1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

37090 Commits

Author SHA1 Message Date
Stefan Metzmacher
87b8049320 s4:torture/smb2: add smb2.session.bind2
This demonstrates that a session and it's open handles is destroyed
when the last explicitly bound channel gets disconnected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Stefan Metzmacher
f5168a21ab s4:torture/smb2: add smb2.replay.dhv2-pending* tests
These demonstrate that the replay detection for pending opens
either doesn't exist (for the share_access=NONE => SHARING_VIOLATION
case) or return the wrong status code => ACCESS_DENIED instead of
FILE_NOT_AVAILABLE.

Windows clients transparently retry after FILE_NOT_AVAILABLE,
while they pass ACCESS_DENIED directly to the application.

I'll report that to dochelp@microsoft.com in order to
clarify the situation.

In the meantime I added tests with a '-windows' suffix,
which demostrate the current windows server behavior,
while the tests with a '-sane' suffix expect the behavior
that whould make windows clients happy.

For Samba I'll implement the '-sane' behavior that
detects all replays and returns FILE_NOT_AVAILABLE
if the original request is still pending.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Stefan Metzmacher
ae1c3a0d9a s4:torture/smb2: provide verbose output when we're waiting for potential lease/oplock breaks
It makes it easier to follow manual tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Stefan Metzmacher
aa5f93eb65 s4:torture/smb2: add smb2_util_lease_state_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Stefan Metzmacher
1714a05b99 s4:torture/smb2: make use of torture_reset_break_info() in replay.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Stefan Metzmacher
e63651cfd6 s4:torture/smb2: make use of torture_reset_lease_break_info() in lease.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14449

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-29 19:36:37 +00:00
Mathieu Parent
359c6bd210 Rename mdfind to mdsearch
GNUstep as an mdfind binary, and both should be co-instalable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14431

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Björn Baumbach <bb@sernet.de>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Mar 29 16:18:54 UTC 2021 on sn-devel-184
2021-03-29 16:18:54 +00:00
Andrew Bartlett
7415f712db smb.conf: Remove "share backend" option
This is a confusing hold-over from the NTVFS fileserver that never became part of
the merged architecture.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-26 03:04:39 +00:00
Andreas Schneider
ca57356b78 s4:lib:cmdline: Rename cli_credentials_set_cmdline_callbacks()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2021-03-24 00:55:32 +00:00
David Mulder
76868b50f3 samba-tool: Test gpo manage access list command
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-18 18:50:28 +00:00
David Mulder
a6cb5b8cc5 gpo: Apply Group Policy Host Access configuration from VGP
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-18 18:50:28 +00:00
Douglas Bagnall
f3309818d3 py bindings: write 'bytes', not 'PY_DESC_PY3_BYTES'
Because it is shorter, clearer, and reduces py3compat.h

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 17:10:32 +00:00
Stefan Metzmacher
2045008995 s4:torture/smb2: add smb2.session.bind_{invalid_auth,different_user}
These demonstrate that a failing bind does not destroy
the existing session and binding with a different user results
in ACCESS_DENIED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
341ad1ae68 s4:torture: add a torture_user2_credentials() helper to pass additional credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
457b989881 s4:torture/smb2: add smb2.session.bind_negative_{smb202,smb210,smb2to3,smb3to2,smb3to3}
'smb2.session.bind_negative_smb202' is similar to the MultipleChannel_Negative_SMB2002 test
from the Windows Protocol Test Suite.

It demonstrates that the server needs to do lookup
in the global session table in order to get the signing
and error code of invalid session setups correct.

In order to work out the details I've added more similar tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
30fa5a45c2 s4:torture/smb2: improve smb2.notify.invalid-reauth
This demonstrates that the session is gone after a failed reauth.
This is different compared to a failing session bind.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
fe7fe76c31 s4:param: let lpcfg_smbcli_options() fill smb3_capabilities.ciphers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
c34b86a34e libcli/smb: pass smb3_capabilities to smbXcli_conn_create()
Passing NULL means use none.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Stefan Metzmacher
5b5140483e s4:libcli/raw: add smb3_capabilities to struct smbcli_options
Currently this will be zeroed in lpcfg_smbcli_options(),
but will later allow advanced callers to pass values to
smbXcli_conn_create().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-17 00:49:32 +00:00
Volker Lendecke
bb5bf50819 lib: Remove init_names()
is_myname() looks at lp_* directly, nmbd maintains its own list: We don't
need the baroque loadparm handler anymore.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:32 +00:00
Volker Lendecke
c8f47dfc03 torture: Make srv_cb static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:32 +00:00
Volker Lendecke
8d37c632b9 rpc_server4: Make "srv_callbacks" static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:31 +00:00
Volker Lendecke
403eabe4fc librpc: Add "private_data" to struct dcesrv_context_callbacks
Not used right now, but we should never have callbacks without a
"private_data" pointer. Some of the callbacks could even today benefit
from this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:31 +00:00
Stefan Metzmacher
11f3c852c7 s4:libnet_rpc: avoid reusing the assoc_group_id of the lsa connection
This was an unexpected side effect introduced in commit
1b17d9a587.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 11 22:50:02 UTC 2021 on sn-devel-184
2021-03-11 22:50:02 +00:00
David Mulder
6054564d4f samba-gpupdate: Enable the Startup Scripts Extension
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Björn Baumbach <bb@sernet.de>
2021-03-11 20:29:41 +00:00
David Mulder
fed09b307f samba-tool: Enable pydns without ad dc
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-10 21:43:34 +00:00
David Mulder
a7897cc6cd samba-tool: Enable pydsdb without ad dc
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-10 21:43:34 +00:00
David Mulder
e5e39a836a python: Test samdb import
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-10 21:43:34 +00:00
Andrew Bartlett
5cdc065211 lib/param: Remove lpcfg_volume_label() and only caller in NTVFS file server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2021-03-10 06:58:39 +00:00
Volker Lendecke
1ea49c426c samba: Fix indentation
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-09 22:36:28 +00:00
David Mulder
2461c89c07 gpo: Apply Group Policy Issue setting from VGP
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-08 19:45:30 +00:00
David Mulder
efc9bce868 gpo: Apply Group Policy MOTD setting from VGP
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-08 19:45:30 +00:00
David Mulder
f914b42d27 gpo: Test to ensure that samba-gpupdate doesn't require ad-dc
Running samba-gpupdate on a client is causing an
error in gp_access_ext, due to it attempting to
access sam.ldb before detecting whether we are on
an ad-dc.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-08 17:58:37 +00:00
Stefan Metzmacher
2a0626c32a s4:torture/smb2: add smb2.lease.timeout-disconnect test
This reproduces a problem that is triggered when
smbd_server_connection_terminate() is called recursively.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14533

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-06 02:20:05 +00:00
Stefan Metzmacher
2cf1628419 s4:torture/smb2: add a smb2.session.two_logoff test
This reproduces a bug where two SMB2_LOGOFF messages kill the whole
client smbd when multi-channel is used, instead of just removing the
logical session.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14532

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-06 02:20:05 +00:00
Stefan Metzmacher
a200769950 s4:torture/smb2: use %t (timestamp) instead of %R for lease.dynamic_share test
This test should be independent of the protocol in order to be
independent of multi-channel support of the server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14534

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-06 02:20:05 +00:00
Volker Lendecke
e0426187eb dsdb: Fix CID 1473454: Null pointer dereferences
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-06 02:20:05 +00:00
Volker Lendecke
84be21565c dsdb: Fix CID 1473453: Null pointer dereferences
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-06 02:20:05 +00:00
Björn Baumbach
3174c6dd41 s4:dsdb/dirsync: fix a typo in a comment
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-01 03:50:35 +00:00
David Mulder
ddf1cbd345 gpo: Apply Group Policy OpenSSH settings from VGP
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-02-09 20:22:36 +00:00
Paul Wise
f9ed4f7028 HEIMDAL: krb5_storage_free(NULL) should work
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12505

Signed-off-by: Paul Wise <pabs3@bonedaddy.net>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Original-author: Nicolas Williams <nico@twosigma.com>
(cherry-picked from heimdal commit b3db07d5f0e03f6a1a0a392e70f9675e19a6d6af)
2021-02-09 03:09:34 +00:00
David Mulder
0b66bf6512 gpo: Apply Group Policy Files Policy from VGP
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-02-08 22:33:14 +00:00
Andrew Bartlett
da627106cd dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones
These reports (about recently deleted objects)
create concern about a perfectly normal part of DB operation.

We must not operate on objects that are expired or we might reanimate them,
but we must fix "Deleted Objects" if it is wrong (mostly it is set as being
deleted in 9999, but in alpha19 we got this wrong).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14593

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb  3 05:29:11 UTC 2021 on sn-devel-184
2021-02-03 05:29:11 +00:00
Andreas Schneider
144b32ae01 s4:kdc:mit: Fix heap-use-after-free
We need to duplicate the string as lp_load() will free the s4_conf_file
pointer and set it again.

Found with AddressSanitizer.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-02-03 04:19:36 +00:00
Andreas Schneider
a878200934 s4:ntvfs: Add missing break in switch statement
error: unannotated fall-through between switch labels [-Werror,-Wimplicit-fallthrough]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-02-01 21:50:32 +00:00
Andreas Schneider
4b398bb476 s4:rpc_server: Add missing break in switch statement
error: unannotated fall-through between switch labels [-Werror,-Wimplicit-fallthrough]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-02-01 21:50:32 +00:00
Andreas Schneider
02fe2d050d s4:gensec: Fix overflow issues in switch statement
error: overflow converting case value to switch condition type (-1765328344 to 2529638952) [-Werror,-Wswitch]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-02-01 21:50:32 +00:00
Volker Lendecke
895f459b4b epmapper: Simplify _epm_Map()
We have a routine to compare ndr_syntax_id, don't do it manually.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Samuel Cabrero
522ef9e6a5 s4-torture: Add a test for ndr_syntax_id_from_string()
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2021-01-28 16:58:35 +00:00
Samuel Cabrero
15934ace71 s4-torture: Add a test for GUID_from_data_blob
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2021-01-28 16:58:35 +00:00
Volker Lendecke
064eab8b25 dsdb: Avoid an unneeded #include
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-01-28 16:58:35 +00:00
Ralph Boehme
dd42681fe9 s4/torture: move deletion out of close loop in torture_smb2_maxfid()
A subsequent commit is changing the delete-on-close code in the fileserver to
open a handle on the parent directory of the file that is to be deleted.

If we've consumed all available handles, that open would fail causing a test
failure. As it's not really needed for the test semantics, don't set
delete-on-close when closing the handles, instead let the subsequent
smb2_deltree() do the cleanup.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-28 08:11:49 +00:00
Stefan Metzmacher
d06f2c22d7 s4:selftest: use plansmbtorture4testsuite() for 'rpc.echo'
This makes sure "--basedir=$SELFTEST_TMPDIR" is passed to smbtorture.

Tests should not create files in the build nor the source directory!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 27 11:01:32 UTC 2021 on sn-devel-184
2021-01-27 11:01:32 +00:00
David Mulder
7ac29c8eeb gpo: Apply Group Policy Symlink Policy from VGP
This adds a Group Policy extension which applies
symlink policies set by Vintela Group Policy in the
SYSVOL.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-27 06:30:31 +00:00
Volker Lendecke
b9f6e25fad torture: Fix a gcc qualifier ordering warning
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 22 21:07:57 UTC 2021 on sn-devel-184
2021-01-22 21:07:57 +00:00
Volker Lendecke
f055d3f7db rpc_server: Fix a "bool==true" condition
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-22 19:54:38 +00:00
Volker Lendecke
181eb5728f torture: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-22 19:54:38 +00:00
Volker Lendecke
d6c3faa188 rpc_server: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-22 19:54:37 +00:00
Stefan Metzmacher
3db566026b s4:torture/smb2: add samba3.smb2.ioctl.bug14607
FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 will be used
to trigger an SMB2 IOCTL response with extra padding.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2021-01-15 07:26:29 +00:00
Gary Lockyer
4e624478dc s4 auth ntlm: Fix integer overflow in authsam_password_check_and_record
Fix a ubsan detected integer overflow.
../../source4/auth/ntlm/auth_sam.c:445:56: runtime error:
     signed integer overflow: 60 * 600000000
     cannot be represented in type 'int'

In practice this meant that the default for the smb.conf parameter
"old password allowed period" was approximately 16 seconds, rather than
the intended 60 minutes. Similarly the value used would be 22.5 times
less than the value specified in smd.conf.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 13 23:52:38 UTC 2021 on sn-devel-184
2021-01-13 23:52:38 +00:00
Volker Lendecke
e60c435744 auth4: Use global_sid_Anonymous
dom_sid_dup() is much simpler than dom_sid_parse_talloc()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Volker Lendecke
6b73ffb69d auth4: Use global_sid_System
dom_sid_dup() is much simpler than dom_sid_parse_talloc()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Stefan Metzmacher
f9b2559c42 s4:torture/fruit: avoid sleep(10000000); if write_stream() fails
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-08 20:31:33 +00:00
Volker Lendecke
dad4410c86 dsdb: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-08 20:31:33 +00:00
Volker Lendecke
768917f6f8 dsdb: Fix comment wording
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-08 20:31:33 +00:00
Volker Lendecke
fbe6c6cd11 auth: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-08 20:31:33 +00:00
Volker Lendecke
04077435dc auth: Reformat a comment
Will fix a typo next

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-08 20:31:33 +00:00
Stefan Metzmacher
54963d246e Happy New Year 2021!
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan  1 11:56:23 UTC 2021 on sn-devel-184
2021-01-01 11:56:23 +00:00
Björn Jacke
18d68e85c8 dns_update.c: handle DNS_QTYPE_ALL
we have code to handle this, we should not refuse the request

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14576

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Sat Dec 19 18:20:30 UTC 2020 on sn-devel-184
2020-12-19 18:20:30 +00:00
David Mulder
9b44f7a71e gpo: Apply Group Policy Sudo Rights from VGP
This adds a Group Policy extension which applies
Sudo rights set by Vintela Group Policy in the
SYSVOL.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 19 08:11:50 UTC 2020 on sn-devel-184
2020-12-19 08:11:50 +00:00
Björn Baumbach
bcfce0ecd3 selftest: add tests for smb notify, using the a special share
That share will get the "honor change notify privilege = yes" option
once it's implemented. For now it's marked as knownfail.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-12-17 13:59:38 +00:00
Gary Lockyer
1ed461a142 tests python krb5: initial TGS tests
Initial tests on the KDC TGS

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-12-16 23:48:05 +00:00
Stefan Metzmacher
14768d0d54 s4:torture:smb2: remove unused fallback defines in oplock.c
F_SETLEASE/F_SETSIG were all included in the kernel
and glibc in 2002, there's no need to have fallbacks 18 years later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec  7 20:07:18 UTC 2020 on sn-devel-184
2020-12-07 20:07:18 +00:00
Stefan Metzmacher
6d4ce53ecd s3/wscript: only check for F_SETLEASE being available at compile time
F_GETLEASE/F_SETLEASE are available (at least) since Linux 2.4.0 from
2002.

We also should not have the configure check depend on the filesystem
we find at build time. It's very common that the build-environment is
much more restricted than the runtime-environment will be.

As a history we had this check on Samba 3.6:

 AC_CACHE_CHECK([for Linux kernel oplocks],samba_cv_HAVE_KERNEL_OPLOCKS_LINUX,[
 AC_TRY_RUN([
 #include <sys/types.h>
 #include <fcntl.h>
 #ifndef F_GETLEASE
 #define F_GETLEASE	1025
 #endif
 main() {
        int fd = open("/dev/null", O_RDONLY);
        return fcntl(fd, F_GETLEASE, 0) == -1;
 }
 ],
 samba_cv_HAVE_KERNEL_OPLOCKS_LINUX=yes,samba_cv_HAVE_KERNEL_OPLOCKS_LINUX=no,samba_cv_HAVE_KERNEL_OPLOCKS_LINUX=cross)])
 if test x"$samba_cv_HAVE_KERNEL_OPLOCKS_LINUX" = x"yes"; then
    AC_DEFINE(HAVE_KERNEL_OPLOCKS_LINUX,1,[Whether to use linux kernel oplocks])
 fi

which didn't depend on the filesystem.

Then we got a broken check introduced in Samba 4.0 (a copy of the
F_NOTIFY check):

 # Check for Linux kernel oplocks
 conf.CHECK_CODE('''
 #include <sys/types.h>
 #include <fcntl.h>
 #include <signal.h>
 #ifndef F_NOTIFY
 #define F_NOTIFY 1026
 #endif
 main() {
         exit(fcntl(open("/tmp", O_RDONLY), F_NOTIFY, 0) == -1 ?  1 : 0);
 }''', 'HAVE_KERNEL_OPLOCKS_LINUX', addmain=False, execute=True,
        msg="Checking for Linux kernel oplocks")

this got "fixed" in Samba 4.7 (and backports to 4.6, 4.5 and 4.4) into

 # Check for Linux kernel oplocks
 conf.CHECK_CODE('''
 #include <sys/types.h>
 #include <fcntl.h>
 #include <signal.h>
 #ifndef F_GETLEASE
 #define F_GETLEASE 1025
 #endif
 main() {
         exit(fcntl(open("/tmp", O_RDONLY), F_GETLEASE, 0) == -1 ?  1 : 0);
 }''', 'HAVE_KERNEL_OPLOCKS_LINUX', addmain=False, execute=True,
        msg="Checking for Linux kernel oplocks")

Lately it became dependend on the filesystem in the build-environment:

 # Check for Linux kernel oplocks
 conf.CHECK_CODE('''
 #include <sys/types.h>
 #include <fcntl.h>
 #include <signal.h>
 #ifndef F_GETLEASE
 #define F_GETLEASE 1025
 #endif
 main() {
       const char *fname="/tmp/oplock-test.txt";
       int fd = open(fname, O_RDWR|O_CREAT, 0644);
       int ret = fcntl(fd, F_SETLEASE, F_WRLCK);
       unlink(fname);
       return (ret == -1) ? 1 : 0;
 }''', 'HAVE_KERNEL_OPLOCKS_LINUX', addmain=False, execute=True,
        msg="Checking for Linux kernel oplocks")

Now we just check for F_SETLEASE being available in linux/fcntl.h.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-12-07 19:02:33 +00:00
Ralph Boehme
058f96f4c4 s4/samba: call force_check_log_size() in standard_new_task()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
RN: samba process does not honor max log size

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec  7 18:54:29 UTC 2020 on sn-devel-184
2020-12-07 18:54:29 +00:00
Ralph Boehme
6fa5fb8ef2 s4/samba: call force_check_log_size() in standard_accept_connection()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-12-07 17:54:10 +00:00
Ralph Boehme
82b64e930b s4/samba: call force_check_log_size() in prefork_reload_after_fork()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

Signed-off-by: Ralph Boehme <slow@samba.org>
2020-12-07 17:54:10 +00:00
Ralph Boehme
19413e76a4 s4: call reopen_logs_internal() in the SIGHUP handler of the prefork process model
With debug_schedule_reopen_logs() the actual reopen only takes place at some
point in the future when a DEBUG message is processed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-12-07 17:54:10 +00:00
Ralph Boehme
9f71e6173a s4: replace low-level SIGUP handler with a tevent handler
Replace the low-level signal handler for SIGHUP with a nice tevent signal
handler. The low-level handler sig_hup() installed by setup_signals() remains
being used during early startup before a tevent context is available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-12-07 17:54:10 +00:00
Ralph Boehme
516c2a04a2 s4: install tevent tracing hooks to trigger logfile rotation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-12-07 17:54:10 +00:00
Ralph Boehme
68f71f227b s4: add samba server tevent trace helper stuff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-12-07 17:54:10 +00:00
Volker Lendecke
7bd5121750 torture: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-11-30 22:24:38 +00:00
Volker Lendecke
d1be9eee67 samldb: Align two integer types
ARRAY_SIZE is size_t

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-11-30 22:24:38 +00:00
Ralph Boehme
4142bde7e5 s4: rename source4/smbd/ to source4/samba/
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Nov 27 10:07:18 UTC 2020 on sn-devel-184
2020-11-27 10:07:18 +00:00
Andrew Bartlett
53274d1148 samba_upgradedns: Do not print confusing logs about missing .zone files
samba_upgradedns prints confusing logs about upgrading zone files
and automatically creating DNS zones when the zone already exists.

We need to move the logging to later when we know we what we are
using the parsed information for.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14580

Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Nov 26 08:16:04 UTC 2020 on sn-devel-184
2020-11-26 08:16:04 +00:00
Andrew Bartlett
d49e96bc45 Do not create an empty DB when accessing a sam.ldb
Samba already does this for samba-tool and doing this should make
our errors more sensible, particularly in BIND9 if not provisioned
with the correct --dns-backend=DLZ_BIND9

The old error was like:

 named[62954]: samba_dlz: Unable to get basedn for
 /var/lib/samba/private/dns/sam.ldb
  - NULL Base DN invalid for a base search.

The new error will be like (in this case from the torture test):
 Failed to connect to Failed to connect to
 ldb:///home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb:
 Unable to open tdb '/home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb':
 No such file or directory: Operations error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14579

Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-11-26 06:52:41 +00:00
Andrew Bartlett
f226bea5de torture: Do not call destroy_dlz() on uninitialised memory
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14579

Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-11-26 06:52:41 +00:00
Gary Lockyer
a00a1c9745 tests python krb5: Convert kdc-heimdal to python
Implement the tests in source4/torture/krb5/kdc-heimdal.c in python.
The following tests were not re-implemented as they are client side
tests for the "Orpheus Lyre" attack:
       TORTURE_KRB5_TEST_CHANGE_SERVER_OUT
       TORTURE_KRB5_TEST_CHANGE_SERVER_IN
       TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-11-12 21:30:32 +00:00
Björn Jacke
e4f3354821 torture/sharemode: fix empty initializer compile warning
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-11-10 06:53:43 +00:00
Björn Jacke
104b3545e0 heimdal_build: silence warning: macro redefined
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-11-10 06:53:42 +00:00
Andreas Schneider
c75dd1ea17 s4:rpc_server: Allow to use RC4 for creating trusts
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-11-09 08:58:35 +00:00
Andreas Schneider
c93ccebdfe s4:rpc_server: Use gnutls_cipher_decrypt() in get_trustdom_auth_blob()
It doesn't matter for RC4, but just to be correct.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-09 08:58:35 +00:00
Gary Lockyer
1e1d8b9c83 tests python krb5: Add python kerberos compatability tests
Add new python test to document the differences between the MIT and
Heimdal Kerberos implementations.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-11-09 02:46:50 +00:00
Isaac Boukris
604153525a Remove source4/scripting/devel/createtrust script
We now have the 'samba-tool domain trust' command.

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Fri Nov  6 11:25:02 UTC 2020 on sn-devel-184
2020-11-06 11:25:02 +00:00
Isaac Boukris
cfaad16ff6 selftest: add a test for the CreateTrustedDomainRelax wrapper
Originally copied from 'source4/scripting/devel/createtrust'
(had to drop the TRUST_AUTH_TYPE_VERSION part though, as it
fails against samba DC).

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-06 10:02:35 +00:00
Isaac Boukris
eba91f0dfa Add py binding for dcerpc_transport_encrypted
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-06 10:02:35 +00:00
Isaac Boukris
339bfcd67a Add dcerpc_transport_encrypted()
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-06 10:02:35 +00:00
Andrew Walker
c2fcd83ed7 s4:libnet:py_net - free event context in dealloc fn
Creation of a new Net() object initializes an event context under
a NULL talloc context and then creates a new talloc context as a
child of the event context. The deallocation function for the
net object only frees the child and not the parent. This leaks an
fd for the tevent context and associated memory.

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Nov  6 04:58:31 UTC 2020 on sn-devel-184
2020-11-06 04:58:31 +00:00
Gary Lockyer
005435dc4d tests python krb5: Add python kerberos canonicalization tests
Add python canonicalization tests, loosely based on the code in
source4/torture/krb5/kdc-canon-heimdal.c.  The long term goal is to move
the integration level tests out of kdc-canon-heimdal, leaving it as a
heimdal library unit test.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-11-04 22:54:41 +00:00
Björn Baumbach
a1b021200e selftest: add test for new "samba-tool user unlock" command
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Nov  4 00:19:25 UTC 2020 on sn-devel-184
2020-11-04 00:19:25 +00:00
Andreas Schneider
1a92994a95 auth:creds:tests: Migrate test to a cmocka unit test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-03 15:25:37 +00:00
Andreas Schneider
1298280a22 auth:creds: Rename CRED_USE_KERBEROS values
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-03 15:25:37 +00:00
Douglas Bagnall
6a9d22f4a9 dsdb/mod/operational: correct comment arithmetic
E + F is not 1F! E + F is 1D!

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-11-03 00:33:41 +00:00
Andreas Schneider
7d54e4b49c s4:param: Add 'weak crypto' getter to pyparam
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-29 14:19:36 +00:00
Andreas Schneider
a9c532c6d3 s4:rpc_server: Allow to use RC4 for setting passwords
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-10-29 14:19:36 +00:00
Jeremy Allison
6e143d9c7a s4: torture: Add smb2.notify.handle-permissions test.
Add knownfail entry.

CVE-2020-14318

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434

Signed-off-by: Jeremy Allison <jra@samba.org>
2020-10-29 10:25:37 +00:00
Volker Lendecke
40f23c2459 CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call
We can't add this test before the fix, add it to knownfail and have the fix
remove the knownfail entry again. As this crashes winbind, many tests after
this one will fail.

Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
Signed-off-by: Volker Lendecke <vl@samba.org>
2020-10-29 10:25:37 +00:00
Andreas Schneider
5f92ec6988 s4:torture: Pass buffer correctly to write()
../../source4/torture/basic/denytest.c: In function ‘torture_createx_specific.isra’:
../../source4/torture/basic/denytest.c:2372:9: error: ‘write’ reading 56 bytes from a region of size 8 [-Werror=stringop-overflow=]
 2372 |   res = write(data_file_fd, &cxd, cxd_len);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14555

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Oct 28 17:52:19 UTC 2020 on sn-devel-184
2020-10-28 17:52:19 +00:00
Alexander Bokovoy
3e27dc4847 daemons: report status to systemd even when running in foreground
When systemd launches samba services, the configuration we have in
systemd service files expects that the main process (/usr/sbin/*)
would use sd_notify() to report back its status. However, we only use
sd_notify() when running become_daemon().

As a result, samba/smbd/winbindd/nmbd processes never report back its
status and the status updates from other childs (smbd, winbindd, etc)
are not accepted as we now have implied NotifyAccess=main since commit
d1740fb3d5

This leads to a timeout and killing samba process by systemd. Situation
is reproducible in Fedora 33, for example.

Make sure that we have required status updates for all daemons in case
we aren't runnning in interactive mode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14552

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Oct 26 19:58:18 UTC 2020 on sn-devel-184
2020-10-26 19:58:17 +00:00
Alexander Bokovoy
183d5d63f4 DNS Resolver: support both dnspython before and after 2.0.0
`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

The compatibility shim was developed by Stanislav Levin for FreeIPA and
adopted for Samba by Alexander Bokovoy.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-10-26 18:33:40 +00:00
Ralph Boehme
c2f0fd40da smb: rename NTCREATEX_OPTIONS_PRIVATE_DENY_FCB to NTCREATEX_FLAG_DENY_FCB
Just a shorter name, no change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-23 17:44:33 +00:00
Ralph Boehme
6da16727e1 smb: rename NTCREATEX_OPTIONS_PRIVATE_DENY_DOS to NTCREATEX_FLAG_DENY_DOS
Just a shorter name, no change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-23 17:44:33 +00:00
Volker Lendecke
2ae42bebe3 libcli: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-21 19:04:38 +00:00
Stefan Metzmacher
7223f6453b s4:dsdb:acl_read: Implement "List Object" mode feature
See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility

I tried to avoid any possible overhead for the common cases:

- SEC_ADS_LIST (List Children) is already granted by default
- fDoListObject is off by default

Overhead is only added if the administrator turned on
the fDoListObject feature and removed SEC_ADS_LIST (List Children)
from a parent object.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 21 08:48:02 UTC 2020 on sn-devel-184
2020-10-21 08:48:01 +00:00
Stefan Metzmacher
ffc0bdc6d4 s4:dsdb:util: add dsdb_do_list_object() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-21 07:25:37 +00:00
Stefan Metzmacher
e1529bedb2 s4:dsdb:acl_read: defer LDB_ERR_NO_SUCH_OBJECT
We may need to return child objects even if the base dn
is invisible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-21 07:25:37 +00:00
Stefan Metzmacher
faff8e6c89 s4:dsdb:acl_read: make use of aclread_check_object_visible() for the search base
We should only have one place to do access checks.

Use 'git show -w' to see the minimal diff.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-21 07:25:37 +00:00
Stefan Metzmacher
c4a3028de7 s4:dsdb:acl_read: fully set up 'struct aclread_context' before the search base acl check
This makes further change much easier.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-21 07:25:37 +00:00
Stefan Metzmacher
d2dd7c2a5c s4:dsdb:acl_read: introduce aclread_check_object_visible() helper
In future this will do more than aclread_check_parent(),
if we implement fDoListObject and SEC_ADS_LIST_OBJECT handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-21 07:25:37 +00:00
Stefan Metzmacher
06d1344067 s4:dsdb:tests: add AclVisibiltyTests
This tests a sorts of combinations in order to
demonstrate the visibility of objects depending on:

- with or without fDoListObject
- with or without explicit DENY ACEs
- A hierachy of objects with 4 levels from the base dn
- SEC_ADS_LIST (List Children)
- SEC_ADS_LIST_LIST_OBJECT (List Object)
- SEC_ADS_READ_PROP
- all possible scopes and basedns

This demonstrates that NO_SUCH_OBJECT doesn't depend purely
on the visibility of the base dn, it's still possible to
get children returned und an invisible base dn.

It also demonstrates the additional behavior with "List Object" mode.
See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-21 07:25:37 +00:00
Gary Lockyer
6bf1b9885b CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 zero password
Ensure that a password of all zeros shorter than the maximum length is
rejected.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 16 06:09:06 UTC 2020 on sn-devel-184
2020-10-16 06:09:05 +00:00
Gary Lockyer
61f216dc89 CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 max len password
Ensure that a maximum length password (512) is still accepted

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:40 +00:00
Gary Lockyer
56297c7089 CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero password
Check that an all zero password is rejected, Note this test user ARC4
encryption so that it passes the self encryption test.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:40 +00:00
Gary Lockyer
b2f4a55671 CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 confounder
Test that a confounder that encrypts to itself is rejected

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:40 +00:00
Gary Lockyer
e790f9d20a CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero password
Check that a password buffer containing all zeros is rejected.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:40 +00:00
Gary Lockyer
f47e373415 CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero enc req
Check that a request that encrypts to all zeros, is rejected if the length
encrypts to itself.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:40 +00:00
Gary Lockyer
07c316346a CVE-2020-1472(ZeroLogon): torture: Move existing tests
Move the existing ZeroLogon tests into the ZeroLogon testsuite.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:40 +00:00
Gary Lockyer
6f59a5fd84 CVE-2020-1472(ZeroLogon): Add zerologon test suite
Add a ZeroLogon test suite, to allow the ZeroLogon tests to be run against
the s3 and s4 netlogon servers.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:40 +00:00
Gary Lockyer
b9b6abf18b CVE-2020-1472(ZeroLogon): rpc_server/netlogon: Fix confounder check
Add check for zero length confounder, to allow setting of passwords 512
bytes long. This does not need to be backported, as it is extremely
unlikely that anyone is using 512 byte passwords.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-10-16 04:45:40 +00:00
Volker Lendecke
39180ca2d8 libcli: Use GUID_to_ndr_buf() in smb2_create_send()
Avoid talloc/free

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:34 +00:00
Volker Lendecke
b1fa3e2bcc libcli: Use GUID_to_ndr_buf() in smbcli_push_guid()
Avoid two talloc/free

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:34 +00:00
Ralph Boehme
616b64c362 s4/torture: use unique filename for torture_samba3_hide() test
The filename "test.txt" is also used by other tests and without O_PATH the file
can't be removed at the end of this tests: open_smb_fname_fsp() fails with
ACCESS_DENIED because the POSIX mode of the file is 0000 and become_root() used
in the #ifndef O_PATH fallback case doesn't work in CI.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 19:39:43 +00:00
David Mulder
a3cd315321 python2 reduction: Merge remaining compat code into common
The remaining compat code (get_string, get_bytes,
cmp) are useful helper routines which we should
simply merge into common (especially since there
is some duplication here).

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Fri Oct  2 14:49:36 UTC 2020 on sn-devel-184
2020-10-02 14:49:36 +00:00
David Mulder
85d2ff2f00 python: Move dsdb_Dn to samdb
The import dsdb needed for dsdb_Dn causes import
errors when trying to import get_bytes/get_string
in some places.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-02 13:29:35 +00:00
Alexander Bokovoy
234957a2e4 Fix build after removal of an extra safe_string.h
Move of strcasecmp redefine to lib/util/safe_string.h in
https://gitlab.com/samba-team/samba/-/merge_requests/1507 broke build on
Fedora 33 with GCC 10.2.1 for those compilation units that use
ldb_att_cmp().

The reason for that is that ldb_attr_cmp() defined as

   #define ldb_attr_cmp(a, b) strcasecmp(a, b)

because attribute names restricted to be ASCII by RFC2251 (LDAPv3 spec).

A solution is to add

   #undef strcasecmp

to all source code files which use ldb_attr_cmp().

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct  1 22:45:29 UTC 2020 on sn-devel-184
2020-10-01 22:45:29 +00:00
Jule Anger
efa9889acb testsuite: add test suite for samba-tool contact commands
Signed-off-by: Jule Anger <ja@sernet.de>
Reviewed-by: Björn Baumbach <bb@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-10-01 01:18:39 +00:00
Amitay Isaacs
5b2ccb1c7c provision: Add support for BIND 9.16.x
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
2020-09-24 04:32:42 +00:00
Amitay Isaacs
ca3c18a236 bind9-dlz: Add support for BIND 9.16.x
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
2020-09-24 04:32:41 +00:00
Amitay Isaacs
016c1174ef provision: Add support for BIND 9.14.x
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
2020-09-24 04:32:41 +00:00
Amitay Isaacs
a167a2154d bind9-dlz: Add support for BIND 9.14.x
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
2020-09-24 04:32:41 +00:00
Amitay Isaacs
cdb6c5d1ec bind9-dlz: Bind 9.13.x switched to using bool as isc_boolean_t instead of int.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
2020-09-24 04:32:41 +00:00
Gary Lockyer
9945f3e354 CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge
Ensure that client challenges with the first 5 bytes identical are
rejected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Sep 18 14:13:17 UTC 2020 on sn-devel-184
2020-09-18 14:13:17 +00:00
Gary Lockyer
4b262b03e1 CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd
Ensure that an empty machine account password can't be set by
netr_ServerPasswordSet2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-09-18 12:48:39 +00:00
Stefan Metzmacher
ca8a0098ac CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations
This should give admins wawrnings until they have a secure
configuration.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:39 +00:00
Stefan Metzmacher
f9b772bf28 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
This allows to add expections for individual workstations, when using "server schannel = yes".
"server schannel = auto" is very insecure and will be removed soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Stefan Metzmacher
be8e639499 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
We should debug more details about the failing request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Stefan Metzmacher
d8a6e6549c CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Stefan Metzmacher
74eb448adf CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of netlogon_creds_random_challenge()
This is not strictly needed, but makes things more clear.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Stefan Metzmacher
355efadc6a CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of netlogon_creds_random_challenge()
This will avoid getting flakey tests once our server starts to
reject weak challenges.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:38 +00:00
Jeremy Allison
2ebf3191f2 lib: addns: Fix ads_dns_lookup_srv() and functions to return size_t * num servers.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-15 10:09:37 +00:00
Jeremy Allison
e034072c96 libcli: nbt: Fix resolve_lmhosts_file_as_sockaddr() to return size_t * count of addresses.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-15 10:09:37 +00:00
David Disseldorp
47ee0c81f6 s4:torture/rpc: move test_fsrvp_seq_timeout as last
test_fsrvp_seq_timeout may see share snapshots left-over, which can
cause problems if subsequent tests expect a clean slate
(i.e. enum_created).

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-09-11 03:43:40 +00:00
David Disseldorp
9bbfdb1185 s4:torture/rpc: flip order of netlogon tests
The previous change to not run rpc tests in reverse order results in
the following failure:
  Testing netr_LogonGetDomainInfo
  UNEXPECTED(failure): samba4.rpc.netlogon with
                       seal,padcheck.netlogon.GetDomainInfo(ad_dc)
  REASON: Exception: ../../source4/torture/rpc/netlogon.c:320:
	      Expression `plain_pass != ((void *)0)' failed: plain_pass

Restore the dependent order of netlogon tests by reversing the
torture_rpc_tcase_add_test*() calls for the suite.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-09-11 03:43:40 +00:00
David Disseldorp
671fe10f21 s4:torture/rpc: run tests in the order that they're added
torture_rpc_tcase_add_test*() uses DLIST_ADD(), which sees them executed
in reverse order to which they're added. Use DLIST_ADD_END() instead to
fix this.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-09-11 03:43:40 +00:00
Stefan Metzmacher
0022cd9458 lib/replace: move lib/replace/closefrom.c from ROKEN_HOSTCC_SOURCE to REPLACE_HOSTCC_SOURCE
This is where it really belongs and we avoid the strange interaction
with source4/heimdal_build/config.h. This a follow up for commit
f31333d40e.

This fixes a build problem if libbsd-dev is not installed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14482

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Sep  8 13:59:58 UTC 2020 on sn-devel-184
2020-09-08 13:59:58 +00:00
Andreas Schneider
0b742ec6a0 s4:smb_server: Use cli_credentials_init_server() for negprot
Signed-off-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Sep  7 13:22:26 UTC 2020 on sn-devel-184
2020-09-07 13:22:26 +00:00
Andreas Schneider
6c94ebf77f s4:rpc_server: Use cli_credentials_init_server()
Signed-off-by: Andreas Schneider <asn@samba.org>
2020-09-07 12:02:15 +00:00
Stefan Metzmacher
5e3363e0b8 s4:ldap_server: Use samba_server_gensec_start() in ldapsrv_backend_Init()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-09-07 12:02:15 +00:00
David Mulder
1ba15c459b GPO: Update the samba-gpupdate man page
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-09-02 09:11:30 +00:00
David Mulder
11f97148bb gpo: Pass necessary parameters to rsop
These parameters were missed by mistake when exts
were modified to be initialized within the rsop
command. Fixes an exception thrown when executing
samba-gpupdate --rsop:

Traceback (most recent call last):
  File "/usr/sbin/samba-gpupdate", line 99, in <module>
    rsop(lp, creds, gp_extensions, opts.target)
  File "/usr/lib64/python3.8/site-packages/samba/gpclass.py", line 512, in rsop
    ext = ext(logger, lp, creds, store)
NameError: name 'logger' is not defined

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-09-02 09:11:30 +00:00
Noel Power
e3079c5387 python/samba/tests/blackbox: Tests with nested DFS container
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug 31 19:09:24 UTC 2020 on sn-devel-184
2020-08-31 19:09:24 +00:00
Noel Power
7faab75b47 python/samba/tests/blackbox: python smbcacls '--propagate-inherit' test
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-31 17:44:38 +00:00
Matthew DeVore
232054c09b lib/util: remove extra safe_string.h file
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.

Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.

Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
2020-08-28 02:18:40 +00:00
Matthew DeVore
c2ac923c6a s3: safe_string: do not include string_wrappers.h
Rather than have safe_string.h #include string_wrappers.h, make users of
string_wrappers.h include it explicitly.

includes.h now no longer includes string_wrappers.h transitively. Still
allow includes.h to #include safe_string.h for now so that as many
modules as possible get the safety checks in it.

Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-28 00:56:34 +00:00
David Mulder
a4f598fde8 gpo: Apply Group Policy Message of the day
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:34 +00:00
David Mulder
3303869c4b gpo: Add CSE for applying smb.conf
Add an extension that applies smb.conf params
applied via the smb.conf admx files.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:34 +00:00
David Mulder
c887f7a7d2 gpo: Fix unapply failure when multiple extensions run
When multiple Group Policy Extensions are present,
only the last executed extension saves it's
changes to the Group Policy Database, due to the
database being loaded seperately for each
extension.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:33 +00:00
Douglas Bagnall
3c026ba492 tests/vlv: attempt to cause trouble by changing sort attribute
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-24 01:46:29 +00:00
Douglas Bagnall
d64886f3e5 tests/vlv: remove redundant assignments
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-24 01:46:29 +00:00
Douglas Bagnall
df98e7db04 s4/dns: do not crash when additional data not found
Found by Francis Brosnan Blázquez <francis@aspl.es>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184
2020-08-24 00:21:41 +00:00
Douglas Bagnall
7afe449e72 s4: dns: Ensure variable initialization with NULL.
Ensure no use after free.

Based on patches from Francis Brosnan Blázquez <francis@aspl.es>
and Jeremy Allison <jra@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-23 22:55:29 +00:00
Volker Lendecke
eb72f887b0 ldap_server: Terminate LDAP connections on krb ticket expiry
See RFC4511 section 4.4.1 and

https://lists.samba.org/archive/cifs-protocol/2020-August/003515.html

for details: Windows terminates LDAP connections when the krb5 ticket
expires, Samba should do the same. This patch slightly deviates from
Windows behaviour by sending a LDAP exop response with msgid 0 that is
ASN1-encoded conforming to RFC4511.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-21 19:14:32 +00:00
Volker Lendecke
77f72fb01f ldap_server: Add the krb5 expiry to conn->limits
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-21 19:14:32 +00:00
Volker Lendecke
35c4bb0b0c torture: Test ldap session expiry
LDAP connections should time out when the kerberos ticket used to authenticate
expires. Windows does this with a RFC4511 section 4.4.1 message (that as of
August 2020 is encoded not according to the RFC) followed by a TCP disconnect.

ldb sees the section 4.4.1 as a protocol violation and returns
LDB_ERR_PROTOCOL_ERROR.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-21 19:14:32 +00:00
Volker Lendecke
c8c2f8ba73 build: Wrap a long line
There will be another entry in the next commit

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-21 19:14:32 +00:00
Volker Lendecke
ef57bc6d4b torture: Fix ldap.basic multibind test
It gets LDAP_STRONG_AUTH_REQUIRED from current AD servers

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Aug 20 18:44:49 UTC 2020 on sn-devel-184
2020-08-20 18:44:49 +00:00
Volker Lendecke
c5e85f4b08 torture: Inline test_bind_simple()
Avoid losing the specific error code with this simple wrapper function

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-20 17:20:29 +00:00
Volker Lendecke
0c36316ecb torture: Pass DN and password to ldap.basic test
Without this, test_multibind() only gets NULL for userdn and password,
not doing what the test claims. This now fails, because our LDAP
server does not allow plain text binds.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-20 17:20:29 +00:00
Volker Lendecke
0a5264838e torture: Add subunit output to ldap.basic test
The next commit will make this fail, and we need to detect this in
knownfail.d/ldap. Without subunit output filter-subunit won't find it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-20 17:20:29 +00:00
Andreas Schneider
81052e41da s4:libcli: Require signing for SMB encryption
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:43 +00:00
Andreas Schneider
d546dd1e5b s4:libcli: Add smb2_connect_enc_start()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:43 +00:00
Andreas Schneider
6454ed761a s3:libcli: Split out smb2_connect_tcon_start()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:43 +00:00
Andreas Schneider
7387c1da31 s4:libcli: Return if encryption is requested for SMB1
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:43 +00:00
Andreas Schneider
e2287011f4 s4:libcli: Return NTSTATUS errors for smb_composite_connect_send()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:43 +00:00
Andreas Schneider
59a1272a6c auth:creds: Remove unused credentials autoproto header
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Volker Lendecke
f05f40316d Fix a comment typo copied around
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-17 19:35:38 +00:00
Volker Lendecke
4f3ab0e9ca ldap_server: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-17 19:35:37 +00:00
Volker Lendecke
07c6484433 torture: Align a few integer types
Also move a variable closer to its use

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-17 19:35:37 +00:00
Volker Lendecke
a6e506afd8 torture: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-17 19:35:37 +00:00
Volker Lendecke
5416fd2ce3 torture: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-17 19:35:37 +00:00
Volker Lendecke
3514e4100c ldap_server: Do an early TALLOC_FREE()
We don't need the asn1 struct after this point anymore

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Aug 17 11:10:04 UTC 2020 on sn-devel-184
2020-08-17 11:10:04 +00:00
Volker Lendecke
86ab467667 ldap_server: Avoid talloc_memdup() for ldap_decode()
Slight optimization for the ldap server: We don't need to copy the
client PDU into the ASN1 struct, the decoding process happens
immediately in the same routine.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-17 09:46:36 +00:00
Matthew DeVore
53a1d034f3 lib/util: Standardize use of st_[acm]time ns
Commit 810397f89a, and possibly others, broke the build for macOS and
other environments which don't have st_[acm]tim fields on 'struct stat'.

Multiple places in the codebase used the config.h values to determine
how to access the nanosecond or microsecond values of the stat
timestamps, so rather than add more, centralize them all into
lib/util/time.c.

Also allow pvfs_fileinfo.c to read nanosecond-granularity timestamps on
platforms where it didn't before, since its #if branches were not
complete.

Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Aug 15 08:51:09 UTC 2020 on sn-devel-184
2020-08-15 08:51:09 +00:00
Douglas Bagnall
f0860de5bb python compat: remove text_type
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2020-08-11 16:37:35 +00:00
Isaac Boukris
08909e66ef Revert "selftest: add tests for net-ads over TLS"
As we are removing the option.

This reverts commit 10f61cd39b.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14462

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-11 09:32:34 +00:00
Jeremy Allison
156f1dfc39 s4: tests: Add new async DNS unit test - samba4.blackbox.net_ads_dns_async(ad_member:local).
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-07 06:34:36 +00:00
Andrew Bartlett
889c461c00 kdc: Remind us that these values need to match other values
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-07 03:23:44 +00:00
Andrew Bartlett
b063bbf8fd heimdal_build: Add missing dependency on heimbase
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-07 03:23:44 +00:00
Gary Lockyer
fb0412360c heimdal_build: Do not allow warnings in the heimdal code!
(const excepted)

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Updated to 2020 requirements since changes in
13a2f70a4d

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-08-07 03:23:44 +00:00
Andrew Bartlett
c51c15144e Compile .l files (flex) with the waf rule at runtime
Other parts of Samba already compile these directly.

This makes these files compile with modern compiler warnings.

The primary difference (other than being built with a newer
flex) is the loss of the #include "config.h" but
this is not used in the other .l files elsewehre and does not
seem to matter on modern systems.

The generated output from compile_et asn1_compile has not changed
(so I think the hx509 case is safe).

The mdssvc case just has changed file locations and line numbers.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-07 03:23:44 +00:00
Gary Lockyer
8a148193da heimdal_build: provide a prototype with the dummy afs header-only function stubs
We do not do AFS in Samba

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-07 03:23:43 +00:00
Gary Lockyer
e8f5a25fa7 heimdal_build: Include keys.c in the hdb autoproto
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-07 03:23:43 +00:00
Gary Lockyer
cb721715b9 Make HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE available in krb5.h
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-07 03:23:43 +00:00
Andrew Bartlett
1663ada975 heimdal: Exclude more of plugin.c if HAVE_DLOPEN (which Samba unsets) is not set
This allows us to avoid warnings and errors due to unsued variables
and functions.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-07 03:23:43 +00:00
Gary Lockyer
1687813ec2 heimdal: Use #ifdef HAVE_DLOPEN around function used by HAVE_DLOPEN
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-07 03:23:43 +00:00
Gary Lockyer
4e8f3fdf82 heimdal: Use #ifdef HAVE_DLOPEN around functions used only by HAVE_DLOPEN
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-07 03:23:43 +00:00
David Mulder
627fb5471b gpo: Extract Access policy from Security extension
Rewrite the extension to be easier to understand,
and to remove references to gp_ext_setter.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
8971876128 gpo: Extract Kerberos policy from Security extension
Rewrite the extension to be easier to understand,
and to remove references to gp_ext_setter.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
f5202c7b55 gpo: Add --rsop option to samba-gpupdate
This command prints the Resultant Set of Policy
for applicable GPOs, for either the Computer or
User policy (depending on the target specified).
Policy specific output must be implemented for
each client side extension.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
88b6266168 gpo: Apply Group Policy Sudo Rights
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
Jeremy Allison
7ad92b3702 s3/s4: Cleanup. Move TALLOC_CTX * parameter to be first in resolve_lmhosts_file_as_sockaddr() to match modern conventions.
No logic changes.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2020-08-04 08:51:42 +00:00
Ralph Boehme
2327471756 lib: relicense smb_strtoul(l) under LGPLv3
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug  3 22:21:04 UTC 2020 on sn-devel-184
2020-08-03 22:21:02 +00:00
Stefan Metzmacher
4baa7cc8e4 kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos
Currently we only ignore KRB5_PROG_ETYPE_NOSUPP for
Primary:Kerberos-Newer-Keys, but not for Primary:Kerberos.

If a service account has msDS-SupportedEncryptionTypes: 31
and DES keys stored in Primary:Kerberos, we'll pass the
DES key to smb_krb5_keyblock_init_contents(), but may get
KRB5_PROG_ETYPE_NOSUPP.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 28 14:04:26 UTC 2020 on sn-devel-184
2020-07-28 14:04:26 +00:00
Isaac Boukris
0739983179 Add a test with old msDS-SupportedEncryptionTypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-07-28 12:40:26 +00:00
Douglas Bagnall
e15ee51ef5 s4/scripting/samba_dnsupdate: remove unreachable code
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2020-07-17 07:17:40 +00:00
Douglas Bagnall
8e1d72b713 s4/torture: fix compilation in smb2/multichannel
GCC 9.3.0 doesn't like a true array being compared to NULL.

[3628/3972] Compiling source4/torture/smb2/multichannel.c
../../source4/torture/smb2/multichannel.c:1077:7: error: comparison of array 'trees2' equal to a null pointer is always false [-Werror,-Wtautological-pointer-compare]
                if (trees2 == NULL || trees2[i] == NULL) {
                    ^~~~~~    ~~~~
../../source4/torture/smb2/multichannel.c:1284:7: error: comparison of array 'trees2' equal to a null pointer is always false [-Werror,-Wtautological-pointer-compare]
                if (trees2 == NULL || trees2[i] == NULL) {
                    ^~~~~~    ~~~~
../../source4/torture/smb2/multichannel.c:2337:7: error: comparison of array 'trees2' equal to a null pointer is always false [-Werror,-Wtautological-pointer-compare]
                if (trees2 == NULL || trees2[i] == NULL) {
                    ^~~~~~    ~~~~
3 errors generated.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jul 17 07:16:31 UTC 2020 on sn-devel-184
2020-07-17 07:16:31 +00:00
Douglas Bagnall
5e4e18d0c0 s4/torture/smb2/oplock: fix compilation by initialising variable
With gcc (Ubuntu 9.3.0-10ubuntu2) 9.3.0:

../../source4/torture/smb2/oplock.c:2709:2: error: variable 'h2' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized]
        torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "Incorrect status");
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../lib/torture/torture.h:734:3: note: expanded from macro 'torture_assert_ntstatus_ok_goto'
                torture_assert_ntstatus_equal_goto(torture_ctx,expr,NT_STATUS_OK,ret,label,cmt)
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../lib/torture/torture.h:302:6: note: expanded from macro 'torture_assert_ntstatus_equal_goto'
        if (!NT_STATUS_EQUAL(__got, __expected)) { \
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source4/torture/smb2/oplock.c:2730:25: note: uninitialized use occurs here
        smb2_util_close(tree1, h2);
                               ^~
../../source4/torture/smb2/oplock.c:2709:2: note: remove the 'if' if its condition is always false
        torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "Incorrect status");
        ^
../../lib/torture/torture.h:734:3: note: expanded from macro 'torture_assert_ntstatus_ok_goto'
                torture_assert_ntstatus_equal_goto(torture_ctx,expr,NT_STATUS_OK,ret,label,cmt)
                ^
../../lib/torture/torture.h:302:2: note: expanded from macro 'torture_assert_ntstatus_equal_goto'
        if (!NT_STATUS_EQUAL(__got, __expected)) { \
        ^
../../source4/torture/smb2/oplock.c:2652:2: note: variable 'h2' is declared here
        struct smb2_handle h, h1, h2;
        ^
1 error generated.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-07-17 05:55:49 +00:00
Christof Schmitt
268994f514 s4:client: Remove code inside #ifdef NEXT2
This is dead code, the define is never set.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2020-07-16 01:29:45 +00:00
Stefan Metzmacher
8fbb7ad275 s4:torture/smb2: make smb2.durable-v2-delay tests more robust
We should not crash when the test fails, so we use a 2nd independent
connection to unlink the file at the end.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2020-07-14 13:38:35 +00:00
Stefan Metzmacher
3fa9c3d5bb s4:torture/smb2: split replay_smb3_specification into durable handle and multichannel
It's better to have durable handles and multichannel tested separate:
1. we test both cases in the server
2. it makes it easier to deal with knownfail entries if only one
   of these features is active on the server.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2020-07-14 13:38:35 +00:00
Isaac Boukris
10f61cd39b selftest: add tests for net-ads over TLS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-13 10:41:37 +00:00
Stefan Metzmacher
5ad618bc67 s4:torture/smb2: add smb2.multichannel.oplocks.test3{_windows,specification}
This is similar to the smb2.multichannel.leases.test5,
but it tests the oplock case instead of leases.

With Oplocks Windows only sends a single break on the latest channel,
this is not what the spec says...

Maybe we should have a similar test that would expect the
behavior from the [MS-SMB2] (3/4/2020 rev 60.0)
"3.3.4.6 Object Store Indicates an Oplock Break":

  ...

  If the server implements the SMB 3.x dialect family, SMB2 Oplock Break
  Notification MUST be sent to the client using the first available
  connection in Open.Session.ChannelList where Channel.Connection is not
  NULL. If the server fails to send the notification to the client, the
  server MUST retry the send using an alternate connection, if available,
  in Open.Session.ChannelList.
  ...

Here I add one test that demonstrates the Windows behavior:
 smb2.multichannel.oplocks.test3_windows
and a 2nd test that demonstrates the behavior from MS-SMB2.
 smb2.multichannel.oplocks.test3_specification

Note that Windows 10 seems to behave differently and it's not
possible to open all 32 channel used by this test.

Against remote servers it's required to run iptables as root:

 #> smbtorture //server/torture -Uu%p \
    --option="torture:use_iptables=yes" \
    --option="torture:iptables_command=sudo /sbin/iptables" \
    smb2.multichannel.oplocks.test3_windows

 #> smbtorture //server/torture -Uu%p \
    --option="torture:use_iptables=yes" \
    --option="torture:iptables_command=sudo /sbin/iptables" \
    smb2.multichannel.oplocks.test3_specification

The test will also work against a Samba server
with 'smbd:FSCTL_SMBTORTURE = yes', and won't require iptables
in that case.

Samba will get a "smb2 disable oplock break retry" configuration
option to switch between both behaviors, as it's much more common with Samba
that leases are not supported and clients will fallback to
oplocks together with multichannel.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:39 +00:00
Stefan Metzmacher
5bb9da8cd7 s4:torture/smb2: (re-)add smb2.multichannel.leases.test4
This tests 32 channels, which is the maximum Windows Server
versions support. (Note that Windows 10 (a Client OS as SMB server,
seems to support only 20 channels and may differ in other aspects,
so we ignore that for now).

This works at least against Windows Server 2019
and we see lease break notification retries every ~ 1.3 seconds
with ~ 5 TCP retransmissions. At that rate we see the remaining
5 retries after the conflicting SMB2 Create already returned.

Older Windows Server versions use much longer timeouts in the TCP-stack,
they send lease break notification retries less often and only 4 in
total, all other channels get TCP-RST packets because of missing
TCP keepalive packets before they're used.
The intervals between lease break notification retries are
~19 seconds for 2012[_R2] and ~25 seconds for 2016.
It means that only ~2 lease break notifications arrive before
the open returns after ~35 seconds.

Note that Windows 10 seems to behave differently and it's not
possible to open all 32 channel used by this test.

Against remote servers it's required to run iptables as root:

 #> smbtorture //server/torture -Uu%p \
    --option="torture:use_iptables=yes" \
    --option="torture:iptables_command=sudo /sbin/iptables" \
    smb2.multichannel.leases.test4

The test will also work against a Samba server
with 'smbd:FSCTL_SMBTORTURE = yes', and won't require iptables
in that case.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:39 +00:00
Stefan Metzmacher
2da65bed80 s4:torture/smb2: remove useless 'smb2.multichannel.leases.test4'
Having a test that would only pass against Samba makes things way
to complex, they're already complex and we should try to behave
like windows as much as possible.

The next commit will add a better test that will work against Windows
Servers and the future Samba servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:39 +00:00
Stefan Metzmacher
f92f24ee26 s4:torture/smb2: fix smb2.multichannel.leases.test2 against windows
We still receive the break on the blocked channel,
it's only the response ACKs, which we are blocking (or simulate to
block).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:39 +00:00
Stefan Metzmacher
31e2b7f04b s4:torture/smb2: split smb2.oplock.batch22 into a and b
batch22a tests the timeout on a valid connection
and batch22b tests the timeout on a broken/blocked connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:39 +00:00
Stefan Metzmacher
3d7f81979c s4:torture/smb2: move smb2_transport blocking to the generic block.[ch]
We may want to use this in other places too, not only multichannel.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:39 +00:00
Stefan Metzmacher
68a351b762 s4:torture/smb2: make use of FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT
This is a way to test without being able to use iptables.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:39 +00:00
Stefan Metzmacher
8c7bb245ff s4:torture/smb2: refactor block.c to block the OUTPUT path
In order to create useful tests, we should block the outgoing
tcp packets only. That means we're able to see incoming
break notifications, but prevent outgoing TCP ACKs to be delivered
to the server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:39 +00:00
Stefan Metzmacher
a52e7114df s4:torture/smb2: add break_info.oplock_skip_ack
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:39 +00:00
Günther Deschner
2181f728ed s4:torture/smb2: move interface_info test to smb2.multichannel.generic
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-07-08 15:54:38 +00:00
Stefan Metzmacher
3559a1df9b s4:torture/smb2: make use of transport_options.only_negprot for multichannel connections
This avoid useless session setups and tree connects on the wire.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:38 +00:00
Günther Deschner
d2b8274438 s4:torture/smb2: simplify code to generate list of smb2 channels
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2020-07-08 15:54:38 +00:00
Stefan Metzmacher
5451882004 s4:torture/smb2: add const to options for test_multichannel_create_channel()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:38 +00:00
Stefan Metzmacher
ce7eaca735 s4:libcli/smb2: add const to struct smbcli_options *options for smb2_connect()
It will just be passed to smb2_connect_ext(), which already takes a
const pointer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:38 +00:00
Stefan Metzmacher
7d06874478 s4:libcli/smb2: allow smb2_connect*() to fake session and tcon
For multichannel connection we want a way to have just a connection
with a negprot finished.

For now we just fake a tcon and session in order to avoid changes in the
caller. We can clean that up later if needed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:38 +00:00
Stefan Metzmacher
fe6a6ec4d4 s4:param: use struct initializer in lpcfg_smbcli_session_options()
We should zero all fields not initialiazed explicitly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:38 +00:00
Stefan Metzmacher
9f3ab6a113 s4:param: use struct initializer in lpcfg_smbcli_options()
We should zero all fields not initialiazed explicitly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:38 +00:00
Noel Power
449259f6e1 selftest: run smbcacls test against a share with a DFS link
The commit creates a dfs link in existing 'fileserver' env
share msdfs_share. Additionally we create a new dfs target in
a new share (with associated directory)

Additionally add a known fail as smbcacls doesn't not yet navigate DFS links.
A subsequent commit will fix smcacls to handle DFS (and remove the
knownfail)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-07-07 21:40:33 +00:00
Noel Power
3dced6a436 selftest: Add basic smbcacls test(s)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-07-07 21:40:33 +00:00
Samuel Cabrero
61e93698e5 s4:rpc_server: Implement epmapper LookupHandleFree
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Tue Jul  7 13:43:14 UTC 2020 on sn-devel-184
2020-07-07 13:43:14 +00:00
Samuel Cabrero
072cdbd371 s4:torture: Do not skip epmapper lookup terminate test in samba4
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-07 12:17:30 +00:00
Sachin Prabhu
31d187be0f s4:selftest: test for smbtorture subunit names with and without --fullname
We check the output with both --fullname and with the default shortname
to ensure it works as expected.

We also do tests for each level and test relative names are used.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User((no branch)): Stefan Metzmacher <metze@samba.org>
Autobuild-Date((no branch)): Tue Jul  7 12:16:34 UTC 2020 on sn-devel-184
2020-07-07 12:16:34 +00:00
Sachin Prabhu
32f05b05ac s4:torture/local: Add new test to check smbtorture --fullname
Add new always pass test to test smbtorture --fullname.

Since we test the printing of the fullname of the test, the test is
placed at the bottom of several levels of test suites.

test : local.smbtorture.level1.level2.level3.always_pass

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-07 10:30:40 +00:00
Sachin Prabhu
8902eb82d9 s4:torture: Add command line parameter --fullname
This argument is used to print out the the full name which includes the
name of the test suite.

For example, the name in the output for the test smb2.read.dir is "dir".
By using the --fullname parameter, the name used will be
"smb2.read.dir".

The default continues to be to use the shortname.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-07 10:30:40 +00:00
Stefan Metzmacher
4e39e43730 s4:torture: avoid multiple recursions into the test lists
torture_run_suite_restricted() and torture_run_tcase_restricted()
already handle recursion. If we call them from smbtorture
we should avoid our own recursion.

Without this passing 'smb2.multichannel.*' results in running
tests more than once.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-07 10:30:40 +00:00
Stefan Metzmacher
9025192333 s4:torture: use prefix_name() for all names in run_matching()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-07 10:30:40 +00:00
Douglas Bagnall
8bd7669d8d dsdb/password_hash: don't double assign variables (CID 1363048, 1034720)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul  6 13:56:17 UTC 2020 on sn-devel-184
2020-07-06 13:56:17 +00:00
Douglas Bagnall
e78db8a7eb policy/gp: always close a file (CID 1445119)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-07-06 12:30:33 +00:00
Douglas Bagnall
213a8d551d s4/winbind/idmap: check the right variable (CID 1272950)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-07-06 12:30:33 +00:00