Karolin Seeger [Thu, 14 Jan 2021 08:24:26 +0000 (09:24 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.12.11 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Thu, 14 Jan 2021 08:23:55 +0000 (09:23 +0100)]
WHATSNEW: Add release notes for Samba 4.11.11.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Ralph Boehme [Fri, 11 Dec 2020 11:59:28 +0000 (12:59 +0100)]
vfs_fruit: fix close for fake_fd
If the next backend doesn't use kernel fd's should not
pass a fake_fd to the next backend.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 8 21:38:18 UTC 2021 on sn-devel-184
(back-ported from commit
564b62a6f7c0a9b9712946d723118122b9c3785f)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Wed Jan 13 13:45:00 UTC 2021 on sn-devel-184
Ralph Boehme [Fri, 11 Dec 2020 12:00:56 +0000 (13:00 +0100)]
vfs_fruit: check fake_fd in fruit_pread_meta_stream()
Don't call into the next VFS backend if we know we still have a fake-fd. Just
return -1 and the caller has the logic to handle this, which results in
returning a AFP_AfpInfo blob initialized with some defaults.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit
c5da08422990dfc1e082bc01aa10d6e415eebe3f)
Ralph Boehme [Fri, 11 Dec 2020 12:00:09 +0000 (13:00 +0100)]
vfs_fruit: use "fake_fd" instead of "created"
Both have basically the same semantics.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit
36eb30fd7d4b82bffd0e1ab471c088f678d700a4)
Stefan Metzmacher [Fri, 18 Dec 2020 13:36:00 +0000 (14:36 +0100)]
vfs_streams_xattr: make use of vfs_fake_fd_close()
When we used vfs_fake_fd() we should use vfs_fake_fd_close()
in order to have things symetric.
That may allows us to change vfs_fake_fd() internally if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit
40e70cbd3c3a1df9205a7b18d07784c1754cc340)
Stefan Metzmacher [Fri, 18 Dec 2020 13:36:00 +0000 (14:36 +0100)]
vfs_fruit: make use of vfs_fake_fd_close()
When we used vfs_fake_fd() we should use vfs_fake_fd_close()
in order to have things symetric.
That may allows us to change vfs_fake_fd() internally if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit
719c83b4dc4cef16429ec2803621039545f6885e)
Stefan Metzmacher [Fri, 18 Dec 2020 13:03:09 +0000 (14:03 +0100)]
s3:smbd: add vfs_fake_fd_close() helper
When we used vfs_fake_fd() we should use vfs_fake_fd_close()
in order to have things symetric.
This makes code easier to understand and may allow us to change
vfs_fake_fd() internally if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit
8f057333466b2d9845cd8bc2b794d98252ade2a4)
Andreas Schneider [Mon, 21 Dec 2020 09:36:46 +0000 (10:36 +0100)]
s3:lib: Create the cache path of user gencache recursively
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14601
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 6 23:59:58 UTC 2021 on sn-devel-184
(cherry picked from commit
38c989fab78c3baade3e441829b7becf6b25ef3f)
Andreas Schneider [Mon, 21 Dec 2020 09:35:51 +0000 (10:35 +0100)]
lib:util: Add directory_create_or_exists_recursive()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14601
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
from commit
bf7b165877bdfd07eb84ecafdc87bd7a6d945f09)
Arne Kreddig [Fri, 1 Jan 2021 21:54:22 +0000 (22:54 +0100)]
vfs_virusfilter: Allocate separate memory for config char*
Instead of using only the pointer to the configuration char* from the
global configuration, vfs_virusfilter now allocates its own memory and
copies the char* from the global configuration.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14606
Signed-off-by: Arne Kreddig <arne@kreddig.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 7 19:25:38 UTC 2021 on sn-devel-184
(cherry picked from commit
2f21d1b0ac8526508161de73290f67858b2fe668)
Andrew Bartlett [Mon, 23 Nov 2020 06:35:37 +0000 (19:35 +1300)]
Do not create an empty DB when accessing a sam.ldb
Samba already does this for samba-tool and doing this should make
our errors more sensible, particularly in BIND9 if not provisioned
with the correct --dns-backend=DLZ_BIND9
The old error was like:
named[62954]: samba_dlz: Unable to get basedn for
/var/lib/samba/private/dns/sam.ldb
- NULL Base DN invalid for a base search.
The new error will be like (in this case from the torture test):
Failed to connect to Failed to connect to
ldb:///home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb:
Unable to open tdb '/home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb':
No such file or directory: Operations error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14579
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d49e96bc45ea5e2d3364242dad36fe9094b7cc42)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Thu Jan 7 09:50:29 UTC 2021 on sn-devel-184
Martin Schwenke [Tue, 8 Dec 2020 13:03:47 +0000 (00:03 +1100)]
bootstrap: Cope with case changes in CentOS 8 repo names
RN: Be more flexible with repository names in CentOS 8 test environments
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14594
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(backported from commit
1c59f49aaede8ec1662d4e49aef84fcd902a8a76)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Wed Jan 6 12:19:21 UTC 2021 on sn-devel-184
Dimitry Andric [Fri, 1 Jan 2021 17:25:48 +0000 (18:25 +0100)]
lib: Avoid declaring zero-length VLAs in various messaging functions
In messaging_rec_create(), messaging_recv_cb() and
messaging_dispatch_rec(), variable length arrays of file descriptors are
declared using an incoming num_fds parameter.
However, there are several scenarios where num_fds can be zero, and
declaring a zero-length VLA is undefined behavior. This can lead to
segmentation faults and/or other crashes when compiling with recent
versions of clang at high optimization levels.
To avoid ever using zero as the length for these declarations, use
MAX(1, length) instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14605
Signed-off-by: Dimitry Andric <dimitry@andric.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jan 4 10:50:07 UTC 2021 on sn-devel-184
(cherry picked from commit
3e96c95d41e4ccd0bf43b3ee78af644e2bc32e30)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Tue Jan 5 09:11:44 UTC 2021 on sn-devel-184
Ralph Boehme [Mon, 30 Nov 2020 11:28:58 +0000 (12:28 +0100)]
vfs_zfsacl: add missing inherited flag on hidden "magic" everyone@ ACE
This was an omission in the fixes for bug 14470.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14587
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 1 20:29:34 UTC 2020 on sn-devel-184
(cherry picked from commit
936f74daed0d6221312f651f35c4ed357bbf1414)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Wed Dec 9 11:45:09 UTC 2020 on sn-devel-184
Ralph Boehme [Mon, 30 Nov 2020 11:28:00 +0000 (12:28 +0100)]
vfs_zfsacl: reformatting
No change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14587
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
a8457ac3c80e22588e33a343c2306b702734ca88)
Ralph Boehme [Thu, 26 Nov 2020 14:24:44 +0000 (15:24 +0100)]
s4/samba: call force_check_log_size() in standard_new_task()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
RN: samba process does not honor max log size
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec 7 18:54:29 UTC 2020 on sn-devel-184
(cherry picked from commit
058f96f4c4eda42b404f0067521d3eafb495fe7d)
Ralph Boehme [Thu, 26 Nov 2020 14:24:26 +0000 (15:24 +0100)]
s4/samba: call force_check_log_size() in standard_accept_connection()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
6fa5fb8ef26dab862df5c46bb5e74f19839c30e2)
Ralph Boehme [Thu, 26 Nov 2020 14:23:58 +0000 (15:23 +0100)]
s4/samba: call force_check_log_size() in prefork_reload_after_fork()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
Signed-off-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
82b64e930b0e2d3b2e5186017d9f8e420994136c)
Ralph Boehme [Mon, 23 Nov 2020 15:44:04 +0000 (16:44 +0100)]
s4: call reopen_logs_internal() in the SIGHUP handler of the prefork process model
With debug_schedule_reopen_logs() the actual reopen only takes place at some
point in the future when a DEBUG message is processed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
19413e76a46f07fdd46fde5e60707bb6845a782d)
Ralph Boehme [Fri, 20 Nov 2020 14:21:03 +0000 (15:21 +0100)]
s4: replace low-level SIGUP handler with a tevent handler
Replace the low-level signal handler for SIGHUP with a nice tevent signal
handler. The low-level handler sig_hup() installed by setup_signals() remains
being used during early startup before a tevent context is available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
9f71e6173ab43a04804ba8061cb0e8ae6c0165bf)
Ralph Boehme [Thu, 26 Nov 2020 13:21:58 +0000 (14:21 +0100)]
s4: install tevent tracing hooks to trigger logfile rotation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit
516c2a04a242a539f9fbddb2822295fee233644c)
[slow@samba.org: process_prefork.c has additional include in master]
Ralph Boehme [Mon, 23 Nov 2020 16:53:57 +0000 (17:53 +0100)]
s4: add samba server tevent trace helper stuff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit
68f71f227b17774a12c84575c1eecd82279fac95)
[slow@samba.org: conflict due to rename source4/smbd/ -> source4/samba/ in master]
Ralph Boehme [Mon, 23 Nov 2020 15:04:03 +0000 (16:04 +0100)]
debug: detect logrotation by checking inode number
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
3651a51e93b45104323d5db1d5ea704d4f71acf1)
Ralph Boehme [Mon, 23 Nov 2020 14:51:09 +0000 (15:51 +0100)]
debug: pass struct debug_class *config to do_one_check_log_size()
Pass a pointer to the struct instead of all struct members individually. No
change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
b7ee36146458bcc2c944f5670b7632df8281ae61)
Ralph Boehme [Mon, 23 Nov 2020 14:46:47 +0000 (15:46 +0100)]
debug: pass struct debug_class *config to reopen_one_log()
Pass a pointer to the struct instead of all struct members individually. No
change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
29cd139a32d5dbf36bef68eb9c7f1160201e3042)
Ralph Boehme [Fri, 13 Nov 2020 11:34:50 +0000 (12:34 +0100)]
loadparm: setup debug subsystem setting max_log_size from config
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
ab2c712c016f4e4dacd5064b9eb8f6417f4b9b60)
Jeremy Allison [Wed, 2 Dec 2020 19:47:02 +0000 (11:47 -0800)]
s3: smbd: Quiet log messages from usershares for an unknown share.
No need to log missing shares/sharenames at debug level zero.
Keep the debug level zero for all other usershare problems.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14590
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Rowland penny <rpenny@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 4 20:54:06 UTC 2020 on sn-devel-184
(cherry picked from commit
8a0a7359faba642baf55a8f98ff78c0d0884d0f0)
Günther Deschner [Tue, 24 Nov 2020 14:38:41 +0000 (15:38 +0100)]
vfs_glusterfs: print exact cmdline for disabling write-behind translator
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Nov 27 17:15:07 UTC 2020 on sn-devel-184
(cherry picked from commit
369c1d539837b70e94fe9d533d44860c8a9380a1)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Wed Dec 2 17:35:21 UTC 2020 on sn-devel-184
Anoop C S [Thu, 5 Nov 2020 10:42:09 +0000 (16:12 +0530)]
manpages/vfs_glusterfs: Mention silent skipping of write-behind translator
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Nov 9 13:30:06 UTC 2020 on sn-devel-184
(cherry picked from commit
be03ce7d8bb213633eedcfc3299b8d9865a3c67f)
Anoop C S [Thu, 12 Nov 2020 14:57:24 +0000 (20:27 +0530)]
vfs_shadow_copy2: Preserve all open flags assuming ROFS
Instead of replacing open flags with just O_RDONLY, filter out all those
flags unrelated to a Read Only File System
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14573
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Nov 12 17:23:19 UTC 2020 on sn-devel-184
(cherry picked from commit
e9e06a11daf036abf7a7022ebc8eaefde178aa52)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Thu Nov 19 14:09:43 UTC 2020 on sn-devel-184
Jeremy Allison [Thu, 5 Nov 2020 23:48:08 +0000 (15:48 -0800)]
s3: spoolss: Make parameters in call to user_ok_token() match all other uses.
We already have p->session_info->unix_info->unix_name, we don't
need to go through a legacy call to uidtoname(p->session_info->unix_token->uid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14568
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 9 04:10:45 UTC 2020 on sn-devel-184
(cherry picked from commit
e5e1759057a767f517bf480a2172a36623df2799)
Jeremy Allison [Sun, 27 Sep 2020 05:14:33 +0000 (22:14 -0700)]
s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE().
They may have been carefully set by the aio_del_req_from_fsp()
destructor so we must not overwrite here.
Found via some *amazing* debugging work from Ashok Ramakrishnan <aramakrishnan@nasuni.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Sep 30 11:18:43 UTC 2020 on sn-devel-184
(cherry picked from commit
fca8cb63762faff54cda243c1ed8217b36333131)
Jones Syue [Mon, 28 Sep 2020 01:10:03 +0000 (09:10 +0800)]
interface: fix if_index is not parsed correctly
Replace probed_ifaces[i] with ifs.
In SDC 2020 SMB3 Virtual IO Lab,
run Windows Protocol Test Suite to test FileServer multichannel test cases.
Samba server has 2 virtual interfaces for VPN connection:
> name=tun2001, ip/mask=192.168.144.9/22
> name=tun2002, ip/mask=192.168.144.10/22
test suite client can ping these 2 ip addresses and browse shares.
Then client try to use IOCTL FSCTL_QUERY_NETWORK_INTERFACE_INFO to get the
virtual ip addresses of samba server, but samba server responded it
without the virtual ip addresses. My VPN setup is point-to-point and the
virtual interfaces 'tun2001' & 'tun2002' are without flag IFF_BROADCAST.
So edit smb.conf and add
"interfaces = ${virtual_ip}/${mask_length};if_index=${id}", like this:
> interfaces = eth4 eth8 eth11 eth10 qvs0 "192.168.144.9/22;if_index=50" "192.168.144.10/22;if_index=51"
then samba server IOCTL response could return the virtual ip addresses,
but found a issue:
the interface index of virtual ip addresses is always
4294967295
(0xFFFFFFFF, -1).
Quote Metze: https://gitlab.com/samba-team/devel/samba/-/commit/
6cadb55d975a6348a417caed8b3258f5be2acba4#note_419181789
This looks good, I think that also explains
the possible memory corruption/crash I mentioned in the bug report.
As 'i' is most likely the same as 'total_probed' and
probed_ifaces[i] is not valid, so we overwrite unrelated memory.
Later I see 'realloc(): invalid pointer' and this backtrace:
BACKTRACE:
#0 log_stack_trace + 0x29 [ip=0x7f2f1b6fffa9] [sp=0x7ffcd0ab53e0]
#1 smb_panic + 0x11 [ip=0x7f2f1b700301] [sp=0x7ffcd0ab5d10]
#2 sig_fault + 0x54 [ip=0x7f2f1b7004f4] [sp=0x7ffcd0ab5e20]
#3 funlockfile + 0x50 [ip=0x7f2f17ce6dd0] [sp=0x7ffcd0ab5ec0]
#4 gsignal + 0x10f [ip=0x7f2f1794970f] [sp=0x7ffcd0ab6b90]
#5 abort + 0x127 [ip=0x7f2f17933b25] [sp=0x7ffcd0ab6cb0]
#6 __libc_message + 0x297 [ip=0x7f2f1798c897] [sp=0x7ffcd0ab6de0]
#7 malloc_printerr + 0x1c [ip=0x7f2f17992fdc] [sp=0x7ffcd0ab6ef0]
#8 realloc + 0x23a [ip=0x7f2f17997f6a] [sp=0x7ffcd0ab6f00]
#9 _talloc_realloc + 0xee [ip=0x7f2f1a365d2e] [sp=0x7ffcd0ab6f50]
#10 messaging_filtered_read_send + 0x18c [ip=0x7f2f1a10f54c] [sp=0x7ffcd0ab6fb0]
#11 messaging_read_send + 0x55 [ip=0x7f2f1a10f705] [sp=0x7ffcd0ab7000]
#12 smb2srv_session_table_init + 0x83 [ip=0x7f2f1b3a6cd3] [sp=0x7ffcd0ab7040]
#13 smbXsrv_connection_init_tables + 0x2d [ip=0x7f2f1b373f4d] [sp=0x7ffcd0ab7060]
#14 smbd_smb2_request_process_negprot + 0x827 [ip=0x7f2f1b38cb47] [sp=0x7ffcd0ab7080]
#15 smbd_smb2_request_dispatch + 0x19db [ip=0x7f2f1b38921b] [sp=0x7ffcd0ab71d0]
#16 smbd_smb2_process_negprot + 0x298 [ip=0x7f2f1b38bb38] [sp=0x7ffcd0ab7260]
#17 process_smb + 0x2ca [ip=0x7f2f1b37537a] [sp=0x7ffcd0ab72b0]
#18 smbd_server_connection_read_handler + 0xd0 [ip=0x7f2f1b376420] [sp=0x7ffcd0ab7350]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14514
Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
b78ff5717654064c8a4facc54a8e9833e5843c21)
Jeremy Allison [Tue, 10 Nov 2020 18:18:18 +0000 (10:18 -0800)]
s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function.
file_lines_parse() plays horrible tricks with
the passed-in talloc pointers and the hierarcy
which makes freeing hard to get right.
As we know mem_ctx is freed by the caller, after
calling file_lines_parse don't free on exit and let the caller
handle it. This violates good Samba coding practice
but we know we're not leaking here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Nov 11 15:02:27 UTC 2020 on sn-devel-184
(cherry picked from commit
457b49c67803dd95abc8502c2a410fac273f6fba)
Jeremy Allison [Fri, 13 Nov 2020 22:18:43 +0000 (14:18 -0800)]
libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob.
Blob could be NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14210
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Nov 16 09:47:38 UTC 2020 on sn-devel-184
(cherry picked from commit
26ba04a4d1987a859152751e6083d9b9aef770ff)
Günther Deschner [Mon, 2 Nov 2020 15:10:44 +0000 (16:10 +0100)]
s3-vfs_glusterfs: always disable write-behind translator
The "pass-through" option has now been merged upstream as of:
https://github.com/gluster/glusterfs/pull/1640
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Anoop C S <anoopcs@samba.org>
Pair-Programmed-With: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 4 22:53:49 UTC 2020 on sn-devel-184
(cherry picked from commit
a51cda69ec6a017ad04b5690a3ae67a5478deee9)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Thu Nov 5 12:27:28 UTC 2020 on sn-devel-184
Karolin Seeger [Thu, 5 Nov 2020 09:07:17 +0000 (10:07 +0100)]
VERSION: Bump version up to 4.12.11...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Thu, 5 Nov 2020 09:06:06 +0000 (10:06 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.12.10 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Thu, 5 Nov 2020 09:03:16 +0000 (10:03 +0100)]
WHATSNEW: Add release notes for Samba 4.12.10.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Jeremy Allison [Mon, 2 Nov 2020 23:46:51 +0000 (15:46 -0800)]
s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov 3 01:56:59 UTC 2020 on sn-devel-184
(cherry picked from commit
7d846cd178d653600c71ee4bd6a491a9e48a56da)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Tue Nov 3 13:02:10 UTC 2020 on sn-devel-184
Günther Deschner [Mon, 2 Nov 2020 11:30:36 +0000 (12:30 +0100)]
s3-vfs_glusterfs: refuse connection when write-behind xlator is present
s3-vfs_glusterfs: refuse connection when write-behind xlator is present
Once the new glusterfs api is available we will programmtically disable
the translator, for now we just refuse the connection as there is
a potential for serious data damage.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Sachin Prabhu <sprabhu@redhat.com>
Pair-Programmed-With: Anoop C S <anoopcs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 2 21:40:33 UTC 2020 on sn-devel-184
(cherry picked from commit
2a49ccbcf5e3ff0f6833bcb7f04b800125f1783f)
Sachin Prabhu [Thu, 15 Oct 2020 11:14:33 +0000 (12:14 +0100)]
docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs
Add warning about data corruption with the write-behind translator.
The data corruption is highlighted by the smbtorture test smb2.rw.rw1.
More information about this data corruption issue is available in the
bz.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
08f8f665d409ee7b93840c25a8142f2ce8bacfa1)
Amitay Isaacs [Mon, 27 Jul 2020 02:51:41 +0000 (12:51 +1000)]
ctdb-common: Avoid aliasing errors during code optimization
When compiling with GCC 10.x and -O3 optimization, the IP checksum
calculation code generates wrong checksum. The function uint16_checksum
gets inlined during optimization and ip4pkt->tcp data gets wrongly
aliased.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14537
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Oct 21 05:52:28 UTC 2020 on sn-devel-184
(cherry picked from commit
6aa396b0cd1f83f45cb76a4f3123d99135e8dd8c)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Fri Oct 30 15:24:11 UTC 2020 on sn-devel-184
Andrew Walker [Thu, 24 Sep 2020 20:04:12 +0000 (16:04 -0400)]
vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special
When ZFS aclmode is set to "passthrough" chmod(2)/fchmod(2) will result
in special entries being modified in a way such that delete, delete_child,
write_named_attr, write_attribute are stripped from the returned ACL entry,
and the kernel / ZFS treats this as having rights equivalent to the desired
POSIX mode. Historically, samba has added delete_child to the NFSv4 ACL, but
this is only really called for in the case of special entries in this
particular circumstance.
Alter circumstances in which delete_child is granted so that it only
is added to special entries. This preserves the intend post-chmod behavior,
but avoids unnecessarily increasing permissions in cases where it's not
intended. Further modification of this behavior may be required so that
we grant a general read or general write permissions set in case of
POSIX read / POSIX write on special entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14471
RN: vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
c1a37b4f31d5252ce074d41f69e526aa84b0d3b3)
Ralph Boehme [Thu, 20 Aug 2020 14:41:36 +0000 (16:41 +0200)]
vfs_zfsacl: use a helper variable in zfs_get_nt_acl_common()
No change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14471
Pair-Programmed-With: Andrew Walker <awalker@ixsystems.com>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
13b4f913b06457d8e1f7cf71c85722bbecabd990)
Ralph Boehme [Thu, 20 Aug 2020 14:42:17 +0000 (16:42 +0200)]
vfs_zfsacl: README.Coding fix
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14471
Pair-Programmed-With: Andrew Walker <awalker@ixsystems.com>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
a182f2e6cdded739812e209430d340097acc0031)
Andrew Walker [Thu, 24 Sep 2020 15:42:16 +0000 (11:42 -0400)]
vfs_zfsacl: Add new parameter to stop automatic addition of special entries
Prevent ZFS from automatically adding NFSv4 special entries (owner@, group@,
everyone@). ZFS will automatically add these these entries when calculating the
inherited ACL of new files if the ACL of the parent directory lacks an
inheriting special entry. This may result in user confusion and unexpected
change in permissions of files and directories as the inherited ACL is
generated. Blocking this behavior is achieved by setting an inheriting
everyone@ that grants no permissions and not adding the entry to the file's
Security Descriptor.
This change also updates behavior so that the fd-based syscall facl() is
used where possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14470
RN: vfs_zfsacl: Add new parameter to stop automatic addition of special entries
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
c10ae30c1185463eb937f69c1fc9914558087167)
Ralph Boehme [Thu, 20 Aug 2020 14:18:35 +0000 (16:18 +0200)]
vfs_zfsacl: use handle based facl() call to query ZFS filesytem ACL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14470
Pair-Programmed-With: Andrew Walker <awalker@ixsystems.com>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit
f763b1e43640082af80c855a4a519f7747a6c87c)
[slow@samba.org: conflict in zfs_get_nt_acl_common() due to *AT changes in 4.13]
Alexander Bokovoy [Sat, 17 Oct 2020 07:58:12 +0000 (10:58 +0300)]
smb.conf.5: add clarification how configuration changes reflected by Samba
Users of Linux distributions know to read smb.conf(5) manual page but
apparently not many of them read smbd(8) and winbindd(8) to understand
how changes to smb.conf file are reflected in the running processes.
Add a small section that makes it clear where to find relevant
information. Also correct the information in smbd, nmbd, and winbindd
manual pages.
The interval at which smbd does check for smb.conf changes was increased
from 60 seconds to 180 seconds in 1999 with commit
3db52feb1f3b.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14538
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Tue Oct 20 08:50:13 UTC 2020 on sn-devel-184
(cherry picked from commit
e32846f0692df44b4ee929c5ed6ba1de88ec4bd2)
Karolin Seeger [Thu, 29 Oct 2020 09:42:44 +0000 (10:42 +0100)]
VERSION: Bump version up to 4.12.10.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Thu, 29 Oct 2020 09:42:15 +0000 (10:42 +0100)]
Merge tag 'samba-4.12.9' into v4-12-test
samba: tag release samba-4.12.9
Karolin Seeger [Tue, 27 Oct 2020 11:24:47 +0000 (12:24 +0100)]
VERSION: Disable GIT_SNAPSHOT for Samba 4.12.9.
o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
o CVE-2020-14323: Unprivileged user can crash winbind.
o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily
crafted records.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 27 Oct 2020 11:24:13 +0000 (12:24 +0100)]
WHATSNEW: Add release notes for Samba 4.12.9.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Björn Jacke [Tue, 6 Oct 2020 21:05:24 +0000 (23:05 +0200)]
docs: fix default value of spoolss:architecture
"Windows x64" is the default here since a couple of years already.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14522
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 6 23:06:50 UTC 2020 on sn-devel-184
(cherry picked from commit
c587685dde2448d1f68ada47ce5ad42b02a118ce)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Mon Oct 26 14:42:39 UTC 2020 on sn-devel-184
Douglas Bagnall [Fri, 21 Aug 2020 05:23:17 +0000 (17:23 +1200)]
CVE-2020-14383: s4/dns: do not crash when additional data not found
Found by Francis Brosnan Blázquez <francis@aspl.es>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184
(based on commit
df98e7db04c901259dd089e20cd557bdbdeaf379)
Douglas Bagnall [Fri, 21 Aug 2020 05:10:22 +0000 (17:10 +1200)]
CVE-2020-14383: s4/dns: Ensure variable initialization with NULL.
Based on patches from Francis Brosnan Blázquez <francis@aspl.es>
and Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
(based on commit
7afe449e7201be92bed8e53cbb37b74af720ef4e)
Volker Lendecke [Thu, 9 Jul 2020 19:48:57 +0000 (21:48 +0200)]
CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call
We can't add this test before the fix, add it to knownfail and have the fix
remove the knownfail entry again. As this crashes winbind, many tests after
this one will fail.
Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
Signed-off-by: Volker Lendecke <vl@samba.org>
Volker Lendecke [Thu, 9 Jul 2020 19:49:25 +0000 (21:49 +0200)]
CVE-2020-14323 winbind: Fix invalid lookupsids DoS
A lookupsids request without extra_data will lead to "state->domain==NULL",
which makes winbindd_lookupsids_recv trying to dereference it.
Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
Signed-off-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Wed, 8 Jul 2020 01:25:23 +0000 (18:25 -0700)]
s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.
Remove knownfail entry.
CVE-2020-14318
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 10 Jul 2020 22:09:33 +0000 (15:09 -0700)]
s4: torture: Add smb2.notify.handle-permissions test.
Add knownfail entry.
CVE-2020-14318
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
Signed-off-by: Jeremy Allison <jra@samba.org>
Karolin Seeger [Wed, 7 Oct 2020 08:13:02 +0000 (10:13 +0200)]
VERSION: Bump version up to 4.12.9...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Günther Deschner [Wed, 4 Mar 2020 17:51:01 +0000 (18:51 +0100)]
winexe: add configure option to control whether to build it (default: auto)
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar 9 16:27:21 UTC 2020 on sn-devel-184
(cherry picked from commit
54c21a99e6ca54bdb963c70d322f6778b57a384f)
Amitay Isaacs [Sun, 13 Sep 2020 23:45:50 +0000 (09:45 +1000)]
provision: BIND 9.17.x is not supported
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Thu Sep 24 05:55:43 UTC 2020 on sn-devel-184
(cherry picked from commit
1bccc67ce7c6364a95fbfeb095938522671578a8)
Amitay Isaacs [Fri, 11 Sep 2020 02:35:30 +0000 (12:35 +1000)]
provision: Add support for BIND 9.16.x
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
(cherry picked from commit
5b2ccb1c7cad5cded5dad37a18a7d42c1680b2f7)
Amitay Isaacs [Fri, 11 Sep 2020 02:34:07 +0000 (12:34 +1000)]
bind9-dlz: Add support for BIND 9.16.x
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
(cherry picked from commit
ca3c18a236dedfdfbf225dcfcd0418f1634d8759)
Amitay Isaacs [Sun, 13 Sep 2020 23:45:04 +0000 (09:45 +1000)]
provision: BIND 9.15.x is not supported
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
(cherry picked from commit
4d09797652059c3ed5b2a4f94f2181ce14d39972)
Amitay Isaacs [Fri, 11 Sep 2020 02:26:21 +0000 (12:26 +1000)]
provision: Add support for BIND 9.14.x
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
(cherry picked from commit
016c1174ef783990f93e348ee82f5c989c43cbbf)
Amitay Isaacs [Fri, 11 Sep 2020 02:24:51 +0000 (12:24 +1000)]
bind9-dlz: Add support for BIND 9.14.x
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
(cherry picked from commit
a167a2154d4909e8e1f97d9f36d0e4c947f2d944)
Amitay Isaacs [Sun, 13 Sep 2020 23:44:10 +0000 (09:44 +1000)]
provision: BIND 9.13.x is not supported
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
(cherry picked from commit
95278618829227632b2bcb29fc272e600607ea41)
Amitay Isaacs [Fri, 11 Sep 2020 02:16:01 +0000 (12:16 +1000)]
bind9-dlz: Bind 9.13.x switched to using bool as isc_boolean_t instead of int.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
(cherry picked from commit
cdb6c5d1eca1c0f6967941dbd1da07be6b53d302)
Khem Raj [Thu, 23 Jul 2020 05:42:09 +0000 (22:42 -0700)]
nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h
glibc 2.32 will define these varibles [1] which results in conflicts
with these static function names, therefore prefix these function names
with samba_ to avoid it
[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=
499a92df8b9fc64a054cf3b7f728f8967fc1da7d
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Jul 28 10:52:00 UTC 2020 on sn-devel-184
(cherry picked from commit
6e496aa3635557b59792e469f7c7f8eccd822322)
Stefan Metzmacher [Tue, 13 Oct 2020 10:43:39 +0000 (12:43 +0200)]
s4:dsdb:acl_read: Implement "List Object" mode feature
See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility
I tried to avoid any possible overhead for the common cases:
- SEC_ADS_LIST (List Children) is already granted by default
- fDoListObject is off by default
Overhead is only added if the administrator turned on
the fDoListObject feature and removed SEC_ADS_LIST (List Children)
from a parent object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 21 08:48:02 UTC 2020 on sn-devel-184
(cherry picked from commit
7223f6453b1b38c933c9480c637ffd06d9f39b97)
Stefan Metzmacher [Tue, 6 Oct 2020 09:21:34 +0000 (11:21 +0200)]
s4:dsdb:util: add dsdb_do_list_object() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
ffc0bdc6d49e88da1ee408956365da163ff3e1b2)
Stefan Metzmacher [Mon, 12 Oct 2020 15:59:34 +0000 (17:59 +0200)]
s4:dsdb:acl_read: defer LDB_ERR_NO_SUCH_OBJECT
We may need to return child objects even if the base dn
is invisible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
e1529bedb2b6c8553e69a42537ac0cffd03af6d6)
Stefan Metzmacher [Tue, 6 Oct 2020 13:10:33 +0000 (15:10 +0200)]
s4:dsdb:acl_read: make use of aclread_check_object_visible() for the search base
We should only have one place to do access checks.
Use 'git show -w' to see the minimal diff.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
faff8e6c89777c38443e561235073c336cfb2e9c)
Stefan Metzmacher [Tue, 6 Oct 2020 13:10:33 +0000 (15:10 +0200)]
s4:dsdb:acl_read: fully set up 'struct aclread_context' before the search base acl check
This makes further change much easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
c4a3028de726d6708f57d02f9162a4d62d1b6ae7)
Stefan Metzmacher [Tue, 6 Oct 2020 13:07:19 +0000 (15:07 +0200)]
s4:dsdb:acl_read: introduce aclread_check_object_visible() helper
In future this will do more than aclread_check_parent(),
if we implement fDoListObject and SEC_ADS_LIST_OBJECT handling.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
d2dd7c2a5c1f8ee30f0f3b41f933d082b0c75f7c)
Stefan Metzmacher [Wed, 7 Oct 2020 11:21:06 +0000 (13:21 +0200)]
s4:dsdb:tests: add AclVisibiltyTests
This tests a sorts of combinations in order to
demonstrate the visibility of objects depending on:
- with or without fDoListObject
- with or without explicit DENY ACEs
- A hierachy of objects with 4 levels from the base dn
- SEC_ADS_LIST (List Children)
- SEC_ADS_LIST_LIST_OBJECT (List Object)
- SEC_ADS_READ_PROP
- all possible scopes and basedns
This demonstrates that NO_SUCH_OBJECT doesn't depend purely
on the visibility of the base dn, it's still possible to
get children returned und an invisible base dn.
It also demonstrates the additional behavior with "List Object" mode.
See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
06d134406739e76b97273db3023855150dbaebbc)
Stefan Metzmacher [Mon, 20 Apr 2020 18:00:51 +0000 (20:00 +0200)]
python/tests: add DynamicTestCase setUpDynamicTestCases() infrastructure
This can be used in order to run a sepcific test (coded just once)
with an autogenerated set of arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531
Pair-Programmed-With: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit
80347deb544b38be6c6814e5d1b82e48ebe83fd1)
Martin Schwenke [Wed, 30 Sep 2020 00:48:38 +0000 (10:48 +1000)]
ctdb-tests: Strengthen node state checking in ctdb disable/enable test
Check that the desired state is set on all nodes instead of just the
test node. This ensures that node flags have correctly propagated
across the cluster.
RN: Fix remaining ctdb disable/enable bug
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14513
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Tue Oct 6 04:32:06 UTC 2020 on sn-devel-184
(cherry picked from commit
b68105b8f7c20692d23d457f2777edcf44f12bb8)
Signed-off-by: Martin Schwenke <martin@meltin.net>
Martin Schwenke [Tue, 16 Jan 2018 04:15:51 +0000 (15:15 +1100)]
ctdb-recoverd: Drop unnecessary and broken code
update_flags() has already updated the recovery master's canonical
node map, based on the flags from each remote node, and pushed out
these flags to all nodes.
If i == j then the node map has already been updated from this remote
node's flags, so simply drop this case.
Although update_flags() has updated flags for all nodes, it did not
update each node map in remote_nodemaps[] to reflect this. This means
that remote_nodemaps[] may contain inconsistent flags for some nodes
so it should not be used to check consistency when i != j.
Further, a meaningful difference in flags can only really occur if
update_flags() failed. In that case this code is never reached.
These observations combine to imply that this whole loop should be
dropped.
This leaves potential sub-second inconsistencies due to out-of-band
healthy/unhealthy flag changes pushed via CTDB_SRVID_PUSH_NODE_FLAGS.
These updates could be dropped (takeover run asks each node for
available IPs rather than making centralised decisions based on node
flags) but for now they will be fixed in the next iteration of
main_loop().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14513
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit
4b01f54041dee469971f244e64064eed46de2ed5)
Martin Schwenke [Fri, 19 Jan 2018 03:55:21 +0000 (14:55 +1100)]
ctdb-recoverd: Drop unnecessary code
This has already been done in update_flags().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14513
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit
3ab52b528673e08caa66f00e963528c591a84fe1)
Karolin Seeger [Wed, 7 Oct 2020 08:13:02 +0000 (10:13 +0200)]
VERSION: Bump version up to 4.12.9...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Wed, 7 Oct 2020 08:12:17 +0000 (10:12 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.12.8 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Wed, 7 Oct 2020 08:11:23 +0000 (10:11 +0200)]
WHATSNEW: Add release notes for Samba 4.12.8.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Laurent Menase [Wed, 20 May 2020 10:31:53 +0000 (12:31 +0200)]
winbind: Fix a memleak
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14388
Signed-off-by: Laurent Menase <laurent.menase@hpe.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Sep 14 13:33:13 UTC 2020 on sn-devel-184
(cherry picked from commit
8f868b0ea0b4795668f7bc0b028cd85686b249fb)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Fri Sep 25 11:15:08 UTC 2020 on sn-devel-184
Stefan Metzmacher [Fri, 18 Sep 2020 13:42:53 +0000 (15:42 +0200)]
VERSION: Bump version up to 4.12.8...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 18 Sep 2020 13:42:20 +0000 (15:42 +0200)]
Merge tag 'samba-4.12.7' into v4-12-test
samba: tag release samba-4.12.7
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Karolin Seeger [Fri, 18 Sep 2020 10:43:06 +0000 (12:43 +0200)]
VERSION: Disable GIT_SNAPSHOT for 4.12.7 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Fri, 18 Sep 2020 10:17:36 +0000 (12:17 +0200)]
WHATSNEW: Add release notes for Samba 4.12.7.
CVE-2020-1472: Samba impact of "ZeroLogon".
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Gary Lockyer [Fri, 18 Sep 2020 03:57:34 +0000 (15:57 +1200)]
CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge
Ensure that client challenges with the first 5 bytes identical are
rejected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
[abartlet@samba.org: backported from master as test order was flipped]
Gary Lockyer [Fri, 18 Sep 2020 00:39:54 +0000 (12:39 +1200)]
CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd
Ensure that an empty machine account password can't be set by
netr_ServerPasswordSet2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Stefan Metzmacher [Thu, 17 Sep 2020 15:27:54 +0000 (17:27 +0200)]
CVE-2020-1472(ZeroLogon): docs-xml: document 'server require schannel:COMPUTERACCOUNT'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 17 Sep 2020 12:42:52 +0000 (14:42 +0200)]
CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log warnings about unsecure configurations
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 17 Sep 2020 12:23:16 +0000 (14:23 +0200)]
CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
This allows to add expections for individual workstations, when using "server schannel = yes".
"server schannel = auto" is very insecure and will be removed soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 17 Sep 2020 12:57:22 +0000 (14:57 +0200)]
CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
We should debug more details about the failing request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 17 Sep 2020 11:37:26 +0000 (13:37 +0200)]
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations
This should give admins wawrnings until they have a secure
configuration.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 16 Sep 2020 08:56:53 +0000 (10:56 +0200)]
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
This allows to add expections for individual workstations, when using "server schannel = yes".
"server schannel = auto" is very insecure and will be removed soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 16 Sep 2020 08:18:45 +0000 (10:18 +0200)]
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
We should debug more details about the failing request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <metze@samba.org>