Jule Anger [Tue, 8 Aug 2023 07:12:57 +0000 (09:12 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.19.0rc2 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Tue, 8 Aug 2023 07:11:57 +0000 (09:11 +0200)]
WHATSNEW: Add release notes for Samba 4.19.0rc2.
Signed-off-by: Jule Anger <janger@samba.org>
Joseph Sutton [Thu, 3 Aug 2023 01:57:20 +0000 (13:57 +1200)]
third_party/heimdal: Import lorikeet-heimdal-
202308030152 (commit
2a036a6fd80833799316b8a85623cdea3a1135df)
This import fixes the build on 32-bit FreeBSD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15443
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Thu Aug 3 05:40:28 UTC 2023 on atb-devel-224
(cherry picked from commit
06d673a1a0c54e78773cc951124486b547ca880d)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Fri Aug 4 09:31:54 UTC 2023 on atb-devel-224
Noel Power [Thu, 27 Jul 2023 12:26:21 +0000 (13:26 +0100)]
s3/modules: Fix DFS links when widelinks = yes
In openat(), even if we fail to open the file,
propagate stat if and only if the object is a link in
a DFS share. This allows calling code to further process
the link.
Also remove knownfail
Pair-Programmed-With: Jeremy Alison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jul 29 00:43:52 UTC 2023 on atb-devel-224
(cherry picked from commit
0bf8b25aacdf2f5c746922320b32e3f0886c81f5)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Thu Aug 3 14:30:32 UTC 2023 on atb-devel-224
Noel Power [Thu, 27 Jul 2023 16:36:29 +0000 (17:36 +0100)]
s3/modules: Add flag indicating if connected share is a dfs share
Not used yet, will be used in the next commit to avoid testing
if the connected share is a dfs one.
Pair-Programmed-With: Jeremy Alison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
2668dcd0968133cca4f8410bf8c41ed0483f5d87)
Noel Power [Fri, 28 Jul 2023 08:41:59 +0000 (09:41 +0100)]
sefltest: Add new regression test dfs with widelinks = yes
Adds a new test trying to cd into dfs path on share with
widelinks enabled, should generate an error (see BUG:)
Add a knownfail so CI continues
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
3d2e9db8b95f9f45d486f8272e53584975f177fa)
Noel Power [Fri, 28 Jul 2023 08:40:57 +0000 (09:40 +0100)]
selftest: Add new dfs share (with widelinks enabled)
Adds share (to be used in later test) that has dfs node
but additionally has widelinks set to yes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
b57cdfd7efb161cf96b3a39dc7a1652db817e602)
Jones Syue [Wed, 2 Aug 2023 01:48:40 +0000 (09:48 +0800)]
vfs_aio_pthread: fix segfault if samba-tool ntacl get
If configured as AD DC and aio_pthread appended into 'vfs objects'[1],
run these commands would get segfault:
1. sudo samba-tool ntacl get .
2. sudo net vfs getntacl sysvol .
gdb said it goes through aio_pthread_openat_fn() @ vfs_aio_pthread.c[2],
and the fsp->conn->sconn->client is null (0x0).
'sconn->client' memory is allocated when a new connection is accpeted:
smbd_accept_connection > smbd_process > smbXsrv_client_create
While running local commands looks like it would not go through
smbXsrv_client_create so the 'client' is null, segfault might happen.
We should not dereference 'client->server_multi_channel_enabled',
if 'client' is null.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441
[1] smb.conf example, samba-4.18.5, ubuntu 22.04.2
[global]
dns forwarder = 127.0.0.53
netbios name = U22-JONES-88X1
realm = U22-JONES-88X1.X88X1.JONES
server role = active directory domain controller
workgroup = X88X1
idmap_ldb:use rfc2307 = yes
vfs objects = dfs_samba4 acl_xattr aio_pthread
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts
read only = No
[2] gdb
(gdb) run /usr/local/samba/bin/samba-tool ntacl get .
Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get .
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0)
at ../../source3/modules/vfs_aio_pthread.c:467
warning: Source file is more recent than executable.
467 if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) bt
at ../../source3/modules/vfs_aio_pthread.c:467
at ../../source3/smbd/pysmbd.c:320
---Type <return> to continue, or q <return> to quit---
(gdb) f
at ../../source3/modules/vfs_aio_pthread.c:467
467 if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) p fsp->conn->sconn->client
$1 = (struct smbXsrv_client *) 0x0
(gdb)
Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2)
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Thu Aug 3 09:45:34 UTC 2023 on atb-devel-224
Andrew Bartlett [Thu, 27 Jul 2023 05:18:45 +0000 (17:18 +1200)]
dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*()
This makes more calls to add children, but avoids the cn=system string in the
codebase which makes it easier to audit that this is always being built
correctly.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 31 07:20:21 UTC 2023 on atb-devel-224
(cherry picked from commit
5571ce9619d856d3c9545099366f4e0259aee8ef)
RN: A second container with name CN=System would disable the operation
of the Samba AD DC. Samba now finds the CN=System container by exact
DN and not a search.
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Tue Aug 1 12:12:30 UTC 2023 on atb-devel-224
Andrew Bartlett [Thu, 27 Jul 2023 05:14:30 +0000 (17:14 +1200)]
dsdb: Use samdb_system_container_dn() in dsdb_trust_*()
This is now exactly the same actions, but just uses common code to do it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
4250d07e4dcd43bf7450b1ae603ff46fdc892d02)
Andrew Bartlett [Thu, 27 Jul 2023 05:11:39 +0000 (17:11 +1200)]
s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret()
This is now exactly the same actions, but just uses common code to do it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
9b4f3f3cb4ed17bb233d3b5ccd191be63f01f3f4)
Andrew Bartlett [Thu, 27 Jul 2023 05:09:31 +0000 (17:09 +1200)]
s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret()
This is now exactly the same actions, but just uses common code to do it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
13eed1e0e7d0bdef6b5cdb6b858f124b812adbea)
Andrew Bartlett [Thu, 27 Jul 2023 05:00:21 +0000 (17:00 +1200)]
s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array()
This is now exactly the same actions, but just uses common code to do it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
a900f6aa5d909d912ee3ca529baa4047c9c4da87)
Andrew Bartlett [Thu, 27 Jul 2023 04:58:13 +0000 (16:58 +1200)]
s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state()
This is now exactly the same actions, but just uses common code to do it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
4e18066fa243da1c505f782ba87187c3bb1078ee)
Andrew Bartlett [Thu, 27 Jul 2023 04:44:10 +0000 (16:44 +1200)]
dsdb: Use samdb_get_system_container_dn() to get Password Settings Container
By doing this we use the common samdb_get_system_container_dn() routine and we
avoid doing a linerize and parse step on the main DN, instead using the
already stored parse of the DN. This is more hygenic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
3669caa97f76d3e893ac6a1ab88341057929ee6a)
Andrew Bartlett [Thu, 27 Jul 2023 04:29:34 +0000 (16:29 +1200)]
dsdb: Use samdb_system_container_dn() in samldb.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
97b682e0eb0450513dcecb74be672e18e84fe7a2)
Andrew Bartlett [Thu, 27 Jul 2023 04:12:11 +0000 (16:12 +1200)]
dsdb: Add new function samdb_system_container_dn()
This will replace many calls crafting or searching for this DN
elsewhere in the code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
25b0e1102e1a502152d2695aeddf7c65555b16fb)
Arvid Requate [Fri, 26 Aug 2016 14:20:34 +0000 (16:20 +0200)]
Bug #9959: Don't search for CN=System
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
2d461844a201fbca55ebc9a46a15e1d16048055b)
Arvid Requate [Fri, 26 Aug 2016 14:18:57 +0000 (16:18 +0200)]
For Bug #9959: local talloc frame for next commit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959
Signed-off-by: Arvid Requate <requate@univention.de>
[abartlet@samba.org Added additional talloc_free() in failure paths]
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
b6e80733c3a589f9d784eec86fc713f1ec9c1049)
Jule Anger [Fri, 28 Jul 2023 12:11:30 +0000 (14:11 +0200)]
VERSION: Bump version up to Samba 4.19.0rc2...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 28 Jul 2023 09:49:28 +0000 (11:49 +0200)]
VERSION: Disable GIT_SNAPSHOT for the Samba 4.19.0rc1 release.
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Jule Anger [Tue, 25 Jul 2023 13:59:19 +0000 (15:59 +0200)]
WHATSNEW: Up to Samba 4.19.0rc1.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Tue, 18 Jul 2023 08:48:57 +0000 (10:48 +0200)]
ldb: release 2.8.0 for use in Samba 4.19.x
* CVE-2023-0614 Not-secret but access controlled LDAP attributes can be discovered (bug 15270)
* pyldb: Raise an exception if ldb_dn_get_parent() fails
* Implement ldap_whoami in pyldb and add the RFC4532 LDB_EXTENDED_WHOAMI_OID definition
* Documentation and spelling fixes
* Add ldb_val -> bool,uint64,int64 parsing functions
* Split out ldb_val_as_dn() helper function
* add LDB_CHANGETYPE_MODRDN support to ldb_ldif_to_pyobject()
* add LDB_CHANGETYPE_DELETE support to ldb_ldif_to_pyobject()
* let ldb_ldif_parse_modrdn() handle names without 'rdn_name=' prefix
* Don't create error string if there is no error
* Avoid allocation and memcpy() for every wildcard match candidate
* Make ldb_msg_remove_attr O(n)
* pyldb: Throw error on invalid controls
* pyldb: remove py2 ifdefs
* Call tevent_set_max_debug_level(TEVENT_DEBUG_TRACE)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Martin Schwenke [Wed, 12 Jul 2023 00:39:06 +0000 (10:39 +1000)]
ctdb-tools: Improve printing of multi-line event script output
Multi-line output currently prints like this:
OUTPUT: aaa
bbb
ccc
This is less beautiful than it could be.
Instead, print multi-line output with no inlining and each line
indented:
OUTPUT:
aaa
bbb
ccc
However, continue to inline single line output:
OUTPUT: foo
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 12 Jul 2023 00:39:06 +0000 (10:39 +1000)]
ctdb-tools: Always print script output in event status
When event scripts succeed they generally produce no output. However,
when a script succeeds and produces output, such output almost
certainly contains warnings. So, always print script output.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Andrew Bartlett [Wed, 26 Jul 2023 20:06:48 +0000 (08:06 +1200)]
librpc/idl: Remove DCOM and WMI IDL
As hinted in
f2416493c0c779356606aebf0aceca8fa416b55c the DCOM and WMI
IDL is now unused. These generate code with PIDL, costing a small
amount of build time but more importantly are fuzzed, which costs an
ongoing amount of CPU time as oss-fuzz tries to find parsing issues.
We do not need to continue this waste, and these can be restored
if this effort is ever to start again.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 26 Jul 2023 20:17:07 +0000 (08:17 +1200)]
dcom: Remove remainder of DCOM test client code
This follows
f2416493c0c779356606aebf0aceca8fa416b55c, removing the remaining parts
of our DCOM effort. This can be resumed at a later time, but for now this is untested
(as we have no server) and just uses build time.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Thu, 27 Jul 2023 14:30:00 +0000 (16:30 +0200)]
librpc:crypto: SAFE_FREE() -> krb5_free_enctypes()
Reported by Red Hat internal covscan
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Thu, 27 Jul 2023 14:29:19 +0000 (16:29 +0200)]
librpc:crypto: SAFE_FREE() -> krb5_free_string()
Reported by Red Hat internal covscan
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Thu, 27 Jul 2023 14:28:48 +0000 (16:28 +0200)]
auth:credentials: SAFE_FREE() -> krb5_free_string()
Reported by Red Hat internal covscan
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Thu, 27 Jul 2023 14:26:57 +0000 (16:26 +0200)]
auth:credentials: SAFE_FREE() -> krb5_free_enctypes()
Reported by Red Hat internal covscan
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Thu, 27 Jul 2023 20:01:00 +0000 (22:01 +0200)]
krb5_wrap: add krb5_free_string()
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Thu, 27 Jul 2023 14:22:22 +0000 (16:22 +0200)]
krb5_wrap: add krb5_free_enctypes()
MIT Kerberos implements krb5_free_enctypes(), Heimdal is missing it and
offers krb5_xfree() instead.
This introduces a wrapper krb5_free_enctypes() around krb5_xfree() for
Heimdal.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 28 Jul 2023 09:16:04 +0000 (11:16 +0200)]
smbd: move tevent_req_post() out of smbd_smb2_create_after_exec()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Wed, 26 Jul 2023 23:39:51 +0000 (16:39 -0700)]
s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove UNIX separators.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jul 27 10:52:50 UTC 2023 on atb-devel-224
Jeremy Allison [Wed, 26 Jul 2023 23:37:11 +0000 (16:37 -0700)]
s3: torture: Add test to show an SMB1 DFS path of "\\x//\\/" crashes smbd.
Adds knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15419
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Thu, 18 May 2023 16:12:19 +0000 (18:12 +0200)]
mdssvc: fix returning file modification date for older Mac releases
Mac 10.10 uses kMDItemContentModificationDate instead of
kMDItemFSContentChangeDate.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15427
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 26 23:42:44 UTC 2023 on atb-devel-224
Ralph Boehme [Wed, 17 May 2023 14:38:39 +0000 (16:38 +0200)]
mdssvc: fix date marshalling
Did this ever work? Possible just copied over from Netatalk and was always
broken... The Mac client expects the timevalue as seconds relative to
2001-01-01 00:00:00 UTC, packed as IEEE float.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15427
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Wed, 17 May 2023 14:37:36 +0000 (16:37 +0200)]
mdssvc: prepare for returning timestamps with sub-seconds granularity
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15427
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 20 Apr 2023 15:27:20 +0000 (17:27 +0200)]
mdssvc: reduce pagesize to 50
Lastest macOS queries additional file metadata per search result, which causes
the mashalled paged result set including metadata to exceed the 64 KB result
fragment buffer.
Lacking fragementation support in mdssvc (it's supported by the protocol), for
now just reduce the maximum number of results per search page.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 21 Apr 2023 05:07:13 +0000 (07:07 +0200)]
tests/mdssvc: match hits:total:value to be the actual amount of entries in hits
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 20 Apr 2023 15:58:38 +0000 (17:58 +0200)]
mdssvc: fix enforcement of "elasticsearch:max results"
This wasn't enforced at all thus a query would return all available matches
without limit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 20 Apr 2023 15:24:30 +0000 (17:24 +0200)]
mdssvc: add and use SL_PAGESIZE
SL_PAGESIZE is the number of entries we want to process per paged search result
set. This is different from MAX_SL_RESULTS which ought to be a default maximum
value for total number of results returned for a search query.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 23 Mar 2023 15:39:11 +0000 (16:39 +0100)]
mdssvc: fix long running backend queries
If a query is still running in the backend and we have no results yet, returning
0 triggers a search termination by the client in latest macOS releases. macOS
returns 0x23 in this case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Wed, 19 Apr 2023 12:38:45 +0000 (14:38 +0200)]
mdssvc: set query state for continued queries to SLQ_STATE_RUNNING
SLQ_STATE_RESULTS implies that there are already results attached to the slq
which is not the case. Instead the backend will start processing from where it
left off when it hits the maximum result limit and had set the state to
SLQ_STATE_FULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andrew Bartlett [Fri, 21 Jul 2023 04:56:49 +0000 (16:56 +1200)]
WHATSNEW: Add TLS cert reload feature
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul 25 21:02:35 UTC 2023 on atb-devel-224
Andrew Bartlett [Fri, 21 Jul 2023 04:44:54 +0000 (16:44 +1200)]
doc-xml: Add entry for reload-certs for new LDAP certificate reload function
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 21 Jul 2023 04:42:23 +0000 (16:42 +1200)]
docs-xml: Fix invalid XML in smbcontrol manpage
This was picked by a mode in Emacs.
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Jule Anger [Mon, 5 Jun 2023 13:23:11 +0000 (15:23 +0200)]
testprogs/blackbox: add test_ldap_tls_reload.sh
This tests the reload (and if needed regeneration) of
tls certificates.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jule Anger [Wed, 1 Mar 2023 09:53:53 +0000 (09:53 +0000)]
s4:ldap_server: reload tls certificates on smbcontrol reload-certs
Reload certificates with the command 'smbcontrol ldap_server reload-certs'.
The message is send to the master process, who forwards it to the workers
processes.
The master process reload and, if necessary, create the certificates first,
then the workers processes reload them.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jule Anger [Tue, 31 Jan 2023 12:50:06 +0000 (13:50 +0100)]
s4:ldap_server: remember dns_host_name in ldap_service
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jule Anger [Wed, 1 Mar 2023 09:53:53 +0000 (09:53 +0000)]
s4:ldap_server: don't store task_server in ldapsrv_service
We store individual pointers we need and adjust them
as needed in ldapsrv_post_fork() and the newly added
ldapsrv_before_loop().
This will be required for the next steps.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jule Anger [Tue, 31 Jan 2023 14:08:31 +0000 (15:08 +0100)]
s4:tls_tstream: create tstream_tls_params_internal
The following commits will implement the reloading of tls certificates.
Therefore we need to overwrite the interal memory.
Note we need to make sure x509_cred and dh_params from
tstream_tls_params_internal stay alive for the whole lifetime
of this session!
See 'man gnutls_credentials_set' and
'man gnutls_certificate_set_dh_params'.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
jule [Mon, 6 Feb 2023 13:28:36 +0000 (13:28 +0000)]
s3:smbcontrol: improve destination resolution using names db
With this change it's possible to use 'smbcontrol ldap_server ...'
instead of 'smbcontrol prefork-master-ldap ...'
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jule Anger [Wed, 1 Mar 2023 10:02:00 +0000 (10:02 +0000)]
s4:process_prefork: create new messaging context for the master process
In order to allow the before_loop() hook to register messages or event
handlers, we need to fix up task->event_ctx and create a new
task->msg_ctx. It also means the struct task_server pointer
changes in the master before_loop() hook.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jule Anger [Wed, 1 Mar 2023 09:48:18 +0000 (09:48 +0000)]
s4:process: add method called before entering the tevent_loop_wait
This gives the service a chance to register messaging and/or event handlers
on the correct contexts.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jule Anger [Wed, 1 Mar 2023 09:47:09 +0000 (09:47 +0000)]
s4:process_prefork: avoid memory leaks caused by messaging_post_self
Sending a message to a process with multiple tevent contexts
can cause a message to get stuck and cause a data leak.
In general it's safer to call imessaging_dgm_unref_ev() before
talloc_free()...
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pavel Filipenský [Tue, 25 Jul 2023 09:16:56 +0000 (11:16 +0200)]
s3:winbindd: Fix double close(fd)
Reported by Red Hat internal coverity
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15433
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Jul 25 12:08:49 UTC 2023 on atb-devel-224
Ralph Boehme [Thu, 20 Apr 2023 13:12:49 +0000 (15:12 +0200)]
mdscli: correct handling of in-progress searches
If a query is still being processed on the server and there no results yet,
macOS returns 0x23.
For now just implements this as dumb polling once a second in mdsearch and the
Python bindings.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jul 24 16:15:16 UTC 2023 on atb-devel-224
Ralph Boehme [Thu, 20 Apr 2023 14:54:13 +0000 (16:54 +0200)]
mdscli: increase MAX_SLQ_COUNT
Now that the client supports fragementation, when procesing reassambled large
result sets from macOS Spotlight server, it's possible to hit this limit in the
client. Let's just increase it to some larger value.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Ralph Boehme [Thu, 20 Apr 2023 14:52:19 +0000 (16:52 +0200)]
mdscli: increase MAX_SLQ_TOCIDX
Now that the client supports fragementation, when procesing reassambled large
result sets from macOS Spotlight server, it's possible to hit this limit in the
client. Let's just increase it to some larger value.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Ralph Boehme [Thu, 20 Apr 2023 14:50:58 +0000 (16:50 +0200)]
mdssvc: increase MAX_SLQ_TOC
Now that the client supports fragementation, when procesing reassambled large
result sets from macOS Spotlight server, it's possible to hit this limit in the
client. Let's just increase it to some larger value.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Ralph Boehme [Mon, 17 Jul 2023 12:51:54 +0000 (14:51 +0200)]
mdssvc: introduce MAX_MDSCMD_SIZE
Allow larger value for the reassembled mdscmd's. Now that the client supports
fragementation, when processing reassambled large result sets from macOS
Spotlight server, it's possible to hit this limit in the unmarshalling
code. Let's just increase it to some larger value.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Ralph Boehme [Thu, 20 Apr 2023 08:45:52 +0000 (10:45 +0200)]
mdscli: add fragmentation support
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Ralph Boehme [Thu, 20 Apr 2023 12:59:12 +0000 (14:59 +0200)]
mdssvc: remove duplicate define of MAX_SL_FRAGMENT_SIZE
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Ralph Boehme [Thu, 20 Apr 2023 08:44:58 +0000 (10:44 +0200)]
librpc/idl: mdssvc: unkn4 field is a fragment indicator
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Ralph Boehme [Thu, 20 Jul 2023 15:08:19 +0000 (17:08 +0200)]
libsmb: increase a debug level when site-aware DC lookup failed
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jul 21 16:19:35 UTC 2023 on atb-devel-224
Ralph Boehme [Tue, 20 Jun 2023 13:33:02 +0000 (15:33 +0200)]
CVE-2023-3347: smbd: fix "server signing = mandatory"
This was broken by commit
1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when
calling srv_init_signing() very early after accepting the connection in
smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224
Ralph Boehme [Tue, 20 Jun 2023 16:13:23 +0000 (18:13 +0200)]
CVE-2023-3347: smbd: remove comment in smbd_smb2_request_process_negprot()
This is just going to bitrot. Anyone who's interested can just grep for
"signing_mandatory" and look up what it does.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 21 Jun 2023 13:10:58 +0000 (15:10 +0200)]
CVE-2023-3347: smbd: inline smb2_srv_init_signing() code in srv_init_signing()
It's now a one-line function, imho the overall code is simpler if that code is
just inlined.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 21 Jun 2023 13:06:12 +0000 (15:06 +0200)]
CVE-2023-3347: smbd: pass lp_ctx to smb[1|2]_srv_init_signing()
No change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Tue, 20 Jun 2023 10:46:31 +0000 (12:46 +0200)]
CVE-2023-3347: CI: add a test for server-side mandatory signing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Mon, 5 Jun 2023 16:02:20 +0000 (18:02 +0200)]
CVE-2023-34968: mdssvc: return a fake share path
Instead of returning the real server-side absolute path of shares and search
results, return a fake absolute path replacing the path of the share with the
share name, iow for a share "test" with a server-side path of "/foo/bar", we
previously returned
/foo/bar and
/foo/bar/search/result
and now return
/test and
/test/search/result
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 17 Jun 2023 11:53:27 +0000 (13:53 +0200)]
CVE-2023-34968: mdscli: return share relative paths
The next commit will change the Samba Spotlight server to return absolute paths
that start with the sharename as "/SHARENAME/..." followed by the share path
relative appended.
So given a share
[spotlight]
path = /foo/bar
spotlight = yes
and a file inside this share with a full path of
/foo/bar/dir/file
previously a search that matched this file would returns the absolute
server-side pato of the file, ie
/foo/bar/dir/file
This will be change to
/spotlight/dir/file
As currently the mdscli library and hence the mdsearch tool print out these
paths returned from the server, we have to change the output to accomodate these
fake paths. The only way to do this sensibly is by makeing the paths relative to
the containing share, so just
dir/file
in the example above.
The client learns about the share root path prefix – real server-side of fake in
the future – in an initial handshake in the "share_path" out argument of the
mdssvc_open() RPC call, so the client can use this path to convert the absolute
path to relative.
There is however an additional twist: the macOS Spotlight server prefixes this
absolute path with another prefix, typically "/System/Volumes/Data", so in the
example above the full path for the same search would be
/System/Volumes/Data/foo/bar/dir/file
So macOS does return the full server-side path too, just prefixed with an
additional path. This path prefixed can be queried by the client in the
mdssvc_cmd() RPC call with an Spotlight command of "fetchPropertiesForContext:"
and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba
just returns "/" for this.
Currently the mdscli library doesn't issue this Spotlight RPC
request (fetchPropertiesForContext), so this is added in this commit. In the
end, all search result paths are stripped of the combined prefix
kMDSStorePathScopes + share_path (from mdssvc_open).
eg
kMDSStorePathScopes = /System/Volumes/Data
share_path = /foo/bar
search result = /System/Volumes/Data/foo/bar/dir/file
relative path returned by mdscli = dir/file
Makes sense? :)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 19 Jun 2023 16:16:57 +0000 (18:16 +0200)]
CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()
sl_pack_alloc() does the buffer allocation that previously all callers of
sl_pack() did themselves.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 20 Jun 2023 09:05:22 +0000 (11:05 +0200)]
CVE-2023-34968: mdssvc: switch to doing an early return
Just reduce indentation of the code handling the success case. No change in
behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 20 Jun 2023 09:42:10 +0000 (11:42 +0200)]
CVE-2023-34968: mdssvc: remove response blob allocation
This is alreay done by NDR for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 20 Jun 2023 09:35:41 +0000 (11:35 +0200)]
CVE-2023-34968: rpcclient: remove response blob allocation
This is alreay done by NDR for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 20 Jun 2023 09:28:47 +0000 (11:28 +0200)]
CVE-2023-34968: smbtorture: remove response blob allocation in mdssvc.c
This is alreay done by NDR for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 19 Jun 2023 16:28:41 +0000 (18:28 +0200)]
CVE-2023-34968: mdscli: remove response blob allocation
This is handled by the NDR code transparently.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 19 Jun 2023 15:14:38 +0000 (17:14 +0200)]
CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating spotlight_blob
d is talloc_free()d at the end of the functions and the buffer was later used
after beeing freed in the DCERPC layer when sending the packet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 17 Jun 2023 11:39:55 +0000 (13:39 +0200)]
CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes" dict key in slrpc_fetch_properties()
We were adding the value, but not the key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 6 Jun 2023 13:17:26 +0000 (15:17 +0200)]
CVE-2023-34968: mdssvc: cache and reuse stat info in struct sl_inode_path_map
Prepare for the "path" being a fake path and not the real server-side
path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already
got stat info for the object in mds_add_result() so we can just pass stat info
from there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 26 May 2023 13:06:38 +0000 (15:06 +0200)]
CVE-2023-34967: mdssvc: add type checking to dalloc_value_for_key()
Change the dalloc_value_for_key() function to require an additional final
argument which denotes the expected type of the value associated with a key. If
the types don't match, return NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 31 May 2023 14:26:14 +0000 (16:26 +0200)]
CVE-2023-34967: CI: add a test for type checking of dalloc_value_for_key()
Sends a maliciously crafted packet where the value in a key/value style
dictionary for the "scope" key is a simple string object whereas the server
expects an array. As the server doesn't perform type validation on the value, it
crashes when trying to use the "simple" object as a "complex" one.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Fri, 26 May 2023 11:06:19 +0000 (13:06 +0200)]
CVE-2023-34966: mdssvc: harden sl_unpack_loop()
A malicious client could send a packet where subcount is zero, leading to a busy
loop because
count -= subcount
=> count -= 0
=> while (count > 0)
loops forever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 31 May 2023 13:34:26 +0000 (15:34 +0200)]
CVE-2023-34966: CI: test for sl_unpack_loop()
Send a maliciously crafted packet where a nil type has a subcount of 0. This
triggers an endless loop in mdssvc sl_unpack_loop().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Fri, 16 Jun 2023 10:28:47 +0000 (12:28 +0200)]
CVE-2022-2127: ntlm_auth: cap lanman response length value
We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
lm_resp buffer, but we don't cap the length indicator.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
Signed-off-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Fri, 20 May 2022 08:55:23 +0000 (10:55 +0200)]
CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks
With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
can crash winbind. We don't independently check lm_resp_len
sufficiently.
Discovered via Coverity ID
1504444 Out-of-bounds access
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
Signed-off-by: Volker Lendecke <vl@samba.org>
Andrew Bartlett [Fri, 21 Jul 2023 03:39:28 +0000 (15:39 +1200)]
lib/cmdline: Also redact --newpassword in samba_cmdline_burn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 06:16:30 UTC 2023 on atb-devel-224
Andrew Bartlett [Fri, 21 Jul 2023 02:35:20 +0000 (14:35 +1200)]
lib/cmdline: Also burn the --password2 parameter if given
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 21 Jul 2023 01:30:39 +0000 (13:30 +1200)]
samba-tool: Use samba.glue.get_burnt_cmdline rather than regex
This use avoids having two different methods to match on command-line
passwords. We already have a dependency on the setproctitle python
module, and this does not change as the (C) libbsd setproctitle()
can't be run from within a python module.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 21 Jul 2023 01:29:22 +0000 (13:29 +1200)]
python: Add glue.burn_commandline() method
This uses samba_cmdline_burn() to as to have common
command line redaction code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 21 Jul 2023 02:32:46 +0000 (14:32 +1200)]
python: Remove const from PyList_AsStringList()
The returned strings are not owned by python, so need not be const.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 21 Jul 2023 02:31:30 +0000 (14:31 +1200)]
python: Move PyList_AsStringList to common code so we can reuse
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 21 Jul 2023 03:27:00 +0000 (15:27 +1200)]
lib/cmdline: Return if the commandline was redacted in samba_cmdline_burn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Joseph Sutton [Wed, 19 Jul 2023 23:14:23 +0000 (11:14 +1200)]
claims.idl: Fix AD claims encoding
Up to now we have been absorbing the discriminant in the NDR padding,
and setting it to zero in the push. But if the discriminant is not set
correctly, Windows will refuse to regard any of the claims.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 02:19:48 UTC 2023 on atb-devel-224
Andrew Bartlett [Thu, 20 Jul 2023 02:10:43 +0000 (14:10 +1200)]
lib/fault: During smb_panic() print process comment and setprocname() title
The purpose of this is to make it clear which part of the AD DC (in particular)
has faulted without having to deduce it from the stacktrace.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Noel Power [Fri, 14 Jul 2023 13:53:29 +0000 (14:53 +0100)]
python/samba: Adjust tarfile extraction filter
The 'data_filter' is far too restrictive, this filter doesn't apply any
mode bits to directories which in turn will result in unexpected
directory permissions of the amongst others msg.[ls]ock directories.
With 'data_filter' and a 'patched' python at best we experience
CI failures with samba-ad-back1 & samba-ad-back2 CI jobs due to server
startup failures, at worst user/admins will need to adjust directory
permissions post backup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 20 Jul 2023 03:49:08 +0000 (15:49 +1200)]
WHATSNEW: Mention new unicodePwd only over encrypted LDAP restriction
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>