1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

126816 Commits

Author SHA1 Message Date
Volker Lendecke
4d44db0208 docs: Add vfs_expand_msdfs manpage
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12707

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Aug  5 18:09:11 UTC 2021 on sn-devel-184
2021-08-05 18:09:11 +00:00
Andreas Schneider
104fc35390 mit-samba: Only set the function opening bracket once
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug  5 10:33:18 UTC 2021 on sn-devel-184
2021-08-05 10:33:18 +00:00
Andreas Schneider
60159e0385 mit-samba: Use talloc_get_type_abort() instead of casting
This is safer to use and fixes compiler warnings.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-05 09:46:30 +00:00
Andreas Schneider
dd8138236b mit-samba: Send the logging to the kdc log facility
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-05 09:46:30 +00:00
Andreas Schneider
41d906301b mit-samba: Define debug class for kdb module
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-05 09:46:30 +00:00
Jeremy Allison
4f093ae6c9 s3: VFS: ceph. Fix enumerating directories. dirfsp->fh->fd != AT_FDCWD in this case.
Same as the fix for glusterfs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14766

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Aug  5 06:15:14 UTC 2021 on sn-devel-184
2021-08-05 06:15:14 +00:00
Andreas Schneider
000f389d09 gitlab: Use shorter names for Samba AD DC env with MIT KRB5
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14779

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug  3 20:35:49 UTC 2021 on sn-devel-184
2021-08-03 20:35:49 +00:00
Andreas Schneider
aab5cc95e2 s3:winbindd: Add a check for the path length of 'winbindd socket directory'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14779

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 19:44:31 +00:00
Andreas Schneider
e2962b4262 configure: Do not put arguments into double quotes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14777

This could create an issue that arguments don't get split by python and then the
following could happen:

    ./configure --libdir=/usr/lib64 --enable-clangdb

    LIBDIR='/usr/lib64 --enable-clangdb'

This ends then up in parameters.all.xml:

    <!ENTITY pathconfig.LIBDIR   '/usr/lib64 --enable-clangdb'>

The python parser then errors out:

    xml.etree.ElementTree.ParseError: not well-formed (invalid token)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug  3 18:36:37 UTC 2021 on sn-devel-184
2021-08-03 18:36:37 +00:00
Stefan Metzmacher
93bac5f122 winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()
Handle the case where a NT4 DC does not fill in the acct_flags in
the samlogon reply info3. Yes, in 2021, there are still admins
arround with real NT4 DCs.

NT4 DCs reject authentication with workstation accounts with
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified.

We no longer call dcerpc_samr_QueryUserInfo(level=16)
to get the acct_flags, as we only ever got
ACB_NORMAL back (maybe with ACB_PWNOEXP in addition),
which is easy to calculate on our own.
This was removed in commit (for 4.15.0rc1):

  commit 73528f26ee
  Author:     Ralph Boehme <slow@samba.org>
  AuthorDate: Mon Jan 11 14:59:46 2021 +0100
  Commit:     Jeremy Allison <jra@samba.org>
  CommitDate: Thu Jan 21 22:56:20 2021 +0000

      winbind: remove legacy flags fallback

      Some very old NT4 DCs might have not returned the account flags filled in. This
      shouldn't be a problem anymore. Additionally, on a typical domain member server,
      this request is (and can only be) send to the primary domain, so this will not
      work with accounts from trusted domains.

      Signed-off-by: Ralph Boehme <slow@samba.org>
      Reviewed-by: Jeremy Allison <jra@samba.org>

      Autobuild-User(master): Jeremy Allison <jra@samba.org>
      Autobuild-Date(master): Thu Jan 21 22:56:20 UTC 2021 on sn-devel-184

It means one more caller of the problematic cm_connect_sam()
function is removed! SAMR connections may not be allowed for
machine accounts with modern AD DCs.

For network logons NT4 DCs also skip the
account_name, so we have to fallback to the
one given by the client. We have code to cope
with that deeply hidden inside of netsamlogon_cache_store().

Up to Samba 4.7 netsamlogon_cache_store() operated on the
info3 structure that was passed to the caller of winbind_dual_SamLogon()
and pass propagated up to auth_winbind in smbd.

But for Samba 4.8 the following commit:

  commit f153c95176
  Author: Ralph Boehme <slow@samba.org>
  Date:   Mon Dec 11 16:25:35 2017 +0100

      winbindd: let winbind_dual_SamLogon return validation

      Signed-off-by: Ralph Boehme <slow@samba.org>
      Reviewed-by: Stefan Metzmacher <metze@samba.org>

actually changed the situation and only a temporary info3 structure
was passed into netsamlogon_cache_store(), which means
account_name was NULL and get propagated as "" into auth_winbind
in smbd, where getpwnam() is no longer possible and every
smb access gets NT_STATUS_LOGON_FAILURE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14772

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Aug  3 11:10:27 UTC 2021 on sn-devel-184
2021-08-03 11:10:27 +00:00
Andreas Schneider
23e5b7cc79 s4:torture: Add rpc netlogon fips test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug  3 10:18:26 UTC 2021 on sn-devel-184
2021-08-03 10:18:26 +00:00
Andreas Schneider
f1df0c4d0a s4:torture: Remove trailing whitespaces in rpc.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 09:28:39 +00:00
Andreas Schneider
fd5b315805 s4:selftest: Pass environ to plansmbtorture4testsuite()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 09:28:38 +00:00
Andreas Schneider
e8a2c2fe4e selftest: Fix setting environ for plansmbtorture4testsuite()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 09:28:38 +00:00
Andreas Schneider
d6c7a2a700 netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 09:28:38 +00:00
Andreas Schneider
17cc20ebe6 s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections
This is needed for smbtorture to join a domain in FIPS mode.

FYI: The correct way would be to join using LDAP as the s3 code is doing it. But
this requires a bigger rewrite.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 09:28:38 +00:00
Andreas Schneider
1326e7d65d s4:libnet: Remove trailing whitespaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 09:28:38 +00:00
Andreas Schneider
868a9577d6 s4:rpc_server: Allow to set user password in FIPS mode
Only in case we have an SMB encrypted connection ...

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 09:28:38 +00:00
Andreas Schneider
2daf3e7975 auth:gensec: Use lpcfg_weak_crypto()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-03 09:28:38 +00:00
Ralph Boehme
6d928eb1e8 smbd: only open full fd for directories if needed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14700
RN: File owner not available when file unreadable

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug  2 18:05:04 UTC 2021 on sn-devel-184
2021-08-02 18:05:04 +00:00
Ralph Boehme
e71e373a07 smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS
This was needed before we had pathref fsps, with pathref fsps we can do
operation requiring WRITE_OWNER_ACCESS, WRITE_DAC_ACCESS and READ_CONTROL_ACCESS
on the pathref fsp.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14700

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-02 17:14:34 +00:00
Volker Lendecke
7818513053 samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"
With the above combination, some flavor of lp_load() already
initializes global_event_ctx, for which the closeall_except() later on
will happily close the epoll fd for. If we want to close all file
descriptors at startup, this must be the very first thing overall.

Can't really write a proper test for this with knownfail that is
removed with the fix, because if we have clustering+include=registry,
the whole clusteredmember environment does not even start up.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jul 31 16:58:41 UTC 2021 on sn-devel-184
2021-07-31 16:58:41 +00:00
Jeremy Allison
2acad27686 s3: smbd: Don't leak meta-data about the containing directory of the share root.
This is a subtle one. In smbd_dirptr_get_entry() we now
open a pathref fsp on all entries - including "..".

If we're at the root of the share we don't want
a handle to the directory above it, so silently
close the smb_fname->fsp for ".." names to prevent
it from being used to return meta-data to the client
(more than we already have done historically by
calling pathname functions on "..").

The marshalling returned entries and async DOS
code copes with smb_fname->fsp == NULL perfectly
well.

Only in master, but will need fixing for 4.15.rc1
or 2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 28 15:07:54 UTC 2021 on sn-devel-184
2021-07-28 15:07:54 +00:00
Jeremy Allison
b004ebb1c6 s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14759

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-07-28 14:16:31 +00:00
Andreas Schneider
696972c832 selftest: Remove fips env variables from client env
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 28 07:12:55 UTC 2021 on sn-devel-184
2021-07-28 07:12:55 +00:00
Andreas Schneider
ebd00fbdd0 selftest: Pass env variables to fips tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-28 06:23:37 +00:00
Andreas Schneider
a324fc01b4 s4:selftests: Pass env variables to fips tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-28 06:23:37 +00:00
Andreas Schneider
eabf9803ec s3:selftests: Pass env variables to fips tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-28 06:23:37 +00:00
Andreas Schneider
48289b6964 selftest: Add support for setting ENV variables in plantestsuite()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-28 06:23:37 +00:00
Andreas Schneider
3db299e586 selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-28 06:23:37 +00:00
Andreas Schneider
18976a9568 selftest: Re-format long lines in selftesthelpers.py
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-28 06:23:37 +00:00
Pavel Filipenský
7fb741b3b1 krb5_wrap: remove unused code
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jul 27 10:09:03 UTC 2021 on sn-devel-184
2021-07-27 10:09:03 +00:00
Andreas Schneider
7b796b5bb7 lib:cmdline: Use lp_load_global() for servers
As for client we need to enable support for 'config backend = registry'.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 22 14:47:09 UTC 2021 on sn-devel-184
2021-07-22 14:47:09 +00:00
Günther Deschner
11c9eb0ccc s3-torture: Only install vfstest manpage when vfstest binary gets installed.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jul 21 13:41:26 UTC 2021 on sn-devel-184
2021-07-21 13:41:26 +00:00
Günther Deschner
bb7b957e2c s3-torture: give torture test binaries their own wscript_build
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-21 12:52:34 +00:00
Andreas Schneider
ee9dfff617 bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 21 12:18:30 UTC 2021 on sn-devel-184
2021-07-21 12:18:30 +00:00
Andreas Schneider
e51e9d0145 python:waf: Correctly check for python-dateutil
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-21 11:27:36 +00:00
Andreas Schneider
84b9f58616 s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 21 07:19:00 UTC 2021 on sn-devel-184
2021-07-21 07:19:00 +00:00
Andreas Schneider
42e3fda5be autobuild: Exclude fips envs from samba and samba-mitkrb5
The FIPS envs only work on Fedora. Ubuntu doesn't have FIPS support!

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-21 06:30:31 +00:00
Andreas Schneider
e0fa3e359f bootstrap: Install krb5-workstation on Fedora based distros
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-07-21 06:30:31 +00:00
Stefan Metzmacher
0ac7106104 s3:smbd: really support AES-256* in the server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 20 16:13:28 UTC 2021 on sn-devel-184
2021-07-20 16:13:28 +00:00
Stefan Metzmacher
407b458242 s4:torture/smb2: add tests to check all signing and encryption algorithms
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-20 15:25:37 +00:00
Stefan Metzmacher
5512416a8f gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15
The memory leak bug up to 3.6.14 was only related to ccm, but gcm was
fine.

This avoids talloc+memcpy on more systems, e.g. ubuntu 20.04,
and brings ~ 20% less cpu overhead, see:
https://hackmd.io/@asn/samba_crypto_benchmarks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14764

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-20 15:25:37 +00:00
David Mulder
f97f94e93b gpo: Improve debug when extension fails to apply
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-20 15:25:37 +00:00
David Mulder
4a5f6d88ff gpo: Warn when fetching the supported templates fails
When Certificate Auto Enrollment fails to fetch
the list of supported templates, display a
warning.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-20 15:25:37 +00:00
David Mulder
a92b05ec7b gpo: Ensure Network Device Enrollment Service if sscep fails
Prompt the user to check that Network Device
Enrollment Service is installed and configured
if sscep fails to download the certificate root
chain.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-20 15:25:37 +00:00
Stefan Metzmacher
bedeeb0b59 tdb: version 1.4.5
* fix standalone usage of tdb.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 20 11:48:38 UTC 2021 on sn-devel-184
2021-07-20 11:48:37 +00:00
Günther Deschner
aacd3ecb45 tdb: Fix invalid syntax in tdb.h
Defining _PUBLIC_ in the same way as in talloc.h resolves an issue with
a previous fix for Solaris Studio compiler 12.4 that prefixed all calls
in tdb.h with _PUBLIC_.  Thanks to Lukas Slebodnik
<lslebodn@redhat.com>.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14762

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-20 10:57:35 +00:00
Martin Schwenke
b724c1e6a6 utils: Avoid pylint warning
pylint warns:

  Use lazy % formatting in logging functions

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jul 20 05:29:18 UTC 2021 on sn-devel-184
2021-07-20 05:29:18 +00:00
Martin Schwenke
319e27343d utils: Reformat lines that are longer than 80 columns
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
2021-07-20 04:43:37 +00:00