Stefan Metzmacher [Wed, 11 Oct 2023 13:58:22 +0000 (15:58 +0200)]
s4:kdc: fix user2user tgs-requests for normal user accounts
User2User tgs requests use the session key of the additional
ticket instead of the long term keys based on the password.
In addition User2User also asserts that client and server
are the same account (checked based on the sid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 10 Oct 2023 13:23:35 +0000 (15:23 +0200)]
TODO lorikeet-first HEIMDAL:kdc: introduce HDB_F_USER2USER_PRINCIPAL
This allows HDB backends to do special handling for
User2User TGS-REQs. The main reason is to let
the HDB_F_GET_SERVER lookup succeed even for
non-computer accounts. In Samba these are typically
not returned in HDB_F_GET_SERVER in order to avoid
generating tickets with the user password.
But for User2User the account password is not used,
so it is safe to return the server entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 11 Oct 2023 13:54:15 +0000 (15:54 +0200)]
tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 17:25:30 +0000 (17:25 +0000)]
auth/credentials_krb5: make use of smb_gss_krb5_prepare_acceptor_cred()
We should check all keys in our in memory keytab
and skip the transited checks unless we're
in standalone/MIT-realm mode.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 17:25:09 +0000 (17:25 +0000)]
auth/credentials_krb5: let cli_credentials_get_server_gss_creds() use an early return
This will simplify the next commits.
Check with: git show -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 17:13:41 +0000 (17:13 +0000)]
s3:gse: let gse_init_server() use smb_gss_krb5_prepare_acceptor_cred()
We should check all keys in our in memory keytab
and skip the transited checks unless we're in
standalone/MIT-realm mode.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 16:52:15 +0000 (16:52 +0000)]
krb5_wrap: add smb_gss_krb5_prepare_acceptor_cred()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 16:09:47 +0000 (16:09 +0000)]
configure_mitkrb5: check for GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 16:09:47 +0000 (16:09 +0000)]
s4:heimdal_build: define HAVE_GSS_KRB5_CRED_{SKIP_TRANSIT_CHECK,ITERATE_ACCEPTOR_KEYTAB}_X
We can only do that for our own copy of heimdal, see
https://github.com/heimdal/heimdal/pull/656
In future we may want to use
source4/heimdal_build/wscript_configure only for
our in tree copy of heimdal and do real configure
checks for the system heimdal build.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 08:30:01 +0000 (10:30 +0200)]
HEIMDAL:lib/gssapi/krb5: add GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X
This allows krb5_rd_req_in_set_iterate_keytab() to be used via the
gssapi layer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Sat, 20 Jul 2019 10:15:04 +0000 (10:15 +0000)]
HEIMDAL:lib/krb5: add krb5_rd_req_in_set_iterate_keytab()
A caller might not know the kvno maintained by the KDC.
And most often there's need to know it.
So this function makes it possible to force the keytab
iteration in order to get a consistent behavior.
Otherwise it's possible to get a different behavior
if the guessed kvno in the keytab accidentally matches
the kvno of the ticket and we'll give up if the
key is not able to decrypt the ticket.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Sat, 20 Jul 2019 10:15:04 +0000 (10:15 +0000)]
HEIMDAL:lib/krb5: let krb5_rd_req_ctx() fallback only on KRB5KRB_AP_ERR_BAD_INTEGRITY
This avoids hiding a real error like KRB5KRB_AP_ERR_ILL_CR_TKT.
We only want to retry with the next key if the decryption
failed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 18 Aug 2017 13:33:17 +0000 (15:33 +0200)]
HEIMDAL:lib/gssapi/krb5: add GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X
This allows KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK (on the acceptor)
to be controlled via the gssapi layer.
Members of Active Directory domains should just rely on their
KDCs (domain controllers) to do SID-Filtering (and name checking)
on trust boundaries, I have verified this with a modified Samba KDC
and a Windows 2012R2 DC. The Windows DC rejects invalid cross-realm tickets
with KRB5KDC_ERR_POLICY, before generating a new (service or referral)
ticket. So any service ticket is already policy checked by the KDC
even if this does not result in setting the transited_policy_checked in the ticket.
This means an accepting service can tell gss_accept_sec_context()
to skip any transited checking, as the trust topology is only
fully known to the KDC anyway.
The detailed background for this can be found in the bug report
and the mailing list:
https://lists.samba.org/archive/samba-technical/2019-September/thread.html#134285
https://lists.samba.org/archive/samba-technical/2019-November/thread.html#134553
http://mailman.mit.edu/pipermail/krbdev/ should also have references.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 18 Aug 2017 13:33:17 +0000 (15:33 +0200)]
HEIMDAL:lib/krb5: add [libdefaults] acceptor_skip_transit_check and KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK
In active directory a domain member relies on (trusts) the [K]DCs
of the domain. It's the job of the [K]DCs to only generate useful
tickets as they know about the trust topology.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 18 Aug 2017 13:33:17 +0000 (15:33 +0200)]
HEIMDAL:lib/krb5: add krb5_rd_req_in_set_verify_ap_req_flags()
In the next commits we want to be able to pass down
things like KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 17 Aug 2021 15:35:27 +0000 (17:35 +0200)]
schema_samba4.ldif: allocate GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X from our OID space
This will be in (at least our own copy of) Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 17 Aug 2021 15:35:27 +0000 (17:35 +0200)]
samba.schema: allocate GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X from our OID space
This will be used in MIT kerberos and (at least our own copy of) Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 29 Dec 2022 10:19:02 +0000 (11:19 +0100)]
HEIMDAL: kdc: don't announce KRB5_PADATA_GSS unless gss_preauth is enabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 29 Dec 2022 10:18:22 +0000 (11:18 +0100)]
HEIMDAL: kdc: don't announce KRB5_PADATA_PKINIT_KX unless anonymous is allowed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 29 Dec 2022 10:16:06 +0000 (11:16 +0100)]
HEIMDAL: kdc: don't announce KRB5_PADATA_FX_FAST unless fast is enabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 8 Nov 2017 12:18:29 +0000 (13:18 +0100)]
HEIMDAL:kdc: use the correct authtime from additional ticket for S4U2Proxy tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137
WAS
59087a123b6754d2d99ce0a9e5ec035eca8d1d24
WAS
525c9c1cda89194536f2c090d23e96f8f517dcc3
Stefan Metzmacher [Wed, 20 Sep 2017 21:05:09 +0000 (23:05 +0200)]
HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the keys from evidence_tkt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 20 Sep 2017 21:05:09 +0000 (23:05 +0200)]
HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
We do this after checking for constraint delegation (S4U2Proxy).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 20 Sep 2017 21:05:09 +0000 (23:05 +0200)]
HEIMDAL:kdc: fix memory leak when decrypting AuthorizationData
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 7 Feb 2022 18:32:08 +0000 (19:32 +0100)]
s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 25 Feb 2022 04:16:36 +0000 (05:16 +0100)]
s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0)
This demonstrates the pre-authentication failures with passwords from
the password history don't increment badPwdCount, similar to the
NTLMSSP and simple bind cases. But it's still an interactive logon,
which doesn't use 'old password allowed period'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 17 Feb 2022 06:12:10 +0000 (07:12 +0100)]
s4:kdc: handle passwords from the history in hdb_samba4_auth_status()
This is important in order to prevent ACCOUNT_LOCKED_OUT
with cached credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 4 Mar 2022 23:39:14 +0000 (00:39 +0100)]
kdc: remember kvno numbers for longterm key pre-auth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Upstream: https://github.com/heimdal/heimdal/pull/970
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 15 Feb 2022 17:26:55 +0000 (18:26 +0100)]
kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY support in pa_enc_chal_validate()
If the pre-authentication fails using the keys belonging to the current
kvno, we'll retry it with 2 passwords from the password history.
If we find such passwords were used for the pre-authentication,
we change KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY into
KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Upstream: https://github.com/heimdal/heimdal/pull/970
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 15 Feb 2022 16:16:47 +0000 (17:16 +0100)]
kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY support in pa_enc_ts_validate()
If the pre-authentication fails using the keys belonging to the current
kvno, we'll retry it with 2 passwords from the password history.
If we find such passwords were used for the pre-authentication,
we change KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY into
KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Upstream: https://github.com/heimdal/heimdal/pull/970
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 7 Feb 2022 18:48:18 +0000 (19:48 +0100)]
kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY value
This will be used to indicate that a historic password was
able to fulfil the pre-authentication. We'll still
fail the pre-authentication but pass
KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY instead of
KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY. It will allow
the hdb backend to avoid locking out the account in that case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Upstream: https://github.com/heimdal/heimdal/pull/970
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 4 Mar 2022 23:24:41 +0000 (00:24 +0100)]
kdc: add success logging to pa_enc_chal_validate()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Upstream: https://github.com/heimdal/heimdal/pull/970
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 15 Feb 2022 17:13:23 +0000 (18:13 +0100)]
kdc: split out pa_enc_chal_decrypt_kvno() from pa_enc_chal_validate()
This will simplify support for historic passwords in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Upstream: https://github.com/heimdal/heimdal/pull/970
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 15 Feb 2022 16:15:57 +0000 (17:15 +0100)]
kdc: split out pa_enc_ts_decrypt_kvno() from pa_enc_ts_validate()
This will simplify support for historic passwords in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Upstream: https://github.com/heimdal/heimdal/pull/970
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 15 Aug 2023 06:57:57 +0000 (08:57 +0200)]
s3:ctdbd_conn: fix ctdbd_public_ip_foreach() for ipv6 addresses
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15534
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec 21 11:09:30 UTC 2023 on atb-devel-224
(cherry picked from commit 828f3c99122fb033ecb79e24ed24821b8510f0f8)
Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Thu Dec 28 17:09:25 UTC 2023 on atb-devel-224
Martin Schwenke [Tue, 12 Dec 2023 23:29:05 +0000 (10:29 +1100)]
ctdb-server: Drop unnecessary copy of destination address
Modernise debug while touching the code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 15 12:09:21 UTC 2023 on atb-devel-224
(cherry picked from commit 4b7329f15820f1b4d9a7b7f0947719c4217b312a)
Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Sat Dec 16 15:26:50 UTC 2023 on atb-devel-224
Martin Schwenke [Tue, 12 Dec 2023 23:22:04 +0000 (10:22 +1100)]
ctdb-daemon: Use ctdb_connection_to_buf() to simplify
The one case that is no longer handled specially is when the
destination address is IPv4 loopback. This may previously have been
used to avoid flooding the logs when testing. However, that seems
unnecessary - if testing with 127.0.0.1 then make it a public address.
Modernise debug while touching the code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 8fc3872557f715dc38f9898754a785fd073ace96)
Volker Lendecke [Thu, 12 Oct 2023 15:19:45 +0000 (17:19 +0200)]
smbd: Remove callback for release_ip when "state" is free'ed
If a client connects to a non-public address first followed by a connect
to public address with the same client_guid and a connection to
the non-public address gets disconnected first, we are hit by a use-after-free
talloc_get_type_abort() called from release_ip() as
"xconn" is already gone, taking smbd_release_ip_state with it.
We need to decide between calling ctdbd_unregister_ips() by default, as
it means the tcp connection is really gone and ctdb needs to remove the
'tickle' information. But when a connection was passed to a different
smbd process, we need to use ctdbd_passed_ips() as the tcp connection is
still alive and the 'tickle' information should not be removed within
ctdb.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit ddf47e7fe314e0f5bf71ff53e35350e0ba530d08)
Stefan Metzmacher [Fri, 17 Nov 2023 10:46:27 +0000 (11:46 +0100)]
s3:selftest: add samba3.blackbox.smbXsrv_client_ctdb_registered_ips
This demonstrates the crash that happens if a client connects to a
non-public address first followed by a connect
to public address with the same client_guid and a connection to
the non-public address gets disconnected first, we are hit by a
use-after-free talloc_get_type_abort() called from release_ip() as
"xconn" is already gone, taking smbd_release_ip_state with it.
Note that we also need to mark some subtests as flapping
as there's a 2nd problem that happens in the interaction
between smbd processes and ctdb when passing a multichannel
connection to an existing process, it means we sometimes
lose the 'tickle' information within ctdb to that tcp connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 082c7df4d04c2a94c5413c1d6b7eae7be610f950)
Stefan Metzmacher [Fri, 17 Nov 2023 10:45:30 +0000 (11:45 +0100)]
selftest: export/use CTDB related envvars in order to run the ctdb command
This makes it easier to test things...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 38b74d4ca9a59e7f12850c20c410f9df26cbad0a)
Stefan Metzmacher [Mon, 20 Nov 2023 13:57:46 +0000 (14:57 +0100)]
ctdbd_conn: add ctdbd_passed_ips()
This is similar to ctdbd_unregister_ips(), but with the
difference that ctdb keeps the 'tickle' information for
the tcp connection alive, because another smbd process
took care of that tcp connection in a multichannel scenario.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 2e784789d78d09dfbc599085e5eb1c70c5b866b8)
Stefan Metzmacher [Thu, 16 Nov 2023 12:18:03 +0000 (13:18 +0100)]
ctdbd_conn: add ctdbd_unregister_ips()
This reverts the effect of ctdbd_register_ips().
We'll use this in order to disconnect individual
multichannel connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit f3a03f3f774f0795fc1a163f12cccb9cedeebec1)
Volker Lendecke [Thu, 12 Oct 2023 15:11:42 +0000 (17:11 +0200)]
ctdbd_conn: Add deregister_from_ctdbd()
This is to remove a callback during rundown of smbds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 75aa6693940201a928b46f6880b43820c0e1c555)
Stefan Metzmacher [Thu, 16 Nov 2023 12:04:12 +0000 (13:04 +0100)]
ctdbd_conn: let register_with_ctdbd() call CTDB_CONTROL_REGISTER_SRVID just once
We do the dispatching to multiple handlers in ctdbd_msg_call_back()
and we don't need more than one message from ctdb.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 77a559432ffde2d435e29bed126d20a09d33f48e)
Stefan Metzmacher [Thu, 16 Nov 2023 12:29:18 +0000 (13:29 +0100)]
ctdbd_conn: don't use uninitialized memory in ctdbd_register_ips()
We dump the structure into the socket, so we need to zero the content
including possible padding.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 240139370aa19f53dd3de0ff468afd994d3bd973)
Stefan Metzmacher [Fri, 17 Nov 2023 14:59:57 +0000 (15:59 +0100)]
ctdb: add/implement CTDB_CONTROL_TCP_CLIENT_PASSED
With multichannel a tcp connection is registered first with
a temporary smbd process, that calls CTDB_CONTROL_TCP_CLIENT
first and then passes the tcp connection to the longterm smbd
that already handles all connections belonging to the specific
client_guid. That smbd process calls CTDB_CONTROL_TCP_CLIENT
again, but the 'tickle' information is already there.
When the temporary smbd process exits/disconnects from ctdb
or calls CTDB_CONTROL_TCP_CLIENT_DISCONNECTED, the 'tickle'
information is removed, while the longterm smbd process
still serves the tcp connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 037e8e449deb136ad5ed5e4de05439411b545b6d)
Stefan Metzmacher [Wed, 15 Nov 2023 15:31:53 +0000 (16:31 +0100)]
ctdb: add/implement CTDB_CONTROL_TCP_CLIENT_DISCONNECTED
With multichannel a ctdb connection from smbd may hold multiple
tcp connections, which can be disconnected before the smbd
process terminates the whole ctdb connection, so we need a
way to undo 'CTDB_CONTROL_TCP_CLIENT' again.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit c6602b686b4e50d93272667ef86d3904181fb1ab)
Stefan Metzmacher [Tue, 12 Dec 2023 12:39:21 +0000 (13:39 +0100)]
ctdb: add ctdb_connection_same() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 8395fd369d3c9d216817e922423727748581f133)
Stefan Metzmacher [Tue, 12 Dec 2023 12:27:17 +0000 (13:27 +0100)]
ctdb: make use of ctdb_canonicalize_ip_inplace() in ctdb_control_tcp_client()
We could also remove the src_addr and dest_addr helper variables
completely, but that would be too much for this commit.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 5f52d140f7b676ed68b5ce49d4445357bcbcb1a6)
Stefan Metzmacher [Tue, 12 Dec 2023 12:26:46 +0000 (13:26 +0100)]
ctdb: add ctdb_canonicalize_ip_inplace() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit f2d9c012fc803b48564c3203ed640c02f99bcbaa)
Stefan Metzmacher [Thu, 16 Nov 2023 10:56:59 +0000 (11:56 +0100)]
ctdb: remove unused ctdb->client_ip_list and print debug on ctdb_tcp_list instead
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 92badd3bdd82d1fa79727efcf81b6f479016811f)
Shachar Sharon [Thu, 16 Nov 2023 09:57:02 +0000 (11:57 +0200)]
vfs_ceph: call 'ceph_fgetxattr' only if valid fd
Align getxattr logic with the rest of xattr hooks: call ceph_fgetxattr
with appropriate io-fd when 'is_pathref' is false; otherwise, call
ceph_getxattr.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15440
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Nov 30 12:32:29 UTC 2023 on atb-devel-224
(cherry picked from commit 83edfcff5ccd8c4c710576b6d5612e0578d168c8)
Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Mon Dec 11 13:21:02 UTC 2023 on atb-devel-224
Samuel Cabrero [Mon, 4 Sep 2023 14:49:52 +0000 (16:49 +0200)]
testprogs: Add net offlinejoin composeodj tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep 5 22:11:46 UTC 2023 on atb-devel-224
(cherry picked from commit f3c632e74ba100b455eeac66e8914b11d1d9b0a0)
Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Wed Nov 29 15:55:45 UTC 2023 on atb-devel-224
Samuel Cabrero [Mon, 4 Sep 2023 14:18:35 +0000 (16:18 +0200)]
testprogs: Cleanup machine account in net offlinejoin tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e92e4b9544231c15eaf0bdbba4505345cd0f6ab5)
Samuel Cabrero [Wed, 30 Aug 2023 18:53:18 +0000 (20:53 +0200)]
s3:net: Allow to load ODJ blob from stdin
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c14a4f51443f67bc46a670a342eed8cb9e81f37d)
Samuel Cabrero [Wed, 30 Aug 2023 18:25:17 +0000 (20:25 +0200)]
s3:net: Load ODJ blob from file only if "loadfile" parameter is present
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b2399b6994c89404f245e1a97ba1c1cf13d7fc86)
Samuel Cabrero [Thu, 31 Aug 2023 10:46:52 +0000 (12:46 +0200)]
s3:net: Add "net offlinejoin composeodj" command
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4a1f2071a6028a761bbe7efee20e9654851b51f0)
Samuel Cabrero [Thu, 31 Aug 2023 10:45:42 +0000 (12:45 +0200)]
s3:libnetapi: Implement NetComposeOfflineDomainJoin_l()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a8bd8f22aac2c223e85e318dba7af8b64052b053)
Samuel Cabrero [Thu, 31 Aug 2023 10:44:26 +0000 (12:44 +0200)]
s3:libnetapi: Add NetComposeOfflineDomainJoin() to API.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7cabbec2eaf5aefd3751c635c12556eca590f506)
Samuel Cabrero [Thu, 31 Aug 2023 10:43:22 +0000 (12:43 +0200)]
s3:libnetapi: Add NetComposeOfflineDomainJoin() boilerplate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 532701e3cce9d15e95166ee7c24cd1e4af51fcc4)
Samuel Cabrero [Thu, 31 Aug 2023 10:39:04 +0000 (12:39 +0200)]
s3:libnetapi: Add NetComposeOfflineDomainJoin() to IDL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 740e704bd68a6b618b62336ba1583c0edeb82d6f)
Samuel Cabrero [Mon, 4 Sep 2023 08:47:06 +0000 (10:47 +0200)]
s3:libnetapi: Add some comments to document ODJ blob charset conversions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bdab834dfad55776155915f7ec410b5a192406fa)
Samuel Cabrero [Wed, 30 Aug 2023 17:59:04 +0000 (19:59 +0200)]
s3:libnetapi: Return error from RequestOfflineJoin
The error code must be returned to caller even if the error string is not set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e4afb211fe32f2aa92cc903df948874046f60305)
Jule Anger [Wed, 29 Nov 2023 14:24:32 +0000 (15:24 +0100)]
VERSION: Bump version up to Samba 4.18.10...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Wed, 29 Nov 2023 14:24:09 +0000 (15:24 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.18.9 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Wed, 29 Nov 2023 14:23:30 +0000 (15:23 +0100)]
WHATSNEW: Add release notes for Samba 4.18.9.
Signed-off-by: Jule Anger <janger@samba.org>
Christof Schmitt [Thu, 9 Nov 2023 19:44:02 +0000 (12:44 -0700)]
vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Wed Nov 15 19:55:07 UTC 2023 on atb-devel-224
(cherry picked from commit 12e5c15a97b45aa01fc3f4274f8ba9cf7d1ddbe9)
Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Sat Nov 25 19:34:32 UTC 2023 on atb-devel-224
Christof Schmitt [Thu, 9 Nov 2023 19:42:13 +0000 (12:42 -0700)]
vfs_aixacl2: Call stat DAC_CAP_OVERRIDE functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit 9cac91542128888bde79391ca99291a76752f334)
Christof Schmitt [Thu, 9 Nov 2023 19:39:57 +0000 (12:39 -0700)]
nfs4_acls: Make fstat_with_cap_dac_override static
No other module is calling this function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit bffd8bd8c32fea738824b807eb9e5f97a609493e)
Christof Schmitt [Thu, 9 Nov 2023 19:38:46 +0000 (12:38 -0700)]
nfs4_acls: Make stat_with_cap_dac_override static
No other module is calling this function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit 0f664f016207894e0a156b9e1f4db7677c264205)
Christof Schmitt [Thu, 9 Nov 2023 19:37:25 +0000 (12:37 -0700)]
nfs4_acls: Make fstatat_with_cap_dac_override static
No other module is calling this function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit 8831eeca1d70c909e15c86c8af6a7b1d7b0d3b5b)
Christof Schmitt [Thu, 9 Nov 2023 19:35:21 +0000 (12:35 -0700)]
vfs_gpfs: Move vfs_gpfs_fstatat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is being moved to nfs4_acls.c to allow
reuse. Move the vfs_gpfs_fstatat function and rename it to the more
generic name nfs4_acl_fstat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit 5fd73e93af9d015c9e65a6d4d16229476a541cfc)
Christof Schmitt [Thu, 9 Nov 2023 19:30:27 +0000 (12:30 -0700)]
vfs_gpfs: Move vfs_gpfs_lstat to nfs4_acls.c and rename function
All stat CAP_DAC_OVERRIDE code is being moved to nfs4_acls.c to allow
reuse. Move the vfs_gpfs_lstat function and rename to the more generic
name nfs4_acl_lstat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit 2c1195678d34516744ba4f8b1c5582f4046cba35)
Christof Schmitt [Thu, 9 Nov 2023 19:27:58 +0000 (12:27 -0700)]
vfs_gpfs: Move vfs_gpfs_fstat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is moving to nfs4_acls.c to allow reuse.
Move the vfs_gpfs_fstat function and rename to the more generic name
nfs4_acl_fstat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit f9301871c61b066c1ea464e6e9109bb2cde71598)
Christof Schmitt [Thu, 9 Nov 2023 19:23:49 +0000 (12:23 -0700)]
vfs_gpfs: Move vfs_gpfs_stat to nfs4_acls.c and rename function
All stat DAC_CAP_OVERRIDE code is moving to nfs4_acls.c to allow reuse
by other file system modules. Also rename the function to the more
generic name nfs4_acl_stat.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit f8a23d960e02f783119c2aef38a6e293ee548df3)
Christof Schmitt [Thu, 9 Nov 2023 19:20:38 +0000 (12:20 -0700)]
vfs_gpfs: Move stat_with_capability to nfs4_acls.c and rename function
All stat CAP_DAC_OVERRIDE code is moving to nfs4_acls.c to allow reuse
by other filesystem modules. Also rename the function to the slightly
more precise name stat_with_cap_dac_override.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit 6b1e066c4f354f297fbf99ad93acfaf44e3b89cb)
Christof Schmitt [Thu, 9 Nov 2023 19:17:21 +0000 (12:17 -0700)]
vfs_gpfs: Move fstatat_with_cap_dac_override to nfs4_acls.c
All stat DAC_CAP_OVERRIDE code is being moved to nfs4_acls.c to allow
reuse by other filesystem modules.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit 316c96ea83a7b70d35879e4743193bb1e9cb566c)
Christof Schmitt [Thu, 9 Nov 2023 19:01:56 +0000 (12:01 -0700)]
nfs4_acls: Implement fstat with DAC_CAP_OVERRIDE
AT_EMPTY_PATH does not exist on AIX. Address this by implementing an
override for fstat. Implement the new override function in nfs4_acls.c
since all stat functions with DAC_CAP_OVERRIDE will be moved there to
allow reuse by other filesystems.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit 05f1ee1ae2d8439af0ac9baf64ebba1a3374ea83)
Christof Schmitt [Thu, 26 Oct 2023 22:51:02 +0000 (15:51 -0700)]
vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstatat
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 8 18:42:13 UTC 2023 on atb-devel-224
(cherry picked from commit 963fc353e70b940f4009ca2764e966682400e2dc)
Christof Schmitt [Thu, 26 Oct 2023 21:45:34 +0000 (14:45 -0700)]
vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstat
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit cbdc16a7cfa225d1cf9109fafe85e9d14729700e)
Christof Schmitt [Thu, 26 Oct 2023 21:39:46 +0000 (14:39 -0700)]
vfs_gpfs: Move fstatat with DAC_CAP_OVERRIDE to helper function
Allow reuse of this code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 95319351e37b8b968b798eee66c93852d9ad2d81)
Christof Schmitt [Thu, 26 Oct 2023 21:37:15 +0000 (14:37 -0700)]
vfs_gpfs: Use O_PATH for opening dirfd for stat with CAP_DAC_OVERRIDE
Use O_PATH when available; this avoids the need for READ/LIST access on
that directory. Keep using O_RDONLY if the system does not have O_PATH.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15507
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b317622a8fed0ee195ffe40129eb5bcad28dd985)
Ralph Boehme [Thu, 16 Nov 2023 09:50:32 +0000 (10:50 +0100)]
smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor()
VFS modules like streams_xattr use the function fsp_is_alternate_stream() on the
fsp to determine if an fsp is a stream, e.g. in streams_xattr_close(). If
fsp->base_fsp is already set to NULL, this won't work anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15521
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 16 18:31:17 UTC 2023 on atb-devel-224
(cherry picked from commit 4481a67c1b20549a71d6c5132b637798a09f966d)
Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Tue Nov 21 10:24:37 UTC 2023 on atb-devel-224
Björn Jacke [Thu, 9 Nov 2023 13:56:06 +0000 (14:56 +0100)]
system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15093
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
(cherry picked from commit a1738e8265dd256c5a1064482a6dfccbf9ca44f1)
Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Mon Nov 20 09:55:39 UTC 2023 on atb-devel-224
Ralph Boehme [Wed, 20 Sep 2023 21:21:44 +0000 (14:21 -0700)]
s3: smbd: Ignore fstat() error on deleted stream in fd_close().
In the fd_close() fsp->fsp_flags.fstat_before_close code path.
If this is a stream and delete-on-close was set, the
backing object (an xattr from streams_xattr) might
already be deleted so fstat() fails with
NT_STATUS_NOT_FOUND. So if fsp refers to a stream we
ignore the error and only bail for normal files where
an fstat() should still work. NB. We cannot use
fsp_is_alternate_stream(fsp) for this as the base_fsp
has already been closed at this point and so the value
fsp_is_alternate_stream() checks for is already NULL.
Remove knownfail.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Oct 10 09:39:27 UTC 2023 on atb-devel-224
(cherry picked from commit 633a3ee6894cc1d05b44dbe47a278202803d9b21)
Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Mon Nov 13 12:16:15 UTC 2023 on atb-devel-224
Stefan Metzmacher [Fri, 29 Jan 2016 22:35:31 +0000 (23:35 +0100)]
CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566)
Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Mon Oct 23 09:52:22 UTC 2023 on atb-devel-224
Stefan Metzmacher [Wed, 7 Jun 2023 16:18:58 +0000 (18:18 +0200)]
CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 70586061128f90afa33f25e104d4570a1cf778db)
Stefan Metzmacher [Mon, 26 Jun 2023 13:14:24 +0000 (15:14 +0200)]
CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()
This makes the next change easier to understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 498542be0bbf4f26558573c1f87b77b8e3509371)
Stefan Metzmacher [Fri, 29 Jan 2016 22:34:15 +0000 (23:34 +0100)]
CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
This revealed a bug in our dirsync code, so we mark
test_search_with_dirsync_deleted_objects as knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47)
Stefan Metzmacher [Fri, 29 Jan 2016 22:33:37 +0000 (23:33 +0100)]
CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0c329a0fda37d87ed737e4b579b6d04ec907604c)
Stefan Metzmacher [Fri, 29 Jan 2016 22:30:59 +0000 (23:30 +0100)]
CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()
samba-tool drs clone-dc-database was quite useful to find
the true value of nTSecurityDescriptor of the CN=Deleted Objects
containers.
Only the auto inherited SACL is available via an LDAP search.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3be190dcf7153e479383f7f3d29ddca43fe121b8)
Michael Adam [Mon, 16 Oct 2023 17:04:55 +0000 (19:04 +0200)]
gitignore: add WAF lockfile
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christof Schmitt <christof.schmitt@us.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 17 04:16:29 UTC 2023 on atb-devel-224
(cherry picked from commit 310629508bfbedecfab9b653b7cba0282f5c0e8b)
Christof Schmitt [Thu, 12 Sep 2013 23:11:34 +0000 (16:11 -0700)]
build: Add 'make printversion' to provide version string
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497
Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e2ace2d613701f3d4a7c7c202f68d2f193c0a64a)
Martin Schwenke [Tue, 19 Sep 2023 07:47:36 +0000 (17:47 +1000)]
ctdb-daemon: Call setproctitle_init()
Commit 19c82c19c009eefe975ae95c8b709fc93f5f4c39 changed the behaviour
of prctl_set_comment() so it now calls setproctitle(3bsd) by default.
In some Linux distributions (e.g. Rocky Linux 8.8), this results in
messages like this spamming the logs:
ctdbd: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
Most Samba daemons seem to call setproctitle_init(), so do it here.
In the longer term CTDB should also switch to using lib/util's
process_set_title(), like the rest of Samba, for more flexible process
names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15479
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Sep 21 00:46:50 UTC 2023 on atb-devel-224
(cherry picked from commit 8b9f464420b66cebaf00654cf8b19165b301b8b6)
Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-18-test): Wed Oct 11 10:57:21 UTC 2023 on atb-devel-224
Jule Anger [Tue, 10 Oct 2023 15:25:29 +0000 (17:25 +0200)]
VERSION: Bump version up to Samba 4.18.9...
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Tue, 10 Oct 2023 15:23:50 +0000 (17:23 +0200)]
Merge branch 'v4-18-stable' into v4-18-test
Jule Anger [Tue, 10 Oct 2023 15:04:24 +0000 (17:04 +0200)]
Merge tag 'samba-4.18.8' into v4-18-stable
samba: tag release samba-4.18.8
Jule Anger [Tue, 10 Oct 2023 08:58:39 +0000 (10:58 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.18.8 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Tue, 10 Oct 2023 08:58:08 +0000 (10:58 +0200)]
WHATSNEW: Add release notes for Samba 4.18.8.
Signed-off-by: Jule Anger <janger@samba.org>
Andrew Bartlett [Tue, 12 Sep 2023 04:23:49 +0000 (16:23 +1200)]
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.
This means that any duplicates will be noticed early not just
in a race condition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet@samba.org>