IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c207f2a989fc791b5f9bf9043d3c6ac31db5cdfd)
Test various combinations of having encryption globally turned off and
enabled (desired/required) on a share, with SMB1 UNIX Extensions and SMB3.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 21d030e5bdf7dc6ef8d5f4e70bed7e70b731cd15)
Encryption is currently not tested in this env so we can safely turn it
off. The next commit will add a blackbox tests that test combinations of
having encryption globally turned off and enabled (desired/required) on
a share.
This also adds a new share "enc_desired" with "smb encrypt = desired"
which will be used by the test in the next commit.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 573e8e15b3ed27d6b593e635e9c24eea3fdf4fb9)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f8d937b331ac985264c76d76b447683fc494d38a)
If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.
The behaviour of specifying
[Global]
smb encrypt = off
[share]
smb encrypt = desired
must be an unecrypted tree connect to the share "share".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b0b418c22558fa1df547df9bdac2642343ac39e1)
If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.
The behaviour of setting
[Global]
smb encrypt = off
[share]
smb encrypt = required
must be to completely deny access to the share "share".
This was working correctly for clients when using SMB 3 dialects <
3.1.1, but not for 3.1.1 with a negprot encryption context.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6ae63d42f5aacddf5b7b6dbdfbe620344989e4e5)
If encryption is disabled globally, per definition we shouldn't allow
enabling encryption on individual shares.
The behaviour of setting
[Global]
smb encrypt = off
[share_required]
smb encrypt = required
[share_desired]
smb encrypt = desired
must be to completely deny access to the share "share_required" and an
unencrypted connection to "share_desired".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 43a90cee46bb7a70f7973c4fc51eee7634e43145)
Pair-Programmed-With: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Jan 12 15:34:25 CET 2017 on sn-devel-144
(cherry picked from commit 7870c645b79da647bae45b4dc95e7d6e9abcd91a)
Autobuild-User(v4-4-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-4-test): Fri Jan 27 11:52:07 CET 2017 on sn-devel-144
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Sat Jan 21 17:00:54 CET 2017 on sn-devel-144
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12535
(cherry picked from commit 5059c8e2e3a6159bc2917ddd80d09fab35b39e66)
Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Thu Jan 26 12:41:13 CET 2017 on sn-devel-144
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12509
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 10 17:40:58 CET 2017 on sn-devel-144
(cherry picked from commit e84e44ce923e5dc7529bb813e10a2890528a4ab0)
Autobuild-User(v4-4-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-4-test): Sat Jan 14 13:55:25 CET 2017 on sn-devel-144
This avoids the usage of the ccselect_realm logic in MIT krb5,
which leads to unpredictable results.
The problem is the usage of gss_acquire_cred(), that just creates
a credential handle without ccache.
As result gss_init_sec_context() will trigger a code path
where it use "ccselect" plugins. And the ccselect_realm
module just chooses a random ccache from a global list
where the realm of the provides target principal matches
the realm of the ccache user principal.
In the winbindd case we're using MEMORY:cliconnect to setup
the smb connection to the DC. For ldap connections we use
MEMORY:winbind_ccache.
The typical case is that we do the smb connection first.
If we try to create a new ldap connection, while the
credentials in MEMORY:cliconnect are expired,
we'll do the required kinit into MEMORY:winbind_ccache,
but the ccselect_realm module will select MEMORY:cliconnect
and tries to get a service ticket for the ldap server
using the already expired TGT from MEMORY:cliconnect.
The solution will be to use gss_krb5_import_cred() and explicitly
pass the desired ccache, which avoids the ccselect logic.
We could also use gss_acquire_cred_from(), but that's only available
in modern MIT krb5 versions, while gss_krb5_import_cred() is available
in heimdal and all supported MIT versions (>=1.9).
As far as I can see both call the same internal function in MIT
(at least for the ccache case).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 7c3ea9fe96336483752adb821f8062a883d52998)
We always have gss_krb5_import_cred(), it available in heimdal
and also the oldest version (1.9) of MIT krb5 that we support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b61a93755ca59a58775c1c8c21baee49fef42fbf)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 6f029d58703f657e46fee35fc663128157db4d9f)
ReFS doesn't support compression, but responds to set-compression FSCTLs
with NT_STATUS_OK if (and only if) the requested compression format is
COMPRESSION_FORMAT_NONE.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12144
Reported-by: Nick Barrett <nick@barrett.org.nz>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jan 9 23:14:28 CET 2017 on sn-devel-144
(cherry picked from commit 28cc347876b97b7409d6efd377f031fc6df0c5f3)
This test case was overlooked in the previous bso#12144 update -
set compression requests with format=COMPRESSION_FORMAT_NONE should
succeed if the server / backing storage doesn't offer compression
support.
Confirm that Samba matches Windows Server 2016 ReFS behaviour here.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12144
Reported-by: Nick Barrett <nick@barrett.org.nz>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6fde123176409e261d955e24b3d28e5124f33bed)
NT_STATUS_ACCOUNT_DISABLED,
NT_STATUS_PASSWORD_RESTRICTION,
NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT,
NT_STATUS_PWD_TOO_SHORT
now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which is
the closest match.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 69f10080c3765a9b139fbad7f3dc633066fdded2)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12479
Back-port from cherry pick from commit b92cac857823ac2d29133fba2fde57cf58805b45)
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Mon Jan 9 14:18:47 CET 2017 on sn-devel-144
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12479
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit e0f1ed9f450851bf5b7fec84577b50047309db3f)
The system /etc/krb5.conf defines some defaults like:
default_ccache_name = KEYRING:persistent:%{uid}
We need to respect that so should include it in our own created
krb5.conf file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 4ef772be3a7259b48253643392574fab28c37916)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit f464f69b33b40c81d6ee57bebf9d59837431739b)
MIT only defined this as CKSUMTYPE_HMAC_SHA1_96_AES128,
while Heimdal has CKSUMTYPE_HMAC_SHA1_96_AES_128.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit bb64c550ae19b08ad4e6d8d26f68c2474cb251e6)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12471
Patches for CVE-2016-2126 break build with MIT Kerberos
Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Tue Dec 20 15:58:07 CET 2016 on sn-devel-144
Calling programs expect to cleanly read from STDOUT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12467
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 9fbd544b90c2b27985637a9bb3fa520f891f8696)
Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Thu Dec 15 12:21:27 CET 2016 on sn-devel-144
Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>.
When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the
code OR's in the deny access mask bits without taking into account if
they were being requested in the requested access mask.
E.g. The current logic has:
An ACL containining:
[0] SID: S-1-3-4
TYPE: DENY
MASK: WRITE_DATA
[1] SID: S-1-3-4
TYPE: ALLOW
MASK: ALLOW_ALL
prohibits an open request by the owner for READ_DATA - even though this
is explicitly allowed.
Furthermore a non-canonical ACL containing:
[0] SID: User SID 1-5-21-something
TYPE: ALLOW
MASK: READ_DATA
[1] SID: S-1-3-4
TYPE: DENY
MASK: READ_DATA
[2] SID: User SID 1-5-21-something
TYPE: ALLOW
MASK: WRITE_DATA
prohibits an open request by the owner for READ_DATA|WRITE_DATA - even
though READ_DATA is explicitly allowed in ACE no 0 and is thus already
filtered out of the "access-still-needed" mask when the deny ACE no 1 is
evaluated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 29b02cf22f3c0f2d556408e9e768d68c1efc3b96)
Based on code from Michael Zeis <mzeis.quantum@gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 91b591224ab7f8ea7b4594da9f61efef14353f7f)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit beb8a73e95e768565760f79c2a16586bafb4e58c)
Noticed by Michael Zeis <mzeis.quantum@gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 2bfad1c9d3237ad8d174b7dc2d1e6e3c53fdb8dc)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12412
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Thu Dec 8 14:52:52 CET 2016 on sn-devel-144
Due to a misspelling in the option parser in all Samba versions up to
and including 4.5.1 this options must be given "fruit:ressource", ie
with two "s".
Samba 4.6 will accept both the correct the correct and the wrong
spelling, Samba 4.7 onwards will only accept the correct
spelling.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12412
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The rule is, a directory (with any other attributes) should always also
set FILE_ATTRIBUTE_DIRECTORY, a file should only set
FILE_ATTRIBUTE_NORMAL if no other attributes is set.
Iow, if a file contains any existing attributes (e.g. FILE_ATTRIBUTE_HIDDEN),
don't add in the FILE_ATTRIBUTE_NORMAL attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12436
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Nov 19 11:55:35 CET 2016 on sn-devel-144
(cherry picked from commit a0783e8dd966a0b2d24d2ca5baa6bed3fe5a7d5a)
Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Thu Dec 1 14:51:30 CET 2016 on sn-devel-144
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 08d1ac0e36339e97e4464f6a6724464b0a568347)
Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Wed Nov 30 15:50:43 CET 2016 on sn-devel-144
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12433
The test is known to be failing if sealing is turned on in some
circumstances. In this case a secret is created and then the function
dcerpc_fetch_session_key() fails. The secret is not removed!
We use torturesecret-%08x with random() to fill in the number. Sometimes
it happens that random() returns a number we already used. So we end up
trying to create a secret for an entry which already exists and run
into a collision
This change makes sure we always cleanup behind us and do not leave
secret objects we created.
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 17 22:30:36 CET 2016 on sn-devel-144
(cherry picked from commit 9de04626c058563a6cf4c13e4f5399039e345ef5)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12415
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9c0f2576d8aa3dd95be1c5ddda2b10d891add0bc)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12415
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 4d9f4bfc69a5899bdf91406dfb7efb70a530446c)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12392
Earlier we were relying on SCHED_RESET_ON_FORK to reset the priority of lock
helper processes. Since SCHED_RESET_ON_FORK support has been removed, the
scheduling priority of child processes created using vfork() need to be reset
explicitly in the helper processes.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Nov 18 10:18:27 CET 2016 on sn-devel-144
(cherry picked from commit 6c6d63c04497fdfdbe665508f2a503f2392dc526)
ULONG_PTR needs to be decoded as a uint3264 and not as a 'uint32 *'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11197
Guenther
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 73f664710a8c9b312a54d0cf41d2f4440c8b42eb)
build: Fix build with perl on debian sid.
It appears that "." is no longer in perl_inc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12395
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Sat Oct 29 09:32:37 CEST 2016 on sn-devel-144
(cherry picked from commit da67acbcfe2167fce9c360a55416ab10e9537a2a)
Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Wed Nov 16 14:32:10 CET 2016 on sn-devel-144
