IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
"make lcov" was failing with:
Processing file bin/default/<stdout>
genhtml: ERROR: cannot read ... <stdout>
Flex adds "#line nnn <stdout>" to the generated source, which then causes
issues with lcov. This commit adds a SAMBA_GENERATOR for es_lexer.l and
sparql_lexer.l that strips out the offending lines.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Note that we're now sanitizing the username we got from the client, as we do
everywhere else.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which
didn't change since DCE RPC channel refactoring.
With the current code we return RPC faul as can be seen in the logs:
2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
in: struct netr_DsRGetForestTrustInformation
server_name : *
server_name : '\\some-dc.example.com'
trusted_domain_name : NULL
flags : 0x00000000 (0)
[2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)
api_rpcTNP: fault(5) return.
This is due to this check in processing a request:
if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
&& (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
return WERR_ACCESS_DENIED;
}
and since we get AuthZ response,
Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]
Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]
[2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",
"type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},
"localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",
"serviceDescription": "netlogon", "authType": "ncacn_np",
"domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",
"sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",
"transportProtection": "SMB", "accountFlags": "0x00000010"}}
this means we are actually getting anonymous DCE/RPC access to netlogon
on top of authenticated SMB connection. In such case we have exactly
auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to
DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.
Update the code to follow the same security level check as in s4 variant
of the call.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Jan 13 15:05:28 UTC 2020 on sn-devel-184
This is a non-negative count. Fix remaing code to not mix int and size_t.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The members of struct utmp are marked as nonstring. This means they
might not be nil-terminated.
Found by covscan.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We don't need any substitution for elasticsearch options.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We currently have the following substitution functions:
talloc_sub_basic()
talloc_sub_advanced()
talloc_sub_basic() currently substitutes a subset of talloc_sub_advanced().
We'll need a function X that only substitutes what talloc_sub_advanced()
substitutes *without* what talloc_sub_basic() does.
To get there rename talloc_sub_advanced() to talloc_sub_full(). A subsequent
commit will then bring back talloc_sub_advanced() as described above.
Examples with fictional replacement letters A and B. Currently:
talloc_sub_basic: A
talloc_sub_advanced: AB
New:
talloc_sub_basic: A
talloc_sub_advanced: B
talloc_sub_full: AB
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13745
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
No change in behaviour, this just changes all functions to take the
policy_handle argument as pointer instead of passing it by value.
This is how all other IDLs pass it.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Oct 9 15:52:55 UTC 2019 on sn-devel-184
Changes:
* Don't initialize the RPC service by calling setup_rpc_module() in the parent
mdssd. This is not needed in the parent, only in the worker childs.
* In the worker childs call setup_rpc_module() instead of init_rpc_module()
which ensures rpc_mdssvc_init() is called with the mdssvc callback which is
needed to initialize mdssvc via mdssvc_init_cb() -> init_service_mdssvc()
* Finally rpc_setup_mdssvc() is adjusted to be a noop if mdssvc is configured to
as external and when called by the main parent smbd via dcesrv_ep_setup() ->
setup_rpc_modules()
I've manually tested all 4 combinations of external=yes|no X module=yes|no with
the new mdfind command.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
No change in behaviour. Simplifies a subsequent logical change.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Now that mdssvc is built by default and also tested in CI, enable it by default,
running as embedded service.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
The mds_ctx object was created in _mdssvc_open() as a talloc child of the pipe
which means as long as the pipe is connected it's not freed.
To ensure we do proper rundown of all resources including backend connections
and pending queries, we must free the mds_ctx object.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Looks like this was never used, it's also available via mds_ctx->snum.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
We should make the behavior change (that gives up some protection)
more obvious, by changing the function names.
At least some OEMs have patches relying on the 4.9/4.10 behaviour
and we want them to detect that they have to do more work when they
need to change directories.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Aug 14 11:48:42 UTC 2019 on sn-devel-184
clang complains about "%lu" not to match size_t on 32-bit FreeBSD
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Aug 9 07:34:05 UTC 2019 on sn-devel-184
Turns out macOS mdssvc doesn't fail the RPC request if the policy handle is all
zero. Also, if it fails with a non-all-zero handle, it returns a different RPC
error, namely DCERPC_NCA_S_PROTO_ERROR, not DCERPC_FAULT_CONTEXT_MISMATCH (or
rather their mapped NT_STATUS codes).
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Move the implementation of this setting down to the actual search query
processing. macOS has no notion of "spotlight = false" at the DCERPC layer and
the open request will always succeed even on all shares.
When later the client issues search requests on such shares, we ensure we use
the noindex backend.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Taken from macOS. We have to return an empty share_path and an empty policy
handle, but not fail the RPC request.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
macOS returns the empty path for an unknown share. This paves the way for that
change. Currently we still fail the RPC request if the share is not known with
DCERPC_FAULT_CANT_PERFORM, but this is wrong and is going to be changed in the
next commit.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
It seems for certain error cases macOS just sends an empty response
blob. So if our mdssvc request processing fails, we should just return an empty
response blob, but not fail the mdssvc request at the DCERPC layer.
Example, passing "xxx" as sharename which does not exist at the server:
$ bin/rpcclient -U slow%pass macmini -c "fetch_attributes xxx /foo/bar 123" -d 10
....
Got pdu len 56, data_len 32
rpc_api_pipe: got frag len of 56 at offset 0: NT_STATUS_OK
rpc_api_pipe: host macmini returned 32 bytes.
mdssvc_cmd: struct mdssvc_cmd
out: struct mdssvc_cmd
fragment : *
fragment : 0x00000000 (0)
response_blob : *
response_blob: struct mdssvc_blob
length : 0x00000000 (0)
size : 0x00010000 (65536)
spotlight_blob : *
spotlight_blob: ARRAY(0)
unkn9 : *
unkn9 : 0x00000000 (0)
...
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
len=0 is invalid, len=8 is an empty array, len>8 is an array with members, so
for the len=8 case we must add the empty cnid array.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Pass the correct tag member tag.size to sl_unpack_CNID(), not
tag.length. tag.size is the size actually used in a buffer of size tag.length.
Cf other users of tag.size that already do this correctly, this was only wrong
in this place.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This is how a correct dump of an empty sl_filemeta_t container should look like:
DALLOC_CTX(#1): {
sl_array_t(#3): {
uint64_t: 0x0023
CNIDs: unkn1: 0x0, unkn2: 0x0
DALLOC_CTX(#0): {
}
sl_filemeta_t(#0): {
}
}
}
This is basically the response from macOS mdssvc for a query that yields no
results: sl_filemeta_t is empty, the CNIDs array as well.
Looking at the raw packet data, the empty sl_filemeta_t container as a size of 8
bytes which fails the following check in sl_unpack_cpx():
case SQ_CPX_TYPE_FILEMETA:
...
if (tag.size < 16) {
*boom*
}
Only tag.size=0 is invalid, tag.size=8 denotes an empty container and tag.size>=16
denotes a sl_filemeta_t container with actual content must be unpacked by
calling sl_unpack(). Note that size is always a muliple of 8.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Avoids failure when at O3 level:
[2082/4232] Compiling source3/rpc_server/mdssvc/marshalling.c
==> /builds/samba-team/devel/samba/samba-o3.stderr <==
In file included from /usr/include/string.h:494,
from /usr/include/bsd/string.h:30,
from ../../lib/tevent/../replace/replace.h:164,
from ../../source3/include/includes.h:23,
from ../../source3/rpc_server/mdssvc/marshalling.c:21:
In function ‘strncpy’,
inlined from ‘sl_pack_string’ at ../../source3/rpc_server/mdssvc/marshalling.c:493:2,
inlined from ‘sl_pack_loop’ at ../../source3/rpc_server/mdssvc/marshalling.c:607:13:
/usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ output
truncated before terminating nul copying as many bytes from a string as its
length [-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source3/rpc_server/mdssvc/marshalling.c: In function ‘sl_pack_loop’:
../../source3/rpc_server/mdssvc/marshalling.c:458:8: note: length computed here
458 | len = strlen(s);
| ^~~~~~~~~
cc1: all warnings being treated as errors
Marshalled strings are not 0 terminated.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Spotted this in mdssvc response that containied many results for a search
request: if the mdssvc response blob is larger then ~32k, the server fragments
the response in 32k fragments and sets the "fragment" field to 1.
Note that mdssvc implemenets result set "fragmentation" at the result set layer,
not at the marshalled response buffer layer. Therefor mdssvc always sets this
field to 0.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Add a new default backend that, while allowing mdsvc RPC and search queries from
clients, always returns no results.
Shares using this backend will behave the same way as shares on a macOS SMB
server where indexing is disabled.
This change will later also allow us to compile the Spotlight RPC service by
default which is a big step in the direction of adding tests to CI.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We need this in a later patchset when adding a mdssvc client library and for
unit tests.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Move mds_dalloc_dump() to dalloc and rename it to dalloc_dump().
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Currently there's only the tracker backend, but subsequent commits will add
other backends.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Not used for now, will be needed in the upcoming Elasticsearch backend.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This moves all Tracker backend logic into a modularized component.
This should not result in any change in behaviour, it just paves the way
for adding additional backends. Currently the only available backend is
Gnome Tracker.
slq_destroy_send/recv is not needed anymore as the problem is solved now by
correctly checking if an async Tracker request was cancelled and we got
G_IO_ERROR_CANCELLED in tracker_con_cb() or tracker_query_cb() and avoid using
user_data in that the case.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 26 03:05:01 UTC 2019 on sn-devel-184
The _netr_NetrEnumerateTrustedDomains()->dcerpc_lsa_open_policy2() error
path checks the policy handle and closes it if non-empty. The policy
handle may be uninitialized in this code-path - fix this.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 22 18:04:53 UTC 2019 on sn-devel-184
The exit server routines already call rpc shutdown functions
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
