IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jan 8 10:16:50 UTC 2025 on atb-devel-224
This will help us to lookup the tdo object using a <GUID=TDO-GUID>
search base.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
We need to use the longest dnsname match as possible.
If we are the domain samba.example.com and have a trust
to example.com, a routing request for dc.samba.example.com
should return the tdo for samba.example.com instead
of example.com.
I reproduced the problem with the following diff:
> diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
> index 15d7692b5d64..6e9595b784c4 100644
> --- a/selftest/target/Samba.pm
> +++ b/selftest/target/Samba.pm
> @@ -564,7 +564,7 @@ sub realm_to_ip_mappings
> 'samba2000.example.com' => 'dc5',
> 'samba2003.example.com' => 'dc6',
> 'samba2008r2.example.com' => 'dc7',
> - 'addom.samba.example.com' => 'addc',
> + 'addom.samba2008r2.example.com' => 'addc',
> 'addom2.samba.example.com' => 'addcsmb1',
> 'sub.samba.example.com' => 'localsubdc',
> 'chgdcpassword.samba.example.com' => 'chgdcpass',
> diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
> index 0e4cf50235c3..6bca0cfd0c89 100755
> --- a/selftest/target/Samba4.pm
> +++ b/selftest/target/Samba4.pm
> @@ -2631,7 +2631,7 @@ sub setup_fl2008r2dc
> return undef;
> }
>
> - $env = $self->setup_trust($env, $ad_dc_vars, "forest", "");
> + $env = $self->setup_trust($env, $ad_dc_vars, "forest", "--skip-validation");
> if (!defined $env) {
> return undef;
> }
> @@ -2843,7 +2843,7 @@ sub _setup_ad_dc
> $server = "addc";
> }
> if (!defined($dom)) {
> - $dom = "addom.samba.example.com";
> + $dom = "addom.samba2008r2.example.com";
> }
> my $env = $self->provision_ad_dc($path, $server, "ADDOMAIN",
> $dom,
and running:
make -j testenv SELFTEST_TESTENV="fl2008r2dc:local"
Inside the testenv:
bin/smbclient //addc.addom.samba2008r2.example.com/netlogon \
-U$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD \
--use-kerberos=required \
-c 'ls'
It lets the KDC of ADDOM.SAMBA2008R2.EXAMPLE.COM to
generate a (referral) ticket for
krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA2008R2.EXAMPLE.COM
instead of
cifs/addc.addom.samba2008r2.example.com@ADDOM.SAMBA2008R2.EXAMPLE.COM
As ADDOM.SAMBA2008R2.EXAMPLE.COM has a forest trust (without msDS-TrustForestTrustInfo)
to SAMBA2008R2.EXAMPLE.COM dsdb_trust_update_best_tln() overwrote the
best match of addom.samba2008r2.example.com with samba2008r2.example.com.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15778
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jan 8 04:14:47 UTC 2025 on atb-devel-224
This test proves that Windows will not enforce append behaviour when using
SEC_FILE_APPEND_DATA: writing with an offset and length into existing data is
not mapped to an append operation. According to
https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntcreatefile
Windows internal APIs seemt to support append-IO:
If only the FILE_APPEND_DATA and SYNCHRONIZE flags are set, the caller can
write only to the end of the file, and any offset information on writes to the
file is ignored. However, the file is automatically extended as necessary for
this type of write operation.
...but at least over SMB2 it doesn't work.
This also demonstrates that Windows behaves as documented in the footnote in
MS-SMB2 3.3.5.13 "Receiving an SMB2 WRITE Request":
If the range being written to is within the existing file size and
Open.GrantedAccess does not include FILE_WRITE_DATA, or if the range being
written to extends the file size and Open.GrantedAccess does not include
FILE_APPEND_DATA, the server SHOULD<358> fail the request with
STATUS_ACCESS_DENIED.
MS-SMB2 <358> Section 3.3.5.13:
Windows SMB2 servers allow the operation when either FILE_APPEND_DATA or
FILE_WRITE_DATA is set in Open.GrantedAccess.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15751
Signed-off-by: Ralph Boehme <slow@samba.org>
Lots of samba libraries has incomplete dependencies listed
in wscript files. This usually is not a problem since the
link line includes dependencies of their dependencies of
their dependencies, and somewhere down that line all immediate
dependencies which are missing are actually present. But
sometimes this becomes a problem when a library does not
declare direct dependency on at least one private library
which it actually uses: in case no private library is
listed as direct dependency, private library directory is
not put into RUNPATH of the resulting binary, so the binary
can not find its own dependencies.
Fix a few such places, including some libraries which are
a part of public abi (libsmbldap, libndr).
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
This will be used by Python also.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15756
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
This will make the next patch simpler.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15756
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Commit 6877e4849e81ed8f7f355fa4069f13a134e999ce reversed the
return values of hresult_errstr() and hresult_errstr_const().
hresult_errstr() should return "HRES_SEC_E_WRONG_PRINCIPAL",
while hresult_errstr_const() should return
"The target principal name is incorrect.".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15769
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
torture_winbind_struct_show_sequence() is failing if run as:
make -j8 test TESTS="samba4.rpc.lsa.trusted.*ad_dc samba4.winbind.struct.ad_dc"
The reason is that the test constructs two lists of domains and assumes
that the list contain same domains in the same order.
However:
- the list based on DO_STRUCT_REQ_REP(WINBINDD_SHOW_SEQUENCE, &req, &rep) contains 51 domains
- the list based on DO_STRUCT_REQ_REP(WINBINDD_LIST_TRUSTDOM, &req, &rep) contains 39 domains
and we got:
failure: show_sequence [ ../../source4/torture/winbind/struct_based.c:824: domlist[i].netbios_name was TORTURE201, expected TORTURE200: inconsistent order of domain lists
]
Both list are based on full domain list, however the smaller one filters
out domain without trust_type in winbindd_list_trusted_domains():
trust_type = get_trust_type_string(talloc_tos(), d, domain);
if (trust_type == NULL) {
continue;
}
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec 12 15:00:10 UTC 2024 on atb-devel-224
With netr_ServerAuthenticateKerberos() clients also use
krb5 for lsa_LookupSids3 and lsa_LookupNames4.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Works against Windows 2025 preview:
SMB_CONF_PATH=/dev/null \
SERVER=172.31.9.115 DC_SERVER=w2025p-115.w2025p-l8.base \
DOMAIN="W2025P-L8" REALM="W2025P-L8.BASE" \
ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
NETLOGON_STRONG_KEY_SUPPORT=1 NETLOGON_AUTH_KRB5_SUPPORT=1 \
STRICT_CHECKING=0 python/samba/tests/krb5/netlogon.py
The code still works against Windows 2022 with the
following options:
SMB_CONF_PATH=/dev/null \
SERVER=172.31.9.118 DC_SERVER=w2022-118.w2022-l7.base \
DOMAIN="W2022-L7" REALM="W2022-L7.BASE" \
ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
NETLOGON_STRONG_KEY_SUPPORT=1 NETLOGON_AUTH_KRB5_SUPPORT=0 \
STRICT_CHECKING=0 python/samba/tests/krb5/netlogon.py
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Currently this should not be needed, but it's better to
call dcesrv_assoc_group_common_destructor() in all assoc_group
destructors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15765
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec 12 07:22:29 UTC 2024 on atb-devel-224
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec 5 17:46:49 UTC 2024 on atb-devel-224
This might be the better option when we implement
netr_ServerAuthenticateKerberos().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This breaks compat with 4.21 and moves stuff out of
netlogon_creds_CredentialState_extra_info.
It also prepares support for netr_ServerAuthenticateKerberos()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
"If a file is removed from or added to the directory after the most recent call
to opendir() or rewinddir(), whether a subsequent call to readdir() returns
an entry for that file is unspecified."
https://pubs.opengroup.org/onlinepubs/009604599/functions/readdir.html
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 29 15:10:13 UTC 2024 on atb-devel-224
If a file is removed from or added to the directory after the most recent call
to opendir() or rewinddir(), whether a subsequent call to readdir() returns
an entry for that file is unspecified."
https://pubs.opengroup.org/onlinepubs/009604599/functions/readdir.html
As it is unspecified, the different filesystems on Linux implement this
differently:
ext4:
./a.out
opendir(foo)
creat(foo/bar)
readdir() loop
readdir entry: bar
readdir entry: ..
readdir entry: .
readdir() detected the newly created file `foo`
btrfs:
./a.out
opendir(foo)
creat(foo/bar)
readdir() loop
readdir entry: .
readdir entry: ..
readdir() did not detect the newly created file `foo`
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This structure is only used in torture/ldap/netlogon.c now for
historic reasons. Replacing it with something else would be the right
thing to do...
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This will supersede the direct cldap based netlogon tests
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This slightly changes behaviour: It uses separate client sockets per
ping instead of just one, but it allows to compare CLDAP with LDAP and
LDAPS (spoiler: LDAPS is *much* slower...)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
