1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

128120 Commits

Author SHA1 Message Date
Joseph Sutton
0f4eca775a tests/krb5: Add tests for AS-REQ to self with FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 15 04:33:11 UTC 2021 on sn-devel-184
2021-12-15 04:33:11 +00:00
Joseph Sutton
100be7eb8e tests/krb5: Correctly determine whether tickets are service tickets
Previously we expected tickets to contain a ticket checksum if the sname
was not the krbtgt. However, the ticket checksum should not be present
if we are performing an AS-REQ to our own account. Now we determine a
ticket is a service ticket only if the request is also a TGS-REQ.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
1eb91291b5 tests/krb5: Generate unique UPNs for enterprise tests
This helps to avoid problems with account creation on Windows due to UPN
uniqueness constraints.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
3b23ae59ac s4:torture: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
030afa6c01 s4:torture: Remove comments that are no longer relevant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
bba30095ca kdc: Pad UPN_DNS_INFO PAC buffer
Padding this buffer to a multiple of 8 bytes allows the PAC buffer
padding to match Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
31f3e81579 Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows"
This alignment should be done on the Samba side instead.

This reverts commit 28a5a586c8.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
7dfcbc4e38 tests/krb5: Add tests for PAC buffer alignment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
abbeb5c217 s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
3a3f7feac5 s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac()
This will be allocated by the KDC in MIT KRB5 1.20 and newer.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
731d9c42d0 s4:mitkdc: Pass NULL to ks_get_pac() as the client_key
This is unused with MIT KRB5 < 1.20 as this is probably not the right key.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
e95fb04c5d s4:mitkdc: Add support for pac_attrs and requester_sid
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
b46a942f95 s4:mitkdc: Reset errno to 0 for com_err messages
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
c69bfa0939 s4:mitkdc: Use talloc_get_type_abort() in ks_get_context()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
f00eb8485f s4:mitkdc: Initilalize is_error with errno instead of EPERM(1)
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Volker Lendecke
5b526f4533 tdb: Raw performance torture to beat tdb_increment_seqnum
Running this on sn-devel-184 takes ~14 seconds with the atomic
ops. Without them I did not wait for it to finish. After reducing
NPROCS from 500 to 50 it still ran for more than a minute.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 15 01:03:56 UTC 2021 on sn-devel-184
2021-12-15 01:03:56 +00:00
Volker Lendecke
b9f06ab347 tdb: Use atomic operations for tdb_[increment|get]_seqnum
With locking.tdb now based on g_lock.c code, we change locking.tdb a
lot more often. I have a customer case where LDX tortures smbd very
hard with 800+ concurrent connections, which now completely falls over
where 4.12 still worked fine. Some debugging showed a thundering herd
on fcntl locking.tdb index 48 (TDB_SEQNUM_OFS). We still use fcntl for
the seqnum, back when we converted the chainlocks to mutexes we did
not consider it to be a problem. Now it is, but all we need to do with
the SEQNUM is to increment it, so an __atomic_add_fetch() of one is
sufficient.

I've taken a look at the C11 standard atomics, but I could not figure
out how to use them properly, to me they seem more general to be
initialized first etc. All we need is a X86 "lock incl 48(%rax)" to be
emitted, and the gcc __atomic_add_fetch seems to do this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-12-15 00:15:33 +00:00
Volker Lendecke
62dab3921b configure: Check for __atomic_add_fetch() and __atomic_load()
To be used in the tdb_seqnum code soon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-12-15 00:15:33 +00:00
Bernd Kuhls
1dc803048f lib/util: Add signal.h include
Fixes build error with samba-4.15.3 and uClibc:

../../source3/printing/samba-bgqd.c: In function ‘main’:
../../source3/printing/samba-bgqd.c:340:21: error: ‘SIGPIPE’ undeclared (first use in this function); did you mean ‘EPIPE’?
../../source3/printing/samba-bgqd.c:384:14: error: ‘SIGTERM’ undeclared (first use in this function)

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Dec 13 16:22:28 UTC 2021 on sn-devel-184
2021-12-13 16:22:28 +00:00
Jeremy Allison
b5e7e7b65a s3: smbtorture3: Fix POSIX-BLOCKING-LOCK to actually negotiate SMB1+POSIX before using POSIX calls.
This must be done before doing POSIX calls on a connection.

Remove the final entry in knownfail.d/posix_infolevel_fails

    samba3.smbtorture_s3.plain.POSIX-BLOCKING-LOCK.smbtorture\(nt4_dc_smb1\)

And remove the file knownfail.d/posix_infolevel_fails itself.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Dec 11 12:03:36 UTC 2021 on sn-devel-184
2021-12-11 12:03:36 +00:00
Jeremy Allison
89f284af61 s3: tests: Fix the samba3.blackbox.acl_xattr test to actually negotiate SMB1+POSIX before using POSIX calls.
Remove the following entries in knownfail.d/posix_infolevel_fails.

    samba3.blackbox.acl_xattr.NT1.nt_affects_posix.*
    samba3.blackbox.acl_xattr.NT1.nt_affects_chown.*
    samba3.blackbox.acl_xattr.NT1.nt_affects_chgrp.*

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
e7f2cfb544 s3: tests: Fix the samba3.blackbox.inherit_owner test to actually negotiate SMB1+POSIX before using POSIX calls.
Remove the following entry in knownfail.d/posix_infolevel_fails.

	samba3.blackbox.inherit_owner.*.NT1.*verify.*unix\ owner.*

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
6453e5aac4 s4: torture: Fix unix.info2 test to actually negotiate SMB1+POSIX before using POSIX calls.
Cope with the minor difference in wildcard search return when
we're actually using SMB1+POSIX on the server (SMB1+POSIX treats
all directory search paths as wildcards).

Remove the following entries in knownfail.d/posix_infolevel_fails.

	samba3.unix.info2.info2\(nt4_dc_smb1\)
        samba3.unix.info2.info2\(ad_dc_smb1\)

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
397cc7599b s4: torture: Fix raw.search:test_one_file() by using the SMB1+POSIX connection for POSIX info levels.
Remove the following entry in knownfail.d/posix_infolevel_fails.

	^samba3.raw.search.one\ file\ search.*

from knownfail.d/posix_infolevel_fails

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
aaa6d09f6f s4: torture: raw.search: Add setup_smb1_posix(). Call it on the second connection in test_one_file().
Not yet used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
d681a4b058 s4: torture: In raw.search:test_one_file() add a second connection.
Change from torture_suite_add_1smb_test() to torture_suite_add_2smb_test().

Not yet used. We will need this to do SMB1+POSIX search calls on
a connection on which we have negotiated SMB1+POSIX.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
4bd1f7609f s3: smbclient: Give a message if we try and use any POSIX command without negotiating POSIX first.
Ensure we only use a POSIX command if POSIX is set up.
Issue the message: Command "posix" must be issued before the "XXXX" command can be used.
After the parameter parsing has been done.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
59fa3806c9 s3: smbd: Tighten up info level checks for SMB1+POSIX to make sure POSIX was negotiated first.
Add knownfail file

	knownfail.d/posix_infolevel_fails

for tests that don't currently negotiate
SMB1+POSIX before using SMB1+POSIX calls.

These are:

samba3.smbtorture_s3.plain.POSIX-BLOCKING-LOCK.smbtorture\(nt4_dc_smb1\)
samba3.blackbox.acl_xattr.NT1.nt_affects_posix.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chown.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chgrp.*
samba3.blackbox.inherit_owner.*.NT1.*verify.*unix\ owner.*
samba3.unix.info2.info2\(nt4_dc_smb1\)
samba3.unix.info2.info2\(ad_dc_smb1\)
samba3.raw.search.one\ file\ search.*

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
00fd039c90 s4: torture: In raw.search:test_one_file() remove the leading '\\' in the test filenames.
We'll soon be using this under SMB1+POSIX and neither Windows or POSIX
need a leading '\\' (and SMB1+POSIX sees the '\\' as part of the name).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
57c56d89be s4: torture: Fix raw.search:test_one_file() to use torture_result() instead of printf.
I think this test pre-dates torture_result.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
25c87b70c0 s3: smbd: Remove 'struct uc_state' name_has_wildcard element.
It is never set or looked at.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Dec 11 08:07:14 UTC 2021 on sn-devel-184
2021-12-11 08:07:14 +00:00
Jeremy Allison
0ecb5e3e3f s3: smbd: In unix_convert_step_stat() remove use of state->name_was_wildcard.
It can never be true.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:29 +00:00
Jeremy Allison
e6f0269817 s3: smbd: In unix_convert_step() remove all use of 'state->name_was_wildcard'
We know it is never true.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:29 +00:00
Jeremy Allison
ce6b3ba409 s3: smbd: In unix_convert() remove the now unneeded block indentation.
We removed the 'if (state->name_has_wildcard) {' clause, so
the block no longer needs indenting.

Best seen with git show -b.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:29 +00:00
Jeremy Allison
b21ba035bf s3: smbd: In unix_convert(), remove all references to state->name_has_wildcard.
It is never set.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:29 +00:00
Jeremy Allison
1d52a4a467 s3: smbd: Inside unix_convert(), never set state->name_is_wildcard.
We error out immediately if it's set anyway.
Preparing to remove 'state->name_is_wildcard' structure element.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:29 +00:00
Jeremy Allison
6493d39b67 s3: smbd: UCF_ALWAYS_ALLOW_WCARD_LCOMP 0x00000002 is no longer used.
Hurrah !

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:29 +00:00
Jeremy Allison
6f15f8b68a s3: smbd: We no longer need determine_path_error().
Now we don't have to consider wildcards just
return NT_STATUS_OBJECT_PATH_NOT_FOUND for
the cases we used to call it.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:29 +00:00
Jeremy Allison
e1cc3e3a67 s3: smbd: Inside 'struct uc_state', remove allow_wcard_last_component.
This is never allowed.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:29 +00:00
Jeremy Allison
da1417fb37 s3: smbd: filename_convert() no longer deals with wildcards.
These are already errored out with NT_STATUS_OBJECT_NAME_INVALID
in the unix_convert() code.

Remove the check.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:29 +00:00
Jeremy Allison
24002be588 s3: smbd: parse_dfs_path() can ignore wildcards.
If one is passed to filename_convert(), it will error out there
with NT_STATUS_OBJECT_NAME_INVALID.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:29 +00:00
Jeremy Allison
52ca4bf6d5 s3: smbd: Remove 'bool search_wcard_flag' from parse_dfs_path().
Never set.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:28 +00:00
Jeremy Allison
1812574748 s3: smbd: dfs_path_lookup() no longer deals with wildcards.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:28 +00:00
Jeremy Allison
fa45c91cb4 s3: smbd: Fix call_trans2findfirst() to use filename_convert_smb1_search_path().
filename_convert() no longer has to handle wildcards.
UCF_ALWAYS_ALLOW_WCARD_LCOMP is now unused.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:28 +00:00
Jeremy Allison
1658fad32c s3: smbd: Convert reply_search() to use filename_convert_smb1_search_path().
Cleans up this code path nicely !

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:28 +00:00
Jeremy Allison
3ca8221864 s3: smbd: Add filename_convert_smb1_search_path() - deals with SMB1 search pathnames.
SMB1search and trans2 findfirst are unique in that
they are the only passed in pathnames that can contain
a terminal wildcard component.

Deal with these two special cases with this new function
that strips off the terminal wildcard and returns as
the mask, and pass the non-wildcard parent directory
component through the standard filename_convert().

Uses new helper function strip_gmt_from_raw_dfs().

When SMB1search and trans2 findfirst have been
converted to use this function, we can strip all
wildcard handling out of filename_convert() as
we now know it will only ever be given valid
pathnames.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:28 +00:00
Jeremy Allison
addbf4cc3b s3: smbd: Allow dfs_redirect() to return a TWRP token it got from a parsed pathname.
This one is subtle. If an SMB1 request has both a DFS path and a @GMT token,
the unix_convert() inside the DFS path processing will remove the @GMT
token, not allowing the subsequent unix_convert() inside filename_convert()
to see it. By returning it from dfs_redirect() we can ensure it's correctly
added to the smb_filename returned from filename_convert().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:28 +00:00
Jeremy Allison
a568e92e51 s3: smbd: In dfs_path_lookup(). If we have a DFS path including a @GMT-token, don't throw away the twrp value when parsing the path.
Not yet used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:28 +00:00
Jeremy Allison
14e0dd43d5 s3: smbd: filename_convert() is now a one-to-one wrapper around filename_convert_internal().
Remove filename_convert() and rename filename_convert_internal() -> filename_convert().
Move the old DEBUG(..) statements to DBG_XXX() so they don't print the wrong name.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:28 +00:00
Jeremy Allison
5425f2aa43 s3: smbd: Remove now unused check_reduced_name_with_privilege().
We now only have one function that does this check (check_reduced_name()),
used everywhere.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 07:17:28 +00:00