sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-15 23:24:37 +03:00
Code
102,099 Commits 60 Branches 1,145 Tags
Commit Graph

102099 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Stefan Metzmacher
0f6713826d s4:pygensec: make sig_size() and sign/check_packet() available 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:27 +01:00
Stefan Metzmacher
dec9d085f3 s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size() 
This is important in order to support gensec_[un]wrap() with GENSEC_SEAL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:27 +01:00
Stefan Metzmacher
79bf883534 s3:librpc/gse: don't log gss_acquire_creds failed at level 0 
Some callers just retry after a kinit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:27 +01:00
Stefan Metzmacher
e4aebd7e28 s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:27 +01:00
Stefan Metzmacher
a8fa078f1a s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
84c66f1a38 s3:librpc/gse: fix debug message in gse_init_client() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
46b9252518 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
1fd5bdafbd wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X 
Newer MIT versions (maybe krb5-1.14) will also support this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
cd8af25d4b s3:libads: remove unused ads_connect_gc() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
960b0adfb3 s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
e9e9ba7eae librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
5afc2d85b3 dcerpc.idl: make WERROR RPC faults available in ndr_print output 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
2e71f5d935 epmapper.idl: make epm_twr_t available in python bindings 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
2c9f9557e4 s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
e906739553 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net) 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
6400bbb5ee lib/util_net: add support for .ipv6-literal.net 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:26 +01:00
Stefan Metzmacher
771042a238 lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:26 +01:00
Andreas Schneider
f7116f0ad0 s4-selftest: Make export keytab test heimdal specific 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2016-03-10 06:52:26 +01:00
Andreas Schneider
5c5d586d3e s4-libnet: Implement export_keytab without HDB 
This is used by 'samba-tool domain exportkeytab'. This loads the HDB
Samba backend thus needs access to samdb. To avoid using heimdal
specific code here, we could talk to samdb directly and write a
keytab file.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2016-03-10 06:52:25 +01:00
Andreas Schneider
eb880ccc7c s3-libnet: Allow the keytab function to use a relative path 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2016-03-10 06:52:25 +01:00
Andreas Schneider
c2f5c30bea krb5_wrap: Add smb_krb5_open_keytab_relative() function 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2016-03-10 06:52:25 +01:00
Andreas Schneider
4e367288a5 krb5_wrap: Move smb_krb5_kt_add_entry() to krb5_wrap 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2016-03-10 06:52:25 +01:00
Andreas Schneider
49efa9379c s3-libads: Use the C99 boolean false 
This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2016-03-10 06:52:25 +01:00
Andreas Schneider
a135b353ae s3-libads: Call smb_krb5_create_key_from_string() directly 
This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2016-03-10 06:52:25 +01:00
Andreas Schneider
1e1e12a825 s3-libads: Pass down the salt principal in smb_krb5_kt_add_entry() 
This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2016-03-10 06:52:25 +01:00
Garming Sam
c37c4b18e0 CVE-2016-0771: tests/dns: Remove dependencies on env variables 
Now that it is invoked as a normal script, there should be less of them.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:25 +01:00
Garming Sam
9f1ba00f1f CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest 
This makes it easier to invoke, particularly against Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:25 +01:00
Garming Sam
8cee2c8146 CVE-2016-0771: tests: rename test getopt to get_opt 
This avoids any conflicts in this directory with the original toplevel
getopt.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:25 +01:00
Garming Sam
286b7a5e3f CVE-2016-0771: tests/dns: RPC => DNS roundtrip test 
Make sure that TXT entries stored via RPC come out the same in DNS.

This has one caveat in that adding over RPC in Windows eats slashes,
and so fails there.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:25 +01:00
Garming Sam
8e056caa8b CVE-2016-0771: dnsserver: don't force UTF-8 for TXT 
While using a charset is not entirely logical, it allows testing of non
UTF-8 data (like inserting 0xFF into the TXT string).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:25 +01:00
Garming Sam
ffec494826 CVE-2016-0771: tests/dns: modify tests to check via RPC 
This checks that TXT records added over DNS, look the same over RPC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:24 +01:00
Garming Sam
2a796e5de7 CVE-2016-0771: tests/dns: Add some more test cases for TXT records 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:24 +01:00
Garming Sam
bbda6b6eda CVE-2016-0771: tests/dns: Correct error code for formerly unrun test 
Both Samba and Windows returned NXRRSET

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:24 +01:00
Garming Sam
5b10cc25be CVE-2016-0771: tests/dns: restore formerly segfaulting test 
This was on the client side, due the a strlen(NULL) on the previously
DOS-encoded TXT field. With a new IDL structure, this segfault no longer exists.
Note that both Samba and Windows return NXRRSET instead of FORMERR.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:24 +01:00
Garming Sam
866bf51758 CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:24 +01:00
Garming Sam
a988dc7b2d CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows 
Two requests with identical parameters which are poorly formatted, can
non-deterministically return FORMERR or simply fail to give a response.

Setting the timeout to a number allows Windows to succeed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:24 +01:00
Garming Sam
2ad53d1c07 CVE-2016-0771: tests/dns: prepare script for further testing 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:24 +01:00
Garming Sam
e09544de63 CVE-2016-0771: tests/dns: Modify dns tests to match new IDL 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:24 +01:00
Stefan Metzmacher
d22a9f427c CVE-2016-0771: dns.idl: make use of dnsp_hinfo 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:24 +01:00
Stefan Metzmacher
ee8d777bbf CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record 
From RFC 1035:

    3.3.14. TXT RDATA format

        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        /                   TXT-DATA                    /
        +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

    where:

    TXT-DATA        One or more <character-string>s.

    TXT RRs are used to hold descriptive text.  The semantics of the text
    depends on the domain where it is found.

Each record contains an array of strings instead of just one string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:24 +01:00
Stefan Metzmacher
1cc57a98d4 CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:23 +01:00
Stefan Metzmacher
63b1fb06cf CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library 
RPC_NDR_DNSSERVER is the client interface NDR_DNSP contains just
marshalling helpers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:23 +01:00
Stefan Metzmacher
42524c20a8 CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-10 06:52:23 +01:00
Jeremy Allison
841ae4a2e2 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2016-03-10 06:52:23 +01:00
Jeremy Allison
19eb1c9311 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2016-03-10 06:52:23 +01:00
Jeremy Allison
6b61b5448a CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2016-03-10 06:52:23 +01:00
Jeremy Allison
e7e23e9647 CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2016-03-10 06:52:23 +01:00
Jeremy Allison
77b3d5b2a8 CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2016-03-10 06:52:23 +01:00
Jeremy Allison
3f491d7756 CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2016-03-10 06:52:23 +01:00
Jeremy Allison
464d044145 CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
 2016-03-10 06:52:23 +01:00