1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

48856 Commits

Author SHA1 Message Date
Stefan Metzmacher
a579151ee7 s3:libsmb: split out a cli_session_creds_prepare_krb5() function
This can be used temporarily to do the required kinit if we use kerberos
and the password has been specified.

In future this should be done in the gensec layer on demand, but there's
more work attached to doing it in the gensec_gse module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-19 09:48:24 +01:00
Stefan Metzmacher
b17543a584 s3:torture/masktest: masktest only works with SMB1 currently
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-19 09:48:24 +01:00
Stefan Metzmacher
6a5943cfd0 s3:torture/masktest: Use cli_tree_connect_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-19 09:48:24 +01:00
Stefan Metzmacher
65be3af952 s3:torture: Use cli_tree_connect_creds() where we may use share level auth
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-19 09:48:24 +01:00
Stefan Metzmacher
af9783300c s3:lib/netapi: Use lp_client_ipc_max_protocol() in libnetapi_open_ipc_connection()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-19 09:48:24 +01:00
Ralph Boehme
e717ca65cf vfs_gpfs: simplify stat_with_capability() ifdef
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Dec 17 12:58:07 CET 2016 on sn-devel-144
2016-12-17 12:58:07 +01:00
Ralph Boehme
2e8cdda787 vfs_gpfs: remove updating btime from stat VFS calls
This is now handled by the vfs_gpfs_(f)get_dos_attributes. Getting rid
of this in the stat VFS functions is a huge performance saver. perf
report found that in a kernel copy workload smbd was spending
considerable CPU time in vfs_gpfs_(f|l)stat -> gpfs_get_winattrs.

Most of the time the VFS stat caller is not interested in the btime. The
SMB frontend processing around btime is designed to fetch btime together
with DOS attributes via dos_mode() in all places that need these
attributes. That's the way it is implemented in the default VFS module
and that's what vfs_gpfs now does as well for performance reasons.

This makes vfs_gpfs_fstat a null op and I'm therefor removing it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2016-12-17 09:11:13 +01:00
Ralph Boehme
adf4cea1db vfs_gpfs: update btime in vfs_gpfs_(f)get_dos_attributes
This paves the way for removing btime updates from the stat VFS
functions.

This way we behave like the default VFS module where DOS attributes and
btime are fetched from the same backing store and the frontend is
designed around using dos_mode() -> SMB_VFS_GET_ATTRIBUTES to update
both attributes as necessary in the SMB processing.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2016-12-17 09:11:13 +01:00
Volker Lendecke
122706550c idmap_autorid: Simplify idmap_autorid_loadconfig
autorid_global_config is a fixed small structure that can be stack-allocated.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Dec 16 21:30:28 CET 2016 on sn-devel-144
2016-12-16 21:30:28 +01:00
Volker Lendecke
4cef6d29ff idmap_autorid: Fix a small memleak
Not long-term, all callers free our "mem_ctx" immediately

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
9c6c2ad26d idmap_autorid: Fix a race condition when acquiring ranges
Here we are in a transaction to create a range, but we already found
one to exist. We need to return the information about this range to the
caller, just as we do when actually allocating the range. This does not
hit us with current code, as we just have one idmap child. However, if
we parallelize that, two children might have found a domain to not exist
and call idmap_autorid_acquire_range simultaneously. One will create
the range, the other one will find it to already exist. The second child
will also have to pass the info up.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
a04cec5c62 idmap_autorid: Use acquire_range directly
idmap_autorid_get_domainrange is reading again for an existing mapping. We
know we need to allocate here, so avoid passing down that r/o boolean :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
ba02936032 idmap_autorid: Make idmap_autorid_acquire_range public
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
ba231d250a idmap_autorid: Fix checks for valid domains to allocate ranges for
The tdc cache is not reliable. The main dynamic check is
netsamlogon_cache_have: The only reliable way to see a domain as valid
for allocating a range for is a successful login. With a recent addition
to netsamlogon_cache_store, we can now reliably tell from there whether
a domain is trusted.

This also adds a few heuristic checks, such as allocation for the local
domains and additional ranges where we already have a mapping for range
index 0 for.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
55daaf10dd idmap_autorid: Add ntstatus to a debug message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
9fe42eb58e idmap_autorid: Only look at the tdc cache when allocating ranges
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
4cfd824fd3 idmap_autorid: Do a readonly attempt before looking at the tdc cache
If autorid.tdb already has a mapping for a domain range, we can just
return that. Even if the volatile tdc cache at this point does not have
the domain, we should return a correct mapping.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
941d235f70 idmap_autorid: idmap_autorid_sid_to_id_rid only uses rangesize from "global"
Simplification -- from the callers perspective looks like a complex
routine which it is not

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
3ae832de47 idmap_autorid: idmap_autorid_sid_to_id_rid only uses low_id from "range"
Simplification -- from the callers perspective looks like a complex
routine which it is not

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
f5c9f27e62 idmap_autorid: Tighten idmap_autorid_id_to_sid a bit
We should only allow '#' as a sid/range-number separator in autorid.tdb.

The logic might be a bit clumsy. But the switch statement with failure
fall thru was the clearest I could come up with.

Signed-off-by: Volker Lendecke <vl@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
751f598043 idmap_autorid: Fix a comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
f1c126c2f6 idmap_autorid: Protect against dsize==0
Not sure it can happen, but you never know...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
b64835a109 idmap_tdb: Harden idmap_tdb_common_unixid_to_sid
A non-null terminated record would make string_to_sid read beyond the
end of allocated data.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
5ee846fabf idmap_autorid: Slightly simplify idmap_autorid_unixids_to_sids
Avoid an else branch where it's not necessary

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
321dca7820 samlogon_cache: Rename "user_sid" to "sid"
This is no longer just a user, we can also check for domains

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
bedc5c0568 samlogon_cache: Add the user's domain sid into the samlogon_cache
This will be used by autorid and possibly others instead of the tdc
cache. The only reliable way to find a domain to be trusted is via a
successful login. We indicate successful login via a netsamlogon_cache.tdb
entry. This patch also adds the user's domain sid with an entry, so we
can check for that existence without traversing the cache.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
f4ca27f173 samlogon_cache: Simplify netsamlogon_cache_have
We're interested in existence only, we should be able to trust the data
format consistency for this type of query.

netsamlogon_cache_get calls netsamlogon_cache_init for us, now we have
to do it directly.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Andreas Schneider
430c2d1844 s3:crypto: Use smb_krb5_kt_open_relative() for MEMORY keytab
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-16 01:55:13 +01:00
Uri Simchoni
c0549aea68 cli-quotas: fix potential memory leak
Fix a memory leak in out-of-memory condition

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 13 22:30:44 CET 2016 on sn-devel-144
2016-12-13 22:30:44 +01:00
Jeremy Allison
2c02146a84 s3: libsmb: Ensure SMB2 operations correctly set cli->raw_status.
Needs to be done even on success (cli_is_error() checks if
cli->raw_status was NT_STATUS_OK).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12468

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-12-13 18:38:17 +01:00
Andreas Schneider
831d60a5df s3:winbind: Do not start with an invalid default idmap backend
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2016-12-12 20:19:11 +01:00
Andreas Schneider
74c2c4647e s3-testparm: Print an error if we have overlapping idmap config
Except if both backends are 'ad'.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-12-12 20:19:10 +01:00
Andreas Schneider
3de634d7a0 s3-testparm: Print error if the default backend is incorrect
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-12-12 20:19:10 +01:00
Andreas Schneider
46337ce43c s3-testparm: Fix trailing whitespaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-12 20:19:10 +01:00
Volker Lendecke
5927c82178 libsmb: Correctly report error for rename failure
This prevents renaming a file over an existing one with SMB2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12468

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-12 20:19:10 +01:00
Volker Lendecke
8a0174dca5 nmbd: xfile->stdio
Unfortunately this is a larger patch. Doing it in small pieces would
have been pretty difficult, as everybody calls everybody else.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:24 +01:00
Volker Lendecke
c07a9b5beb libnbt: lmhosts xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:24 +01:00
Volker Lendecke
3af7ff5c82 printing: Convert aix_cache_reload to stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:24 +01:00
Volker Lendecke
a366463ff9 printing: std_pcap_cache_reload xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:23 +01:00
Volker Lendecke
2d9409341f rpc_server: svcctl xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:23 +01:00
Volker Lendecke
9d12b01496 vfs: expand_msdfs xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:23 +01:00
Volker Lendecke
2adcbc94b8 ntlm_auth3: xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:23 +01:00
Volker Lendecke
9c414677d8 smbd: username map file handling xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:23 +01:00
Volker Lendecke
7437150381 lib: popt_common xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:23 +01:00
Volker Lendecke
d7362baf79 idmap_hash: xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:23 +01:00
Volker Lendecke
2cd1299461 smbclient: xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:23 +01:00
Jeremy Allison
9fbd544b90 s3: ntlm_auth: Don't corrupt the output stream with debug messages.
Calling programs expect to cleanly read from STDOUT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12467

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-12-11 11:17:23 +01:00
Jeremy Allison
b5c0745b0c s3: torture: Adds regression test case for se_access_check() owner rights issue.
This test passes against Win2K12 but fails against smbd
without the previous commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 10 10:11:10 CET 2016 on sn-devel-144
2016-12-10 10:11:09 +01:00
Stefan Metzmacher
5ca59a1772 s3:libsmb: don't pass 'passlen' to cli_tree_connect[_send]() and allow pass=NULL
There're no callers which try to pass a raw lm_response directly anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  9 13:09:37 CET 2016 on sn-devel-144
2016-12-09 13:09:37 +01:00
Stefan Metzmacher
75aa174e8d s3:libsmb: avoid using cli->{use_kerberos,...} in remote_password_change()
As we pass flags=0 to cli_connect_nb() all values can only be false,
so we can use false directly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00