1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

136146 Commits

Author SHA1 Message Date
Ralph Boehme
55d98b29eb smbd: check is POSIX is enabled on the fsp in fsinfo_unix_valid_level()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-27 18:31:35 +00:00
Ralph Boehme
01022d036f smbd: pass fsp to fsinfo_unix_valid_level()
We need the fsp down in fsinfo_unix_valid_level(), pass it down.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-27 18:31:35 +00:00
Ralph Boehme
bca6f0298f smbd: pass fsp to smbd_do_qfsinfo()
We need the fsp down in fsinfo_unix_valid_level(), start passing it down.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-27 18:31:35 +00:00
Ralph Boehme
3f73bb591c smbd: leave comment on broken SMB1 POSIX open handling of SMB_O_DIRECT
Since e0814dc508 the passed in attributes get
replaced by the mode in create_file_default().

As FILE_FLAG_NO_BUFFERING is never checked when doing the final IO, it doesn't
really matter.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-27 18:31:35 +00:00
Andrew Bartlett
0b74adb3f0 samba-tool: Improve help messages for "samba-tool domain auth policy"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 27 04:05:46 UTC 2023 on atb-devel-224
2023-11-27 04:05:46 +00:00
Andrew Bartlett
828d534c47 docs-xml: Improve and consolidate "samba-tool domain auth policy create/modify" docs
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-27 03:08:28 +00:00
Rob van der Linde
9c5a7d1244 netcmd: auth: set better metavar that matches the docs
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 03:08:28 +00:00
Douglas Bagnall
14b17c3de6 libcli/security/tests: gunzip the oversized-acls test vectors
These are just as readable with `less` as they were with `zless`.

This file has been slightly manually edited to add line-breaks. There
is not an easy setting in Python's json module to get good formatting.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 27 02:10:12 UTC 2023 on atb-devel-224
2023-11-27 02:10:12 +00:00
Douglas Bagnall
19129660df libcli/security/tests: remove duplicate TX-integer tests from oversized-ACLs
We had two sets of test vectors (Windows ground-truth for SDDL
compilation) that got mixed up.

The "oversized ACLs" set is ACLs that contain repeated ACEs, like
"D:P(D;;;;;MP)(D;;;;;MP)" -- Windows will assign a size to the ACL
that is greater than the sum of the ACEs, while Samba will not (in
part because we don't actually store a size for the ACL, instead
calculating it on the fly from the size of the ACEs).

The "TX integers" set is for resource attribute ACEs with octet-string
data that contains pure integers (lacking '#' characters) in their
SDDL, like «(RA;;;;;WD;("bar",TX,0x0,0077,00,0077,00))». We used to
think that was weird, and that RA-TX ACEs should contain octet-strings
in the conditional ACE style. But now we have realised it's not weird,
it's normal, and we have fixed our handling of these ACEs.

As a result of this mix-up, some of the tests labelled as "oversized
ACLs" started passing when we fixed the TX integer problem, and that
was confusing. All of the removed tests are already on the TX integer
set -- the removed ones were duplicates.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
cf295c94aa libcli/security:sddl: remove vestiges of shared conditional/resource ACE SID parsing
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
20ffec711d libcli/security: improve error messages in RA ACE SDDL
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
dc60891de9 libcli/security: conditional ACE sid parser no longer expects RA ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
0a2e335e37 libcli/security: parse resource attribute ace SIDs separately
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
79292c8d1e libcli/security/sddl: write RA octet strings the Windows way
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
38e7b4dcbd libcli/security: add a parser for resource attribute ACE byte strings
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
9ef71399ce libcli/security: sddl_conditional_ace: remove check_resource_attr_type()
This is unneeded, as now all the checks are done in the relevant
parse_* functions.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
059610a62e libcli/security: sddl_conditional_ace: add parse_bool for RA aces
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
800f770e11 libcli/security: sddl_conditional_ace: add parse_uint for RA aces
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
33caae4381 libcli/security: un-invert parse_resource_attr_list, check type first
We were reusing parse_literal() because it almost does what we need,
but it is different enough that check_resource_attr_type() is large
and complicated, and can't handle all the cases (in particular octet-
strings and SIDs are different in resource ACEs).

This way is better because we know the type in advance, so we can use
that to choose the parser, which will help with octet-strings that are
only digits.

In this commit we're leaving the check there, but it soon won't do
anything that the parse_* functions don't, and we will remove it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
cda9371b59 libcli/security/test_sddl_conditional_ace: adjust RA octet parse tests
We are going to parse octet strings like Windows (as opposed to like
Windows docs), so the tests need changing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
4ab9cb1907 libcli/security:sddl_condtional_ace: log compiler errors at some debug levels
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
f18ffd1182 libcli/security: initialise conditional ACE token flags
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
8e3be66a49 pytest: security_descriptors tests get enumerator in name
This will make knownfails easier, given the names contain so many
regular expression metacharacters.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Björn Jacke
5e925f9755 dosmode: prefer capabilities over become_root
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Björn Jacke
1dd81928a2 libgpo: fix wrong lineending in admx files
When changing or reviewing admx file patches, make sure, that those files are
dos fileformat and they need to have the magic ^M at the end of each line ...

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Stefan Metzmacher
f5c76c3c81 Revert "README.Coding.md: add DBG_STARTUP_NOTICE macro"
This reverts commit bb370b9381.

We no longer use log level -1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Nov 24 10:34:58 UTC 2023 on atb-devel-224
2023-11-24 10:34:58 +00:00
Stefan Metzmacher
cd8dcff9e9 lib/util: convert DBG_STARTUP_NOTICE() to use debug_set_forced_log_priority(DBGLVL_NOTICE)
Using -1 as log level is not compatible without our infrastructure.

As all backends are initialized with .log_level = -1, which means
they don't log the message, but now they all try to handle the
startup message even if they are not configured.

E.g. is means that systemd's journalctl get the message twice
now, first via the syslog and also the systemd backend.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-24 09:30:38 +00:00
Stefan Metzmacher
bd21a0cdef lib/util: add debug_set_forced_log_priority()
By default the priority for syslog/systemd is derived from
the log level of the debug message.

But for things like startup messages we want to
change the priority temporary, like this:

debug_set_forced_log_priority(DBGLVL_NOTICE);
D_ERR("Startup...\n");
debug_set_forced_log_priority(-1);

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-24 09:30:38 +00:00
Rob van der Linde
83e8971c0f Claims initial black box tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Nov 23 00:32:33 UTC 2023 on atb-devel-224
2023-11-23 00:32:33 +00:00
Rob van der Linde
fad29cd0a6 netcmd: auth policy: add allowed-to-authenticate-from-device-group attributes
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
1b4514712d netcmd: auth policy: fix missing 'by' in help string
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
eaf1bd5623 netcmd: auth policy: add allowed-to-authenticate-to-by-group attributes
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
dbeb424e6c netcmd: auth policy: rename "from silo" to "from device silo"
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
1e00952c34 netcmd: auth policy: document allowed to authenticate from silo and to by silo attributes
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
42de24d73a netcmd: auth policy: add allowed to authenticate to by silo attributes
--user-allowed-to-authenticate-to-by-silo
--service-allowed-to-authenticate-to-by-silo
--computer-allowed-to-authenticate-to-by-silo

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
9fe147a02c netcmd: models: add field test for SIDField
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
96aaa0059f netcmd: models: add a Group model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
e9b1ac93b5 netcmd: models: make systemFlags and systemOnly fields readonly
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
c1f56feefb netcmd: models: ensure that backlinks are always readonly
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
6255d57ce8 netcmd: models: add readonly attribute on fields to exclude it from save
There was trouble when saving fields like is system object, these need to be excluded on save.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
e256a04d5d netcmd: models: get_base_dn returns default rather than be abstract
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
91cc73352e netcmd: models: add SIDField field
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
0ce9b75325 netcmd: models: use correct SDDL for authentication silos
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
bf07a97931 netcmd: fix typo in groups and computer commands
Everywhere else it is using Group's except for one place which makes it obvious this was incorrect.

Same goes for Computers's vs Computer's

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
6e3491e280 selftest: move planoldpythontestsuite up so it can be used by blackbox tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
faf0b784a1 tests: gensec: docstrings in the middle of code should be comments
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Volker Lendecke
f955d9aa49 smbd: Fix Coverity ID 1499372 Uninitialized scalar variable
This is real.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 21 18:33:51 UTC 2023 on atb-devel-224
2023-11-21 18:33:51 +00:00
Volker Lendecke
bc0df4fd97 winbind: Fix Coverity ID 1398910
Coverity isn't smart enough for talloc

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-21 17:34:36 +00:00
Volker Lendecke
0bc329a343 lsa4: Fix Coverity ID 1499410
It complains about uninitialized access, and I'm not sure it isn't
right. Just initialize the structure.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-21 17:34:36 +00:00
Volker Lendecke
a5c2134cc2 samr4: Fix Coverity ID 1499378
Coverity isn't smart enough to see this is initialized. As it's good
practice to initialize vars, just do it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-21 17:34:36 +00:00