Stefan Metzmacher [Fri, 23 Feb 2024 12:20:29 +0000 (13:20 +0100)]
python/samba/netcmd/domain/provision.py "2012", "2012_R2"
Stefan Metzmacher [Thu, 3 Feb 2022 17:27:19 +0000 (18:27 +0100)]
s3:libnet: add a debug message to libnet_keytab_add_to_keytab_entries()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 17:27:19 +0000 (18:27 +0100)]
s3:libnet: add support for trusted domains in libnet_dssync_keytab.c
It means that keytabs generated via 'net rpc vampire keytab' are
able to decrypt cross-realm tickets in wireshark.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 13:48:03 +0000 (14:48 +0100)]
s3:libnet: split out store_or_fetch_attribute() from parse_user() in libnet_dssync_keytab.c
This way we can easily re-use the logic in the next commits...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 13:48:03 +0000 (14:48 +0100)]
s3:libnet: split out parse_user() in libnet_dssync_keytab.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 13:48:03 +0000 (14:48 +0100)]
s3:libnet: let parse_user() in libnet_dssync_keytab.c work without nt hash
It happens in setups with 'nt hash store = never'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 28 Mar 2024 14:10:28 +0000 (15:10 +0100)]
Revert "s4:kdc: also provide cross-realm keys via samba_kdc_seq()"
This reverts commit
c633aa9b023112e314ea95bd751e516e1db7e854.
Stefan Metzmacher [Thu, 3 Feb 2022 13:14:06 +0000 (14:14 +0100)]
s4:kdc: also provide cross-realm keys via samba_kdc_seq()
This means that 'samba-tool domain exportkeytab' is able to
export them.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 1 Feb 2024 12:57:56 +0000 (13:57 +0100)]
HEIMDAL: lib/krb5: don't ignore krb5_init_creds_get_creds() result in krb5_get_init_creds_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Stefan Metzmacher [Thu, 1 Feb 2024 12:58:32 +0000 (13:58 +0100)]
HEIMDAL: lib/krb5: work around AIX fwrite() caching bug in stdio_store()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Stefan Metzmacher [Thu, 1 Feb 2024 12:58:32 +0000 (13:58 +0100)]
krb5_wrap: don't ignore krb5_kt_start_seq_get() errors
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 17:25:30 +0000 (17:25 +0000)]
auth/credentials_krb5: make use of smb_gss_krb5_prepare_acceptor_cred()
We should check all keys in our in memory keytab
and skip the transited checks unless we're
in standalone/MIT-realm mode.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 17:25:09 +0000 (17:25 +0000)]
auth/credentials_krb5: let cli_credentials_get_server_gss_creds() use an early return
This will simplify the next commits.
Check with: git show -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 17:13:41 +0000 (17:13 +0000)]
s3:gse: let gse_init_server() use smb_gss_krb5_prepare_acceptor_cred()
We should check all keys in our in memory keytab
and skip the transited checks unless we're in
standalone/MIT-realm mode.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 16:52:15 +0000 (16:52 +0000)]
krb5_wrap: add smb_gss_krb5_prepare_acceptor_cred()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 16:09:47 +0000 (16:09 +0000)]
configure_mitkrb5: check for GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 16:09:47 +0000 (16:09 +0000)]
s4:heimdal_build: define HAVE_GSS_KRB5_CRED_{SKIP_TRANSIT_CHECK,ITERATE_ACCEPTOR_KEYTAB}_X
We can only do that for our own copy of heimdal, see
https://github.com/heimdal/heimdal/pull/656
In future we may want to use
source4/heimdal_build/wscript_configure only for
our in tree copy of heimdal and do real configure
checks for the system heimdal build.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 08:30:01 +0000 (10:30 +0200)]
HEIMDAL:lib/gssapi/krb5: add GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X
This allows krb5_rd_req_in_set_iterate_keytab() to be used via the
gssapi layer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Sat, 20 Jul 2019 10:15:04 +0000 (10:15 +0000)]
HEIMDAL:lib/krb5: add krb5_rd_req_in_set_iterate_keytab()
A caller might not know the kvno maintained by the KDC.
And most often there's need to know it.
So this function makes it possible to force the keytab
iteration in order to get a consistent behavior.
Otherwise it's possible to get a different behavior
if the guessed kvno in the keytab accidentally matches
the kvno of the ticket and we'll give up if the
key is not able to decrypt the ticket.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Sat, 20 Jul 2019 10:15:04 +0000 (10:15 +0000)]
HEIMDAL:lib/krb5: let krb5_rd_req_ctx() fallback only on KRB5KRB_AP_ERR_BAD_INTEGRITY
This avoids hidding a real error like KRB5KRB_AP_ERR_ILL_CR_TKT.
We only want to retry with the next key if the decryption
failed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 18 Aug 2017 13:33:17 +0000 (15:33 +0200)]
HEIMDAL:lib/gssapi/krb5: add GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X
This allows KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK (on the acceptor)
to be controlled via the gssapi layer.
Members of Active Directory domains should just rely on there
KDCs (domain controllers) to do SID-Filtering (and name checking)
on trust boundaries, I have verified this with a modified Samba KDC
and a Windows 2012R2 DC. The Windows DC rejects invalid cross-realm tickets
with KRB5KDC_ERR_POLICY, before generating a new (service or referral)
ticket. So any service ticket is already policy checked by the KDC
even if this does not result in setting the transited_policy_checked in the ticket.
This means an accepting service can tell gss_accept_sec_context()
to skip any transited checking, as the trust topoligy is only
fully known to the KDC anyway.
The detailed background for this can be found in the bug report
and the mailing list:
https://lists.samba.org/archive/samba-technical/2019-September/thread.html#134285
https://lists.samba.org/archive/samba-technical/2019-November/thread.html#134553
http://mailman.mit.edu/pipermail/krbdev/ should also have references.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 18 Aug 2017 13:33:17 +0000 (15:33 +0200)]
HEIMDAL:lib/krb5: add [libdefaults] acceptor_skip_transit_check and KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK
In active directory a domain member replies on (trusts) the [K]DCs
of the domain. It's the job of the [K]DCs to only generate useful
tickets as they know about the trust topology.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 18 Aug 2017 13:33:17 +0000 (15:33 +0200)]
HEIMDAL:lib/krb5: add krb5_rd_req_in_set_verify_ap_req_flags()
In the next commits we want to be able to pass down
things like KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 17 Aug 2021 15:35:27 +0000 (17:35 +0200)]
schema_samba4.ldif: allocate GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X from our OID space
This will be in (at least our own copy of) Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 17 Aug 2021 15:35:27 +0000 (17:35 +0200)]
samba.schema: allocate GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X from our OID space
This will be used in MIT kerberos and (at least our own copy of) Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 1 Aug 2023 12:40:33 +0000 (14:40 +0200)]
HEIMDAL: make-proto.pl make JSON:PP optional
Pavel Filipenský [Thu, 14 Mar 2024 14:24:21 +0000 (15:24 +0100)]
tests: Add a test for "all_groups=no" to test_idmap_ad.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Apr 2 13:25:39 UTC 2024 on atb-devel-224
(cherry picked from commit
f8b72aa1f72881989990fabc9f4888968bb81967)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Apr 17 14:38:42 UTC 2024 on atb-devel-224
Pavel Filipenský [Mon, 25 Mar 2024 21:38:18 +0000 (22:38 +0100)]
selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
2dab3a331b5511b4f2253f2b3b4513db7e52ea9a)
Pavel Filipenský [Tue, 12 Mar 2024 12:20:24 +0000 (13:20 +0100)]
s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad
The LDAP query of lookup_groupmem() returns all group members from AD
even those with missing uidNumber. Such group members are useless in
UNIX environment for idmap_ad backend since there is no uid mapping.
'test_user' is member of group "Domanin Users" with 200K members,
only 20K members have set uidNumber.
Without this fix:
$ time id test_user
real 1m5.946s
user 0m0.019s
sys 0m0.012s
With this fix:
$ time id test_user
real 0m3.544s
user 0m0.004s
sys 0m0.007s
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
5d475d26a3d545f04791a04e85a06b8b192e3fcf)
Pavel Filipenský [Wed, 13 Mar 2024 12:55:41 +0000 (13:55 +0100)]
docs-xml: Add parameter all_groupmem to idmap_ad
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
a485d9de2f2d6a9815dcac6addb988a8987e111c)
Alexander Bokovoy [Thu, 22 Jun 2023 06:56:12 +0000 (09:56 +0300)]
Do not fail checksums for RFC8009 types
While Active Directory does not support yet RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
domain controller which uses them by default.
[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196, 2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228, 5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15635
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8e931fce126e8c1128da893c806702731c08758a)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Apr 16 12:24:55 UTC 2024 on atb-devel-224
Douglas Bagnall [Wed, 10 Apr 2024 23:52:14 +0000 (11:52 +1200)]
s4:dns_server: less noisy, more informative debug messages
This shouldn't have been DBG_ERR, and it might as well say something
about the tombstone.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15630
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Apr 12 15:18:05 UTC 2024 on atb-devel-224
(cherry picked from commit
dde973d170e479632d1a411279f4f0fad6608539)
Andreas Schneider [Mon, 4 Mar 2024 09:58:23 +0000 (10:58 +0100)]
packaging: Provide a systemd service file for samba-bgqd
There might be scenarios where the background queue daemon should be
running all the time instead of being started on demand. This makes
especially sense for bigger printing servers with a lot of printers. It
takes ~1 sec to get a printer from cups, so a print server with 100
printers needs 100 seconds to update the printer_list.tdb. The service
will be killed because of idle in the meantime.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15600
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
c97071726e163b40f0e391af70e81b3e6c1ab0eb)
Noel Power [Thu, 28 Mar 2024 10:48:58 +0000 (10:48 +0000)]
libcli/http: Detect unsupported Transfer-encoding type
Also removes knownfail for test that now passes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a18c53a9b98e2e8dea08cf0ef08efc59e58ec137)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Thu Apr 11 12:24:08 UTC 2024 on atb-devel-224
Noel Power [Thu, 28 Mar 2024 09:16:33 +0000 (09:16 +0000)]
selftest: Add new test for testing non-chunk transfer encoding
And add a known fail because there is a bug :-(
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
93709d31590d4ca25fbac813b9e499755b81ddb5)
Noel Power [Thu, 28 Mar 2024 09:09:02 +0000 (09:09 +0000)]
selftest: fix potential reference before assigned error
This would only happen if the test failed (but the message would be
incorrect as 'e' the exception to be stringified doesn't exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
efdbf0511e0a89f865210170001fbebf17a45278)
Noel Power [Mon, 25 Mar 2024 19:44:10 +0000 (19:44 +0000)]
libcli/http: Handle http chunked transfer encoding
Also removes the knownfail for the chunked transfer test
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit
03240c91fb6ffcf5afe47c14a1ba7a8bc12f2348)
Noel Power [Thu, 23 Sep 2021 11:18:22 +0000 (12:18 +0100)]
tests: add test for chunked encoding with http cli library
Adds http test client to excercise the http client library
and a blackbox test to run the client. This client is built
only with selftest
also adds a knownfail for the test
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit
30acd609f560352d3edb0c931b9a864110025b2c)
Noel Power [Fri, 22 Mar 2024 08:55:49 +0000 (08:55 +0000)]
libcli/http: Optimise reading for content-length
Instead of reading byte-by-byte we know the content length we
want to read so lets use it.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit
5f03d84e3b52bf5a31a0f885cb83bdcb48ec96f7)
Noel Power [Mon, 25 Mar 2024 16:25:55 +0000 (16:25 +0000)]
selftest: Add basic content-lenght http tests
very simple test of basic http request/response plus some checks to
ensure http response doesn't exceed the response max length set by
the client call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
74cdebeae3d1bc35eea96b51b9491f6c52844b10)
Noel Power [Mon, 25 Mar 2024 19:21:54 +0000 (19:21 +0000)]
Add simple http_client for use in black box tests (in following commits)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
cd6c075476c820b4fe8bdc10a24d8fc8ac74e9c9)
Jule Anger [Wed, 27 Mar 2024 16:13:13 +0000 (17:13 +0100)]
VERSION: Bump version up to Samba 4.20.1...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Wed, 27 Mar 2024 16:12:54 +0000 (17:12 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.20.0 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Wed, 27 Mar 2024 16:10:58 +0000 (17:10 +0100)]
WHATSNEW: Add release notes for Samba 4.20.0.
Signed-off-by: Jule Anger <janger@samba.org>
Björn Jacke [Wed, 24 Jan 2024 23:46:38 +0000 (00:46 +0100)]
Revert "token_util.c: prefer capabilities over become_root"
This reverts commit
944cb51506a94084d7ab52ee044fe6f66e1aaeb9.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 27 10:47:23 UTC 2024 on atb-devel-224
(cherry picked from commit
0dec2ef188a93504da873d927ca2b26f8c491fb8)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Mar 27 16:51:00 UTC 2024 on atb-devel-224
Björn Jacke [Mon, 25 Mar 2024 16:04:45 +0000 (17:04 +0100)]
Revert "dosmode.c: prefer use of capabilities at two places over become_root"
This reverts commit
c1e2fbb1b9a7551becf5caa0f08d434edf9ad862.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
32aa11e9b570ce1c0bec889b699bc4897c9d9843)
Björn Jacke [Mon, 25 Mar 2024 16:04:23 +0000 (17:04 +0100)]
Revert "nfs4_acls.c: prefer capabilities over become_root"
This reverts commit
06e5c1e32ea7907523cc19f021225e7541e2075f.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
33e88911ee7a8974d52021632ca25c1ddfcb6f45)
Björn Jacke [Mon, 25 Mar 2024 16:04:17 +0000 (17:04 +0100)]
Revert "vfs_acl_common.c: prefer capabilities over become_root"
This reverts commit
12734848dc9901b932644139aaa7e3f78e55c8dc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
af7b930e2bfe2275cee14dc2154f2aea8875fa63)
Björn Jacke [Mon, 25 Mar 2024 16:03:57 +0000 (17:03 +0100)]
Revert "vfs_default.c: prefer capabilities over become_root"
This reverts commit
62464bd2db2a95b1253364f4493bbb6770b73193.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
52ad635b2705bcfc8166bd90b1ad35ebb9cbc986)
Björn Jacke [Mon, 25 Mar 2024 16:03:50 +0000 (17:03 +0100)]
Revert "vfs_posix_eadb.c: prefer capabilities over become_root"
This reverts commit
92278418dc885ed411f545e73c800ce93f858090.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
10c7a3e47c62dcb1dfe7e384960d60cafcb9e44e)
Björn Jacke [Mon, 25 Mar 2024 16:03:44 +0000 (17:03 +0100)]
Revert "vfs_recycle.c: prefer capabilities over become_root"
This reverts commit
4227b011f6ada97a4cd72a440ed887ffdb3f219e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
7f19afbd40d3ad3c8d186d0a2a64d07a2a8bd00a)
Björn Jacke [Mon, 25 Mar 2024 16:03:35 +0000 (17:03 +0100)]
Revert "open.c: prefer capabilities over become_root"
This reverts commit
b250f25fe407f9a6269b804382de4854501f2d86.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
88eb58af6783ad23d2e2b602ee9fdbbdf556b354)
Björn Jacke [Mon, 25 Mar 2024 16:03:28 +0000 (17:03 +0100)]
Revert "posix_acls.c: prefer capabilities over become_root"
This reverts commit
1edf9ecaf56f3312e199e633bff0804243042e33.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
87479544381e103ee2b1def574a5865a3f6a93d9)
Björn Jacke [Mon, 25 Mar 2024 16:03:14 +0000 (17:03 +0100)]
Revert "dosmode: prefer capabilities over become_root"
This reverts commit
5e925f9755fad180863861157aa7548d83dd3fde.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
58ea952fd0c716f94b1b79b8ed1829bb72732ccc)
Noel Power [Tue, 20 Feb 2024 09:26:29 +0000 (09:26 +0000)]
s3/smbd: If we fail to close file_handle ensure we should reset the fd
if fsp_flags.fstat_before_close == true then close_file_smb will call
vfs_stat which can fail. If it does fail then the fd associated
with the file handle will still be set (and we will hit an assert
is the file handle destructor) when calling file_free.
We need to set fd to -1 to avoid that. To achieve that we capture and
return the vfs_stat_fsp failure status while still processing the rest
of the fd_close logic.
[2024/02/20 09:23:48.454671, 0, pid=9744] ../../source3/smbd/smb2_close.c:226(smbd_smb2_close)
smbd_smb2_close: close_file[]: NT_STATUS_ACCESS_DENIED
[2024/02/20 09:23:48.454757, 0, pid=9744] ../../source3/smbd/fd_handle.c:40(fd_handle_destructor)
PANIC: assert failed at ../../source3/smbd/fd_handle.c(40): (fh->fd == -1) || (fh->fd == AT_FDCWD)
[2024/02/20 09:23:48.454781, 0, pid=9744] ../../lib/util/fault.c:178(smb_panic_log)
===============================================================
[2024/02/20 09:23:48.454804, 0, pid=9744] ../../lib/util/fault.c:185(smb_panic_log)
INTERNAL ERROR: assert failed: (fh->fd == -1) || (fh->fd == AT_FDCWD) in smbd (smbd[192.168.10) (client [192.168.100.15]) pid 9744 (4.21.0pre1-DEVELOPERBUILD)
[2024/02/20 09:23:48.454844, 0, pid=9744] ../../lib/util/fault.c:190(smb_panic_log)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2024/02/20 09:23:48.454869, 0, pid=9744] ../../lib/util/fault.c:191(smb_panic_log)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Mar 13 10:34:45 UTC 2024 on atb-devel-224
(cherry picked from commit
6ee3f809a54d7b833ff798e68a93ada00a215d4d)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Mar 27 15:41:37 UTC 2024 on atb-devel-224
Ralph Boehme [Mon, 5 Feb 2024 14:03:48 +0000 (15:03 +0100)]
smbd: simplify handling of failing fstat() after unlinking file
close_remove_share_mode() already called vfs_stat_fsp(), so we can skip the
fstat() triggered in fd_close() by fsp->fsp_flags.fstat_before_close being true.
This avoids getting an EACCESS error when doing an fstat() on the removed file
which seems to happen with some FUSE filesystems.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
6e6324cff29089a636823786183222a73fe7cb28)
Douglas Bagnall [Fri, 22 Mar 2024 19:27:41 +0000 (08:27 +1300)]
ndr: always attempt ACE coda pull if ACE type suggests a coda
We were skipping the pull in cases where the coda size was calculated
to be zero. This has the right result for empty conditional ACEs, but
not for Resource Attribute ACEs where the
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 coda was not intialised.
The situation is made a bit worse, because the function that
calculates the coda size (ndr_subcontext_size_of_ace_coda()) can
return zero in conditions that are not exactly errors, but in which
the would-be calculated value makes so little sense that zero is
thought to be a safer default.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15613
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 25 06:00:21 UTC 2024 on atb-devel-224
(cherry picked from commit
6fb98f70c6274e172787c8d5f73aa93920171e7c)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Mar 26 11:17:58 UTC 2024 on atb-devel-224
Jo Sutton [Tue, 2 May 2023 03:42:24 +0000 (15:42 +1200)]
tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15607
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 21 04:19:18 UTC 2024 on atb-devel-224
(cherry picked from commit
4f0ed9b00389fa641a423b88ab5462b32dd7bbca)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Fri Mar 22 11:06:51 UTC 2024 on atb-devel-224
Douglas Bagnall [Sun, 17 Mar 2024 10:08:23 +0000 (23:08 +1300)]
libcli/security: check again for NULL values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=156067
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224
(cherry picked from commit
b815abe77991d7929717ea3ed4b9d7bef7179715)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Mar 20 12:03:45 UTC 2024 on atb-devel-224
Douglas Bagnall [Sun, 17 Mar 2024 10:07:17 +0000 (23:07 +1300)]
libcli/security: claims_conversions: check for NULL in claims array
If by mistake we end up with a NULL in our array of claims pointers,
it is better to return an error than crash.
There can be NULLs in the array if a resource attribute ACE has a
claim that uses 0 as a relative data pointer. Samba assumes this means
a NULL pointer, rather than a zero offset.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
78f728063a1e510966a45f7f1d9515ea3bd16214)
Stefan Metzmacher [Fri, 15 Mar 2024 22:17:36 +0000 (23:17 +0100)]
WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(v4-20-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-20-test): Tue Mar 19 13:30:31 UTC 2024 on atb-devel-224
Andreas Schneider [Tue, 5 Mar 2024 12:17:19 +0000 (13:17 +0100)]
libgpo: Do not segfault if we don't have a valid security descriptor
Program received signal SIGSEGV, Segmentation fault.
ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713
713 NDR_CHECK(ndr_push_security_descriptor_revision(ndr, NDR_SCALARS, r->revision));
Thread 1 (Thread 0x7ffff7ece740 (LWP 21460) "python3"):
#0 ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713
_flags_save_STRUCT = 0
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
_status = <optimized out>
__FUNCTION__ = "ndr_push_security_descriptor"
#1 0x00007ffff617237f in ndr_push_struct_blob (blob=blob@entry=0x7fffffffdb20, mem_ctx=0x555555aa3bd0, p=0x0, fn=0x7ffff6074ad0 <ndr_push_security_descriptor>, fn@entry=0x7ffff60706c8 <ndr_push_security_descriptor@plt>) at ../../librpc/ndr/ndr.c:1438
_status = <optimized out>
ndr = 0x555555bf41b0
#2 0x00007ffff607cccf in marshall_sec_desc (mem_ctx=<optimized out>, secdesc=<optimized out>, data=data@entry=0x7fffffffdb80, len=len@entry=0x7fffffffdb78) at ../../libcli/security/secdesc.c:241
blob = {data = 0x7fffffffdb40 "`\333\377\377\377\177", length =
140737352374299}
ndr_err = <optimized out>
__FUNCTION__ = "marshall_sec_desc"
#3 0x00007ffff29edd94 in GPO_marshall_get_sec_desc_buf (self=<optimized out>, args=<optimized out>, kwds=<optimized out>) at ../../libgpo/pygpo.c:119
gpo_ptr = <optimized out>
status = <optimized out>
data = 0x0
len = 0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15599
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit
b13d4359f2f16e391763d1dc6a5718def973fabb)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Fri Mar 15 10:29:54 UTC 2024 on atb-devel-224
Andreas Schneider [Mon, 4 Mar 2024 15:42:38 +0000 (16:42 +0100)]
libgpo: Fix trailing spaces in pygpo.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit
6fb86a0fa62d93c1c84c2000f01c381a9e8217e1)
Jule Anger [Mon, 11 Mar 2024 14:54:24 +0000 (15:54 +0100)]
VERSION: Bump version up to Samba 4.20.0rc5...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 11 Mar 2024 14:53:57 +0000 (15:53 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc4 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 11 Mar 2024 14:53:16 +0000 (15:53 +0100)]
WHATSNEW: Add release notes for Samba 4.20.0rc4.
Signed-off-by: Jule Anger <janger@samba.org>
Andreas Schneider [Wed, 21 Feb 2024 08:10:47 +0000 (09:10 +0100)]
python:gp: Implement client site lookup in site_dn_for_machine()
This is [MS-GPOL] 3.2.5.1.4 Site Search.
The netr_DsRGetSiteName() needs to run over local rpc, however we do not
have the call implemented in our rpc_server. What netr_DsRGetSiteName()
actually does is an ldap query to get the sitename, we can just do the
same.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e4c3c61302b12419f041867b58350f11dc800318)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Fri Mar 1 09:01:06 UTC 2024 on atb-devel-224
Andreas Schneider [Wed, 21 Feb 2024 07:56:06 +0000 (08:56 +0100)]
librpc:idl: Make netlogon_samlogon_response public
This is required that we can use it with ndrdump or in python to decode
a NETLOGON_SAM_LOGON_RESPONSE_EX ldap response.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588
Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e758425869729a43136ae51e6baecb2061d1525b)
Jule Anger [Mon, 26 Feb 2024 11:36:59 +0000 (12:36 +0100)]
VERSION: Bump version up to Samba 4.20.0rc4...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 26 Feb 2024 11:36:25 +0000 (12:36 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc3 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 26 Feb 2024 11:35:56 +0000 (12:35 +0100)]
WHATSNEW: Add release notes for Samba 4.20.0rc3.
Signed-off-by: Jule Anger <janger@samba.org>
Noel Power [Thu, 8 Feb 2024 14:05:43 +0000 (14:05 +0000)]
s3/rpc_client: Fix array offset check
Previous to this commit we were modifying the offset before
the array offset check. This was causing a spurious debug
message indicating the offset was out of bounds. An second
problem is that upon detecting the error we don't exit the loop.
A third problem was that when reading the offset the check
didn't cater for the size of the integer address about to be read.
This commit moves the offset check to before the first read,
additionally when an error is detected now we actually exit the loop
and the offset have been corrected to include the size of the
integer to be read
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Feb 17 17:58:43 UTC 2024 on atb-devel-224
(cherry picked from commit
885850b6aaabf089f422b1b015481a0ccff4f90e)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Feb 26 10:37:37 UTC 2024 on atb-devel-224
Noel Power [Wed, 14 Feb 2024 11:19:39 +0000 (11:19 +0000)]
s3/rpc_client: Ensure max possible row buffer size is not exceeded
The max buf size of rows buffer should not exceed 0x00004000.
Ensuring this value is within limits means we can safely use
uint32_t offsets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
f487211706a74d516bf447ed393222b4c0dce7b0)
Noel Power [Wed, 14 Feb 2024 12:01:28 +0000 (12:01 +0000)]
idl: Add constant for max rows buffer size
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
01e901ef869a1a87fba0e67bce311dbeb199b717)
Noel Power [Wed, 10 Jan 2024 14:43:58 +0000 (14:43 +0000)]
s3/rpc_client: cleanup unmarshalling of variant types from row columns
Prior to this change fn 'extract_variant_addresses' actually returns offsets
to the variant stored not the addresses, additionally the param in the
signature of the method is named offset where the param in reality is a
base address.
This change makes fn 'extract_variant_addresses' actually return addresses
instead of offsets and also changes the name of the incoming param. The
resulting changes are propaged to callers which hopefully makes what the
code is actually doing a little clearer
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Jan 30 17:22:37 UTC 2024 on atb-devel-224
(cherry picked from commit
9b2f2302ee4828ae54f5903a3bf649ffd255fb4a)
Noel Power [Mon, 8 Jan 2024 15:56:38 +0000 (15:56 +0000)]
s3/utils: use full 64 bit address for getrows (with 64bit offsets)
if 64bit offsets are used the hi 32-bits of address are stored in
the ulreserved2 member of the message header field and the low 32-bits
are stored in the ulclientbase member of the cpmgetrows message
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
6ecb614b8ec6953ba15e8061fce9b395615b035a)
Noel Power [Wed, 10 Jan 2024 10:59:23 +0000 (10:59 +0000)]
s3/rpc_client: Remove stray unnecessary comment
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
efa60ff3105ac80ffff6d2a5d82dd0615ddb7578)
Noel Power [Mon, 8 Jan 2024 15:12:35 +0000 (15:12 +0000)]
s3/rpc_client: change type of offset to uint64_t
Offset can be a 32 or 64 bit address depending on the indexing addressing
mode negotiated by the client
With a 32 bit param we can only specify a 32 bit base address. This change
alone doesn't affect anything as it is the client itself that choses and
passes the base address offset and wspsearch is the only current user of
this code.
In this case even with 64bit addressing negotiated the address passed
represents only the lower 32-bits part of the address.
However, for coverage purposes it would be better for the client to use an
address that covers the full 64bit range of the address (when 64 bit
addressing is negotiated).
This change will alow the wspsearch client in a future commit to pass a
base address value with both the hi and low 32 bits values set to make up
the full 64 bit address.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a61eb7032896265eaef3ba225aafd6f293e7569d)
Martin Schwenke [Fri, 9 Feb 2024 06:29:46 +0000 (17:29 +1100)]
ctdb-protocol: Add missing push support for new controls
CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
CTDB_CONTROL_TCP_CLIENT_PASSED were added in commits
c6602b686b4e50d93272667ef86d3904181fb1ab and
037e8e449deb136ad5ed5e4de05439411b545b6d. They were missing test
support for the packet push/pull. While adding the testing (for
completeness, before adding another new control) I noticed that the
push functionality was absent. This adds that, along with the test
support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15580
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 19 10:21:48 UTC 2024 on atb-devel-224
(cherry picked from commit
dd9b11acbc4fbde1941719968aeb463b853b0ffb)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Feb 20 13:46:47 UTC 2024 on atb-devel-224
Jo Sutton [Thu, 1 Feb 2024 23:23:58 +0000 (12:23 +1300)]
python: Remove ‘typing.Final’
This is only present in Python 3.8 and above.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15575
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d6fe66ddeeb99c550fa9a0f1abb845e6daf71f8a)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Feb 19 15:35:39 UTC 2024 on atb-devel-224
Rob van der Linde [Thu, 1 Feb 2024 23:54:41 +0000 (12:54 +1300)]
python: do not make use of typing.Final for python 3.6
Python 3.6 does not have typing.Final yet
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15575
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ecc84aa448a962f1a224144bbb65f0cef36a4279)
Stefan Metzmacher [Thu, 8 Feb 2024 14:43:39 +0000 (15:43 +0100)]
docs-xml: document "smb3 share cap:{CONTINUOUS AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Feb 13 21:06:24 UTC 2024 on atb-devel-224
(cherry picked from commit
7a674ee9ffeca047ceed7ac046db1b168d4025a6)
Stefan Metzmacher [Thu, 8 Feb 2024 14:31:10 +0000 (15:31 +0100)]
smb2_tcon: only announce SMB3 related share capabilities if SMB3 is used
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
32b84c5bce00c4f91191596dc00d9824e82e0f24)
Stefan Metzmacher [Thu, 8 Feb 2024 14:15:28 +0000 (15:15 +0100)]
smb2_tcon: only announce SMB2_SHARE_CAP_CLUSTER if rpcd_witness can run
rpcd_witness needs ncacn_ip_tcp support and that's only
available if samba-dcerpcd is not started on demand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
d8bfdaaaa737032c6a8623512fcb2cd01850628a)
Stefan Metzmacher [Thu, 8 Feb 2024 13:25:05 +0000 (14:25 +0100)]
docs-xml: add details for 'net witness'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
1d0938d6fe46c06432ae5fda9e7491b908a9ac56)
Stefan Metzmacher [Thu, 8 Feb 2024 14:07:42 +0000 (15:07 +0100)]
s3:utils: fix help string for 'net witness force-response'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
7a23429ed6a04bb14509758492bfaee5db6dbd0d)
Stefan Metzmacher [Fri, 2 Feb 2024 12:54:20 +0000 (13:54 +0100)]
ctdb/events: add 47.samba-dcerpcd.script
If someone wants to enable the witness service
samba-dcerpcd needs to be started as standalone service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
f1f68108cc303b92b8a88728d12c2b699fdfc731)
Stefan Metzmacher [Fri, 2 Feb 2024 12:54:20 +0000 (13:54 +0100)]
ctdb/events: use 'service "$CTDB_SERVICE_NMB" status' in 48.netbios.script
We can easily monitor if the service is running at all,
that better than no monitoring at all...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
ff8f778e39af563d97b1d38f89368a3c148532f2)
Jule Anger [Mon, 12 Feb 2024 13:05:12 +0000 (14:05 +0100)]
VERSION: Bump version up to Samba 4.20.0rc3...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 12 Feb 2024 13:04:39 +0000 (14:04 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc2 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 12 Feb 2024 13:01:59 +0000 (14:01 +0100)]
WHATSNEW: Add release notes for Samba 4.20.0rc2.
Signed-off-by: Jule Anger <janger@samba.org>
Andrew Bartlett [Wed, 31 Jan 2024 22:33:27 +0000 (11:33 +1300)]
WHATSNEW: Explain new AD DC Claims, authentication policies and Silos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Feb 12 11:55:51 UTC 2024 on atb-devel-224
Douglas Bagnall [Mon, 15 Jan 2024 02:21:11 +0000 (15:21 +1300)]
WHATSNEW: Add some information about new conditional aces feature
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Mon, 15 Jan 2024 02:22:27 +0000 (15:22 +1300)]
WHATSNEW: note "acl_claims evaluation" smb.conf option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Mon, 8 Jan 2024 02:05:35 +0000 (15:05 +1300)]
ndr: ignore trailing bytes in ndr_pull_security_ace()
This returns the behaviour with ordinary ACEs to where it was with 4.19.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit
0c1f421c107be3156b3f1db75aced24a1bca3d2f)
Douglas Bagnall [Mon, 8 Jan 2024 01:50:30 +0000 (14:50 +1300)]
ndr: ndr_push_security_ace: calculate coda size once
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit
a72c198921f64f2502f543c7158762c64cb3074e)
Douglas Bagnall [Sun, 31 Dec 2023 21:21:55 +0000 (10:21 +1300)]
ndr: avoid object ACE push overhead for non-object ACE
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit
ecb5da3e49283ca3a03dea81d22db4a081e192e4)
Douglas Bagnall [Sun, 31 Dec 2023 21:21:33 +0000 (10:21 +1300)]
ndr: avoid object ACE pull overhead for non-object ACE
When an ACE is not an object ACE, which is common, setting the switch
value and attempting the object ACE GUID pull is just going to do
nothing, and we know that ahead of time. By noticing that we can save
a bit of time on a common operation.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit
fce4d51eb492a6fc807c6849cd4bd65ca7714509)
Douglas Bagnall [Sun, 31 Dec 2023 04:45:36 +0000 (17:45 +1300)]
ndr: do not push ACE->coda.ignored blob
From
1e80221b2340de5ef5e2a17f10511bbc2c041163 (2008) until
c73034cf7c4392f5d3505319948bc84634c20fa5 (conditional ACEs, etc, 2023)
we had a manual ndr_pull_security_ace() that would discard trailing
bytes, which are those bytes that we now call the coda. The ACE types
that we handled then are those that end up with a coda.ignored data
blob.
With this we effectively restore the long-standing behaviour in the
event that we push and pull an ACE -- though now we discard the
ignored bytes on push rather than pull.
This change is not because the trailing bytes caused any problems (as
far as is known), but because it is much faster to not do the push.
It may be that such ACEs no longer occur.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit
2a60ec98409b161cfeb4b51414ba61feb26c01b9)
Douglas Bagnall [Fri, 29 Dec 2023 02:27:08 +0000 (15:27 +1300)]
ndr: mark invalid pull ndr_flags as unlikely
This might have little effect, but sometimes we see primatives like
ndr_pull_uint32() taking a few percent of the CPU time, and this is in
all those functions.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
(cherry picked from commit
4face258dee93dcd01dce71fcb7448b285ff4860)