VERSION: Disable GIT_SNAPSHOT for the 4.11.4 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

s3: smbd: Only set xconn->smb1.negprot.done = true after supported_protocols[protocol].proto_reply_fn() succeeds.

Otherwise we can end up with negprot.done set, but
without smbXsrv_connection_init_tables() being called.

This can cause a client self-crash.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec  4 21:27:24 UTC 2019 on sn-devel-184

(cherry picked from commit 8db0c1bff6f42feabd2e4d9dfb13ae12cc29607b)

Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Fri Dec 13 12:30:57 UTC 2019 on sn-devel-184

python: tests. Add test for fuzzing smbd crash bug.

Mark knownfail for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 46899ecf836d350c0c29b615869851da7d0ad6fb)

s3: smbd: Ensure we exit if supported_protocols[protocol].proto_reply_fn() fails.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit e84910d919e02feab2a297fccbbf95f333e32119)

s3: smbd: Change (*proto_reply_fn()) to return an NTSTATUS.

That way the caller can know if the negprot really
succeeded or not.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit f4caa4159bd3db5127e114718e606867348a4f47)

s3: smbd: Change reply_smb20xx() to return NTSTATUS.

Not yet used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 836219c479b047403d2b0839a6b92ad637dbaea0)

s3: smbd: Ensure we exit on smbd_smb2_process_negprot() fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit a2d81d77c111379cbb6bd732c717307974eace0a)

s3: smbd: Allow smbd_smb2_process_negprot() to return NTSTATUS as it can fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 868bc05cf5d575e20edcce241e3af1d0fa6d9824)

s3: smbd: SMB2 - Ensure we use the correct session_id if encrypting an interim response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14189

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit eae1a45d09ef54dd6b59803eedca672ae9433902)

VERSION: Bump version up to 4.11.4.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

Merge tag 'samba-4.11.3' into v4-11-test

samba: tag release samba-4.11.3

smbd: Increase a debug level

This is not a real error, it happens when the share mode record is not
around.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14211
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit 4b05fe7ca73dae30807680f0e0401340bfb2c738)

Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Wed Dec  4 10:15:19 UTC 2019 on sn-devel-184

VERSION: Disable GIT_SNAPSHOT for the 4.11.3 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.11.3.

o CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS
                  management server (dnsserver).
o CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition
                  on Samba AD DC.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

heimdal-build: avoid hard-coded /usr/include/heimdal in asn1_compile-generated code.

This fixes a cross-compilation issue, as cross-compilers (rightly)
complain if host include directories are in the include path.

The fix is taken from buildroot (https://github.com/buildroot/buildroot/blob/8b11b96f41a6ffa76556c9bf03a863955871ee57/package/samba4/0006-heimdal_build-wscript_build-do-not-add-host-include-.patch) where it was applied by Bernd Kuhls <bernd.kuhls@t-online.de>.

This reverts some of 3fe2bfddda6149f6bf7402720226e9285f479fef, but
building Samba's bundled Heimdal with a system roken is not supported
anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13856

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Dec  1 10:22:01 UTC 2019 on sn-devel-184

(cherry picked from commit 27fc062d7ea2207242d5a2c9933f3de5fa206488)

ldb: Release ldb 2.0.8

* Upgrade waf to version 2.0.18 to match the rest of Samba 4.11.x

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13846

Signed-off-by: Uri Simchoni <uri@samba.org>

autobuild: harden samba-xc test suite

Add more checks which directly test the behavior of
--cross-answers and --cross-execute.

Previous test tested things in a round-about way, checking
that running in all three modes (native, cross-execute,
cross-answers) yields the same result. It was vulnerable
to a degradation in which cross-compilation modes didn't
work at all and were running native tests, which is
what happened with the upgrade of waf.

The added tests check the following:
- That cross-excute with cross-answers sets the cross-answers file
- That the content of cross-answers file actually affects the build
  configuration
- That a missing line in cross-answers fails the build

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13846

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Sun Oct 20 13:29:58 UTC 2019 on sn-devel-184

(cherry picked from commit 649d15bb969b6d27fd4554f49600366bb3df4712)

wafsamba: pass environment to cross-execute tests

This can come in handy for cross-execute scripts in general, and
is particularly required by the samba-xc test for cross-answers /
cross-execute, because Samba sets LD_LIBRARY_PATH during rpath
checks, and the test program needs that in order to successfully
run.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13846

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fdfd69840902f4b13db2a204a0ca87a578b61b85)

wafsamba: avoid pre-forking if cross-compilation is enabled

Waf supports pre-forking to run configuration tests, but this
doesn't play well with Samba's cross-compilation support, because
Samba monkey-patches the actual fork+exec, which doesn't happen
in a pre-forked process pool.

This patch emulates the impact of WAF_NO_PREFORK env var when
cross-compilation is enabled.

The blueprint for the solution has been suggested by Thomas Nagy
in https://bugzilla.samba.org/show_bug.cgi?id=13846#c7 (item #2)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13846

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5a4ade953420a4122c80d291ac53310abd6a279c)

wafsamba: use test_args instead of exec_args to support cross-compilation

exec_args seems to have been a custom addition to Samba's copy of waf.
Upstream Waf has an identically-purposed parameter called test_args.

This parameter is being used for addiing runtime args to test programs that
are being run during configuration phases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13846

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e00e93350288dc212fed3f1be2adf78dcb6e58e7)

waf: upgrade to 2.0.18

This is required to get the new test_args parameter to conf.check, which
facilitates passing arguments to configuration test programs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13846

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 09e282ec8173f2935bdb579e0396f269ce712e0d)

CVE-2019-14870: mit-kdc: enforce delegation_not_allowed flag

Signed-off-by: Isaac Boukris <iboukris@samba.org>

CVE-2019-14870: heimdal: enforce delegation_not_allowed in S4U2Self

Signed-off-by: Isaac Boukris <iboukris@gmail.com>

CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed

Signed-off-by: Isaac Boukris <iboukris@gmail.com>

samba-tool: add user-sensitive command to set not-delegated flag

Signed-off-by: Isaac Boukris <iboukris@gmail.com>

s4-torture: Reduce flapping in SambaToolDrsTests.test_samba_tool_replicate_local

This test often flaps in Samba 4.9 (where more tests and DCs run in the environment)
with obj_1 being 3.  This is quite OK, we just need to see some changes get
replicated, not 0 changes.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 4ae0f9ce0f5ada99cf1d236377e5a1234c879ae3)

CVE-2019-14861: Test to demonstrate the bug

This test does not fail every time, but when it does it casues a segfault which
takes out the rpc_server master process, as this hosts the dnsserver pipe.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2019-14861: s4-rpc/dnsserver: Avoid crash in ldb_qsort() via dcesrv_DnssrvEnumRecords)

dns_name_compare() had logic to put @ and the top record in the tree being
enumerated first, but if a domain had both then this would break the
older qsort() implementation in ldb_qsort() and cause a read of memory
before the base pointer.

By removing this special case (not required as the base pointer
is already seperatly located, no matter were it is in the
returned records) the crash is avoided.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2019-14861: s4-rpc_server: Remove special case for @ in dns_build_tree()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2019-14861: s4-rpc/dnsserver: Confirm sort behaviour in dcesrv_DnssrvEnumRecords

The sort behaviour for child records is not correct in Samba so
we add a flapping entry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

VERSION: Re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Bump version up to 4.11.3.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit e704eee3083658f7dcdd4238295f8e0b229a1688)

ctdb-tcp: Close inflight connecting TCP sockets after fork

Commit c68b6f96f26 changed the talloc hierarchy such that outgoing TCP sockets
while sitting in the async connect() syscall are not freed via
ctdb_tcp_shutdown() anymore, they are hanging off a longer-running structure.
Free this structure as well.

If an outgoing TCP socket leaks into a long-running child process (possibly the
recovery daemon), this connection will never be closed as seen by the
destination node. Because with recent changes incoming connections will not be
accepted as long as any incoming connection is alive, with that socket leak
into the recovery daemon we will never again be able to successfully connect to
the node that is affected by this leak. Further attempts to connect will be
discarded by the destination as long as the recovery daemon keeps this socket
alive.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14175
RN: Avoid communication breakdown on node reconnect

Signed-off-by: Martin Schwenke <martin@meltin.net>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit a6d99d9e5c5bc58e6d56be7a6c1dbc7c8d1a882f)

Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Tue Nov 19 13:21:18 UTC 2019 on sn-devel-184

ctdb-tcp: Drop tracking of file descriptor for incoming connections

This file descriptor is owned by the incoming queue.  It will be
closed when the queue is torn down.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14175

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit bf47bc18bb8a94231870ef821c0352b7a15c2e28)

ctdb-tcp: Avoid orphaning the TCP incoming queue

CTDB's incoming queue handling does not check whether an existing
queue exists, so can overwrite the pointer to the queue.  This used to
be harmless until commit c68b6f96f26664459187ab2fbd56767fb31767e0
changed the read callback to use a parent structure as the callback
data.  Instead of cleaning up an orphaned queue on disconnect, as
before, this will now free the new queue.

At first glance it doesn't seem possible that 2 incoming connections
from the same node could be processed before the intervening
disconnect.  However, the incoming connections and disconnect occur on
different file descriptors.  The queue can become orphaned on node A
when the following sequence occurs:

1. Node A comes up
2. Node A accepts an incoming connection from node B
3. Node B processes a timeout before noticing that outgoing the queue is writable
4. Node B tears down the outgoing connection to node A
5. Node B initiates a new connection to node A
6. Node A accepts an incoming connection from node B

Node A processes then the disconnect of the old incoming connection
from (2) but tears down the new incoming connection from (6).  This
then occurs until the originally affected node is restarted.

However, due to the number of outgoing connection attempts and
associated teardowns, this induces the same behaviour on the
corresponding incoming queue on all nodes that node A attempts to
connect to.  Therefore, other nodes become affected and need to be
restarted too.

As a result, the whole cluster probably needs to be restarted to
recover from this situation.

The problem can occur any time CTDB is started on a node.

The fix is to avoid accepting new incoming connections when a queue
for incoming connections is already present.  The connecting node will
simply retry establishing its outgoing connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14175

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit d0baad257e511280ff3e5c7372c38c43df841070)

ctdb-tcp: Check incoming queue to see if incoming connection is up

This makes it consistent with the reverse case.  Also, in_fd will soon
be removed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14175

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit e62b3a05a874db13a848573d2e2fb1c157393b9c)

gitlab-ci: Run samba-fileserver-heimdalkrb5

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Nov 13 19:14:25 UTC 2019 on sn-devel-184

(cherry picked from commit 5343cec5f0a5531af85d72021dba30c31a4a3f1b)

bootstrap: Add heimdal-multidev for Debian and Ubuntu

This is required for testing the build with the
configure option --with-system-heimdalkrb5.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2efc243f1ad09eae46f6f99fb0646ecd4356c3f9)

autobuild: Add test for build with system heimdal library

The configure option --with-system-heimdalkrb5 requires --without-ad-dc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7965a204d68196acddf553959bb3407125baf31d)

krb5_plugin: Fix developer build with newer heimdal system library

Newer heimdal versions provide a different locator plugin interface. The
function pointer for the old method has been renamed. Use an ifdef to
initialize the correct pointer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 85d23236200dbe013c09a4f23d982ef1baac240d)

krb5_plugin: Use C99 initializer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1aef796e302058ad3327613964fa89abaf940c1c)

selftest: system-heimdal: workaround upstream "host" canon bug

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 15ddd95d94688ed742a2965c4b269d7c84e2d858)

wscript: Fix build with system heimdal

Ubuntu has heimdal include files in /usr/include/heimdal. As the
kerberos include files are pulled into many files through indirect
includes, add the discovered include paths to EXTRA_INCLUDES to
always have them available.

Also set USING_SYSTEM_KRB5 when enabling the system heimdal build,
to correctly handle the inclusion of the krb5-types.h file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit be2d90b60d19eca408b60fe4e1b49f9b418f1b97)

s3: libsmb: Ensure return from net_share_enum_rpc() sets cli->raw_status on error.

Convert net_share_enum_rpc() to return an NTSTATUS and ensure the
status is set correctly on error so SMBC_errno() can return it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14176

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Nov  5 12:36:48 UTC 2019 on sn-devel-184

(cherry picked from commit ff47cc661d432a9337ade9a232a4f49164652812)

s3: utils: smbtree. Ensure we don't call cli_RNetShareEnum() on an SMB1 connection.

Last unprotected call of cli_RNetShareEnum(). Not a libsmbclient
bug here but might as well fix the last caller as part of the
fix for the bug.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14174

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f30b8b3aa1309e9daeb9a3601b537dead81e5dbb)

Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Wed Nov 13 14:45:53 UTC 2019 on sn-devel-184

s3: libsmb: Ensure we don't call cli_RNetShareEnum() on an SMB1 connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14174

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1cfcad6283da855d3e97237a7a6fd6f4d2436ee2)

s3:printing: Fix %J substition

print_run_command() uses lp_print_command() which internally performs basic
substition by calling talloc_sub_basic(). As a result. any of the variables in
the "basic set", including "%J" are already substituted.

To prevent the unwanted subtitution, we declare all affected configuration
options as const, which disabled the basic substition.

As a result print_run_command() can run manual substitution on all characters,
including %J, in the variadic argument list *before* calling lp_string() to run
basic substition which we had disabled before with the const.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13745

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov  7 16:01:21 UTC 2019 on sn-devel-184

(cherry picked from commit 8846887a55b0c97a1639fc6ecb228941cf16b8f2)

s3:printing: add a DEBUG statement

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13745

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ede00779ab2d881e061adb9d861879e8c68e272b)

s3:lib: factor out talloc_sub_advanced() from talloc_sub_full()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13745

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 41ab92b62fbf029374b89f9d0ddf7578981f37cf)

s3: rename talloc_sub_advanced() to talloc_sub_full()

We currently have the following substitution functions:

  talloc_sub_basic()
  talloc_sub_advanced()

talloc_sub_basic() currently substitutes a subset of talloc_sub_advanced().

We'll need a function X that only substitutes what talloc_sub_advanced()
substitutes *without* what talloc_sub_basic() does.

To get there rename talloc_sub_advanced() to talloc_sub_full(). A subsequent
commit will then bring back talloc_sub_advanced() as described above.

Examples with fictional replacement letters A and B. Currently:

  talloc_sub_basic:    A
  talloc_sub_advanced: AB

New:

  talloc_sub_basic:    A
  talloc_sub_advanced:  B
  talloc_sub_full:     AB

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13745

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(backported from commit 4736623c24503b3ca09c76c9dbb134ef833b2f80)

s3: remove unused function standard_sub_advanced()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13745

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a591de28659919d2afd7ed55106cded6a0d9ab35)

s3: replace standard_sub_advanced with talloc_sub_advanced in one place

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13745

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 81ae199bb72886f2f1ed87b22b4c75b6b99c72f6)

s3:printing: fix a long line

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13745

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit dcb555c06a6341871b691dab3758e7de04110282)

lib/adouble: pass filesize to ad_unpack()

ad_unpack() needs the filesize, not the capped IO size we're using in the caller
to read up to "size" bystem from the ._ AppleDouble file.

This fixes a regression introduced by bdc257a1cbac7e8c73a084b618ba642476807483
for bug 13968.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14171
RN: vfs_fruit returns capped resource fork length

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Oct 30 14:52:34 UTC 2019 on sn-devel-184

(backported from commit f3df83a2c346d945487a27a9d258ee6331ea7dbb)

Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Fri Nov  8 13:52:49 UTC 2019 on sn-devel-184

lib/adouble: drop ad_data reallocate logic

Simply set the buffer size to AD_XATTR_MAX_HDR_SIZE. When reading the
AppleDouble file, read up to AD_XATTR_MAX_HDR_SIZE from the file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14171

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(backported from commit 9a3da6bebcdb924ca2027337544d79ac2088677e)

vfs_fruit: README.Coding fix: multi-line if expression

Also remove a TAB.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14171

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(backported from commit baaaf59e948df625b01fa8b6317ab5c3babb4e8f)

vfs_fruit: fix a long line

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14171

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(backported from commit f0c8ac47a4608eabeae334d39885aab98198b753)

torture: expand test "vfs.fruit.resource fork IO" to check size

Reveals a bug where the resource fork size is capped at 65454 bytes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14171

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit b63069db9fb6efb33b7b917cd5b0ee06b0da9cdc)

s3:smbd: Fix sync dosmode fallback in async dosmode codepath

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14070
RN: Fix sync dosmode fallback in async dosmode codepath

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Aug  6 15:40:18 UTC 2019 on sn-devel-184

(cherry picked from commit 5d4aa6e867044e6b58b45acde32ac35e1d0a7765)

s3:smbd: Incomplete conversion of former parametric options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14069
RN: Incomplete conversion of former parametric options

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(backported from commit ea17bd5539eb0be7a446b99c8b6baa4aa1ab273f)

s3: remove now unneeded call to cmdline_messaging_context()

This was only needed as dbwrap_open() had a bug where it asked for the ctdb
connection before initializing messaging. The previous commit fixed that so we
can now safely remove the calls to cmdline_messaging_context() from all tools
that don't use messaging.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13925

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 24 09:33:47 UTC 2019 on sn-devel-184

(cherry picked from commit 9471508391fd3bcf199b1e94f8d9ee2b956e8f8e)

s3:dbwrap: initialize messaging before getting the ctdb connection

This is a better fix for bug #13465.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13925

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ca95d7f41b683b4d7ac59ed6ee709d44abfe2019)

libnet_join: add SPNs for additional-dns-hostnames entries

and set msDS-AdditionalDnsHostName to the specified list.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 25 10:43:08 UTC 2019 on sn-devel-184

Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Tue Nov  5 13:57:30 UTC 2019 on sn-devel-184

docs-xml: add "additional dns hostnames" smb.conf option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

libnet_join_set_machine_spn: simplify adding uniq spn to array

and do not skip adding a fully qualified spn to netbios-aliases
in case a short spn already existed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

libnet_join_set_machine_spn: simplify memory handling

and avoid a possible memory leak when passing null to
add_string_to_array() as mem_ctx.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

libnet_join_set_machine_spn: improve style and make a bit room for indentation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

libnet_join: build dnsHostName from netbios name and lp_dnsdomain()

This make the join process much more reliable, and avoids "Constraint
violation" error when the fqdn returned from getaddrinfo has already
got assigned an SPN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

s4:dirsync: fix interaction of dirsync and extended_dn controls

Azure AD connect reports discovery errors:
  reference-value-not-ldap-conformant
for attributes member and manager.
The key is that it sends the LDAP_SERVER_EXTENDED_DN_OID without
an ExtendedDNRequestValue blob, which means the flag value should
be treated as 0 and the HEX string format should be used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14153
RN: Prevent azure ad connect from reporting discovery errors:
reference-value-not-ldap-conformant

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 24 11:06:58 UTC 2019 on sn-devel-184

(cherry picked from commit d0f566c4ad32d69a1cf896e2dde56fc2489bb7fc)

s4:tests/dirsync: add tests for dirsync with extended_dn

This demonstrates a problems that the extended_dn returned
by the dirsync module always uses the SDDL format for GUID/SID
components.

Azure AD connect reports discovery errors:
  reference-value-not-ldap-conformant
for attributes member and manager.
The key is that it sends the LDAP_SERVER_EXTENDED_DN_OID without
an ExtendedDNRequestValue blob, which means the flag value should
be treated as 0 and the HEX string format should be used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14153

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6d43d82b49c8cd47da2f1489fe8b52d5a873a19c)

replace: Only link libnsl and libsocket if requrired

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14168

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Oct 23 08:23:13 UTC 2019 on sn-devel-184

(cherry picked from commit 263bec1b8d0744da73dd92e4a361fb7430289ab3)

Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Mon Nov  4 09:31:23 UTC 2019 on sn-devel-184

s3: torture: Ensure SMB1 cli_qpathinfo2() doesn't return an inode number.

Piggyback on existing tests, ensure we don't regress on:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14161

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8e55a8562951924e4b1aad5a6d67fc8b309590c1)

s3: libsmb: Ensure SMB1 cli_qpathinfo2() doesn't return an inode number.

The info level it uses doesn't return that, previously we
were using the field that is returned as the EA size as
the inode number (which is usually zero, so the code in
libsmbclient would then synthesize an inode number from
a hash of the pathname, which is all it can do for SMB1).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14161

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit d495074ee27a5f528d5156a69800ee58d799b1eb)

VERSION: Bump version up to 4.11.3.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

Merge tag 'samba-4.11.2' into v4-11-test

samba: tag release samba-4.11.2

VERSION: Disable GIT_SNAPSHOT for the 4.11.2 release.

* Bug 14071: CVE-2019-10218: Client code can return filenames containing path
  separators.
* Bug 12438: CVE-2019-14833: Samba AD DC check password script does not receive
  the full password.
* Bug 14040: CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP
  server via dirsync.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.11.2.

* Bug 14071: CVE-2019-10218: Client code can return filenames containing path
  separators.
* Bug 12438: CVE-2019-14833: Samba AD DC check password script does not receive
  the full password.
* Bug 14040: CVE-2019-14847: User with "get changes" permission can crash AD DC
  LDAP server via dirsync.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

CVE-2019-14847 dsdb: Correct behaviour of ranged_results when combined with dirsync

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2019-14847 dsdb: Demonstrate the correct interaction of ranged_results style attributes and dirsync

Incremental results are provided by a flag on the dirsync control, not
by changing the attribute name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2019-14833 dsdb: send full password to check password script

utf8_len represents the number of characters (not bytes) of the
password. If the password includes multi-byte characters it is required
to write the total number of bytes to the check password script.
Otherwise the last bytes of the password string would be ignored.

Therefore we rename utf8_len to be clear what it does and does
not represent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438

Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2019-14833: Use utf8 characters in the unacceptable password

This shows that the "check password script" handling has a bug.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2019-10218 - s3: libsmb: Protect SMB2 client code from evil server returned names.

Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2019-10218 - s3: libsmb: Protect SMB1 client code from evil server returned names.

Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071

Signed-off-by: Jeremy Allison <jra@samba.org>

VERSION: Bump version up to 4.11.2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit 7b8309398beab679cd4068da497661ce33616edc)

VERSION: Bump version up to 4.11.2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Disable GIT_SNAPSHOT for Samba 4.11.1.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.11.1.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

s3:libsmb: Link libsmb against pthread

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 7259197bf716f8b81dea74beefe6ee3b1239f172)

Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Wed Oct 16 20:39:04 UTC 2019 on sn-devel-184

nsswitch: Link stress-nss-libwbclient against pthread

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit d473f1e38c2822746030516269b4d70032cf9b2e)

s3:libads: Do not turn on canonicalization flag for MIT Kerberos

This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155

Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 123584294cfd153acc2d9a5be9d71c395c847a25)

lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs

The autobuild cleanup script fails with:

The tree has 3 new uncommitted files!!!
git clean -n
Would remove MEMORY:tmp_smb_creds_SK98Lv
Would remove MEMORY:tmp_smb_creds_kornU6
Would remove MEMORY:tmp_smb_creds_ljR828

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d888655244b4d8ec7a69a042e0ff3c074585b0de)

spnego: fix server handling of no optimistic exchange

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184

python/tests/gensec: add spnego downgrade python tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

python/tests/gensec: make it possible to add knownfail tests for gensec.update()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

selftest: add tests for no optimistic spnego exchange

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

spnego: add client option to omit sending an optimistic token

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

selftest: s3: add a test for spnego downgrade from krb5 to ntlm

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:libsmb: Do not check the SPNEGO neg token for KRB5

The list is not protected and this could be a downgrade attack.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

spnego: ignore server mech_types list

We should not use the mech list sent by the server in the last
'negotiate' packet in CIFS protocol, as it is not protected and
may be subject to downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:smbd: add a comment explaining the File-ID semantics when a file is created

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit c190f3efa9eb4f633df28074b481ff884b67e65f)