1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

2972 Commits

Author SHA1 Message Date
Björn Baumbach
2e2426e515 samba-tool group listmembers: always list objects which can not expire
Otherwise for example contacts wouldn't be listed when the
--hide-expired option is used. Contacts typically do not have the
accountExpires attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14692

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Rowland penny <rpenny@samba.org>

Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Mon Apr 26 13:21:43 UTC 2021 on sn-devel-184
2021-04-26 13:21:43 +00:00
Björn Baumbach
86f2b8dab1 test samba-tool group listmembers: test listing contacts as group members
Make sure that contacts are listed as group members, even if the
--hide-expired option is used.

Expect failure. Fix follows up.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14692

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Rowland penny <rpenny@samba.org>
2021-04-26 12:32:35 +00:00
Andreas Schneider
edda7a329e s3:smbd: Remove NIS support
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-22 17:57:30 +00:00
David Mulder
34a6575ab9 samba-tool: Use s3 net join for member join
The s4 member join code has been broken for some
time. Modify samba-tool to instead use the
working s3 member join code.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Wed Apr 21 21:40:13 UTC 2021 on sn-devel-184
2021-04-21 21:40:13 +00:00
Volker Lendecke
b113a3bbcd torture: Show sddl_decode() failure for "GWFX" access mask
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-20 23:19:28 +00:00
Jeremy Allison
5c3470c0f2 s3: smbd: Prevent fchmod on a symlink.
Remove selftest/knownfail.d/symlink_chmod.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 20 08:23:42 UTC 2021 on sn-devel-184
2021-04-20 08:23:42 +00:00
Jeremy Allison
249565c65a s3: torture: Add samba3.smbtorture_s3.plain.POSIX-SYMLINK-CHMOD
Shows we must protect against a null fsp handle when doing POSIX chmod on a symlink,
whether the symlink points to a real object or is dangling.

Add to knownfail for now. Commit 9722732b18
removed the fsp == NULL protection for POSIX, and we need to put it back.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-04-20 07:39:37 +00:00
Philipp Gesang
8e3b369c05 allow tests to be run against a PAM-less build
Indexing the config hash table fails for PAM related values:

    Traceback (most recent call last):
      File "/src/samba/samba/selftest/tests.py", line 49, in <module>
        pam_set_items_so_path = config_hash["PAM_SET_ITEMS_SO_PATH"]
    KeyError: 'PAM_SET_ITEMS_SO_PATH'
    Error creating recipe from python3 /src/samba/samba/selftest/tests.py| at /src/samba/samba/selftest/selftest.pl line 645.

which prevents the test suite from running when built
--without-pam. Access those values using the get() method
instead.

Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Apr 16 10:27:41 UTC 2021 on sn-devel-184
2021-04-16 10:27:41 +00:00
Gary Lockyer
768d48fca9 tests python krb5: MS-KILE client principal look-up
Tests of [MS-KILE]: Kerberos Protocol Extensions
                    section 3.3.5.6.1 Client Principal Lookup

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184
2021-04-12 00:38:26 +00:00
Ralph Boehme
fc6eba619e smbd: SMB2 Compound related chain handling when generation of FileId has failed
Issue:
We have a scenario where an application sends a Compound Related chain
consisting of:
SMB2_CREATE
SMB2_IOCTL
SMB2_SET_INFO
SMB2_CLOSE

SMB2_CREATE failed with NT_STATUS_ACCESS_DENIED and subsequent
requests all fail. In Samba they return NT_STATUS_FILE_CLOSED.

When I tried the same against a Win2k12 server, I noticed that all the
failed requests of the chain would return NT_STATUS_ACCESS_DENIED.

I believe this behaviour is also mentioned in the [MS-SMB2] Specs
3.3.5.2.7.2: Handling Compounded Related Requests

"When the current operation requires a FileId and the previous
operation either contains or generates a FileId, if the previous
operation fails with an error, the server SHOULD<223> fail the current
operation with the same error code returned by the previous
operation."

Fix:
Save NTATUS of a failed Create request. When we process subsequent
requests of the chain we check if the previous Create has failed. In
case of a Create failure we returned the saved NTSTATUS.

Signed-off-by: Anubhav Rakshit <anubhav.rakshit@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr  8 17:30:50 UTC 2021 on sn-devel-184
2021-04-08 17:30:50 +00:00
Ralph Boehme
7f73cde000 torture: add smbtorture compound SMB2 requests test "related8"
This verifies that if the initial create fails with
NT_STATUS_OBJECT_NAME_NOT_FOUND, compount related operations fail with the same
error.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-08 16:13:34 +00:00
Anubhav Rakshit
422302accb torture: add smbtorture testcase "related7" for failure in compound related chain
We want to verify what Windows does when the first request of the
chain has failed and an async request is part of the chain. We see
Windows fails the async request with the same error. Also the async
request is immediately failed.

Signed-off-by: Anubhav Rakshit <anubhav.rakshit@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-08 16:13:34 +00:00
Anubhav Rakshit
5d26aa4069 torture: Add couple of compound related test cases to verify that server should return NTSTATUS of the failed Create for succeeding requests.
We already pass samba3.smb2.compound.related5, but mark related4 as knownfail.

Signed-off-by: Anubhav Rakshit <anubhav.rakshit@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-08 16:13:34 +00:00
Jeremy Allison
d590d9130e s3: smbd: Fix parent_pathref() to cope with symlink parents.
We know that the parent name must
exist, and the name has been canonicalized
even if this was a POSIX pathname.
Ensure that we follow symlinks for
the parent. See the torture test
POSIX-SYMLINK-PARENT for details.

Remove knownfail entry.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Apr  7 15:39:45 UTC 2021 on sn-devel-184
2021-04-07 15:39:45 +00:00
Jeremy Allison
eb3a578b0b s3: torture: Add an SMB1 POSIX specific test POSIX-SYMLINK-PARENT.
This creates a directory, then a symlink to a directory,
and then checks we can POSIX create and delete file, directory,
symlink and hardlink filesystem objects under the symlink
parent directory.

Mark as knownfail until next commit.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-04-07 14:36:37 +00:00
Joseph Sutton
c08f174c35 cracknames: Allow auto-conversion from an extended canonical name
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-07 09:18:30 +00:00
Joseph Sutton
7c2b26a431 auth/credentials: Add test for binding with an extended canonical name
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-07 09:18:30 +00:00
Joseph Sutton
6b57583830 cracknames: Add support for SID string format
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10319

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-07 09:18:30 +00:00
Joseph Sutton
3e531bb885 auth/credentials: Add test for binding with a domain SID
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10319

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-07 09:18:30 +00:00
Samuel Cabrero
aac8be5419 s3: rpc_server: Store new association groups in the id tree
Right now a new association group is created for each connection
assigning the legacy 0x53F0 id, but it is not stored anywhere. When a
second client request to join an association group by its id it is not
found and a new one is created with the same ID.

In practise, it means the association groups are not working even in the
same server process.

This commit stores the created association group in the idtree, but to
make use of it assigns a random id instead of the historical 0x53F0.

The test assoc_group_ok2 was wrongly passing before this change because
the same id 0x53F0 was assigned to all association groups.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-04-07 09:18:30 +00:00
Samuel Cabrero
1e559f9587 selftest: Test RPC handles and association groups from different connection
Add a test to check if a RPC handle can be used from a different connection
than the one where it was created, when the same association group is
requested in the bind operation of the second connection.

The association group handling is one of the differences between the S3
and S4 RPC server implementations provided by the implementation
callbacks after the merge.

Association groups work fine in the S4 implementation as the RPC server
runs in one process, except for the 'smbd' embedded services provided
by the S3 implementation like winreg (see lp_enforce_ad_dc_settings()).

In the S3 implementation, association groups should work in the same
process, but the merge introduced a bug where a new association group is
always created even when it already exists in the same process.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-04-07 09:18:30 +00:00
Joseph Sutton
88b3d3443b s4:dsdb/password_hash: Don't generate crypt() password for krbtgt account
Since the length of the krbtgt password after conversion to UTF-8 form is
typically greater than the maximum accepted by crypt(), the call usually
fails. This commit disables generation of crypt() passwords for this specific
account, as it's not necessary.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-07 09:18:30 +00:00
Joseph Sutton
05d70f92b6 provision tests: Add test for the CryptSHA256 and CryptSHA512 password hashing schemes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-07 09:18:30 +00:00
Volker Lendecke
6f4e6fc631 test: Add a test for background_job_send crash
I haven't figured out how to properly add a crashing test to
"knownfail", so this is added after the fix.

Signed-off-by: Volker Lendecke <vl@samba.org>
2021-04-01 19:32:36 +00:00
Andreas Schneider
1b183f5751 selftest: Allow to set the 'log level' for clients
This allows to set the 'log level' for clients on the command line:

    make test TESTS=wurst CLIENT_LOG_LEVEL=10

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 31 21:20:23 UTC 2021 on sn-devel-184
2021-03-31 21:20:23 +00:00
Ralph Boehme
10d753868e s3: smbd: fix deferred renames
This was broken by c7a9e0e4cd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14679
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1875

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@amba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 31 06:13:39 UTC 2021 on sn-devel-184
2021-03-31 06:13:39 +00:00
Jeremy Allison
8d9a0b8d57 s4: torture. Add smb2.lease.rename_wait test to reproduce regression in delay rename for lease break code.
Passes against Windows 10. Add to knownfail, the
next commit will fix this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14679
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1875

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-03-31 05:12:37 +00:00
Jeremy Allison
ff48422e63 s3: smbd: Fix SMB_VFS_FGET_NT_ACL/SMB_VFS_FSET_NT_ACL on stream handles.
As this is done on existing files, we know that
fsp->base_fsp != NULL and fsp->base_fsp->fh->fd != -1
(i.e. it's a pathref fd) for stream handles.

When getting and setting ACLs on stream handles,
use the fsp->base_fsp instead (as Windows does).

This not only fixes streams_xattr, but will
allow us to later analyze and remove all
special casing code for get/set ACLs on streams
handles.

Remove the knownfail.d/stream-acl file.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 30 20:14:35 UTC 2021 on sn-devel-184
2021-03-30 20:14:35 +00:00
Jeremy Allison
c7762a2bee s3: torture: Add a test for setting and getting ACLs on stream handles (SMB2-STREAM-ACL).
It shows this isn't done correctly for streams_xattr.

A common config is:

vfs_objects = streams_xattr acl_xattr

to store both streams and Windows ACLs in xattrs.

Unfortunately getting and setting ACLs using handles
opened on stream files isn't being done correctly
in Samba.

This test passes against Windows 10.

This adds tests that prove this doesn't work. Next
patch will add the fix and remove the knownfail.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-03-30 19:16:34 +00:00
Stefan Metzmacher
f0e5537834 smb2_server: don't cancel pending request if at least one channel is still alive
In order to allow replays of requests on a channel failure, we should
not cancel pending requests, the strategie that seems to make windows
clients happy is to let the requests running and return
NT_STATUS_FILE_NOT_AVAILABLE as long as the original request is still
pending.

Here we introduce xconn->transport.shutdown_wait_queue, this is used
to keep the xconn alive for the lifetime of pending requests.

Now we only cancel pending requests if the disconnected connection
is the last channel for a session.

In that case smbXsrv_session_remove_channel() and
smb2srv_session_shutdown_send() will take care of it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Stefan Metzmacher
997e9023c0 smbXsrv_open: intruduce smbXsrv_open_replay_cache to support FILE_NOT_AVAILABLE
Before processing an open we need to reserve the replay cache entry
in order to signal that we're still in progress.
If a reserved record is already present we need to return
FILE_NOT_AVAILABLE in order to let the client retry again.

[MS-SMB2] contains this:

  <152> Section 3.2.5.1: For the following error codes, Windows-based clients
  will retry the operation up to three times and then retry the operation every 5
  seconds until the count of milliseconds specified by Open.ResilientTimeout is
  exceeded:
  - STATUS_SERVER_UNAVAILABLE
  - STATUS_FILE_NOT_AVAILABLE
  - STATUS_SHARE_UNAVAILABLE

This works fine for windows clients, but current windows servers seems to
return ACCESS_DENIED instead of FILE_NOT_AVAILABLE.

A Windows server doesn't do any replay detection on pending opens,
which wait for a HANDLE lease to be broken (because of a
SHARING_VIOLATION), at all.

As this is not really documented for the server part of the current [MS-SMB2],
I found the key hint in "SMB 2.2: Bigger. Faster. Scalier - (Parts 1 and 2)"
on page 24. There's a picture showing that a replay gets FILE_NOT_AVAILABLE
as long as the original request is still in progress. See:
https://www.snia.org/educational-library/smb-22-bigger-faster-scalier-parts-1-and-2-2011

A Windows client is unhappy with the current windows server behavior if it
such a situation happens. There's also a very strange interaction with oplock
where the replay gets SHARING_VIOLATION after 35 seconds because it conflicts with
the original open.

I think it's good to follow the intial design from the 2011 presentation and
make the clients happy by using FILE_NOT_AVAILABLE (and differ from Windows).
I'll report that to dochelp@microsoft.com in order to get this hopefully fixed in
their server too).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Stefan Metzmacher
a19180904e smbXsrv_session: smbXsrv_session_remove_channel() should also remove the last channel
There's nothing special regarding the last channel,
as the smb2.session.bind2 test demonstrates.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Stefan Metzmacher
87b8049320 s4:torture/smb2: add smb2.session.bind2
This demonstrates that a session and it's open handles is destroyed
when the last explicitly bound channel gets disconnected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Stefan Metzmacher
f5168a21ab s4:torture/smb2: add smb2.replay.dhv2-pending* tests
These demonstrate that the replay detection for pending opens
either doesn't exist (for the share_access=NONE => SHARING_VIOLATION
case) or return the wrong status code => ACCESS_DENIED instead of
FILE_NOT_AVAILABLE.

Windows clients transparently retry after FILE_NOT_AVAILABLE,
while they pass ACCESS_DENIED directly to the application.

I'll report that to dochelp@microsoft.com in order to
clarify the situation.

In the meantime I added tests with a '-windows' suffix,
which demostrate the current windows server behavior,
while the tests with a '-sane' suffix expect the behavior
that whould make windows clients happy.

For Samba I'll implement the '-sane' behavior that
detects all replays and returns FILE_NOT_AVAILABLE
if the original request is still pending.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Douglas Bagnall
dbb3e65f7e CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode
A DN string with lots of trailing space can cause ldb_dn_explode() to
put a zero byte in the wrong place in the heap.

When a DN string has a value represented with trailing spaces,
like this

     "CN=foo   ,DC=bar"

the whitespace is supposed to be ignored. We keep track of this in the
`t` pointer, which is NULL when we are not walking through trailing
spaces, and points to the first space when we are. We are walking with
the `p` pointer, writing the value to `d`, and keeping the length in
`l`.

     "CN=foo   ,DC= "       ==>       "foo   "
            ^  ^                             ^
            t  p                             d
                                       --l---

The value is finished when we encounter a comma or the end of the
string. If `t` is not NULL at that point, we assume there are trailing
spaces and wind `d and `l` back by the correct amount. Then we switch
to expecting an attribute name (e.g. "CN"), until we get to an "=",
which puts us back into looking for a value.

Unfortunately, we forget to immediately tell `t` that we'd finished
the last value, we can end up like this:

     "CN=foo   ,DC= "       ==>        ""
            ^      ^                    ^
            t      p                    d
                                        l=0

where `p` is pointing to a new value that contains only spaces, while
`t` is still referring to the old value. `p` notices the value ends,
and we subtract `p - t` from `d`:

     "CN=foo   ,DC= "       ==>  ?     ""
            ^       ^            ^
            t       p            d
                                      l ~= SIZE_MAX - 8

At that point `d` wants to terminate its string with a '\0', but
instead it terminates someone else's byte. This does not crash if the
number of trailing spaces is small, as `d` will point into a previous
value (a copy of "foo" in this example). Corrupting that value will
ultimately not matter, as we will soon try to allocate a buffer `l`
long, which will be greater than the available memory and the whole
operation will fail properly.

However, with more spaces, `d` will point into memory before the
beginning of the allocated buffer, with the exact offset depending on
the length of the earlier attributes and the number of spaces.

What about a longer DN with more attributes? For example,
"CN=foo     ,DC= ,DC=example,DC=com" -- since `d` has moved out of
bounds, won't we continue to use it and write more DN values into
mystery memory? Fortunately not, because the aforementioned allocation
of `l` bytes must happen first, and `l` is now huge. The allocation
happens in a talloc_memdup(), which is by default restricted to
allocating 256MB.

So this allows a person who controls a string parsed by ldb_dn_explode
to corrupt heap memory by placing a single zero byte at a chosen
offset before the allocated buffer.

An LDAP bind request can send a string DN as a username. This DN is
necessarily parsed before the password is checked, so an attacker does
not need proper credentials. The attacker can easily cause a denial of
service and we cannot rule out more subtle attacks.

The immediate solution is to reset `t` to NULL when a comma is
encountered, indicating that we are no longer looking at trailing
whitespace.

Found with the help of Honggfuzz.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-24 12:05:32 +00:00
Douglas Bagnall
1996b79f37 CVE-2020-27840: pytests:segfault: add ldb.Dn validate test
ldb.Dn.validate wraps ldb_dn_explode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-24 12:05:32 +00:00
Joseph Sutton
09995f780d netcmd: Determine which files are to be copied for an offline domain backup
The old behaviour attempted to check for and remove files with duplicate
names, but did not do so due to a bug, and would have left undetermined
which files were given priority when duplicate filenames were present.
Now when hardlinks are present, only one instance of each file is
chosen, with files in the private directory having priority. If one
backup dir is nested inside another, the files contained in the nested
directory are only added once. Additionally, the BIND DNS database is
omitted from the backup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz
2021-03-23 23:38:38 +00:00
Joseph Sutton
f52e6e5345 netcmd: Add test for an offline backup of nested directories
This test verifies that when performing an offline backup of a domain
where one of the directories to be backed up is nested inside another,
the contained files are only included once in the backup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz
2021-03-23 23:38:38 +00:00
Joseph Sutton
542678908a netcmd: Add test for an offline backup of a directory containing hardlinks
This test verifies that when performing an offline backup of a domain
where the directories to be backed up contain hardlinks, only one
instance of each file is backed up, and that files in the private
directory take precedence.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz
2021-03-23 23:38:38 +00:00
David Mulder
f1a72fc63d samba-tool: Add a gpo command for removing VGP Host Access Group Policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 18 20:02:50 UTC 2021 on sn-devel-184
2021-03-18 20:02:50 +00:00
David Mulder
90acb3cf99 samba-tool: Test gpo manage access remove command
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-18 18:50:28 +00:00
David Mulder
482046c56b samba-tool: Add a gpo command for adding VGP Host Access Group Policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-18 18:50:28 +00:00
David Mulder
996a0bd2e4 samba-tool: Test gpo manage access add command
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-18 18:50:28 +00:00
David Mulder
3f3c2b5b33 samba-tool: Add a gpo command for listing VGP Host Access Group Policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-18 18:50:28 +00:00
David Mulder
76868b50f3 samba-tool: Test gpo manage access list command
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-18 18:50:28 +00:00
Douglas Bagnall
1c1ff48e7a selftest/flapping: remove python[23] lines
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 17 07:03:27 UTC 2021 on sn-devel-184
2021-03-17 07:03:27 +00:00
Douglas Bagnall
467746da0a knownfail: remove python[23] lines
We no longer run any *python2* or *python3* specific tests, so
these knownfail lines are just clutter.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 05:57:34 +00:00
Stefan Metzmacher
8f43c15f62 smb2_sesssetup: validate that sign_algo and encryption_cipher match on a session bind
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 17 01:56:37 UTC 2021 on sn-devel-184
2021-03-17 01:56:37 +00:00
Stefan Metzmacher
4ab1b29d5d smb2_sesssetup: a session bind with a different user results in ACCESS_DENIED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
7733f98f69 smb2_sesssetup: a bind dialect mismatch should always result in INVALID_PARAMETER
The ACCESS_DENIED errors happened as we didn't expected to signing
algo is attached to the session key. So our client calculated the
wrong signature.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00