Jule Anger [Tue, 15 Mar 2022 13:09:14 +0000 (14:09 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.15.6 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Tue, 15 Mar 2022 13:08:42 +0000 (14:08 +0100)]
WHATSNEW: Add release notes for Samba 4.15.6.
Signed-off-by: Jule Anger <janger@samba.org>
Jeremy Allison [Thu, 17 Feb 2022 19:12:39 +0000 (11:12 -0800)]
s3: smbd: Fix our leases code to return the correct error in the non-dynamic share case.
We now return INVALID_PARAMETER when trying to open a
different file with a duplicate lease key on the same
(non-dynamic) share. This will enable us to pass another
Windows test suite leases test.
We now behave the same as Windows10.
Remove knownfail.d/smb2-lease-duplicateopen
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 18 20:12:12 UTC 2022 on sn-devel-184
(cherry picked from commit 408be54323861c24b6377b804be4428cf45b471e)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Mon Mar 7 14:34:46 UTC 2022 on sn-devel-184
Jeremy Allison [Thu, 17 Feb 2022 18:58:32 +0000 (10:58 -0800)]
s4: torture: Add new SMB2 lease test test_lease_duplicate_open().
Checks we return INVALID_PARAMETER when trying to open a
different file with a duplicate lease key on the same share.
Checked against Windows10. Currently fails against smbd
so add knownfail.d/smb2-lease-duplicateopen
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
(cherry picked from commit ca3896b6f8bbcad68f042720feceedfa29ddbd83)
Jeremy Allison [Thu, 17 Feb 2022 17:58:27 +0000 (09:58 -0800)]
s4: torture: Add new SMB2 lease test test_lease_duplicate_create().
Checks we return INVALID_PARAMETER when trying to create a
new file with a duplicate lease key on the same share.
Checked against Windows10. Samba already passes this
but we didn't have a test before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
(cherry picked from commit bf22548d11fe67ea3f4ec10dff81773d626e4703)
Stefan Metzmacher [Mon, 21 Feb 2022 14:28:53 +0000 (15:28 +0100)]
s3:trusts_utils: use a password length of 120 for machine accounts
This is important when we change the machine password against
an RODC that proxies the request to an RWDC.
An RODC using NetrServerPasswordSet2() to proxy PasswordUpdateForward via
NetrLogonSendToSam() ignores a return of NT_STATUS_INVALID_PARAMETER
and reports NT_STATUS_OK as result of NetrServerPasswordSet2().
This hopefully found the last hole in our very robust machine account
password handling logic inside of trust_pw_change().
The lesson is: try to be as identical to how Windows works as possible,
everything else may use untested code paths on Windows.
A similar problem was fixed by this commit:
commit 609ca657652862fd9c81fd11f818efb74f72ff55
Author: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed Feb 24 02:03:25 2021 +1300
provision: Decrease the length of random machine passwords
The current length of 128-255 UTF-16 characters currently causes
generation of crypt() passwords to typically fail. This commit
decreases the length to 120 UTF-16 characters, which is the same as
that used by Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 23 08:49:54 UTC 2022 on sn-devel-184
(cherry picked from commit 5e2386336c49fab46c1192db972af5da1e916b32)
Stefan Metzmacher [Mon, 21 Feb 2022 14:23:54 +0000 (15:23 +0100)]
upgradehelpers.py: add a comment to update_krbtgt_account_password()
The backend generates its own random krbtgt password values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ad0b5561b492dfa28acfc9604b2358bb8b490703)
Stefan Metzmacher [Mon, 21 Feb 2022 14:22:50 +0000 (15:22 +0100)]
provision: add a comment that the value of krbtgtpass is ignored in the backend
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 725c94d57d3d656bc94633dacbac683a4c11d3e6)
Stefan Metzmacher [Mon, 21 Feb 2022 14:22:06 +0000 (15:22 +0100)]
upgradehelpers.py: let update_machine_account_password() use 120 character passwords
We already changed provision to use 120 character passwords with commit
609ca657652862fd9c81fd11f818efb74f72ff55.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 6bb7c0f24918329804b7f4fb71908e8fab99e266)
Stefan Metzmacher [Mon, 21 Feb 2022 14:08:34 +0000 (15:08 +0100)]
provision: use 120 characters for the dns account password
We should use the same as for the computer account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3b91be36581de1007427d539daffdaa62752412d)
Stefan Metzmacher [Mon, 21 Feb 2022 14:03:22 +0000 (15:03 +0100)]
samba-tool/join_member: let py_net_join_member() choose the password
It means we'll let trust_pw_new_value() generate the password.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 59ac782452c4993274fa837256a8b9c5675e707b)
Stefan Metzmacher [Mon, 21 Feb 2022 22:48:37 +0000 (23:48 +0100)]
s3:py_net: allow machinepass=None to py_net_join_member()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(similar to commit 576bdb08c51c47c390cc390fbefdcfee275b7f0f)
Douglas Bagnall [Thu, 23 Dec 2021 01:37:29 +0000 (14:37 +1300)]
s4/auth/simple_bind: correctly report TLS state
It went wrong in 366f8cf0903e3583fda42696df62a5337f22131f
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 26 12:39:52 UTC 2022 on sn-devel-184
(cherry picked from commit 309f1982263677045d407463eb19a2444c165a63)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14996
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Mon Mar 7 09:28:54 UTC 2022 on sn-devel-184
Douglas Bagnall [Wed, 26 Jan 2022 02:53:45 +0000 (15:53 +1300)]
pytest:auth_log: expect TLS connections when using ldaps
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit f37682747898591b37405f9e96a8135c15638637)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14996
Volker Lendecke [Wed, 23 Feb 2022 14:56:41 +0000 (15:56 +0100)]
smbd: Fix a use-after-free
stat_cache_lookup() allocates its result on top of talloc_tos().
filename_convert_smb1_search_path() creates a talloc_stackframe(),
which makes the names which were supposed to be allocated on the "ctx"
parameter of filename_convert_smb1_search_path() go away too
early. Reparent the results from stat_cache_lookup() properly.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 1 20:59:55 UTC 2022 on sn-devel-184
(cherry picked from commit 8c97743511e4d53f795f2469a28aabfb96da0dfa)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Wed Mar 2 12:27:47 UTC 2022 on sn-devel-184
Stefan Metzmacher [Fri, 25 Feb 2022 06:40:17 +0000 (07:40 +0100)]
s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
This is most likely not a problem for the current callers,
but it is unexpected and will likely cause problems with future
changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f6fe86924c2ca756083d3628d5dbace0b12d06b0)
Björn Jacke [Wed, 26 Dec 2018 00:03:29 +0000 (01:03 +0100)]
waf: re-add missing readlink test
this was another portability regression that came with the moving to waf
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13631
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 18 23:12:51 UTC 2022 on sn-devel-184
(cherry picked from commit 45cb14ac80889ac913f7f76dbfaebcb4d5ee14fd)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Sun Feb 27 17:34:42 UTC 2022 on sn-devel-184
Björn Jacke [Wed, 26 Dec 2018 00:01:14 +0000 (01:01 +0100)]
readlink test: inverse return code
We need to return 0 in case readlink is *broken* here - this is because our waf
CHECK_CODE function does only allow generating defines in case the test succeeds
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13631
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e225ab70db0cc01454d319eaca5265d7e33f396c)
Bjoern Jacke [Fri, 11 Feb 2022 00:45:00 +0000 (00:45 +0000)]
vfs_aixacl: add proper header file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=7239
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 396c17160c19c6df43123074bf62268c6ed0f9e4)
Björn Jacke [Tue, 15 Feb 2022 13:25:41 +0000 (14:25 +0100)]
wscript: s/default/required/ _static_modules for the acl modules
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14974
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 89e903985b6968c5becc69b757b23144b1aba66e)
Björn Jacke [Fri, 11 Feb 2022 02:38:31 +0000 (03:38 +0100)]
acl: fix function arguments for AIX' and Solaris' sys_acl_get_fd()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14974
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 183ab5ced8377b63ad07d2e810396d3b414f4a7d)
Samuel Cabrero [Tue, 22 Feb 2022 13:28:44 +0000 (14:28 +0100)]
s3:winbind: Use the canonical principal name to renew the credentials
The principal name stored in the winbindd ccache entry might be an
enterprise principal name if enterprise principals are enabled. Use
the canonical name to renew the credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Sun Feb 27 10:31:47 UTC 2022 on sn-devel-184
Samuel Cabrero [Tue, 22 Feb 2022 12:19:02 +0000 (13:19 +0100)]
s3:winbind: Store canonical principal and realm in ccache entry
They will be used later to refresh the tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)
Samuel Cabrero [Tue, 22 Feb 2022 12:08:56 +0000 (13:08 +0100)]
s3:libads: Return canonical principal and realm from kerberos_return_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)
Samuel Cabrero [Tue, 22 Feb 2022 13:28:28 +0000 (14:28 +0100)]
lib:krb5_wrap: Fix wrong debug message and use newer debug macro
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a)
Samuel Cabrero [Tue, 22 Feb 2022 12:00:05 +0000 (13:00 +0100)]
lib:krb5_wrap: Improve debug message and use newer debug macro
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865)
Samuel Cabrero [Tue, 22 Feb 2022 11:59:44 +0000 (12:59 +0100)]
s3:libads: Fix memory leak in kerberos_return_pac() error path
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111)
Andreas Schneider [Tue, 1 Feb 2022 09:05:19 +0000 (10:05 +0100)]
docs-xml: Fix idmap_autorid documentation
What we want to avoid:
$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Fri Feb 18 09:06:02 UTC 2022 on sn-devel-184
Andreas Schneider [Tue, 1 Feb 2022 09:07:50 +0000 (10:07 +0100)]
s3:utils: Add a testparm check for idmap autorid
What we want to avoid:
$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4)
Andreas Schneider [Tue, 1 Feb 2022 09:06:30 +0000 (10:06 +0100)]
s3:winbindd: Add a sanity check for the range
What we want to avoid:
$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f)
Volker Lendecke [Thu, 3 Feb 2022 12:20:11 +0000 (13:20 +0100)]
smbd: Safeguards for getpwuid
Attempt to fix
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14900
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 929ccd3d1afb864ea715fa4d3d8af8f997e5d2aa)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Tue Feb 15 08:57:55 UTC 2022 on sn-devel-184
Pavel Filipenský [Mon, 7 Feb 2022 22:06:10 +0000 (23:06 +0100)]
s3:modules: Fix virusfilter_vfs_openat
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184
(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Mon Feb 14 11:35:40 UTC 2022 on sn-devel-184
Pavel Filipenský [Tue, 8 Feb 2022 14:35:48 +0000 (15:35 +0100)]
s3:selftest: Add test for virus scanner
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544)
Pavel Filipenský [Tue, 8 Feb 2022 14:34:56 +0000 (15:34 +0100)]
selftest: Fix trailing whitespace in Samba3.pm
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a)
Pavel Filipenský [Tue, 8 Feb 2022 21:35:29 +0000 (22:35 +0100)]
docs-xml:manpages: Document 'dummy' virusfilter and 'virusfilter:infected files'
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969)
Pavel Filipenský [Tue, 8 Feb 2022 11:07:03 +0000 (12:07 +0100)]
s3:modules: Implement dummy virus scanner that uses filename matching
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1)
Andreas Schneider [Wed, 9 Feb 2022 15:33:10 +0000 (16:33 +0100)]
selftest: Do not force -d0 for smbd/nmbd/winbindd
We have the env variable SERVER_LOG_LEVEL which allows you to change
the log level on the command line. If we force -d0 this will not work.
make test TESTS="samba" SERVER_LOG_LEVEL=10
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b)
Stefan Metzmacher [Mon, 31 Jan 2022 19:33:43 +0000 (20:33 +0100)]
libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt() ptext_len bug
The initial implementation of gnutls_aead_cipher_decrypt() had a bug and
used:
*ptext_len = ctext_len;
instead of:
*ptext_len = ctext_len - tag_size;
This got fixed with gnutls 3.5.2.
As we only require gnutls 3.4.7 we need to cope with this...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 2 18:29:08 UTC 2022 on sn-devel-184
(cherry picked from commit 735f3d7dde3daf5d0af2e8a1de60422b88663992)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Sun Feb 13 10:12:22 UTC 2022 on sn-devel-184
Stefan Metzmacher [Mon, 31 Jan 2022 19:33:43 +0000 (20:33 +0100)]
libcli/smb: fix error checking in smb2_signing_decrypt_pdu() invalid ptext_len
When the ptext_size != m_total check fails, we call this:
status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
goto out;
As rc is 0 at that point we'll exit smb2_signing_decrypt_pdu()
with NT_STATUS_OK, but without copying the decrypted data
back into the caller's buffer. Which leads to strange errors
in the caller.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 99182af4ab5a3413311e27c2a193e09babceb01c)
Stefan Metzmacher [Tue, 1 Feb 2022 09:52:27 +0000 (10:52 +0100)]
selftest/quick: add smb2.session
We run the quicktest on each linux distro as part of samba-o3 builds.
We should make sure smb2 signing/encryption works on all of them
and all different system libraries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 68e62962b08497da8359ddbe4324443818c05cd1)
Ralph Boehme [Fri, 28 Jan 2022 16:51:10 +0000 (17:51 +0100)]
s3/libads: ensure a sockaddr variable is correctly zero initialized
is_zero_addr() doesn't work with addresses that have been zero-initialized.
This fixes the logic added in c863cc2ba34025731a18ac735f714b5b888504da.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14674
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2354
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 8 20:24:12 UTC 2022 on sn-devel-184
(cherry picked from commit 3ee690455eb963dedc7955b79316481387d4ac8c)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Wed Feb 9 12:35:08 UTC 2022 on sn-devel-184
Ralph Boehme [Mon, 31 Jan 2022 11:54:12 +0000 (12:54 +0100)]
s3/libads: simplify storing existing ads->ldap.ss
We just need temporal storage for ads->ldap.ss, no need to store it as a struct
samba_sockaddr.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14674
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2354
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit c266ed40aeb1b1f59a1811cd4511e32e44a4a719)
Jeremy Allison [Thu, 3 Feb 2022 23:59:51 +0000 (15:59 -0800)]
s3: libsmb: Call cli_dfs_target_check() from cli_smb2_rename_send().
Strips off any DFS prefix from the target if passed in.
Remove knownfail selftest/knownfail.d/msdfs-rename.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Feb 4 12:02:36 UTC 2022 on sn-devel-184
(cherry picked from commit b9b82f3611c56e837e9189f5275ae9a78e647262)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Wed Feb 9 09:22:03 UTC 2022 on sn-devel-184
Jeremy Allison [Thu, 3 Feb 2022 23:56:51 +0000 (15:56 -0800)]
s3: libsmb: Call cli_dfs_target_check() from cli_cifs_rename_send().
Strips off any DFS prefix from the target if passed in.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 4473aea926fe4ddd23a6e0913009bb1a0a1eaa90)
Jeremy Allison [Thu, 3 Feb 2022 23:54:55 +0000 (15:54 -0800)]
s3: libsmb: Call cli_dfs_target_check() from cli_smb1_rename_send().
Strips off any DFS prefix from the target if passed in.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit dd0317f6ecb572a80893405daa83e079dbcdf113)
Jeremy Allison [Thu, 3 Feb 2022 22:54:26 +0000 (14:54 -0800)]
s3: libsmb: Call cli_dfs_target_check() from cli_ntrename_internal_send().
Currently we don't pass MSDFS names as targets here, but a caller
may erroneously do this later, and for non-DFS names this is a no-op.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit cf3e5724422d8becd045542be196dfea6ac9ec2b)
Jeremy Allison [Thu, 3 Feb 2022 22:51:13 +0000 (14:51 -0800)]
s3: libsmb: Call cli_dfs_target_check() from cli_smb2_hardlink_send().
Currently we don't pass MSDFS names as targets here, but a caller
may erroneously do this later, and for non-DFS names this is a no-op.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 4bdbe3c2fc0c35635474ae526896b28f55142aca)
Jeremy Allison [Thu, 3 Feb 2022 19:15:30 +0000 (11:15 -0800)]
s3: libsmb: Add cli_dfs_target_check() function.
Strips any DFS prefix from a target name that will be passed
to an SMB1/2/3 rename or hardlink call. Returns a pointer
into the original target name after the prefix. Not yet used.
If the incoming filename is *NOT* a DFS prefix, the
original filename is returned unchanged.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 2abba0ea109d7a3a0b0cb4a7030293f70c2d9d8a)
Jeremy Allison [Thu, 3 Feb 2022 22:21:26 +0000 (14:21 -0800)]
s3: tests: Add a new test test_msdfs_rename() that does simple renames on MSDFS root shares.
We fail this on SMB2 for a subtle reason.
Our client code called from smbclient only sets the SMB2_HDR_FLAG_DFS flag
in the outgoing packet on the SMB2_CREATE call, and SMB2 rename does the
following operations:
SMB2_CREATE(src_path) // We set SMB2_HDR_FLAG_DFS here for a MSDFS share.
SMB2_SETINFO: SMB2_FILE_RENAME_INFO(dst_path). // We don't set SMB2_HDR_FLAG_DFS
However, from smbclient, dst_path is a MSDFS path but we don't set the flag,
so even though the rename code inside smbd will cope with a MSDFS path
(as used in the SMB1 SMBmv call) it fails as the correct flag isn't set.
Add knownfail selftest/knownfail.d/msdfs-rename.
Note we need to add the new test to "selftest/knownfail.d/smb1-tests"
as test_smbclient_s3.sh is run against the (ad_member|nt4_member)
environments first using NT1 (SMB1) protocol and then using SMB3,
but the (ad_member|nt4_member) environments don't support SMB1.
Seems a bit strange to me, but all the other SMB1 tests inside
test_smbclient_s3.sh have already been added to "selftest/knownfail.d/smb1-tests"
so just go with the test environment.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 44cc9fb0e01b3635804f41e03f9b20afc3bfe36c)
Jeremy Allison [Thu, 3 Feb 2022 21:58:28 +0000 (13:58 -0800)]
s3: tests: Add a new test test_msdfs_hardlink() that does simple hardlinks on MSDFS root shares.
We pass this already as the cmd_hardlink in smbclient doesn't
do the DFS path conversion on the hardlink target. But it's
good to have the test.
Note we need to add the new test to "selftest/knownfail.d/smb1-tests"
as test_smbclient_s3.sh is run against the (ad_member|nt4_member)
environments first using NT1 (SMB1) protocol and then using SMB3,
but the (ad_member|nt4_member) environments don't support SMB1.
Seems a bit strange to me, but all the other SMB1 tests inside
test_smbclient_s3.sh have already been added to "selftest/knownfail.d/smb1-tests"
so just go with the test environment.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit d7deb876053ef45313026b4dea9ee1b376153611)
Jeremy Allison [Wed, 2 Feb 2022 18:52:09 +0000 (10:52 -0800)]
lib: libsmbclient: Ensure cli_rename() always sets cli->raw_status.
Identical change as used in cli_unlink(), cli_mkdir(), cli_rmdir()
cli_chkpath() to ensure SMB2 calls correctly set raw_status for
libsmbclient uses.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14938
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 2 21:50:31 UTC 2022 on sn-devel-184
(cherry picked from commit ca60f6350d566b7ecc822bcbb44fb65a1d150bbe)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Fri Feb 4 08:09:02 UTC 2022 on sn-devel-184
Jeremy Allison [Wed, 2 Feb 2022 18:49:17 +0000 (10:49 -0800)]
s4: test: Add samba4.libsmbclient.rename test. Currently fails for SMB3.
Add knownfail.d/libsmbclient_rename
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14938
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0ecc58858360bcc0181a02e52ada3e8327f97c5b)
Günther Deschner [Wed, 17 Nov 2021 08:56:09 +0000 (09:56 +0100)]
pam_winbind: add new pwd_change_prompt option (defaults to off).
This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)
Jule Anger [Mon, 31 Jan 2022 13:44:06 +0000 (14:44 +0100)]
VERSION: Bump version up to Samba 4.15.6...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Jule Anger [Mon, 31 Jan 2022 13:43:18 +0000 (14:43 +0100)]
Merge tag 'samba-4.15.5' into v4-15-test
samba: tag release samba-4.15.5
Jule Anger [Mon, 31 Jan 2022 09:39:24 +0000 (10:39 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.15.5 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 31 Jan 2022 09:34:04 +0000 (10:34 +0100)]
WHATSNEW: Add release notes for Samba 4.15.5.
Signed-off-by: Jule Anger <janger@samba.org>
Jeremy Allison [Wed, 8 Dec 2021 06:19:29 +0000 (22:19 -0800)]
CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT().
We need to take SMB1+POSIX into account here and do an LSTAT if it's
a POSIX name.
Remove knownfail.d/posix_sylink_rename
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Wed, 8 Dec 2021 06:15:46 +0000 (22:15 -0800)]
CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename.
Add a knownfail.d/posix_sylink_rename
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 22:39:42 +0000 (14:39 -0800)]
CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert().
If filename_convert() fails to convert the path, we never call
check_name(). This means we can return an incorrect error code
(NT_STATUS_ACCESS_DENIED) if we ran into a symlink that points
outside the share to a non-readable directory. We need to make
sure in this case we always call check_name().
Remove knownfail.d/symlink_traversal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 22:33:17 +0000 (14:33 -0800)]
CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks.
NT_STATUS_OBJECT_PATH_NOT_FOUND for a path component failure.
NT_STATUS_OBJECT_NAME_NOT_FOUND for a terminal component failure.
Remove:
samba3.blackbox.test_symlink_traversal.SMB1.posix
samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\)
samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\)
in knownfail.d/symlink_traversal as we now pass these. Only one more fix
remaining to get rid of knownfail.d/symlink_traversal completely.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 19:44:09 +0000 (11:44 -0800)]
CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND.
Matches the error return from openat_pathref_fsp().
NT_STATUS_OBJECT_PATH_NOT_FOUND is for a bad component in a path, not
a bad terminal symlink.
Remove knownfail.d/simple_posix_open, we now pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Wed, 8 Dec 2021 01:56:35 +0000 (17:56 -0800)]
CVE-2021-44141: s3: torture: Change expected error return for samba3.smbtorture_s3.plain.POSIX.smbtorture.
Trying to open a symlink as a terminal component should return
NT_STATUS_OBJECT_NAME_NOT_FOUND, not NT_STATUS_OBJECT_PATH_NOT_FOUND.
Mark as knownfail.d/simple_posix_open until we fix the server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 20:56:51 +0000 (12:56 -0800)]
CVE-2021-44141: s3: torture: In test_smbclient_s3, change the error codes expected for test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND.
For SMB1/2/3 (minus posix) we need to treat bad symlinks
as though they don't exist.
Add to knownfail.d/symlink_traversal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 20:34:38 +0000 (12:34 -0800)]
CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.posix
Add to knownfail.d/symlink_traversal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 20:32:19 +0000 (12:32 -0800)]
CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.
Add to knownfail.d/symlink_traversal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 20:28:54 +0000 (12:28 -0800)]
CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2.
Add to knownfail.d/symlink_traversal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Thu, 18 Nov 2021 20:16:44 +0000 (12:16 -0800)]
CVE-2021-44141: s3: smbtorture3: Fix POSIX-BLOCKING-LOCK to actually negotiate SMB1+POSIX before using POSIX calls.
This must be done before doing POSIX calls on a connection.
Remove the final entry in knownfail.d/posix_infolevel_fails
samba3.smbtorture_s3.plain.POSIX-BLOCKING-LOCK.smbtorture\(nt4_dc_smb1\)
And remove the file knownfail.d/posix_infolevel_fails itself.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 19 Nov 2021 08:05:35 +0000 (00:05 -0800)]
CVE-2021-44141: s3: tests: Fix the samba3.blackbox.acl_xattr test to actually negotiate SMB1+POSIX before using POSIX calls.
Remove the following entries in knownfail.d/posix_infolevel_fails.
samba3.blackbox.acl_xattr.NT1.nt_affects_posix.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chown.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chgrp.*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 19 Nov 2021 20:12:36 +0000 (12:12 -0800)]
CVE-2021-44141: s3: tests: Fix the samba3.blackbox.inherit_owner test to actually negotiate SMB1+POSIX before using POSIX calls.
Remove the following entry in knownfail.d/posix_infolevel_fails.
samba3.blackbox.inherit_owner.*.NT1.*verify.*unix\ owner.*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 19 Nov 2021 20:15:06 +0000 (12:15 -0800)]
CVE-2021-44141: s4: torture: Fix unix.info2 test to actually negotiate SMB1+POSIX before using POSIX calls.
Cope with the minor difference in wildcard search return when
we're actually using SMB1+POSIX on the server (SMB1+POSIX treats
all directory search paths as wildcards).
Remove the following entries in knownfail.d/posix_infolevel_fails.
samba3.unix.info2.info2\(nt4_dc_smb1\)
samba3.unix.info2.info2\(ad_dc_smb1\)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 19 Nov 2021 22:51:39 +0000 (14:51 -0800)]
CVE-2021-44141: s4: torture: Fix raw.search:test_one_file() by using the SMB1+POSIX connection for POSIX info levels.
Remove the following entry in knownfail.d/posix_infolevel_fails.
^samba3.raw.search.one\ file\ search.*
from knownfail.d/posix_infolevel_fails
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 19 Nov 2021 22:48:20 +0000 (14:48 -0800)]
CVE-2021-44141: s4: torture: raw.search: Add setup_smb1_posix(). Call it on the second connection in test_one_file().
Not yet used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 19 Nov 2021 22:44:05 +0000 (14:44 -0800)]
CVE-2021-44141: s4: torture: In raw.search:test_one_file() add a second connection.
Change from torture_suite_add_1smb_test() to torture_suite_add_2smb_test().
Not yet used. We will need this to do SMB1+POSIX search calls on
a connection on which we have negotiated SMB1+POSIX.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Sun, 21 Nov 2021 04:17:11 +0000 (20:17 -0800)]
CVE-2021-44141: s3: smbclient: Give a message if we try and use any POSIX command without negotiating POSIX first.
Ensure we only use a POSIX command if POSIX is set up.
Issue the message: Command "posix" must be issued before the "XXXX" command can be used.
After the parameter parsing has been done.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Thu, 18 Nov 2021 19:48:42 +0000 (11:48 -0800)]
CVE-2021-44141: s3: smbd: Tighten up info level checks for SMB1+POSIX to make sure POSIX was negotiated first.
Add knownfail file
knownfail.d/posix_infolevel_fails
for tests that don't currently negotiate
SMB1+POSIX before using SMB1+POSIX calls.
These are:
samba3.smbtorture_s3.plain.POSIX-BLOCKING-LOCK.smbtorture\(nt4_dc_smb1\)
samba3.blackbox.acl_xattr.NT1.nt_affects_posix.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chown.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chgrp.*
samba3.blackbox.inherit_owner.*.NT1.*verify.*unix\ owner.*
samba3.unix.info2.info2\(nt4_dc_smb1\)
samba3.unix.info2.info2\(ad_dc_smb1\)
samba3.raw.search.one\ file\ search.*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 19 Nov 2021 22:18:47 +0000 (14:18 -0800)]
CVE-2021-44141: s4: torture: In raw.search:test_one_file() remove the leading '\\' in the test filenames.
We'll soon be using this under SMB1+POSIX and neither Windows nor POSIX
need a leading '\\' (and SMB1+POSIX sees the '\\' as part of the name).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 19 Nov 2021 20:54:47 +0000 (12:54 -0800)]
CVE-2021-44141: s4: torture: Fix raw.search:test_one_file() to use torture_result() instead of printf.
I think this test pre-dates torture_result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 21:06:27 +0000 (13:06 -0800)]
CVE-2021-44141: s3: smbd: Remove 'struct uc_state' name_has_wildcard element.
It is never set or looked at.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 21:05:55 +0000 (13:05 -0800)]
CVE-2021-44141: s3: smbd: In unix_convert_step_stat() remove use of state->name_was_wildcard.
It can never be true.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 21:03:47 +0000 (13:03 -0800)]
CVE-2021-44141: s3: smbd: In unix_convert_step() remove all use of 'state->name_was_wildcard'
We know it is never true.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 20:59:50 +0000 (12:59 -0800)]
CVE-2021-44141: s3: smbd: In unix_convert() remove the now unneeded block indentation.
We removed the 'if (state->name_has_wildcard) {' clause, so
the block no longer needs indenting.
Best seen with git show -b.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 20:55:41 +0000 (12:55 -0800)]
CVE-2021-44141: s3: smbd: In unix_convert(), remove all references to state->name_has_wildcard.
It is never set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 20:53:36 +0000 (12:53 -0800)]
CVE-2021-44141: s3: smbd: Inside unix_convert(), never set state->name_is_wildcard.
We error out immediately if it's set anyway.
Preparing to remove 'state->name_is_wildcard' structure element.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 20:40:43 +0000 (12:40 -0800)]
CVE-2021-44141: s3: smbd: UCF_ALWAYS_ALLOW_WCARD_LCOMP 0x00000002 is no longer used.
Hurrah !
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 20:37:15 +0000 (12:37 -0800)]
CVE-2021-44141: s3: smbd: We no longer need determine_path_error().
Now we don't have to consider wildcards, just
return NT_STATUS_OBJECT_PATH_NOT_FOUND for
the cases we used to call it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 19:33:42 +0000 (11:33 -0800)]
CVE-2021-44141: s3: smbd: Inside 'struct uc_state', remove allow_wcard_last_component.
This is never allowed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 19:30:42 +0000 (11:30 -0800)]
CVE-2021-44141: s3: smbd: filename_convert() no longer deals with wildcards.
These are already errored out with NT_STATUS_OBJECT_NAME_INVALID
in the unix_convert() code.
Remove the check.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 19:48:23 +0000 (11:48 -0800)]
CVE-2021-44141: s3: smbd: parse_dfs_path() can ignore wildcards.
If one is passed to filename_convert(), it will error out there
with NT_STATUS_OBJECT_NAME_INVALID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 19:42:23 +0000 (11:42 -0800)]
CVE-2021-44141: s3: smbd: Remove 'bool search_wcard_flag' from parse_dfs_path().
Never set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 19:31:40 +0000 (11:31 -0800)]
CVE-2021-44141: s3: smbd: dfs_path_lookup() no longer deals with wildcards.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 19:28:40 +0000 (11:28 -0800)]
CVE-2021-44141: s3: smbd: Fix call_trans2findfirst() to use filename_convert_smb1_search_path().
filename_convert() no longer has to handle wildcards.
UCF_ALWAYS_ALLOW_WCARD_LCOMP is now unused.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 19:22:03 +0000 (11:22 -0800)]
CVE-2021-44141: s3: smbd: Convert reply_search() to use filename_convert_smb1_search_path().
Cleans up this code path nicely !
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 18:35:09 +0000 (10:35 -0800)]
CVE-2021-44141: s3: smbd: Add filename_convert_smb1_search_path() - deals with SMB1 search pathnames.
SMB1search and trans2 findfirst are unique in that
they are the only passed in pathnames that can contain
a terminal wildcard component.
Deal with these two special cases with this new function
that strips off the terminal wildcard and returns it as
the mask, and passes the non-wildcard parent directory
component through the standard filename_convert().
Uses new helper function strip_gmt_from_raw_dfs().
When SMB1search and trans2 findfirst have been
converted to use this function, we can strip all
wildcard handling out of filename_convert() as
we now know it will only ever be given valid
pathnames.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
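The split described in the commit message above, as an added sketch that is not part of the Samba commit or code base: the terminal component becomes the search mask, and a wildcard anywhere in the parent is rejected before the parent reaches ordinary path resolution. The function name, the status enum and the treatment of a non-wildcard terminal component are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes local to this sketch; SPLIT_OBJECT_NAME_INVALID stands in
 * for the NT_STATUS_OBJECT_NAME_INVALID named in the commit messages. */
enum split_status {
	SPLIT_OK = 0,
	SPLIT_OBJECT_NAME_INVALID, /* wildcard outside the last component */
	SPLIT_BUFFER_TOO_SMALL     /* caller's buffers cannot hold the parts */
};

/* True if s contains one of the SMB wildcard characters * ? < > " */
static bool has_smb_wildcard(const char *s)
{
	return strpbrk(s, "*?<>\"") != NULL;
}

/*
 * Split a '\\'-separated SMB1 search path into the parent directory and
 * the terminal component, which is returned as the search mask.
 * Assumption of this sketch: a terminal component without a wildcard is
 * still returned as the mask (it then matches exactly one name).
 */
enum split_status split_smb1_search_path(const char *path,
					 char *dir, size_t dir_len,
					 char *mask, size_t mask_len)
{
	const char *sep = strrchr(path, '\\');
	const char *leaf = (sep != NULL) ? sep + 1 : path;
	size_t parent_len = (sep != NULL) ? (size_t)(sep - path) : 0;

	if (parent_len >= dir_len || strlen(leaf) >= mask_len) {
		return SPLIT_BUFFER_TOO_SMALL;
	}
	memcpy(dir, path, parent_len);
	dir[parent_len] = '\0';
	memcpy(mask, leaf, strlen(leaf) + 1);

	/* Only the last component may be a pattern. Everything before it
	 * is handed to ordinary path resolution and must be literal. */
	if (has_smb_wildcard(dir)) {
		return SPLIT_OBJECT_NAME_INVALID;
	}
	return SPLIT_OK;
}

int main(void)
{
	/* Constructed sample input, not taken from the Samba test suite. */
	char dir[64], mask[64];
	enum split_status st = split_smb1_search_path("docs\\2021\\*.txt",
						       dir, sizeof(dir),
						       mask, sizeof(mask));
	printf("status=%d dir=%s mask=%s\n", (int)st, dir, mask);
	return 0;
}
```

Keeping pattern characters out of the parent means the symlink and share-boundary checks in the resolver only ever see literal names.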
Jeremy Allison [Sat, 4 Dec 2021 00:14:08 +0000 (16:14 -0800)]
CVE-2021-44141: s3: smbd: Allow dfs_redirect() to return a TWRP token it got from a parsed pathname.
This one is subtle. If an SMB1 request has both a DFS path and a @GMT token,
the unix_convert() inside the DFS path processing will remove the @GMT
token, not allowing the subsequent unix_convert() inside filename_convert()
to see it. By returning it from dfs_redirect() we can ensure it's correctly
added to the smb_filename returned from filename_convert().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Sat, 4 Dec 2021 00:00:26 +0000 (16:00 -0800)]
CVE-2021-44141: s3: smbd: In dfs_path_lookup(). If we have a DFS path including a @GMT-token, don't throw away the twrp value when parsing the path.
Not yet used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 18:19:38 +0000 (10:19 -0800)]
CVE-2021-44141: s3: smbd: filename_convert() is now a one-to-one wrapper around filename_convert_internal().
Remove filename_convert() and rename filename_convert_internal() -> filename_convert().
Move the old DEBUG(..) statements to DBG_XXX() so they don't print the wrong name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 18:14:03 +0000 (10:14 -0800)]
CVE-2021-44141: s3: smbd: Remove now unused check_reduced_name_with_privilege().
We now only have one function that does this check (check_reduced_name()),
used everywhere.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 18:13:13 +0000 (10:13 -0800)]
CVE-2021-44141: s3: smbd: Remove unused check_name_with_privilege().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 3 Dec 2021 18:10:45 +0000 (10:10 -0800)]
CVE-2021-44141: s3: smbd: In filename_convert_internal(), remove call to check_name_with_privilege().
We now always pass NULL as struct smb_request *smbreq,
so this code path can never be taken.
Comment out check_name_with_privilege() as it's now
no longer used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>