +0100)]
VERSION: Bump version up to Samba 4.19.4...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 27 Nov 2023 12:04:53 +0000 (13:04 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.19.3 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 27 Nov 2023 12:04:13 +0000 (13:04 +0100)]
WHATSNEW: Add release notes for Samba 4.19.3.
Signed-off-by: Jule Anger <janger@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:44:02 +0000 (12:44 -0700)]
vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Wed Nov 15 19:55:07 UTC 2023 on atb-devel-224
(cherry picked from commit
12e5c15a97b45aa01fc3f4274f8ba9cf7d1ddbe9)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Sat Nov 25 19:40:32 UTC 2023 on atb-devel-224
Christof Schmitt [Thu, 9 Nov 2023 19:42:13 +0000 (12:42 -0700)]
vfs_aixacl2: Call stat DAC_CAP_OVERRIDE functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit
9cac91542128888bde79391ca99291a76752f334)
Christof Schmitt [Thu, 9 Nov 2023 19:39:57 +0000 (12:39 -0700)]
nfs4_acls: Make fstat_with_cap_dac_override static
No other module is calling this function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit
bffd8bd8c32fea738824b807eb9e5f97a609493e)
Christof Schmitt [Thu, 9 Nov 2023 19:38:46 +0000 (12:38 -0700)]
nfs4_acls: Make stat_with_cap_dac_override static
No other module is calling this function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit
0f664f016207894e0a156b9e1f4db7677c264205)
Christof Schmitt [Thu, 9 Nov 2023 19:37:25 +0000 (12:37 -0700)]
nfs4_acls: Make fstatat_with_cap_dac_override static
No other module is calling this function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit
8831eeca1d70c909e15c86c8af6a7b1d7b0d3b5b)
Christof Schmitt [Thu, 9 Nov 2023 19:35:21 +0000 (12:35 -0700)]
vfs_gpfs: Move vfs_gpfs_fstatat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is being moved to nfs4_acls.c to allow
reuse. Move the vfs_gpfs_fstatat function and rename it to the more
generic name nfs4_acl_fstat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit
5fd73e93af9d015c9e65a6d4d16229476a541cfc)
Christof Schmitt [Thu, 9 Nov 2023 19:30:27 +0000 (12:30 -0700)]
vfs_gpfs: Move vfs_gpfs_lstat to nfs4_acls.c and rename function
All stat CAP_DAC_OVERRIDE code is being moved to nf4_acls.c to allow
reuse. Move the vfs_gpfs_lstat function and rename to the more generic
name nfs4_acl_lstat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit
2c1195678d34516744ba4f8b1c5582f4046cba35)
Christof Schmitt [Thu, 9 Nov 2023 19:27:58 +0000 (12:27 -0700)]
vfs_gpfs: Move vfs_gpfs_fstat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is moving to nfs4_acls.c to allow reuse.
Move the vfs_gpfs_fstat function and rename to the more generic name
nfs4_acl_fstat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit
f9301871c61b066c1ea464e6e9109bb2cde71598)
Christof Schmitt [Thu, 9 Nov 2023 19:23:49 +0000 (12:23 -0700)]
vfs_gpfs: Move vfs_gpfs_stat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is moving to nfs4_acls.c to allow reuse
by other file system modules. Also rename the function to the more
generic name nfs4_acl_stat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit
f8a23d960e02f783119c2aef38a6e293ee548df3)
Christof Schmitt [Thu, 9 Nov 2023 19:20:38 +0000 (12:20 -0700)]
vfs_gpfs: Move stat_with_capability to nfs4_acls.c and rename function
All stat CAP_DAC_OVERRIDE code is moving to nfs4_acls.c to allow reuse
by other filesystem modules. Also rename the function to the slightly
more precise name stat_with_cap_dac_overide.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit
6b1e066c4f354f297fbf99ad93acfaf44e3b89cb)
Christof Schmitt [Thu, 9 Nov 2023 19:17:21 +0000 (12:17 -0700)]
vfs_gpfs: Move fstatat_with_cap_dac_override to nfs4_acls.c
All stat DAC_CAP_OVERRIDE code is being moved to nfs4_acls.c to allow
reuse by other filesystem modules.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit
316c96ea83a7b70d35879e4743193bb1e9cb566c)
Christof Schmitt [Thu, 9 Nov 2023 19:01:56 +0000 (12:01 -0700)]
nfs4_acls: Implement fstat with DAC_CAP_OVERRIDE
AT_EMTPY_PATH does not exist on AIX. Address this by implementing an
override for fstat. Implement the new override function in nfs4_acls.c
since all stat functions with DAC_CAP_OVERRIDE will be moved there to
allow reuse by other filesystems.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit
05f1ee1ae2d8439af0ac9baf64ebba1a3374ea83)
Christof Schmitt [Thu, 26 Oct 2023 22:51:02 +0000 (15:51 -0700)]
vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstatat
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 8 18:42:13 UTC 2023 on atb-devel-224
(cherry picked from commit
963fc353e70b940f4009ca2764e966682400e2dc)
Christof Schmitt [Thu, 26 Oct 2023 21:45:34 +0000 (14:45 -0700)]
vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstat
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
cbdc16a7cfa225d1cf9109fafe85e9d14729700e)
Christof Schmitt [Thu, 26 Oct 2023 21:39:46 +0000 (14:39 -0700)]
vfs_gpfs: Move fstatat with DAC_CAP_OVERRIDE to helper function
Allow reuse of this code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
95319351e37b8b968b798eee66c93852d9ad2d81)
Christof Schmitt [Thu, 26 Oct 2023 21:37:15 +0000 (14:37 -0700)]
vfs_gpfs: Use O_PATH for opening dirfd for stat with CAP_DAC_OVERRIDE
Use O_PATH when available; this avoids the need for READ/LIST access on
that directory. Keep using O_RDONLY if the system does not have O_PATH.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
b317622a8fed0ee195ffe40129eb5bcad28dd985)
Andreas Schneider [Thu, 9 Nov 2023 21:27:03 +0000 (22:27 +0100)]
python:tests: SHA1 is no longer supported by cryptography module
See https://github.com/pyca/cryptography/issues/8213#issuecomment-
1419060001
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15513
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
938afb8b28973b0065cc3509b70ebe3f6986de47)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Tue Nov 21 11:15:30 UTC 2023 on atb-devel-224
Andreas Schneider [Thu, 9 Nov 2023 20:43:54 +0000 (21:43 +0100)]
python:tests: Fix assertEquals which doesn't exist in Python 3.12
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15513
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
362b0d69b16c5bbcd0ff7dd7ba12e1ac037a6b3d)
Andreas Schneider [Thu, 9 Nov 2023 16:16:17 +0000 (17:16 +0100)]
third_party: Build pypamtest with -Wno-error=declaration-after-statement
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15513
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
c290052fd28bbfa5b885119f322cb0718073e507)
Andreas Schneider [Thu, 9 Nov 2023 10:35:56 +0000 (11:35 +0100)]
Use python.h from libreplace
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15513
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
9621a3d7a6949aa833425884cd22379387738cfa)
Andreas Schneider [Thu, 9 Nov 2023 10:32:58 +0000 (11:32 +0100)]
lib:replace: Add python.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15513
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
f337fd995024283f6e1b3f8ec1cc2b3aeb55a2a6)
Ralph Boehme [Thu, 16 Nov 2023 09:50:32 +0000 (10:50 +0100)]
smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor()
VFS modules like streams_xattr use the function fsp_is_alternate_stream() on the
fsp to determine in an fsp is a stream, eg in streams_xattr_close(). If
fspo->base_fsp is arlready set to NULL, this won't work anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15521
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 16 18:31:17 UTC 2023 on atb-devel-224
(cherry picked from commit
4481a67c1b20549a71d6c5132b637798a09f966d)
Douglas Bagnall [Wed, 15 Nov 2023 00:03:27 +0000 (13:03 +1300)]
pytests: sid_strings: do not fail if epoch ending has zeros
To avoid collisions in random OID strings, we started using the epoch
date modulus 100 million. The trouble is we did not strip out the
leading zeros, so the field might be '
00000123' when it should be
'123', if the date happened not to correspond to an epoch with a zero
in the eighth to last place. This has been the case for most of the
last 1041 days, but fortunately the bug was only introduced earlier
this year.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15520
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
(cherry picked from commit
426ca4cf4b667aae03f0344cee449e972de90ac7)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Mon Nov 20 10:00:15 UTC 2023 on atb-devel-224
Björn Jacke [Thu, 9 Nov 2023 13:56:06 +0000 (14:56 +0100)]
system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15093
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
(cherry picked from commit
a1738e8265dd256c5a1064482a6dfccbf9ca44f1)
Ralph Boehme [Wed, 20 Sep 2023 21:21:44 +0000 (14:21 -0700)]
s3: smbd: Ignore fstat() error on deleted stream in fd_close().
In the fd_close() fsp->fsp_flags.fstat_before_close code path.
If this is a stream and delete-on-close was set, the
backing object (an xattr from streams_xattr) might
already be deleted so fstat() fails with
NT_STATUS_NOT_FOUND. So if fsp refers to a stream we
ignore the error and only bail for normal files where
an fstat() should still work. NB. We cannot use
fsp_is_alternate_stream(fsp) for this as the base_fsp
has already been closed at this point and so the value
fsp_is_alternate_stream() checks for is already NULL.
Remove knownfail.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Oct 10 09:39:27 UTC 2023 on atb-devel-224
(cherry picked from commit
633a3ee6894cc1d05b44dbe47a278202803d9b21)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Mon Nov 13 10:02:51 UTC 2023 on atb-devel-224
Stefan Metzmacher [Wed, 11 Oct 2023 13:58:22 +0000 (15:58 +0200)]
s4:kdc: fix user2user tgs-requests for normal user accounts
User2User tgs requests use the session key of the additional
ticket instead of the long term keys based on the password.
In addition User2User also asserts that client and server
are the same account (cecked based on the sid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224
(cherry picked from commit
bf79979f847de36db9da9646a396cdfe6b0e1c6f)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Tue Nov 7 14:00:20 UTC 2023 on atb-devel-224
Stefan Metzmacher [Sun, 15 Oct 2023 23:33:15 +0000 (12:33 +1300)]
third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-
202310152331 (commit
a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))
This allows HDB backends to do special handling for
User2User TGS-REQs. The main reason is to let
the HDB_F_GET_SERVER lookup to succeed even for
non-computer accounts. In Samba these are typically
not returned in HDB_F_GET_SERVER in order to avoid
generating tickets with the user password.
But for User2User the account password is not used,
so it is safe to return the server entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Adapted to be an import from lorikeet-heimdal as requested]
(cherry picked from commit
cbb8145d0c58b34b76a579afd81f0e19ec7106b6)
Stefan Metzmacher [Wed, 11 Oct 2023 13:54:15 +0000 (15:54 +0200)]
tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Wed, 18 Oct 2023 09:32:57 +0000 (11:32 +0200)]
s3:winbindd: Improve logging for failover scenarios in winbindd_cm.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
21bb84ed1c30b863b4ef17fcebdd79f147142b9f)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Mon Oct 23 09:43:03 UTC 2023 on atb-devel-224
Pavel Filipenský [Wed, 18 Oct 2023 09:32:57 +0000 (11:32 +0200)]
s3:libads: Improve logging for failover scenarios
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Oct 18 15:47:09 UTC 2023 on atb-devel-224
(cherry picked from commit
14600a3128c6b66de4f9291eeec52e34725030c5)
Pavel Filipenský [Wed, 18 Oct 2023 09:32:57 +0000 (11:32 +0200)]
s3:libsmb: Improve logging for failover scenarios
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
5f7a834effea56d683f76a801924c7125385e534)
Pavel Filipenský [Wed, 18 Oct 2023 09:32:57 +0000 (11:32 +0200)]
s3:winbindd: Improve logging for failover scenarios in winbindd_pam.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
6063f3ee733348855d6b144091bbdbbe6862494c)
Stefan Metzmacher [Fri, 29 Jan 2016 22:35:31 +0000 (23:35 +0100)]
CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566)
Stefan Metzmacher [Wed, 7 Jun 2023 16:18:58 +0000 (18:18 +0200)]
CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
70586061128f90afa33f25e104d4570a1cf778db)
Stefan Metzmacher [Mon, 26 Jun 2023 13:14:24 +0000 (15:14 +0200)]
CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()
This makes the next change easier to understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
498542be0bbf4f26558573c1f87b77b8e3509371)
Stefan Metzmacher [Fri, 29 Jan 2016 22:34:15 +0000 (23:34 +0100)]
CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
This revealed a bug in our dirsync code, so we mark
test_search_with_dirsync_deleted_objects as knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
7f8b15faa76d05023c987fac2c4c31f9ac61bb47)
Stefan Metzmacher [Fri, 29 Jan 2016 22:33:37 +0000 (23:33 +0100)]
CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
0c329a0fda37d87ed737e4b579b6d04ec907604c)
Stefan Metzmacher [Fri, 29 Jan 2016 22:30:59 +0000 (23:30 +0100)]
CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()
samba-tool drs clone-dc-database was quite useful to find
the true value of nTSecurityDescriptor of the CN=Delete Objects
containers.
Only the auto inherited SACL is available via a ldap search.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
3be190dcf7153e479383f7f3d29ddca43fe121b8)
Jule Anger [Mon, 16 Oct 2023 13:41:56 +0000 (15:41 +0200)]
VERSION: Bump version up to Samba 4.19.3...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 16 Oct 2023 13:41:42 +0000 (15:41 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.19.2 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 16 Oct 2023 13:41:13 +0000 (15:41 +0200)]
WHATSNEW: Add release notes for Samba 4.19.2.
Signed-off-by: Jule Anger <janger@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 22:59:34 +0000 (11:59 +1300)]
CVE-2023-5568 third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-
202310092148 (commit
38aa80e35b6b1e16b081fa9c005c03b1e6994204))
The issue here is that only the size of the pointer, not the size
of the struture was allocated with calloc().
This means that the malloc() for the freshness token bytes would
have the memory address written beyond the end of the allocated memory.
Additionally, the allocation was not free()ed, resulting in a memory
leak. This means that a user could trigger ongoing memory allocation
in the server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
3280893ae80507e36653a0c7da03c82b88ece30b)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Mon Oct 16 08:28:32 UTC 2023 on atb-devel-224
Martin Schwenke [Tue, 19 Sep 2023 07:47:36 +0000 (17:47 +1000)]
ctdb-daemon: Call setproctitle_init()
Commit
19c82c19c009eefe975ae95c8b709fc93f5f4c39 changed the behaviour
of prctl_set_comment() so it now calls setproctitle(3bsd) by default.
In some Linux distributions (e.g. Rocky Linux 8.8), this results in
messages like this spamming the logs:
ctdbd: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
Most Samba daemons seem to call setproctitle_init(), so do it here.
In the longer term CTDB should also switch to using lib/util's
process_set_title(), like the rest of Samba, for more flexible process
names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15479
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Sep 21 00:46:50 UTC 2023 on atb-devel-224
(cherry picked from commit
8b9f464420b66cebaf00654cf8b19165b301b8b6)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Tue Oct 10 17:42:25 UTC 2023 on atb-devel-224
Jule Anger [Tue, 10 Oct 2023 15:56:21 +0000 (17:56 +0200)]
VERSION: Bump version up to Samba 4.19.2...
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Tue, 10 Oct 2023 15:46:38 +0000 (17:46 +0200)]
Merge branch 'v4-19-stable' into v4-19-test
Jule Anger [Tue, 10 Oct 2023 15:05:22 +0000 (17:05 +0200)]
Merge tag 'samba-4.19.1' into v4-19-stable
samba: tag release samba-4.19.1
Jule Anger [Tue, 10 Oct 2023 09:04:49 +0000 (11:04 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.19.1 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Tue, 10 Oct 2023 09:04:03 +0000 (11:04 +0200)]
WHATSNEW: Add release notes for Samba 4.19.1.
Signed-off-by: Jule Anger <janger@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 04:23:49 +0000 (16:23 +1200)]
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.
This means that any duplicates will be noticed early not just
in a race condition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 00:28:49 +0000 (12:28 +1200)]
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.
Most critically of course this applies to netlogon, lsa and samr.
This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 07:01:03 +0000 (19:01 +1200)]
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact. Hoever equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 06:59:44 +0000 (18:59 +1200)]
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 8 Aug 2023 05:58:27 +0000 (17:58 +1200)]
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.
Having a second access control system withing the LDAP stack is unsafe
and this layer is incomplete.
The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).
Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.
The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 22 Aug 2023 03:08:17 +0000 (15:08 +1200)]
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 8 Aug 2023 02:30:19 +0000 (14:30 +1200)]
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication. Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 7 Aug 2023 23:18:46 +0000 (11:18 +1200)]
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sun, 6 Aug 2023 23:56:56 +0000 (11:56 +1200)]
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 7 Aug 2023 02:44:28 +0000 (14:44 +1200)]
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
Rather than fail, if the last run failed to reset things, just force
the DC into the required state.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 7 Aug 2023 01:15:40 +0000 (13:15 +1200)]
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
Thie helps ensure this test is reliable even in spite of errors while
running.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sun, 6 Aug 2023 23:55:55 +0000 (11:55 +1200)]
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.
We rename tests that would otherwise have duplicate names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 2 Aug 2023 08:44:32 +0000 (10:44 +0200)]
CVE-2023-4154 s4:dsdb:tests: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit
b29793ffdee5d9b9c1c05830622e80f7faec7670)
Ralph Boehme [Tue, 1 Aug 2023 11:04:36 +0000 (13:04 +0200)]
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Tue, 1 Aug 2023 10:30:00 +0000 (12:30 +0200)]
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Wed, 26 Jul 2023 00:54:41 +0000 (17:54 -0700)]
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
Remove knowfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Wed, 26 Jul 2023 00:49:21 +0000 (17:49 -0700)]
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
Add the knownfail.
BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Wed, 26 Jul 2023 00:41:04 +0000 (17:41 -0700)]
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>