1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

136581 Commits

Author SHA1 Message Date
Volker Lendecke
6877e4849e lib: Avoid 70k of r/w memory
This adds more .text than it strips .data, but .text is shared between
all processes, .data is copied.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-01-23 23:28:31 +00:00
Volker Lendecke
24ad425e28 lib: Simplify hresult.c
Functions don't need a ; at the end.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-01-23 23:28:31 +00:00
Andreas Schneider
13d98c8fa6 s3:passdb: Fix memory leak caused by recursion of get_global_sam_sid()
Direct leak of 68 byte(s) in 1 object(s) allocated from:
    #0 0x7f4f39cdc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0)
    #1 0x7f4f36fbe427 in malloc_ ../../source3/lib/util_malloc.c:38
    #2 0x7f4f394b5e19 in pdb_generate_sam_sid ../../source3/passdb/machine_sid.c:90
    #3 0x7f4f394b5e19 in get_global_sam_sid ../../source3/passdb/machine_sid.c:211
    #4 0x7f4f394af366 in secrets_store_domain_sid ../../source3/passdb/machine_account_secrets.c:143
    #5 0x7f4f394b5eb5 in pdb_generate_sam_sid ../../source3/passdb/machine_sid.c:110
    #6 0x7f4f394b5eb5 in get_global_sam_sid ../../source3/passdb/machine_sid.c:211
    #7 0x7f4f394af366 in secrets_store_domain_sid ../../source3/passdb/machine_account_secrets.c:143
    #8 0x557a1f11d62c in net_setlocalsid ../../source3/utils/net.c:416
    #9 0x557a1f1c9972 in net_run_function ../../source3/utils/net_util.c:464
    #10 0x557a1f121129 in main ../../source3/utils/net.c:1372
    #11 0x7f4f34c281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 23 14:30:58 UTC 2024 on atb-devel-224
2024-01-23 14:30:58 +00:00
Andreas Schneider
dc18e2a222 s3:libads: Fix memory leaks in ads_create_machine_acct()
Indirect leak of 291 byte(s) in 2 object(s) allocated from:
    #0 0x7fd77b6dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0)
    #1 0x7fd77b094bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7fd77b096034 in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7fd77b096034 in __talloc_strlendup ../../lib/talloc/talloc.c:2454
    #4 0x7fd77b096034 in talloc_strdup ../../lib/talloc/talloc.c:2470
    #5 0x7fd779996633 in add_string_to_array ../../lib/util/util_strlist.c:504
    #6 0x7fd77b10c754 in ads_create_machine_acct ../../source3/libads/ldap.c:2662
    #7 0x7fd77b46705f in libnet_join_precreate_machine_acct ../../source3/libnet/libnet_join.c:390
    #8 0x7fd77b46705f in libnet_DomainJoin ../../source3/libnet/libnet_join.c:2852
    #9 0x7fd77b46705f in libnet_Join ../../source3/libnet/libnet_join.c:3036
    #10 0x55fb9788d91a in net_ads_join ../../source3/utils/net_ads.c:1853
    #11 0x55fb9793ab86 in net_join ../../source3/utils/net_join.c:45
    #12 0x55fb9793084f in net_run_function ../../source3/utils/net_util.c:454
    #13 0x55fb97889859 in main ../../source3/utils/net.c:1372
    #14 0x7fd7768281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-23 13:23:33 +00:00
Andreas Schneider
18913d384e s3:passdb: Do not leak memory in pdb_tdb
==19938==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 77 byte(s) in 1 object(s) allocated from:
    #0 0x7f7d482841f8 in strdup (/lib64/libasan.so.8+0x841f8) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0)
    #1 0x7f7d47204846  (bin/shared/libsamba-util.so.0+0x4c846) (BuildId: 43b084eb9013442ac68eb1fc17649f142cbb0f94)
    #2 0x7f7d40b1d97a in pdb_init_tdbsam ../../source3/passdb/pdb_tdb.c:1361
    #3 0x7f7d4715f266  (bin/shared/libsamba-passdb.so.0+0x76266) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733)
    #4 0x7f7d4715f57a  (bin/shared/libsamba-passdb.so.0+0x7657a) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733)
    #5 0x7f7d47163700  (bin/shared/libsamba-passdb.so.0+0x7a700) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733)
    #6 0x55a9177d3853 in main ../../source3/smbd/server.c:1928
    #7 0x7f7d434281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-23 13:23:33 +00:00
David Mulder
f05b61b499 gp: Skip site GP list if no site is found
[MS-GPOL] 3.2.5.1.4 Site Search says if the site
search returns ERROR_NO_SITENAME, the GP site
search should be skipped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15548

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 23 11:20:35 UTC 2024 on atb-devel-224
2024-01-23 11:20:35 +00:00
Gabriel Nagy
8579340fc5 gpo: Do not get templates list on first run
This is a visual fix and has no impact on functionality apart from
cleaner log messages.

The point of this is to get the list of supported templates in order to
compute a diff between the current applied templates and the updated
list, so we are able to unapply and reapply the policy in case there are
differences.

However this code path is executed on first applies as well, at which
point the root CA is not yet set up. This causes the
`get_supported_templates` call to fail, which is not a hard failure but
still pollutes the logs. In this case it's safe to avoid executing the
command as the policy will be applied regardless.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan 22 16:48:57 UTC 2024 on atb-devel-224
2024-01-22 16:48:57 +00:00
Gabriel Nagy
3f3ddfa699 gpo: Decode base64 root cert before importing
The reasoning behind this is described in the previous commit message,
but essentially this should either be wrapped in certificate blocks and
imported as PEM, or converted back to binary and imported as DER.

I've opted for the latter since it's how it used to work before it
regressed in 157335ee93.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-01-22 15:41:36 +00:00
Gabriel Nagy
0d1ff69936 gpo: Test certificate policy without NDES
As of 8231eaf856, the NDES feature is no longer required on Windows, as
cert auto-enroll can use the certificate from the LDAP request.

However, 157335ee93 changed the implementation to convert the LDAP
certificate to base64 due to it failing to cleanly convert to a string.

Because of insufficient test coverage I missed handling the part where
NDES is disabled or not reachable and the LDAP certificate was imported.
The call to load_der_x509_certificate now fails with an error because it
expects binary data, yet it receives a base64 encoded string.

This adds a test to confirm the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-01-22 15:41:36 +00:00
Ralph Boehme
2713023250 smbd: use dirfsp and atname in open_directory()
On systems without /proc/fd support this avoid the expensive chdir()
logic in non_widelink_open(). open_file_ntcreate() already passes
dirfsp and atname to reopen_from_fsp(), it was just missed in the
conversion.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Reviewed-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jan 22 12:00:56 UTC 2024 on atb-devel-224
2024-01-22 12:00:56 +00:00
Ralph Boehme
1965fc77b3 smbd: use safe_symlink_target_path() in symlink_target_below_conn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-22 10:53:29 +00:00
Ralph Boehme
fc80c72d65 smbd: add a directory argument to safe_symlink_target_path()
Existing caller passes NULL, no change in behaviour. Prepares for
replacing symlink_target_below_conn() in open.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-22 10:53:29 +00:00
Ralph Boehme
0515dded4d smbd: pass symlink target path to safe_symlink_target_path()
Moves creating the symlink target path via symlink_target_path() to the
caller. This prepares for using this in non_widelink_open(), where it will
replace symlink_target_below_conn() with the same functionality.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-22 10:53:29 +00:00
Ralph Boehme
62cbe145c7 CI: disable /proc/fds and RESOLVE_NO_SYMLINK in samba-no-opath-build runner
This is a more sensible combination of missing Linux specific features:

- O_PATH
- openat2() with RESOLVE_NO_SYMLINKS
- somehow safely reopen an O_PATH file handle

Currently only O_PATH is disabled for these jobs, but that doesn't really match
and know OS.

The following list shows which features are available and used by Samba on a few
OSes:

        | O_PATH         | RESOLVE_NO_SYMLINKS | Safe reopen    | CI covered
--------|----------------|---------------------|----------------------------
        | Supported Used | Supported Used      | Supported Used |
============================================================================
Linux   | +         +    | +         +         | +         +    | +
FreeBSD | +         +    | + [1]     -         | + [2]     -    | -
AIX     | -         -    | -         -         | -         -    | +

So by also disabling RESOLVE_NO_SYMLINKS and Safe Reopen, we cover classic UNIX
systems like AIX.

[1] via open() flag O_RESOLVE_BENEATH
[2] via open() flag O_EMPTY_PATH

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-22 10:53:29 +00:00
Ralph Boehme
5c2f96442a vfs_default: allow disabling /proc/fds and RESOLVE_NO_SYMLINK at compile time
This will be used in CI to have a gitlab runner without all modern Linux
features we make use of as part of path processing:

- O_PATH
- openat2() with RESOLVE_NO_SYMLINKS
- somehow safely reopen an O_PATH file handle

That gives what a classix UNIX like AIX or Solaris offers feature wise.

Other OSes support other combinations of those features, but we leave the
exersize of possibly adding more runners supporting those combinations to the
reader.

The following list shows which features are available and used by Samba on a few
OSes:

        | O_PATH         | RESOLVE_NO_SYMLINKS | Safe reopen    | CI covered
--------|----------------|---------------------|----------------------------
        | Supported Used | Supported Used      | Supported Used |
============================================================================
Linux   | +         +    | +         +         | +         +    | +
FreeBSD | +         +    | + [1]     -         | + [2]     -    | -
AIX     | -         -    | -         -         | -         -    | +

[1] via open() flag O_RESOLVE_BENEATH
[2] via open() flag O_EMPTY_PATH

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-22 10:53:29 +00:00
Pavel Filipenský
fdf3656d30 autobuild: Run ad_member_idmap_nss tests as part of samba-admem
Those are currently running as part of the normal 'samba' target. It
makes more sense to run them togehter with the other ad_member tests.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Jan 22 08:17:32 UTC 2024 on atb-devel-224
2024-01-22 08:17:32 +00:00
Anoop C S
45962d416f source3/lib: Properly log the change in capability
We used to log the following message for both adding and dropping
capability:

DBG_INFO("added capability %d\n", capability);

For better clarity indicate the change as "added" or "dropped"
based on available functional arguments.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sat Jan 20 18:43:10 UTC 2024 on atb-devel-224
2024-01-20 18:43:10 +00:00
Ralph Boehme
201edcb5c6 winbindd: fix listing trusted domains with NT trusts
Commit e07f8901ec broke handling of NT4 domains
which lack a DNS domain names. As the dns_name is NULL, talloc_steal(dns_name)
returns NULL, which causes _wbint_ListTrustedDomains to return
NT_STATUS_NO_MEMORY.

To make things worse, at that point the new struct netr_DomainTrust is not yet
initialized correctly and the "out->count = n + 1" already increased the array
counter at the start of the loop without initializing it.

Later when NDR-pushing the result in dcesrv_call_dispatch_local(), the ndr_push() can
crash when accesssing the ununitialized values:

2023-12-08T14:07:42.759691+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
2023-12-08T14:07:42.759702+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: INTERNAL ERROR: Signal 11: Segmentation fault in winbindd (wb[ADDOMAIN]) (domain child [ADDOMAIN]) pid 157227 (4.20.0pre1-DEVELOPERBUILD)
2023-12-08T14:07:42.759712+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
2023-12-08T14:07:42.759723+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
2023-12-08T14:07:42.759730+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: PANIC (pid 157227): Signal 11: Segmentation fault in 4.20.0pre1-DEVELOPERBUILD
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: BACKTRACE: 36 stack frames:
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x1f) [0x7f1396acd441]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x20f) [0x7f1396acd3d5]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x18) [0x7f1396acd3f0]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #3 bin/shared/private/libgenrand-samba4.so(+0x2eb5) [0x7f1396acceb5]
92023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #4 bin/shared/private/libgenrand-samba4.so(+0x2eca) [0x7f1396acceca]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #5 /lib64/libc.so.6(+0x3dbb0) [0x7f139687abb0]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #6 bin/shared/private/libsamba-security-samba4.so(ndr_push_dom_sid2+0x2a) [0x7f13977e5437]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #7 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrust+0x4ad) [0x7f1396deb64c]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #8 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrustList+0x204) [0x7f1396dec7a9]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #9 bin/shared/private/libndr-samba4.so(+0x239bf9) [0x7f1397639bf9]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #10 winbindd: domain child [ADDOMAIN](winbind__op_ndr_push+0x5a) [0x55741e6857a8]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #11 bin/shared/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x49b) [0x7f1397be6219]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #12 winbindd: domain child [ADDOMAIN](winbindd_dual_ndrcmd+0x375) [0x55741e67a204]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #13 winbindd: domain child [ADDOMAIN](+0x9cf0d) [0x55741e674f0d]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #14 winbindd: domain child [ADDOMAIN](+0x9f792) [0x55741e677792]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #15 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_fd_handler+0x121) [0x7f139802f816]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #16 bin/shared/private/libtevent-samba4.so(+0x19cef) [0x7f139803bcef]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #17 bin/shared/private/libtevent-samba4.so(+0x1a3dc) [0x7f139803c3dc]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #18 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #19 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #20 winbindd: domain child [ADDOMAIN](+0xa03ca) [0x55741e6783ca]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #21 winbindd: domain child [ADDOMAIN](+0x9ba9c) [0x55741e673a9c]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #22 bin/shared/private/libtevent-samba4.so(_tevent_req_notify_callback+0xba) [0x7f139803194a]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #23 bin/shared/private/libtevent-samba4.so(+0xfadb) [0x7f1398031adb]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #24 bin/shared/private/libtevent-samba4.so(_tevent_req_done+0x25) [0x7f1398031b07]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #25 bin/shared/private/libtevent-samba4.so(+0xf125) [0x7f1398031125]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #26 bin/shared/private/libtevent-samba4.so(+0xe9cf) [0x7f13980309cf]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #27 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_immediate_handler+0x207) [0x7f1398030343]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #28 bin/shared/private/libtevent-samba4.so(tevent_common_loop_immediate+0x37) [0x7f13980304b5]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #29 bin/shared/private/libtevent-samba4.so(+0x1a332) [0x7f139803c332]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #30 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #31 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #32 winbindd: domain child [ADDOMAIN](main+0x1689) [0x55741e6b210a]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #33 /lib64/libc.so.6(+0x27b8a) [0x7f1396864b8a]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #34 /lib64/libc.so.6(__libc_start_main+0x8b) [0x7f1396864c4b]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #35 winbindd: domain child [ADDOMAIN](_start+0x25) [0x55741e63a045]
2023-12-08T14:07:42.760685+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: smb_panic(): calling panic action [cd /data/git/samba/scratch3 && /data/git/samba/scratch3/selftest/gdb_backtrace 157227 ./bin/winbindd]

Deferring assignment of r->out.domains->array and r->out.domains->count to the
end of the function ensures we don't return inconsistent state in case of an
error.

Also, r->out.domains is already set by the NDR layer, no need to create and
assign a struct netr_DomainTrustList object.

Using talloc_move() ensures we don't leave dangling pointers. Better to crash
reliably on accessing NULL, then accessing some unknown memory via a wild
pointer. As talloc_move() can't fail, there's no need to check the return value.

And using a struct initializer ensures all members are properly initialized.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 20 14:23:51 UTC 2024 on atb-devel-224
2024-01-20 14:23:51 +00:00
Ralph Boehme
000bbede59 selftest: test listing trusted domains that includes an NT4 domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
53ca19851d s4/rpc_server: return NULL dns_name for NT4 trusts
That's what Windows returns for an NT4 trust:

  array: struct netr_DomainTrust
      netbios_name             : *
          netbios_name             : 'NT4TRUST'
      dns_name                 : NULL
      trust_flags              : 0x00000020 (32)
             0: NETR_TRUST_FLAG_IN_FOREST
             0: NETR_TRUST_FLAG_OUTBOUND
             0: NETR_TRUST_FLAG_TREEROOT
             0: NETR_TRUST_FLAG_PRIMARY
             0: NETR_TRUST_FLAG_NATIVE
             1: NETR_TRUST_FLAG_INBOUND
             0: NETR_TRUST_FLAG_MIT_KRB5
             0: NETR_TRUST_FLAG_AES
      parent_index             : 0x00000000 (0)
      trust_type               : LSA_TRUST_TYPE_DOWNLEVEL (1)
      trust_attributes         : 0x00000000 (0)
             0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
             0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
             0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
             0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
             0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
             0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
             0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
             0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
             0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
             0: LSA_TRUST_ATTRIBUTE_PIM_TRUST
             0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
      sid                      : *
          sid                      : S-1-5-21-4267984555-3675415144-1682400025
      guid                     : 00000000-0000-0000-0000-000000000000

Even though when creating the trust the DNS name must not be NULL and the
trustPartner and name attributes are set to the flatName in the trustedDomain
object:

  dn: CN=NT4TRUST,CN=System,DC=wdom2,DC=site
  objectClass: top
  objectClass: leaf
  objectClass: trustedDomain
  cn: NT4TRUST
  distinguishedName: CN=NT4TRUST,CN=System,DC=wdom2,DC=site
  instanceType: 4
  whenCreated: 20240118175040.0Z
  whenChanged: 20240118175040.0Z
  uSNCreated: 4939915
  uSNChanged: 4939916
  showInAdvancedViewOnly: TRUE
  name: NT4TRUST
  objectGUID: c2273b74-19ff-4f5a-b528-9e5ae21960dd
  securityIdentifier: S-1-5-21-4267984555-3675415144-1682400025
  trustDirection: 1
  trustPartner: NT4TRUST
  trustPosixOffset: 0
  trustType: 1
  trustAttributes: 0
  flatName: NT4TRUST
  objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=wdom2,DC=site
  isCriticalSystemObject: TRUE
  dSCorePropagationData: 16010101000000.0Z

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
3a95e13547 selftest: add a test for NT4 trusts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
645a725603 selftest: create trust between fl2008r2dc and nt4_dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
9725aa932e selftest: rename a variable in setup_fl2008r2dc()
Prepares for adding another variable with a similar name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
5420af6942 selftest: do early exit in setup_fl2008r2dc() if provision_fl2008r2dc() fails
No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
d0cdc81aa9 selftest: fix domain name of nt4_dc_smb1 environment
It had the same workgroup as the nt4_dc environment:

$ grep workgroup st/nt4_dc/lib/server.conf st/nt4_dc_smb1/lib/server.conf
st/nt4_dc/lib/server.conf:      workgroup = SAMBA-TEST
st/nt4_dc_smb1/lib/server.conf: workgroup = SAMBA-TEST

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
9d933abd9e winbindd: call add_trusted_domains_dc() in smbcontrol reload-config handler
This allows reloading trust info on an NT4 DC without restarting winbindd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
60ac5b03ef winbindd: make add_trusted_domains_dc() public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
95bb2acbf0 winbindd: also apply schannel logic as an NT4 DC
This applies the same logic we already added in
06601b3a92 for AD DCs wrt to IPC authentication
when running as an NT4 DC in cm_prepare_connection(). Similarily adjust the
check in cm_connect_lsa() added in 3e17a3b7cd and
in cm_connect_netlogon_transport() added by
532a14dc68 for cm_connect_netlogon_transport().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
9b2920fd36 net: create creds for other domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
449a968d3d net: support NT4 trusts in "net rpc trust create"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
15c0772376 net: fix credentials in trustdom establish
This was broken by ea071d278a. I guess the whole
opt_user_specified dance should be ripped out, but that's a fix for another day.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Ralph Boehme
340753a255 net: remove a newline
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-01-20 13:20:37 +00:00
Jones Syue
c82a267b2a s3:passdb: smbpasswd reset permissions only if not 0600
Browsing files or download files from samba server, smbd would check user's
id to decide whether this user could access these files, by lookup user's
information from the password file (e.g. /usr/local/samba/private/smbpasswd).
smbd might goes through startsmbfilepwent(), this api calls [f]chmod() to
make sure the password file has valid permissions 0600.

Consider a scenario: we are doing a read performance benchmark about
downloading a bunch of files (e.g. a thousand files) from a samba server,
monitoring file system i/o activities counters, and expecting that should
be only read operations on file system because this is just downloading, no
uploading is involved. But actually found that still write operations on file
system, because smbd lookup user and always reset 0600 permissions on password
file while access each file, it makes dirty pages (inode modification) in ram,
later triggered a kernel journal daemon to sync dirty pages into back storage
(e.g. ext3 kjournald, or ext4 jbd2).
This looks like not friendly for read performance benchmark if it happened on
an entry-level systems with much less memory and limited computation power,
because dirty pages syncing in the meantime slows down read performance.

This patch adds fstat() before [f]chmod(), it would check whether password
file has valid permissions 0600 or not. If 0600 smbd would bypass [f]chmod()
to avoid making dirty pages on file systems. If not 0600 smbd would warn and
go through [f]chmod() to set valid permissions 0600 to password file as
earlier days.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15555

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan 18 10:28:19 UTC 2024 on atb-devel-224
2024-01-18 10:28:19 +00:00
Volker Lendecke
0caaa2d172 vfs: Remove shadow_copy2_get_real_filename_at()
The synthetic_pathref() call in shadow_copy2_get_real_filename_at()
fails if shadow:snapdir is set outside of the share root, it creates
an absolute path and non_widelink_open() blocks that.

We don't need shadow_copy2_get_real_filename_at() anymore because the
dirfsp already points at the correct directory in the snapshot
directory. So get_real_filename_full_scan_at() just works fine.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15556

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 16 19:44:53 UTC 2024 on atb-devel-224
2024-01-16 19:44:53 +00:00
Volker Lendecke
6afcb7f0db testing: case insensitive lookups fail in shadow_copy2 snapshots
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15556

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-01-16 18:40:32 +00:00
Björn Jacke
c09d1a3ac1 tests: add a test for "fake directory create times"
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jan 16 15:44:10 UTC 2024 on atb-devel-224
2024-01-16 15:44:10 +00:00
Bjoern Jacke
56c3dbc2ff system.c: fix fake directory create times
This was broken by c9c3d4312d back in 2009 already.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12421

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-16 14:37:31 +00:00
Björn Jacke
85f7d9d5b9 tests: add test for vfs_worm
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-16 14:37:31 +00:00
Björn Jacke
abe1e959bf vfs_worm: add FILE_WRITE_EA to write access mask
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-16 14:37:31 +00:00
Björn Jacke
24227f7ecc vfs_worm: add my copyright
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-16 14:37:31 +00:00
Björn Jacke
30fea0e959 vfs_worm: add some more vfs functions that worm needs to take care of
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10430

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-16 14:37:31 +00:00
Björn Jacke
0022acac9a vfs_worm: move write_access_flags to global
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-16 14:37:31 +00:00
Björn Jacke
58847271e1 vfs_worm: factor out readonly check
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-16 14:37:31 +00:00
Björn Jacke
d27180bd0d vfs_recycle: add connect function to cache parameters
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-16 14:37:31 +00:00
Björn Jacke
f02b0b984b tests: add a test for vfs_recycle
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-16 14:37:31 +00:00
Björn Jacke
2df2e34c3c time.c: fix ctime which was feeded with the mtime seconds
This bug was introduced with 53a1d034f3 in 2020.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15550

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-16 14:37:31 +00:00
Björn Jacke
1a89b5237b test_smbget.sh: reduce sleep time
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-01-16 14:37:31 +00:00
Joseph Sutton
f30a79d7f2 python: Generate HRESULT definitions automatically
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Mon Jan 15 01:56:53 UTC 2024 on atb-devel-224
2024-01-15 01:56:53 +00:00
Joseph Sutton
5199d788f4 s4:scripting: Remove obsolete references to function prototypes
These prototypes were removed in commit
0ffe030c0d.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-01-15 00:48:40 +00:00
Joseph Sutton
16e55406e9 s4:scripting: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-01-15 00:48:40 +00:00