1
0
mirror of https://github.com/samba-team/samba.git synced 2025-02-26 21:57:41 +03:00

653 Commits

Author SHA1 Message Date
Stefan Metzmacher
fd5cf415a7 s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
We need the target service without realm, but the proxy services with realm.

I have a domain with an w2008r2 server and a samba and now both generate
the same S4U_DELEGATION_INFO.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13133

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-10-21 14:40:38 +00:00
Isaac Boukris
90bdaaf09d selftest: add a test for PAC delegation-info blob in S4U2Proxy
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13133

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-10-21 14:40:38 +00:00
Andreas Schneider
123584294c s3:libads: Do not turn on canonicalization flag for MIT Kerberos
This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155

Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 17:39:13 UTC 2019 on sn-devel-184
2019-10-12 17:39:13 +00:00
Andreas Schneider
93c2b44675 testprogs: Add test for kinit with canonicalization
Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-10-12 16:18:39 +00:00
Andreas Schneider
46068d5f28 gitlab-ci: Run several AD tests with MIT KDC
This will avoid introducing regressions in either client or server code.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-10-12 16:18:39 +00:00
Isaac Boukris
23ea12e98e spnego: fix server handling of no optimistic exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
2019-10-12 15:51:42 +00:00
Isaac Boukris
8a96359977 python/tests/gensec: add spnego downgrade python tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-10-12 14:33:33 +00:00
Isaac Boukris
02f538816b selftest: add tests for no optimistic spnego exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-10-12 14:33:33 +00:00
Isaac Boukris
90f557f3a1 selftest: s3: add a test for spnego downgrade from krb5 to ntlm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-10-12 14:33:32 +00:00
Ralph Boehme
90a14c90c4 s3:smbd: ensure a created stream picks up the File-ID from the basefile
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-10-02 08:01:40 +00:00
Ralph Boehme
49a754b82d s3:smbd: when storing DOS attribute call dos_mode() beforehand
This is required to ensure File-ID info is populated with the correct on-disk
value, before calling file_set_dosmode() which will update the on-disk value.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-10-02 08:01:39 +00:00
Ralph Boehme
300b47442b torture:smb2: add a File-ID test on directories
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-10-02 08:01:39 +00:00
Ralph Boehme
432202413f torture:smb2: extend test for File-IDs
This now hopefully covers most possible combinations of creating and opening
files plus, checking the file's File-ID after every operation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14137

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-10-02 08:01:39 +00:00
Michael Adam
63c9147f86 winbind: provide passwd struct for group sid with ID_TYPE_BOTH mapping (again)
https://git.samba.org/?p=samba.git;a=commitdiff;h=394622ef8c916cf361f8596dba4664dc8d6bfc9e
originally introduced the above feature.

This functionality was undone as part of "winbind: Restructure get_pwsid"
https://git.samba.org/?p=samba.git;a=commitdiff;h=bce19a6efe11980933531f0349c8f5212419366a
I think that this semantic change was accidential.

This patch undoes the semantic change and re-establishes the
functionality.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14141

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Fri Sep 27 17:25:29 UTC 2019 on sn-devel-184
2019-09-27 17:25:29 +00:00
Christof Schmitt
485874d6bb selftest: Test ID_TYPE_BOTH with idmap_rid module
ID_TYPE_BOTH means that each user and group has two mappings, a uid and
gid. In addition the calls to getpwent, getpwuid, getgrent and getgrgid
always return some information, so that uid and gid can be mapped to a
name. Establish a test to verify that the expected information is
returned.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14141

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-09-27 16:07:40 +00:00
Stefan Metzmacher
0ee085b594 selftest/Samba3.pm: use "winbind use krb5 enterprise principals = yes" for ad_member
This demonstrates that can do krb5_auth in winbindd without knowning about trusted domains.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184
2019-09-24 19:51:29 +00:00
Stefan Metzmacher
e2737a74d4 selftest/Samba3.pm: use "winbind scan trusted domains = no" for ad_member
This demonstrates that we rely on knowning about trusted domains before
we can do krb5_auth in winbindd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-24 18:30:38 +00:00
Ralph Boehme
95655fe683 vfs: restore stat fields in vfs_stat_fsp()
This ensures we preserve btime, itime and File-ID.

As the Durable Handles code calls vfs_stat_fsp() in the DH disconnect function,
previously the btime was lost and NOT stored in the cookie. With this change the
cookie will store the correct btime (and iflags), which requires us to call
dos_mode() in the reconnect function to ensure we pass
vfs_default_durable_reconnect_check_stat().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14121

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Sep 10 20:22:21 UTC 2019 on sn-devel-184
2019-09-10 20:22:21 +00:00
Ralph Boehme
2ecab3c60a s4:torture: add a file-id related test
Note I'm using the share vfs_fruit_xattr because I need a share with both a
streams and a acl_* VFS object.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14121

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-09-10 19:05:28 +00:00
Stefan Metzmacher
3123271062 s3:blocking: fix the fsp->blocked_smb1_lock_reqs handling
A new request is first checks against all pending
requests before checking the already granted locks.

Before we retried the lock array of another request
(the first in the list), but then finished current request,
which is wrong.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14113

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-09-09 14:23:41 +00:00
Stefan Metzmacher
d3bc019969 s4:torture/raw: add multilock6 test
This is similar to multilock3, but uses a read-only
(LOCKING_ANDX_SHARED_LOCK) locks for the 2nd lock
request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14113

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-09-09 14:23:40 +00:00
Stefan Metzmacher
6d4296aca0 s4:torture/raw: add multilock5 test
This is similar to multilock3, but uses a read-only
(LOCKING_ANDX_SHARED_LOCK) locks for the first lock
request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14113

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-09-09 14:23:40 +00:00
Stefan Metzmacher
d3e65ceb1e s4:torture/raw: add multilock4 test
This is similar to multilock3, but uses read-only
(LOCKING_ANDX_SHARED_LOCK) locks for the blocked
requests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14113

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-09-09 14:23:40 +00:00
Stefan Metzmacher
297763c6b6 s4:torture/raw: add multilock3 test
This demonstrates that unrelated lock ranges
are not blocked by other blocked requests on the same
fsp.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14113

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-09-09 14:23:40 +00:00
Stefan Metzmacher
8decf41bbb s3:smb2_lock: add retry for POSIX locks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14113

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-09-09 14:23:40 +00:00
Stefan Metzmacher
7155d3a2c5 s4:torture/smb2: add smb2.samba3misc.localposixlock1
This demonstrates that the SMB2 code path doesn't do
any retry for local posix locks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14113

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-09-09 14:23:40 +00:00
Stefan Metzmacher
aba0ee4625 s3:blocking: maintain state->deny_status
For Windows locks we start with LOCK_NOT_GRANTED and use
FILE_LOCK_CONFLICT if we retried after a timeout.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14113

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-09-09 14:23:40 +00:00
Stefan Metzmacher
2a77025a1e s4:torture/raw: assert to get LOCK_NOT_GRANTED in torture_samba3_posixtimedlock()
There should not be a different if the blocker is a posix process
instead of another smbd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14113

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-09-09 14:23:40 +00:00
Stefan Metzmacher
e8d719d31f s3:blocking: fix posix lock retry
We should evaluate the timeout condition after the very last
retry and not before.

Otherwise we'd fail to retry when waiting for posix locks.
The problem happens if the client provided timeout is smaller
than the 1 sec (for testing temporary 15 secs) retry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14113

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-09-09 14:23:39 +00:00
Stefan Metzmacher
2ec9e93a7a s3:blocking: demonstrate the posix lock retry fails
This is just a temporary commit that shows the bug and its
fix. It will be reverted once the problem is fixed.

The posix lock retry fails if the client specified timeout
is smaller than the hardcoded 1 second retry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14113

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-09-09 14:23:39 +00:00
Stefan Metzmacher
efd4832c2c CVE-2019-10197: smbd: split change_to_user_impersonate() out of change_to_user_internal()
This makes sure we always call chdir_current_service() even
when we still impersonated the user. Which is important
in order to run the SMB* request within the correct working directory
and only if the user has permissions to enter that directory.

It makes sure we always update conn->lastused_count
in chdir_current_service() for each request.

Note that vfs_ChDir() (called from chdir_current_service())
maintains its own cache and avoids calling SMB_VFS_CHDIR()
if possible.

It means we still avoid syscalls if we get a multiple requests
for the same session/tcon tuple.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Tue Sep  3 09:27:22 UTC 2019 on sn-devel-184
2019-09-03 09:27:21 +00:00
Stefan Metzmacher
9ab5a51a6e CVE-2019-10197: test_smbclient_s3.sh: add regression test for the no permission on share root problem
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2019-09-03 08:07:38 +00:00
Aaron Haslett
6dcf00ba0a downgradedatabase: installing script
Installing downgrade script so people don't need the source tree for it.

Exception added in usage test because running the script without arguments
is valid. (This avoids the need to knownfail it).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-08-20 03:40:28 +00:00
Tim Beale
fdaaee8d3a downgradedatabase: rename to samba_downgrade_db
Just so that it's slightly less of a mouthful for users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-08-20 03:40:28 +00:00
Ralph Boehme
64f182412a s3:mdssvc: fix slrpc_fetch_attributes() when CNID is not known
Samba currenlty fails the whole RPC request, macOS returns returns a nil entry
for the requested CNID:

DALLOC_CTX(): {
	sl_array_t(): {
		uint64_t: 0x0000
		CNIDs: unkn1: 0xfec, unkn2: 0x6b000020
			DALLOC_CTX(): {
				uint64_t: 0xe4bbf314c03b1e
			}
		sl_filemeta_t(): {
			sl_array_t(): {
				nil
				nil
			}
		}
	}
}

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Aug  8 21:43:14 UTC 2019 on sn-devel-184
2019-08-08 21:43:14 +00:00
Ralph Boehme
b2bf13ecf7 s3:mdssvc: close mdssvc rpc command must return in handle
Checked against macOS mdssvc.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-08-08 20:24:33 +00:00
Ralph Boehme
a5e705504b s3:mdssvc: failing the RPC request if the mdssvc policy handle is not found
Turns out macOS mdssvc doesn't fail the RPC request if the policy handle is all
zero. Also, if it fails with a non-all-zero handle, it returns a different RPC
error, namely DCERPC_NCA_S_PROTO_ERROR, not DCERPC_FAULT_CONTEXT_MISMATCH (or
rather their mapped NT_STATUS codes).

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-08-08 20:24:33 +00:00
Ralph Boehme
6336699687 s3:mdssvc: the open command must work on shares with Spotlight disabled
Move the implementation of this setting down to the actual search query
processing. macOS has no notion of "spotlight = false" at the DCERPC layer and
the open request will always succeed even on all shares.

When later the client issues search requests on such shares, we ensure we use
the noindex backend.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-08-08 20:24:33 +00:00
Ralph Boehme
940c3b31dd s3:mdssvv: don't fail the RPC request if the share name is unknown
Taken from macOS. We have to return an empty share_path and an empty policy
handle, but not fail the RPC request.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-08-08 20:24:33 +00:00
Ralph Boehme
017af5d583 torture: beginning of a mdssvc RPC service test-suite
Yikes! Most tests fail atm.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-08-08 20:24:33 +00:00
Ralph Boehme
b34fd5b997 s3:mdssvc: fix unmarshalling of empty CNID array
len=0 is invalid, len=8 is an empty array, len>8 is an array with members, so
for the len=8 case we must add the empty cnid array.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-08-08 20:24:32 +00:00
Ralph Boehme
c282d76d55 torture: start of a mdssvc packet (un)marshalling testsuite
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-08-08 20:24:32 +00:00
Douglas Bagnall
f8fb6f3261 auth/pycreds/encrypt_netr_crypt_password: don't segfault
Non-talloc objects were treated as talloc objects, to no good effect

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-22 22:20:26 +00:00
Douglas Bagnall
dc20e7c6df talloc: pytalloc_get_checked_type: survive non-talloc objects
If the python object is not a talloc object, we will end up
with a NULL pointer. We weren't checking for that properly

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-22 22:20:25 +00:00
Douglas Bagnall
fdb9a59069 pyldb: ldb.register_module() checks arguments a little bit
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-10 04:32:13 +00:00
Douglas Bagnall
192386ede6 pyldb: remove ldb.open, which was never survivable
There was no way to call ldb.open without evoking signal 11, so it is
unlikely anyone was using it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-10 04:32:13 +00:00
Douglas Bagnall
3af57daa84 py segfault test: ldb.open
There seems to be no way of using ldb.open without causing a segfault

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-10 04:32:13 +00:00
Douglas Bagnall
545e95386f py segfault test: ldb.register_module
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-10 04:32:13 +00:00
Douglas Bagnall
339f8bbdda pyldb: check for errors in PyLdb_GetPyType()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-10 04:32:13 +00:00
Douglas Bagnall
3822a41f74 s4/scripting/autoidl: remove it
What does it even do? Possibly nothing, not least because nobody ever
runs it.

It was introduced as source4/scripting/bin/autoidl.py in
a2446e5f8550582c0d4353bb85874dea17cf1d98 ("initial work for script
that uses probing to figure out IDL"). Since then it has only had
superficial patches, generally aimed at Python 3.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-07-05 01:05:20 +00:00