1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

129146 Commits

Author SHA1 Message Date
Joseph Sutton
3034c1933c CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
This allows us to make use of it in other tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
af53dbec65 CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
The environment variable is a string, but we expect an integer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
3bd5df466c CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
The target principal and realm fields of the setpw structure are
supposed to be optional, but in MIT Kerberos they are mandatory. For
better compatibility and ease of testing, fall back to parsing the
simpler (containing only the new password) structure if the MIT function
fails to decode it.

Although the target principal and realm fields should be optional, one
is not supposed to specified without the other, so we don't have to deal
with the case where only one is specified.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
f706dcd5dd CVE-2022-2031 s4:kpasswd: Account for missing target principal
This field is supposed to be optional.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-24 09:23:55 +02:00
Joseph Sutton
52b953bfc1 CVE-2022-2031 third_party/heimdal: Check generate_pac() return code
If the function fails, we should not issue a ticket missing the PAC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:23:55 +02:00
Joseph Sutton
628534b4dc CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
So that we do not confuse TGTs and kpasswd tickets, it is critical to
check that the REQUESTER_SID buffer exists in TGTs, and to ensure that
it is not propagated to service tickets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:23:55 +02:00
Joseph Sutton
06444c0d4e selftest: Simplify krb5 test environments
It's not necessary to repeat the required environment variables for
every test.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit e729606631)
2022-07-24 09:23:55 +02:00
Joseph Sutton
191adf2cf3 tests/krb5: Add helper function to modify ticket flags
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ded5115f73)
2022-07-24 09:23:55 +02:00
Andreas Schneider
23f770ed91 s4:kdc: Also cannoicalize krbtgt principals when enforcing canonicalization
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f1ec950aeb)
2022-07-24 09:23:55 +02:00
Joseph Sutton
e0d25e172c CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
To use memcpy(), we need to specify the number of bytes to copy, rather
than the number of ldb_val structures.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:22 +02:00
Joseph Sutton
701aef133f CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
Doing so is undefined behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:22 +02:00
Joseph Sutton
f2ded77168 CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
Currently, we can crash the server by sending a large number of values
of a specific attribute (such as sAMAccountName) spread across a few
message elements. If val_count is larger than the total number of
elements, we get an access beyond the elements array.

Similarly, we can include unrelated message elements prior to the
message elements of the attribute in question, so that not all of the
attribute's values are copied into the returned elements values array.
This can cause the server to access uninitialised data, likely resulting
in a crash or unexpected behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:22 +02:00
Joseph Sutton
1d7690b000 CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
This avoids potentially trying to access the first element of an empty
array.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:22 +02:00
Andrew Bartlett
90ef792d90 CVE-2022-32746 ldb: Release LDB 2.5.2
* CVE-2022-32746 Use-after-free occurring in database audit logging module (bug 15009)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2022-07-24 09:20:22 +02:00
Joseph Sutton
18b73e01ca CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message
This aims to minimise usage of the error-prone pattern of searching for
a just-added message element in order to make modifications to it (and
potentially finding the wrong element).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
c0127af98b CVE-2022-32746 ldb: Add functions for appending to an ldb_message
Currently, there are many places where we use ldb_msg_add_empty() to add
an empty element to a message, and then call ldb_msg_add_value() or
similar to add values to that element. However, this performs an
unnecessary search of the message's elements to locate the new element.
Moreover, if an element with the same attribute name already exists
earlier in the message, the values will be added to that element,
instead of to the intended newly added element.

A similar pattern exists where we add values to a message, and then call
ldb_msg_find_element() to locate that message element and sets its flags
to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary
search, and may locate the wrong message element for setting the flags.

To avoid these problems, add functions for appending a value to a
message, so that a particular value can be added to the end of a message
in a single operation.

For ADD requests, it is important that no two message elements share the
same attribute name, otherwise things will break. (Normally,
ldb_msg_normalize() is called before processing the request to help
ensure this.) Thus, we must be careful not to append an attribute to an
ADD message, unless we are sure (e.g. through ldb_msg_find_element())
that an existing element for that attribute is not present.

These functions will be used in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
a7a59c540b CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message
Using the newly added ldb flag, we can now detect when a message has
been shallow-copied so that its elements share their values with the
original message elements. Then when adding values to the copied
message, we now make a copy of the shared values array first.

This should prevent a use-after-free that occurred in LDB modules when
new values were added to a shallow copy of a message by calling
talloc_realloc() on the original values array, invalidating the 'values'
pointer in the original message element. The original values pointer can
later be used in the database audit logging module which logs database
requests, and potentially cause a crash.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
513574283d CVE-2022-32746 ldb: Add flag to mark message element values as shared
When making a shallow copy of an ldb message, mark the message elements
of the copy as sharing their values with the message elements in the
original message.

This flag value will be heeded in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
77d8711774 CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
738955d0e1 CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
f2ee4c78d9 CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
ef8e25cf53 CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check
Now unrelated flags will no longer affect the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
b436fa43f2 CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to

(el->flags & LDB_FLAG_MOD_MASK) == 0

which is only true if none of the LDB_FLAG_MOD_* values are set, so we
would not successfully return if the element was a DELETE. Correct the
expression to what it was intended to be.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
e46e43f76e CVE-2022-32746 s4:torture: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to

(el->flags & LDB_FLAG_MOD_MASK) == 0

which is only true if none of the LDB_FLAG_MOD_* values are set. Correct
the expression to what it was probably intended to be.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
59cd645b39 CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison
LDB_FLAG_MOD_* values are not actually flags, and the previous
comparison was equivalent to

(req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0

which is true whenever any of the LDB_FLAG_MOD_* values are set. Correct
the expression to what it was probably intended to be.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
c83967ad71 CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN
If an account has an SPN that requires Write Property to set, we should
still be able to delete it with just Validated Write.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Joseph Sutton
16f3112687 CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-07-24 09:20:21 +02:00
Jule Anger
f44ba28879 VERSION: Bump version up to Samba 4.16.4...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>
2022-07-18 13:10:22 +02:00
Jule Anger
b3cbf421c2 VERSION: Disable GIT_SNAPSHOT for the 4.16.3 release.
Signed-off-by: Jule Anger <janger@samba.org>
2022-07-18 13:09:27 +02:00
Jule Anger
36eeba7380 WHATSNEW: Add release notes for Samba 4.16.3.
Signed-off-by: Jule Anger <janger@samba.org>
2022-07-18 13:08:52 +02:00
Samuel Cabrero
89b914b3c5 s3:winbind: Use the canonical realm name to renew the credentials
Consider the following AD topology where all trusts are parent-child
trusts:

                   ADOM.AFOREST.AD
		   	|
            ACHILD.ADOM.AFOREST.AD
			|
AGRANDCHILD.ACHILD.ADOM.AFOREST.AD <-- Samba joined

When logging into the Samba machine using pam_winbind with kerberos enabled
with user ACHILD\user1, the ccache content is:

	Default principal: user1@ACHILD.ADOM.AFOREST.AD

	Valid starting       Expires              Service principal
	07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD
	        renew until 07/13/2022 16:09:23
-->	07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT ticket
	        renew until 07/13/2022 16:09:23
	07/06/2022 16:09:23  07/06/2022 16:14:23  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	        renew until 07/13/2022 16:09:23

But when logging in with user ADOM\user1, the ccache content is:

	Default principal: user1@ADOM.AFOREST.AD

	Valid starting       Expires              Service principal
	07/06/2022 16:04:37  07/06/2022 16:09:37  krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD
	        renew until 07/13/2022 16:04:37
	07/06/2022 16:04:37  07/06/2022 16:09:37  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	        renew until 07/13/2022 16:04:37

MIT does not store the intermediate TGTs when there is more than one hop:

	ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_11105] and impersonating [(null)]

	Getting credentials user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_11105
	Starting with TGT for client realm: user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD

	Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD using TGT krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD
	Sending request to ADOM.AFOREST.AD
	Received answer from stream 192.168.101.32:88
	TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD with session key rc4-hmac/D88B
-->	Received TGT for offpath realm ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT ticket is not stored

	Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD using TGT krbtgt/ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD
	Sending request (1748 bytes) to ACHILD.ADOM.AFOREST.AD
	Received answer (1628 bytes) from stream 192.168.101.33:88
	TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD with session key rc4-hmac/D015
-->	Received TGT for service realm: krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT is not stored

	Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
	Sending request (1721 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Received answer (1647 bytes) from stream 192.168.101.34:88
	TGS reply is for user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/345A
	Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Storing user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105

In the case of ACHILD\user1:

	ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_2000] and impersonating [(null)]

	Getting credentials user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_2000
	Starting with TGT for client realm: user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD

	Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD using TGT krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD
	Sending request to ACHILD.ADOM.AFOREST.AD
	Received answer from stream 192.168.101.33:88
	TGS reply is for user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD with session key rc4-hmac/0F60
-->	Storing user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000 <-- NOTE this TGT is stored
	Received TGT for service realm: krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD

	Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
	Sending request (1745 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Received answer (1675 bytes) from stream 192.168.101.34:88
	TGS reply is for user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/3576
	Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Storing user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000

The result is that winbindd can't refresh the tickets for ADOM\user1
because the local realm is used to build the TGT service name.

	smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'user1@ADOM.AFOREST.AD' and service 'krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD'

	Retrieving user1@ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD from FILE:/tmp/krb5cc_11105 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_11105)

The canonical realm name must be used instead:

	smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'user1@ADOM.AFOREST.AD' and service 'krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD'

	Retrieving user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD from FILE:/tmp/krb5cc_11105 with result: 0/Success
	Get cred via TGT krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD after requesting krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD (canonicalize off)
	Sending request to ADOM.AFOREST.AD
	Received answer from stream 192.168.101.32:88
	TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD with session key aes256-cts/8C7B
	Storing user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 12 12:38:55 UTC 2022 on sn-devel-184

(cherry picked from commit 116af0df4f)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jul 18 09:40:12 UTC 2022 on sn-devel-184
2022-07-18 09:40:12 +00:00
Samuel Cabrero
e388fe2b70 s3:winbind: Create service principal inside add_ccache_to_list()
The function can build the service principal itself, there is no
need to do it in the caller. This removes code duplication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8bef8e3de9)
2022-07-18 08:47:13 +00:00
Volker Lendecke
c5569b4f7a rpc_server3: Initialize mangle_fns in classic and spoolss
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15118
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Jul 12 13:33:14 UTC 2022 on sn-devel-184

(cherry picked from commit 11d3d2aeac)
2022-07-18 08:47:13 +00:00
Samuel Cabrero
17451c5a17 third_party/heimdal: Fix build with gcc version 12.1
Split lib/krb5/crypto to its own subsystem to built with its own CFLAGS
and avoid the following error:

    [1510/4771] Compiling third_party/heimdal/lib/krb5/crypto.c
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘_krb5_internal_hmac’:
    ../../third_party/heimdal/lib/krb5/crypto.c:302:24: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
      302 |     iov[0].data.data = (void *) data;
          |                        ^
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘derive_key_sp800_hmac’:
    ../../third_party/heimdal/lib/krb5/crypto.c:2427:18: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
     2427 |     label.data = (void *)constant;
          |                  ^
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal_derived’:
    ../../third_party/heimdal/lib/krb5/crypto.c:1280:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
     1280 |         free(p);
          |         ^~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c:1278:20: note: call to ‘realloc’ here
     1278 |     result->data = realloc(p, l);
          |                    ^~~~~~~~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal_enc_then_cksum’:
    ../../third_party/heimdal/lib/krb5/crypto.c:1365:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
     1365 |         free(p);
          |         ^~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c:1363:20: note: call to ‘realloc’ here
     1363 |     result->data = realloc(p, l);
          |                    ^~~~~~~~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal’:
    ../../third_party/heimdal/lib/krb5/crypto.c:1431:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
     1431 |         free(p);
          |         ^~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c:1429:20: note: call to ‘realloc’ here
     1429 |     result->data = realloc(p, l);
          |                    ^~~~~~~~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal_special’:
    ../../third_party/heimdal/lib/krb5/crypto.c:1478:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
     1478 |         free(p);
          |         ^~~~~~~
    ../../third_party/heimdal/lib/krb5/crypto.c:1476:20: note: call to ‘realloc’ here
     1476 |     result->data = realloc(p, sz);
          |                    ^~~~~~~~~~~~~~
    cc1: all warnings being treated as errors

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15095

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Tue Jun 14 10:16:18 UTC 2022 on sn-devel-184

(cherry picked from commit 971441ca52)
2022-07-18 08:47:13 +00:00
Samuel Cabrero
3537ef5acb replace: Check for -Wuse-after-free
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15095

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 89e0c732b1)
2022-07-18 08:47:13 +00:00
Christof Schmitt
52ac4ce232 nfs4_acls: Correctly skip chown when gid did not change
Commit 86f7af84 introduced a problem that a chown is always attempted,
even when the owning gid did not change. Then the ACL is set in the file
system as root. Fix the check by correctly comparing with gid, not uid.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15120

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Jul 13 17:30:30 UTC 2022 on sn-devel-184

(cherry picked from commit a6ccceb97e)
2022-07-18 08:47:13 +00:00
Andreas Schneider
a708af3665 s3:libads: Check if we have a valid sockaddr
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15106

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit fbf134c8d9)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jul 11 11:33:49 UTC 2022 on sn-devel-184
2022-07-11 11:33:49 +00:00
Andreas Schneider
42edafd3ed s4:libads: Fix trailing whitespaces in ldap.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15106

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit d96a6cafe5)
2022-07-11 10:27:17 +00:00
Volker Lendecke
54ad51cd3c smbd: Make non_widelink_open() robust for non-cwd dirfsp
If you pass in dirfsp!=conn->cwd_fsp and a stream fsp, we don't chdir
to the parent pathname, and thus we also don't overwrite
fsp->base_fsp.

fsp->base_fsp!=NULL is thus the wrong condition to restore the
original base fsp name: If we open a stream with a non-cwd_fsp dirfsp,
we would overwrite fsp->base_fsp->fsp_name with NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15105

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 280e9191cb)
2022-07-11 10:27:17 +00:00
Andreas Schneider
cce25171f7 s3:printing: Do not clear the printer-list.tdb
With the new dcerpc architecture we need to keep printer-list.tdb
around. A spoolss dcerpc call will start rpc-spoolssd which will then
start the background queue process. However in order to enum the
printers we need have a printer-list.tdb. Depending on the number of
printers this task can take several seconds. It is unlinkly that
the printer-list will change all the time, so we might provide outdated
data till it gets refreshed, but this is better than providing no
printer list at all.

If there are a lot of printers, the idle_seconds for the rpc-spoolssd
should be increased so that the background task can finish.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15082

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9080cd30d5)
2022-07-11 10:27:17 +00:00
Andreas Schneider
becccbae32 s3:waf: Fix version number of public libsmbconf
Error: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15108

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8458449ddf)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jun 27 08:25:10 UTC 2022 on sn-devel-184
2022-06-27 08:25:10 +00:00
Jeremy Allison
58bdf100b2 s3: VFS: streams_xattr: Add the same accommodation to streams_xattr_unlinkat() as used in streams_xattr_renameat().
vfs_fruit passes a synthetic filename here where smb_fname->fsp==NULL
when configured to use "fruit:resource = stream" so we need to use
synthetic_pathref() to get an fsp on the smb_fname->base_name
in order to call SMB_VFS_FREMOVEXATTR().

This is the same change we already use in streams_xattr_renameat()
and streams_xattr_stat(), the other pathname operations we implement
here.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15099

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Mon Jun 20 14:24:20 UTC 2022 on sn-devel-184

(backported from commit 808a7b8b76)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Thu Jun 23 08:43:30 UTC 2022 on sn-devel-184
2022-06-23 08:43:30 +00:00
Jeremy Allison
81dc0832ee s3: tests: Add test that shows smbd crashes using vfs_fruit with fruit:resource = stream on deleting a file.
Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15099

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(backported from commit 238b2cbb8f)
2022-06-23 07:35:08 +00:00
Noel Power
94a94383bb s3/client: fix dfs deltree, resolve dfs path
since 4cc4938a28 do_list seems
to deal with non dfs root path, hence we need to resolve the
path before calling cli_unlink.

Also remove the knownfail

We additionally have to also remove the fallback to remove 'file3'
int the smbcacls_dfs_propagate_inherit.teardown as the deltree
that happens in the baseclass now succeeds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15100

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 17 17:12:07 UTC 2022 on sn-devel-184

(cherry picked from commit 81fdcf95ae)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jun 20 10:56:52 UTC 2022 on sn-devel-184
2022-06-20 10:56:52 +00:00
Noel Power
659d6140f1 Add test smbclient 'delree' of dir (on DFS share)
deltree of a file on a DFS share results in NT_STATUS_OBJECT_PATH_NOT_FOUND
Addionally add a knownfail for this (to be removed in subsequent patch
to fix bug)
We also need to add a knownfail (which will not be removed) for the
new test which will fail in smb1 envs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15100

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 23a5a05db0)
2022-06-20 10:00:16 +00:00
Noel Power
8bac5eedc7 s3/client: fix dfs delete, resolve dfs path
since 4cc4938a28 do_list seems
to deal with non dfs root path, hence we need to resolve the
path before calling cli_unlink.

Also remove the knownfail

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15100

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 7c4cb49823)
2022-06-20 10:00:16 +00:00
Noel Power
2f105c9f54 Add test smbclient 'del' of file (on DFS share)
del of a file on a DFS share results in NT_STATUS_OBJECT_PATH_NOT_FOUND

Addionally add a knownfail (will be removed in following patch to
fix the bug)
We also need to add a knownfail (which will not be removed) for the
new test which will fail in smb1 envs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15100

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit db1b4df0ab)
2022-06-20 10:00:16 +00:00
Noel Power
8db232cb6a Add new dfs node msdfs-share pointing to new msdfs-share2
Also add another node within msdfs-share2 pointing to normal share

This patch is in preperation for creating a test for 'del' &
'deltree' on DFS shares. The extra redirection is necessary to
reproduce the bug

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15100

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 39672a9676)
2022-06-20 10:00:16 +00:00
Andreas Schneider
a9f87b9278 s3:utils: Fix missing space in testparm output
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15097

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 7009fb1a10)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Sat Jun 18 09:55:28 UTC 2022 on sn-devel-184
2022-06-18 09:55:28 +00:00
Douglas Bagnall
edd5a85127 cmdline_s4: re-initialise logging once loadparm is ready
The first time round we maybe didn't know which files we wanted to log to.
Suppose, for example, we had an smb.conf with

 log level = 1 dsdb_group_json_audit:5@/var/log/group_json.log

we wouldn't see anything in "/var/log/group_json.log", while the level
5 dsdb_group_json_audit messages would go into the main log.

Note that the named file would still be opened by winbindd and others
that use the s3 code, but would remain empty as they don't have anything
to say about dsdb_group_json_audit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15076

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9537ac723c)
2022-06-18 08:47:17 +00:00