Karolin Seeger [Fri, 21 Apr 2017 09:12:58 +0000 (11:12 +0200)]
VERSION: Disable GIT_SNAPSHOTS for the 4.6.3 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Fri, 21 Apr 2017 09:12:24 +0000 (11:12 +0200)]
WHATSNEW: Add release notes for Samba 4.6.3.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Hanno Böck [Wed, 19 Apr 2017 12:00:21 +0000 (14:00 +0200)]
cleanupdb: Fix a memory read error
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12748
Signed-off-by: Hanno Böck <hanno@hboeck.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
fd98a7b6a0053b62802e29fb729e219dc08eef6b)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Fri Apr 21 13:59:21 CEST 2017 on sn-devel-144
Michael Adam [Tue, 11 Apr 2017 10:03:52 +0000 (12:03 +0200)]
s3:vfs:shadow_copy2: fix corner case of "/@GMT-token" in shadow_copy2_strip_snapshot
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
26661218b3d3f0d4ee89039727bc110e972c2851)
The last 3 patches address
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12743
vfs_shadow_copy2 fails to list snapshots from shares with GlusterFS backend
Michael Adam [Tue, 11 Apr 2017 10:03:20 +0000 (12:03 +0200)]
s3:vfs:shadow_copy2: fix the corner case if cwd=/ in make_relative_path
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
16c89835cf07caa2082b586666095deba38ef962)
Michael Adam [Tue, 11 Apr 2017 09:18:30 +0000 (11:18 +0200)]
s3:vfs:shadow_copy2: fix quoting in debug messages
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
fffd611fdc558ab428c8a21cf1e68feaf1f6f469)
Stefan Metzmacher [Sun, 2 Apr 2017 22:19:25 +0000 (00:19 +0200)]
pam_winbind: no longer use wbcUserPasswordPolicyInfo when authenticating
The expiry time for the specific user comes from
info->pass_must_change_time and nothing else.
The authenticating DC knows which password policy applies
to the user, that's nothing the client can do, as
domain trusts and fine-grained password policies make
this a very complex task.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12725
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
(cherry picked from commit
fba7ed9a3fa6fcb2d90d1271ae81ec11b554bd2d)
Jeremy Allison [Mon, 17 Apr 2017 21:30:54 +0000 (14:30 -0700)]
s3:smbd: Fix incorrect use of sys_getgroups()
Second arg must be NULL when first arg is 0 (it is in all other places).
Bug report and patch from Hanno Böck <hanno@hboeck.de>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 18 15:43:02 CEST 2017 on sn-devel-144
(cherry picked from commit
76b351e907f67cc7d4af4e7d800c7a3aa1269ee8)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Thu Apr 20 16:21:13 CEST 2017 on sn-devel-144
Jeremy Allison [Mon, 17 Apr 2017 21:30:04 +0000 (14:30 -0700)]
s3:lib: Fix incorrect logic in sys_broken_getgroups()
If setlen == 0 then the second argument must be ignored.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
60af864f751706c48b8af448700bf06e33e45946)
Jeremy Allison [Mon, 17 Apr 2017 21:09:24 +0000 (14:09 -0700)]
lib: debug: Avoid negative array access.
Report and patch from Hanno Böck <hanno@hboeck.de>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12746
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
600f8787e3b605c9f3e8f724c726e63157ee9efc)
Uri Simchoni [Thu, 13 Apr 2017 09:44:58 +0000 (12:44 +0300)]
vfs_acl_xattr: avoid needlessly supplying a large buffer to getxattr()
When obtaining the security descriptor via getxattr(), first try
optimistically to supply a buffer of 4K, and if that turns out
to be too small, determine the correct buffer size.
The previous behavior of falling back to a 64K buffer encountered
problems with Linux prior to version 3.6, due to physical memory
fragmentation. With those kernels, as long as the buffer is 8K or
smaller, getting the xattr is much less prone to failure due to
memory fragmentation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 18 04:41:16 CEST 2017 on sn-devel-144
(cherry picked from commit
05d83ccf7a6fecf963fcb980acd50cebfc0c3ea9)
Uri Simchoni [Sat, 8 Apr 2017 21:40:44 +0000 (00:40 +0300)]
vfs_acl_xattr: factor out fetching of an extended attribute
Pure refactoring - add a function that fetches an extended attribute
based on either the file descriptor or the file name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
7b775abd9278ae34110ec87d94a736be7f64884a)
Uri Simchoni [Thu, 13 Apr 2017 09:50:47 +0000 (12:50 +0300)]
vfs_xattr_tdb: handle case of zero size.
With getxattr(), passing a zero buffer size is a
way of obtaining actual xattr size.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
4dfa2d6a0972847e3b21ddf05077e50ed72c4ea8)
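
The buffer strategy described in the vfs_acl_xattr and vfs_xattr_tdb commit messages above (try 4K first, and on a short buffer use a zero-size call to learn the real length), as an added C example that is not Samba's code. `fetch_xattr`, `xattr_get_fn`, the 64K cap and the in-memory `fake_get` stand-in are assumptions made for illustration; a real caller would wrap getxattr() or fgetxattr() in the getter.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define FIRST_TRY 4096   /* optimistic first buffer, as in the commit message */
#define VALUE_MAX 65536  /* assumed cap: Linux limits xattr values to 64K */

/* Hypothetical getter with getxattr(2) semantics: size == 0 returns the
 * value length without copying; a too-small buffer fails with ERANGE. */
typedef ssize_t (*xattr_get_fn)(void *ctx, void *buf, size_t size);

struct blob { unsigned char *data; size_t len; };

/* Returns 0 and fills *out (caller frees out->data), or -1 with errno set. */
int fetch_xattr(xattr_get_fn get, void *ctx, struct blob *out)
{
    unsigned char *buf = NULL;
    size_t size = FIRST_TRY;
    int saved, tries;

    out->data = NULL;
    out->len = 0;
    /* Bounded retries: the value may grow between the probe and the read. */
    for (tries = 0; tries < 4; tries++) {
        unsigned char *tmp = realloc(buf, size);
        ssize_t n;

        if (tmp == NULL) { saved = ENOMEM; goto fail; }
        buf = tmp;
        n = get(ctx, buf, size);
        if (n >= 0) {
            /* Never trust a reported length beyond the buffer we supplied. */
            if ((size_t)n > size) { saved = EIO; goto fail; }
            out->data = buf;
            out->len = (size_t)n;
            return 0;
        }
        if (errno != ERANGE) { saved = errno; goto fail; }
        n = get(ctx, NULL, 0);              /* zero size: ask only for the length */
        if (n < 0) { saved = errno; goto fail; }
        if ((size_t)n > VALUE_MAX) { saved = E2BIG; goto fail; }
        if ((size_t)n > size) size = (size_t)n;
    }
    saved = EAGAIN;
fail:
    free(buf);
    errno = saved;
    return -1;
}

/* Constructed in-memory stand-in for an xattr, so the example runs anywhere. */
struct fake { const unsigned char *val; size_t len; int calls; size_t largest; };

static ssize_t fake_get(void *ctx, void *buf, size_t size)
{
    struct fake *f = ctx;

    f->calls++;
    if (size > f->largest) f->largest = size;
    if (size == 0) return (ssize_t)f->len;
    if (size < f->len) { errno = ERANGE; return -1; }
    memcpy(buf, f->val, f->len);
    return (ssize_t)f->len;
}

/* Round-trips a constructed value of `len` bytes. Returns the number of
 * getter calls used, or -1 on failure; *largest is the biggest buffer passed. */
int demo_calls(size_t len, size_t *largest)
{
    unsigned char *val = malloc(len ? len : 1);
    struct fake f = { val, len, 0, 0 };
    struct blob out;
    int rc = -1;
    size_t i;

    if (val == NULL) return -1;
    for (i = 0; i < len; i++) val[i] = (unsigned char)(i * 31);
    if (fetch_xattr(fake_get, &f, &out) == 0) {
        if (out.len == len && memcmp(out.data, val, len) == 0) rc = f.calls;
        free(out.data);
    }
    *largest = f.largest;
    free(val);
    return rc;
}

int main(void)
{
    size_t sizes[] = { 100, 6000, 70000 };
    size_t i, largest;

    for (i = 0; i < 3; i++) {
        int calls = demo_calls(sizes[i], &largest);
        printf("value=%zu bytes: calls=%d largest buffer=%zu\n",
               sizes[i], calls, largest);
    }
    return 0;
}
```
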
Uri Simchoni [Sat, 8 Apr 2017 21:20:40 +0000 (00:20 +0300)]
selftest: test fetching a large ACL from vfs_acl_xattr
Add a test that fetches an ACL whose size is larger than 4K.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
5017dfeef24b8d568e0146c085f3f979d688acf2)
Amitay Isaacs [Thu, 6 Apr 2017 02:20:21 +0000 (12:20 +1000)]
ctdb-docs: Fix documentation of -n option to ctdb tool
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12733
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit
7f714a436250dfeaa1970f78090ef066482711f0)
Stefan Metzmacher [Sun, 2 Apr 2017 22:19:40 +0000 (00:19 +0200)]
rpcclient: allow -U'OTHERDOMAIN\user' again
I guess the primary reason for forcing lp_workgroup()
was the usage of -U% together with schannel,
see source3/script/tests/test_rpcclient_samlogon.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12731
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 5 14:09:23 CEST 2017 on sn-devel-144
(cherry picked from commit
f1e3c8ebb31fcd9ef9e1809a42a648442dffc1ee)
Ralph Boehme [Wed, 29 Mar 2017 09:13:46 +0000 (11:13 +0200)]
winbindd: trigger possible passdb_dsdb initialisation
If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
from secrets.tdb. As we use the domain SID in various places, we must
ensure the domain SID is migrated from dsdb to secrets.tdb before
get_global_sam_sid() is called the first time.
The migration is done as part of the passdb_dsdb initialisation, calling
pdb_get_domain_info() triggers it.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 1 21:18:59 CEST 2017 on sn-devel-144
(cherry picked from commit
8b32fc4006ae338ddee7c0e5991958ec3463da0d)
Ralph Boehme [Sun, 26 Mar 2017 06:22:13 +0000 (08:22 +0200)]
winbindd: error handling in rpc_lookup_sids()
NT_STATUS_NONE_MAPPED and NT_STATUS_SOME_NOT_MAPPED should not be
treated as fatal error. We should continue processing the results and
not bail out.
In case we got NT_STATUS_NONE_MAPPED we must ensure all
lsa_TranslatedName are of type SID_NAME_UNKNOWN.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
8dfbba59d768b10f6b088cfc49e5dbe6de4834e1)
Ralph Boehme [Sat, 1 Apr 2017 14:51:07 +0000 (16:51 +0200)]
s3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED
NT_STATUS_NONE_MAPPED is not a fatal error, it just means we must return
all lsa_TranslatedName's as type SID_NAME_UNKNOWN.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
416c74e8c89dc2fb2083beaaa9ac8a6e975ec873)
Ralph Boehme [Sat, 1 Apr 2017 14:56:39 +0000 (16:56 +0200)]
s3/rpc_client: use NT_STATUS_LOOKUP_ERR
No change in behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
0e7e4ebad31caa1ccb392f2fe20c67929149b8c9)
Ralph Boehme [Sat, 1 Apr 2017 14:44:45 +0000 (16:44 +0200)]
s3/include: add NT_STATUS_LOOKUP_ERR
Useful helper macro to check the return value of LSA and SAMR
translations.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
fc37c7327dc7e4ad4405e324fc88d4bbf9b6ef9e)
Ralph Boehme [Fri, 31 Mar 2017 14:06:18 +0000 (16:06 +0200)]
selftest: fix for wbinfo -s tests for wellknown SIDs
Rework while loop to not use a pipe as that uses a subshell for the loop
which means assigning to the variable failed is not visible in the
main script.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
d8fd56a8244a3010469c27eaa3b73a2c5fbbc41f)
Ralph Boehme [Sun, 2 Apr 2017 11:42:45 +0000 (13:42 +0200)]
winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()
Those are implicitly already caught by the
if (sid->num_auths != 5)
check, but I'd like to make the desired behaviour more obvious.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
167bb5ead8c7193d173fdba8a453279d422fa7ea)
Ralph Boehme [Fri, 31 Mar 2017 14:24:05 +0000 (16:24 +0200)]
selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
This test passes even without the fix, as in sids2xids we use the
lookupnames just to determine the mapping domain, using the default
idmap domain as fallback if that fails.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
8bd5f774fdc1f4ea012885262eb0f40640504de8)
Ralph Boehme [Fri, 31 Mar 2017 14:06:18 +0000 (16:06 +0200)]
selftest: wbinfo -s tests for wellknown SIDs
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
2150de3a73527850547263e853faf4f3fedca6e6)
Ralph Boehme [Thu, 30 Mar 2017 21:41:59 +0000 (23:41 +0200)]
winbindd: use passdb backend for well-known SIDs
On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
local domain, otherwise something simple like this fails with
WBC_ERR_DOMAIN_NOT_FOUND:
$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1
localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-1-0
On a member server asking our DC works and is what we're currently
doing, but changing it to ask passdb avoids the overhead.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
6b7a14b4b9c3411bd2e05383917e8fdedae51c90)
Ralph Boehme [Wed, 5 Apr 2017 11:27:51 +0000 (13:27 +0200)]
selftest: tests idmap mapping with idmap_rid
This adds two blackbox tests that run wbinfo --sids-to-unix-ids:
o a non-existing SID from the primary domain should return a mapping
o a SID with a bogus (and therefore unknown) domain must not return a mapping
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Apr 7 00:05:02 CEST 2017 on sn-devel-144
(cherry picked from commit
b680ceebf85b2403758a0f9e931f1211e9b80e8d)
Ralph Boehme [Wed, 5 Apr 2017 11:27:14 +0000 (13:27 +0200)]
selftest: new environment "ad_member_idmap_rid"
This uses idmap_rid for the primary domain.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
ef10b43469f5b31a696259a70b3e116a350bfd3d)
Ralph Boehme [Tue, 4 Apr 2017 12:23:03 +0000 (14:23 +0200)]
winbindd: remove unused single_domains array
This was added as part of
9be918116e356c358ef77cc2933e471090088293, but
is not needed anymore as the previous commit changed the logic.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
9671811da8ad3f91ba7bb0fa868f806bc5afe863)
Ralph Boehme [Tue, 4 Apr 2017 12:21:25 +0000 (14:21 +0200)]
winbindd: use correct domain name for failed lookupsids
What we want here is, for failed lookupsids, pass the domain name of the
SID we were trying to lookup to the idmap backend.
But as a domain member, using
state->single_domains[state->single_sids_done]
for this purpose will always use our primary domain name (for S-1-5-21
SIDs that are not in our local SAM).
So for now use find_domain_from_sid_noinit() to find the domain from the
domain list. This can be removed when we switch idmap backend
determination to be based on domain SIDs, not names.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
a684df160e692710e011c4eb6795a66772025c23)
Martin Schwenke [Mon, 20 Mar 2017 03:49:34 +0000 (14:49 +1100)]
autobuild: Stop waf uninstall from removing test_tmpdir
Most of the autobuild tasks run "make distcheck", which does a
recursive "waf configure make install uninstall". "waf uninstall"
(via BuildContext.install() in Build.py) removes empty directories all
the way up the directory tree. This means that it removes
test_tmpdir, if it is empty, and any empty directories above it.
While this is arguably a waf bug, the simplest solution is to make
test_tmpdir non-empty so it doesn't get removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12703
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 21 10:37:08 CET 2017 on sn-devel-144
(cherry picked from commit
05b5af4ae5fbc9b59c857468512858f73e5dea1b)
Stefan Metzmacher [Tue, 21 Feb 2017 16:05:08 +0000 (17:05 +0100)]
script/autobuild.py: ignore missing test_tmpdir
It is still unknown what removes it...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
cad23629ac48253e508fd9bead2bb79bfa7ee3b8)
Stefan Metzmacher [Wed, 11 Jan 2017 13:13:00 +0000 (14:13 +0100)]
script/autobuild.py: try to make TMPDIR handling more verbose
This hopefully gives some hints regarding flakey tests where
the tmpdir is not available.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
278c921263550c1473df8944260bbb4e62a0e0e6)
Stefan Metzmacher [Wed, 11 Jan 2017 14:02:17 +0000 (15:02 +0100)]
script/autobuild.py: add a do_print() wrapper function that flushes after each message
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
96277a9f82379c7fedf36ca13644eb3493dcd1e2)
Stefan Metzmacher [Wed, 11 Jan 2017 13:48:45 +0000 (14:48 +0100)]
script/autobuild.py: export PYTHONUNBUFFERED=1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
5a8d7a5446c23985a7dd3a9cb4856481b94931db)
Stefan Metzmacher [Wed, 11 Jan 2017 13:42:08 +0000 (14:42 +0100)]
script/autobuild.py: cleanup the task subdirs when they're done.
This hopefully reduces the used space on the memdisk.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
f9e188747753225e77f254fe41aad95ff11fec53)
Ralph Boehme [Tue, 7 Feb 2017 14:13:15 +0000 (15:13 +0100)]
s4/torture: vfs_fruit: test for bug 12565
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
893fc5abbe0a1b63ebd81f442a8d544572ed76a9)
Ralph Boehme [Tue, 7 Feb 2017 06:44:40 +0000 (07:44 +0100)]
vfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY
When receiving an SMB create request with read-only access mode and
open_if disposition, we end up calling the open() function with
flags=O_CREAT|O_RDONLY for the ._ AppleDouble file.
If the file doesn't exist, ie there's currently no rsrc stream, we create
it but then we fail to write the AppleDouble header into the file due to
the O_RDONLY open mode, leaving a 0 byte size ._ file.
Running this create request against the macOS SMB server yields an
interesting result: it returns NT_STATUS_OBJECT_NAME_NOT_FOUND even
though create disposition is open_if. Another instance where the macOS SMB
server just exposes FSA behaviour (ie HFS+) and we have to adapt to be
compatible.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
a36de8b81aa88c31450e68ec54d6b659b1693878)
Stefan Metzmacher [Tue, 28 Mar 2017 13:28:21 +0000 (15:28 +0200)]
wafsamba: move -L/some/path from LINKFLAGS_PYEMBED to LIBPATH_PYEMBED
LINKFLAGS should not have path components.
This fixes the build on systems like FreeBSD where python
is located in /usr/local/lib.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12724
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 4 16:10:18 CEST 2017 on sn-devel-144
(similar to commit
d1b88c6a6edeab4f85fc110eaa8d15e76c7e1f7b)
Volker Lendecke [Fri, 7 Apr 2017 14:33:57 +0000 (16:33 +0200)]
selftest: Test for bug 12558
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
3667876ebebb7181d89834e6038e2d7218c98797)
Volker Lendecke [Thu, 6 Apr 2017 20:12:36 +0000 (22:12 +0200)]
smbd: Fix smb1 findfirst with DFS
9377f3bce should have changed the callers of dfs_path_lookup. It now
takes a uint32_t ucf_flags, not a boolean anymore.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
baa3e71f7968ec3239d80d7602839c2d7c2de74f)
Christof Schmitt [Mon, 27 Mar 2017 22:11:08 +0000 (15:11 -0700)]
winbindd: Fix password policy for pam authentication
Authenticating users from trusted domains would return the password
policy of the joined domain. Fix the code so that the password policy of
the joined domain is only returned for users from that domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12725
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Mar 29 22:54:47 CEST 2017 on sn-devel-144
(cherry picked from commit
bc39fb07ced84af4d97853d00d07fb4293352686)
Amitay Isaacs [Tue, 7 Mar 2017 03:13:10 +0000 (14:13 +1100)]
ctdb-tools: Avoid dereferencing argv[0] if argc == 0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12723
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Mar 29 11:07:18 CEST 2017 on sn-devel-144
(cherry picked from commit
6e9879f6e2f8974730517fad22875db06f0738de)
Andreas Schneider [Fri, 17 Mar 2017 09:04:19 +0000 (10:04 +0100)]
selftest: Define template homedir for 'ad_member' env
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
With this set, the samba3.local.nss test for ad_member will ensure that
we correctly substitute those smb.conf options.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144
(cherry picked from commit
5f4979509950547e68af7f64ac263d0e0705ee03)
Andreas Schneider [Wed, 15 Mar 2017 11:37:08 +0000 (12:37 +0100)]
s3:tests: Add a substitution test for %D %u %g
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
2be02fdd1ed1d565e28f50d02ff5216391ac0660)
Volker Lendecke [Fri, 17 Mar 2017 12:52:57 +0000 (13:52 +0100)]
s3:winbind: Use the correct talloc context for user information
This fixes the substitution for 'template homedir'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144
(cherry picked from commit
ece5e67bbc027432aeb3d97205ef093a0acda8d5)
Karolin Seeger [Fri, 31 Mar 2017 08:18:05 +0000 (10:18 +0200)]
VERSION: Bump version up to 4.6.3.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Fri, 31 Mar 2017 08:17:48 +0000 (10:17 +0200)]
Merge tag 'samba-4.6.2' into v4-6-test
samba: tag release samba-4.6.2
Karolin Seeger [Fri, 31 Mar 2017 06:34:16 +0000 (08:34 +0200)]
VERSION: Disable GIT_SNAPSHOTS for the 4.6.2 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Fri, 31 Mar 2017 06:33:25 +0000 (08:33 +0200)]
WHATSNEW: Add release notes for 4.6.2.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Jeremy Allison [Tue, 28 Mar 2017 05:10:29 +0000 (22:10 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2
Add tests for regular access.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Mar 28 17:05:27 CEST 2017 on sn-devel-144
(cherry picked from commit
4e734fcd1bf82c08aa303ce44e9735acccffcf06)
Jeremy Allison [Tue, 28 Mar 2017 00:09:38 +0000 (17:09 -0700)]
s3: smbd: Fix "follow symlink = no" regression part 2.
Use the cwd_name parameter to reconstruct the original
client name for symlink testing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
e182a4d39e86c9694e255efdf6ee2ea3ccb9af4a)
Jeremy Allison [Tue, 28 Mar 2017 00:04:58 +0000 (17:04 -0700)]
s3: smbd: Fix "follow symlink = no" regression part 2.
Add an extra parameter cwd_name to check_reduced_name().
If cwd_name == NULL then fname is a client given path relative
to the root path of the share.
If cwd_name != NULL then fname is a client given path relative
to cwd_name. cwd_name is relative to the root path of the share.
Not yet used, logic added in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
83e30cb48859b412b76572b6a3ba84d8fde167af)
Jeremy Allison [Tue, 28 Mar 2017 05:07:50 +0000 (22:07 -0700)]
s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no"
Use correct bash operators (not string operators).
Add missing "return".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
037297a1c50e90a0092e3b94f472623f41ccc015)
Jeremy Allison [Mon, 27 Mar 2017 18:48:25 +0000 (11:48 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Back-ported from commit
782172a9bef0040981d20e49519b13dd744df6a0
Jeremy Allison [Mon, 27 Mar 2017 17:46:47 +0000 (10:46 -0700)]
s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).
In a UNIX filesystem, the names "." and ".." by definition can *never*
be symlinks - they are already reserved names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit
ae17bebd250bdde5614b2ac17e53512f19fe9b68)
Karolin Seeger [Fri, 31 Mar 2017 06:31:37 +0000 (08:31 +0200)]
VERSION: Re-enable GIT_SNAPSHOTS.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Jeremy Allison [Tue, 28 Mar 2017 05:10:29 +0000 (22:10 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2
Add tests for regular access.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Mar 28 17:05:27 CEST 2017 on sn-devel-144
(cherry picked from commit
4e734fcd1bf82c08aa303ce44e9735acccffcf06)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Thu Mar 30 12:30:32 CEST 2017 on sn-devel-144
Jeremy Allison [Tue, 28 Mar 2017 00:09:38 +0000 (17:09 -0700)]
s3: smbd: Fix "follow symlink = no" regression part 2.
Use the cwd_name parameter to reconstruct the original
client name for symlink testing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
e182a4d39e86c9694e255efdf6ee2ea3ccb9af4a)
Jeremy Allison [Tue, 28 Mar 2017 00:04:58 +0000 (17:04 -0700)]
s3: smbd: Fix "follow symlink = no" regression part 2.
Add an extra parameter cwd_name to check_reduced_name().
If cwd_name == NULL then fname is a client given path relative
to the root path of the share.
If cwd_name != NULL then fname is a client given path relative
to cwd_name. cwd_name is relative to the root path of the share.
Not yet used, logic added in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
83e30cb48859b412b76572b6a3ba84d8fde167af)
Jeremy Allison [Tue, 28 Mar 2017 05:07:50 +0000 (22:07 -0700)]
s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no"
Use correct bash operators (not string operators).
Add missing "return".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
037297a1c50e90a0092e3b94f472623f41ccc015)
Jeremy Allison [Mon, 27 Mar 2017 18:48:25 +0000 (11:48 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Back-ported from commit
782172a9bef0040981d20e49519b13dd744df6a0
Jeremy Allison [Mon, 27 Mar 2017 17:46:47 +0000 (10:46 -0700)]
s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).
In a UNIX filesystem, the names "." and ".." by definition can *never*
be symlinks - they are already reserved names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit
ae17bebd250bdde5614b2ac17e53512f19fe9b68)
Karolin Seeger [Thu, 23 Mar 2017 09:17:00 +0000 (10:17 +0100)]
VERSION: Bump version up to 4.6.2.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit
c47fee64a6419894713fde18907aff68c7d4c000)
Uri Simchoni [Thu, 23 Mar 2017 19:32:04 +0000 (21:32 +0200)]
selftest: tests for vfs_fruit file-id behavior
The test is in its own suite because it validates
our hackish workaround rather than some reference
implementation behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun Mar 26 23:31:08 CEST 2017 on sn-devel-144
(cherry picked from commit
b6baf35ebde68db75515910ede26e74bb8313284)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Tue Mar 28 16:14:58 CEST 2017 on sn-devel-144
Uri Simchoni [Thu, 23 Mar 2017 19:30:50 +0000 (21:30 +0200)]
torture: add torture_assert_mem_not_equal_goto()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
f31fd41ca728d664ded940a7309ef1e32383bb66)
Uri Simchoni [Thu, 23 Mar 2017 12:51:32 +0000 (14:51 +0200)]
vfs_fruit: document added zero_file_id parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
e11d4eb4d5c6cfc6daa3dbdcc301a4fa83298f0e)
Uri Simchoni [Thu, 23 Mar 2017 12:08:45 +0000 (14:08 +0200)]
vfs_fruit: enable zero file id
Enable zero_file_id if both conditions are met:
- AAPL negotiated
- fruit:zero_file_id is set
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
245a325532c9a46ec3e459ceca38e903b203f691)
Uri Simchoni [Thu, 23 Mar 2017 12:08:26 +0000 (14:08 +0200)]
smbd: add zero_file_id flag
This flag instructs the SMB layer to report a zero on-disk
file identifier.
According to [MS-SMB2] 3.3.5.9.9, the reported on-disk file ID
SHOULD be unique. However, macOS clients seem to expect it to be
unique over time as well, like the HFS+ CNID. Reporting a file ID
of 0 seems to instruct the Mac client not to trust the server-reported
file ID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
6711522e1e57980e50e245f43167d0daf5a705ad)
Andreas Schneider [Mon, 20 Mar 2017 11:22:44 +0000 (12:22 +0100)]
nsswitch: Add negative tests for authentication with wbinfo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Wed Mar 22 10:58:58 CET 2017 on sn-devel-144
(cherry picked from commit
e7d1d8c49322a131e7ca1993f9956f0bddcaff3c)
Andreas Schneider [Tue, 21 Mar 2017 08:57:30 +0000 (09:57 +0100)]
s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit
e2028837b958618a66449a77ee628e4e176e521e)
Jeremy Allison [Tue, 14 Mar 2017 20:34:07 +0000 (13:34 -0700)]
s3: locking: Update oplock optimization for the leases era !
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12628
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 15 20:04:32 CET 2017 on sn-devel-144
(cherry picked from commit
1c4b15aa5f6707e7bcfc21435e26929fb7f45c0f)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Mon Mar 27 16:19:12 CEST 2017 on sn-devel-144
Jeremy Allison [Tue, 14 Mar 2017 20:23:13 +0000 (13:23 -0700)]
s3: locking: Move two leases functions into a new file.
map_oplock_to_lease_type(), fsp_lease_type().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12628
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
125c78ad0b8f9caaef1ba2f1aeb5ec593375fccd)
Jeremy Allison [Thu, 16 Mar 2017 16:17:51 +0000 (09:17 -0700)]
Changes to make the Solaris C compiler happy.
Fix Bug 12693 dbwrap_watch.c syntax error before or at: }
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12693
Signed-off-by: Tom Schulz <schulz@adi.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
2780a56d0bb7848e017314a033ef22ee944d8b05)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Thu Mar 23 16:58:20 CET 2017 on sn-devel-144
Alexander Bokovoy [Fri, 10 Mar 2017 14:20:06 +0000 (16:20 +0200)]
lib/crypto: implement samba.crypto Python module for RC4
Implement a small Python module that exposes arcfour_crypt_blob()
function widely used in Samba C code.
When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
there is a need to encrypt trusted credentials with RC4 cipher.
Current Samba Python code relies on Python runtime to provide RC4
cipher. However, in FIPS 140-2 mode system crypto libraries do not
provide access to RC4 cipher at all. According to Microsoft dochelp team,
Windows is treating AuthenticationInformation blob encryption as 'plain
text' in terms of FIPS 140-2, thus doing application-level encryption.
Replace samba.arcfour_encrypt() implementation with a call to
samba.crypto.arcfour_crypt_blob().
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
(cherry picked from commit
bbeef554f2c15e739f6095fcb57d9ef6646b411c)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12690
Include samba.crypto Python module to 4.6
Jeremy Allison [Thu, 16 Mar 2017 16:10:52 +0000 (09:10 -0700)]
Fix for Solaris C compiler.
Inspired by comment 4 in bug 12559.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12559
Signed-off-by: Tom Schulz <schulz@adi.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit
59229276bcf5e2b7fa0ddf3ceb6fd3adccc01f9a)
Andreas Schneider [Mon, 20 Mar 2017 15:08:20 +0000 (16:08 +0100)]
s3:libsmb: Only print error message if kerberos use is forced
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 21 14:25:54 CET 2017 on sn-devel-144
(cherry picked from commit
c0e196b2238914f88015c0f8a9073beee473120b)
Amitay Isaacs [Tue, 14 Mar 2017 05:12:55 +0000 (16:12 +1100)]
ctdb-readonly: Avoid a tight loop waiting for revoke to complete
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12697
During revoking readonly delegations, if one of the nodes disappears, then
there is no point re-trying revoking readonly delegation. The database
needs to be recovered before the revoke operation can succeed. So retry
only after a grace period.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Mar 17 14:05:57 CET 2017 on sn-devel-144
(cherry picked from commit
ad758cb869ac83534993caa212abc9fe9905ec68)
Jeremy Allison [Wed, 15 Mar 2017 20:52:05 +0000 (13:52 -0700)]
s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes.
We expect the following attributes to be present in an LDAP GPO object:
    displayName
    flags
    gPCFileSysPath
    name
    ntSecurityDescriptor
    versionNumber
and fail if a result is returned without them. Change this
to skip results that don't contain these attributes instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12695
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit
24622bab3a6f1e959c79dc9fc1850e9e64b15adc)
Andreas Schneider [Tue, 14 Mar 2017 15:12:20 +0000 (16:12 +0100)]
s3:vfs_expand_msdfs: Do not open the remote address as a file
The arguments get passed in the wrong order to read_target_host().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
Signed-off-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
1115f152de9ec25bc9e5e499874b4a7c92c888c0)
Andreas Schneider [Mon, 13 Mar 2017 15:34:05 +0000 (16:34 +0100)]
testprogs: Test 'net ads join' with a dedicated keytab
This checks that a 'net ads join' can create the keytab and makes sure we
will not regress in future.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
00e22fe3f63f986978d946e063e19e615cb00ab3)
The last 5 patches address
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12685
REGRESSION: net ads keytab handling is broken
Andreas Schneider [Mon, 13 Mar 2017 16:28:58 +0000 (17:28 +0100)]
param: Allow to specify kerberos method on the commandline
We support --option for our tools but you cannot set an option where the
value of the option includes a space.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
12d26899a45ce5d05ac4279fa5915318daa4f2e0)
Andreas Schneider [Mon, 13 Mar 2017 15:24:52 +0000 (16:24 +0100)]
s3:libads: Correctly handle the keytab kerberos methods
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ca2d8f3161c647c425c8c1eaaac1837c2e97faad)
Andreas Schneider [Mon, 13 Mar 2017 15:11:39 +0000 (16:11 +0100)]
krb5_wrap: Print a warning for an invalid keytab name
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a6a527e1e83a979ef035c49a087b5e79599c10a4)
Andreas Schneider [Mon, 13 Mar 2017 16:30:37 +0000 (17:30 +0100)]
testprogs: Correctly expand shell parameters
The old behaviour is:
    for var in $*
    do
        echo "$var"
    done
And you get this:
    $ sh test.sh 1 2 '3 4'
    1
    2
    3
    4
Changing it to:
    for var in "$@"
    do
        echo "$var"
    done
will correctly expand to:
    $ sh test.sh 1 2 '3 4'
    1
    2
    3 4
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
(cherry picked from commit
acad0adc2977ca26df44e5b22d8b8e991177af71)
Andreas Schneider [Wed, 21 Dec 2016 21:17:22 +0000 (22:17 +0100)]
auth/credentials: Always set the realm if we set the principal from the ccache
This fixes a bug in gensec_gssapi_client_start() where an invalid realm
is used to get a Kerberos ticket.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
30c07065300281e3a67197fe39ed928346480ff7)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Alexander Bokovoy [Wed, 8 Mar 2017 10:38:49 +0000 (12:38 +0200)]
s3-gse: move krb5 fallback to smb_gss_krb5_import_cred wrapper
MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
credentials from a keytab without specifying actual principal.
This was fixed in MIT krb5 1.9.2 (see commit
71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
master's version is
bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
expect this fallback to happen with krb5 GSSAPI mechanism, thus hard
code use of krb5 mech when calling to gss_acquire_cred.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144
(cherry picked from commit
57286d57732d49fdb8b8e21f584787cdbc917c32)
Alexander Bokovoy [Fri, 3 Mar 2017 14:58:14 +0000 (16:58 +0200)]
s3-gse: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
3d733d5791a6d82edda13ac39790bd8ba893f3d7)
Alexander Bokovoy [Fri, 3 Mar 2017 14:57:50 +0000 (16:57 +0200)]
libads: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
520167992bd2477bc11920d2dc9ec87f2cb339c9)
Alexander Bokovoy [Fri, 3 Mar 2017 14:57:13 +0000 (16:57 +0200)]
credentials_krb5: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
ca8fd793930173b4e625d3f286739de214155bc1)
Alexander Bokovoy [Fri, 3 Mar 2017 14:14:57 +0000 (16:14 +0200)]
lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
Wrap gss_krb5_import_cred() to allow re-implementing it with
gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
works fine with GSSAPI interposer (GSS-proxy) while
gss_krb5_import_cred() is not interposed yet.
The wrapper has an additional parameter, krb5_context handle, to facilitate
credentials cache name discovery. All our callers to
gss_krb5_import_cred() already have krb5 context handy.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
0e6e8dd2600c699a7a02e3d11fed21b5bc49858d)
Alexander Bokovoy [Fri, 3 Mar 2017 15:08:09 +0000 (17:08 +0200)]
gssapi: check for gss_acquire_cred_from
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
d630a364f9d74443e482934f76cd7107c331e108)
Karolin Seeger [Thu, 23 Mar 2017 09:17:00 +0000 (10:17 +0100)]
VERSION: Bump version up to 4.6.2.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Thu, 23 Mar 2017 09:16:34 +0000 (10:16 +0100)]
Merge tag 'samba-4.6.1' into v4-6-test
samba: tag release samba-4.6.1
Karolin Seeger [Fri, 17 Mar 2017 10:54:34 +0000 (11:54 +0100)]
VERSION: Disable GIT_SNAPSHOTS for the 4.6.1 release.
CVE-2017-2619: Symlink race allows access outside share definition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Fri, 17 Mar 2017 10:51:42 +0000 (11:51 +0100)]
WHATSNEW: Add release notes for Samba 4.6.1.
CVE-2017-2619: Symlink race allows access outside share definition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Jeremy Allison [Thu, 15 Dec 2016 21:06:31 +0000 (13:06 -0800)]
CVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Thu, 15 Dec 2016 21:04:46 +0000 (13:04 -0800)]
CVE-2017-2619: s3: smbd: Add the core functions to prevent symlink open races.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Thu, 15 Dec 2016 20:56:08 +0000 (12:56 -0800)]
CVE-2017-2619: s3: smbd: Move special handling of symlink errno's into a utility function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Thu, 15 Dec 2016 20:52:13 +0000 (12:52 -0800)]
CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>