1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

137503 Commits

Author SHA1 Message Date
Stefan Metzmacher
b8b874ef5e s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
604413b98a s4:lib/tls: add tstream_tls_params_client_lpcfg()
This will be able simplify the callers a lot...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
3186cdce85 s4:lib/tls: split out tstream_tls_verify_peer() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
15fb8fcc7b s4:lib/tls: include a TLS server name indication in the client handshake
This is not strictly needed, but it might be useful
for load balancers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
ecdd769191 s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS
We require gnutls 3.6.13

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
60b11645b0 s4:lib/tls: split out tstream_tls_prepare_gnutls()
Review with: git show --patience

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
ac4bca7703 s4:lib/tls: assert that event contexts are not mixed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
6688945fa0 s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed
Before the handshare or disconnect is over we need to wait until
we delivered the lowlevel messages to the transport/kernel socket.

Otherwise we'll have a problem if another tevent_context is used
after the handshake.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
5844ef27aa s4:lib/tls: remove tstream_tls_push_trigger_write step
At the time of https://bugzilla.samba.org/show_bug.cgi?id=7218,
we tested this versions:
    2.4.1 -> broken
    2.4.2 -> broken
    2.6.0 -> broken
    2.8.0 -> broken
    2.8.1 -> broken
    2.8.2 -> OK
    2.8.3 -> OK
    2.8.4 -> OK
    2.8.5 -> OK
    2.8.6 -> OK
    2.10.0 -> broken
    2.10.1 -> broken
    2.10.2 -> OK

These seemed to be the fixes in gnutls upstream.

Change 2.8.1 -> 2.8.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=28fb34099edaf62e5472cc6e5e2749fed369ea01

Change 2.10.1 -> 2.10.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=0d07d8432d57805a8354ebd6c1e7829f3ab159cb

This shouldn't be a problem with recent (>= 3.6) versions of gnutls.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
68f6a461e1 s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()
There's no point in asking the server for supportedSASLMechanisms,
every server (we care about) supports GSS-SPNEGO.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
8deba427e2 s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
2435ab1ad7 ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
Without a valid loadparm_context we can't connect.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
8007569e9f s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
Otherwise we'll crash in a lot of places later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Stefan Metzmacher
96e4a92f19 tests/segfault.py: make sure samdb.connect(url) has a valid lp_ctx
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:33 +00:00
Volker Lendecke
1cba9de144 Fix a few "might be uninitialized" errors
I've seen them with clang

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 23 19:02:10 UTC 2024 on atb-devel-224
2024-04-23 19:02:10 +00:00
Volker Lendecke
316579b502 smbd: Slightly simplify notifyd_send_delete()
Call messaging_send_iov() instead of messaging_send_iov_from().

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-23 17:53:36 +00:00
Volker Lendecke
190ae0796e smbd: Simplify smb_set_file_unix_link()
Avoid a call to parent_pathref, use the dirfsp that already exists

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-23 17:53:36 +00:00
Volker Lendecke
88921ac177 smbd: Simplify smb_q_posix_symlink()
Use the dirfsp from call_trans2qpathinfo(), avoid a call to parent_pathref()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-23 17:53:36 +00:00
Volker Lendecke
e35b3af2e8 smbd: Simplify call_trans2qpathinfo()
These days filename_convert_dirfsp() always returns a full fsp.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-23 17:53:36 +00:00
Stefan Metzmacher
daf6d371f3 s3:rpc_client: implement bind time feature negotiation
This is not strictly needed as we don't use any of the
optional features yet.

But it will make it easier to add bind time features we'll
actually use later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 23 17:29:55 UTC 2024 on atb-devel-224
2024-04-23 17:29:55 +00:00
Stefan Metzmacher
713a802257 s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context
We should fail if we didn't get DCERPC_BIND_ACK_RESULT_ACCEPTANCE.

It's also not needed to require a single array element.

We already checked above that we have at least one.

The next patch will all bind time feature negotiation
and that means we'll have 2 array elements...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 16:23:38 +00:00
Stefan Metzmacher
6548ccb31b s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()
This prepares adding bind time feature negotiation in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 16:23:38 +00:00
Stefan Metzmacher
0cc0970d35 dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()
dcerpc_ncacn_push_auth() already calls dcerpc_set_frag_length().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 16:23:38 +00:00
Stefan Metzmacher
2674df4cc0 s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed
Only legacy protocols need a password for share level authentication,
so avoid triggering the password prompt for the common case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 23 15:21:38 UTC 2024 on atb-devel-224
2024-04-23 15:21:38 +00:00
Stefan Metzmacher
aff2932c42 python/samba/getopt: don't prompt for a password for --use-krb5-ccache=...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-04-23 14:17:32 +00:00
Stefan Metzmacher
0ba9e5dacb lib/cmdline: only call cli_credentials_get_password_and_obtained if needed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-04-23 14:17:32 +00:00
Stefan Metzmacher
994e12e8f7 lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-04-23 14:17:32 +00:00
Stefan Metzmacher
e2170431f1 s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-04-23 14:17:32 +00:00
Stefan Metzmacher
5af5bf2645 auth/credentials: don't call talloc_free(ccache_name) on callers memory
The internally allocated ccache_name has ccc as parent,
so we don't need to cleanup explicitly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-04-23 14:17:32 +00:00
Stefan Metzmacher
d221f930ef auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy()
A simple krb5_cc_close() doesn't remove it from the global memory list.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-04-23 14:17:32 +00:00
Stefan Metzmacher
126357e2e7 lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime
If the ccache doesn't have a intial TGT the shortest lifetime of
service tickets should be returned.

This is needed in order to work with special ccaches used for
things like S2U4Self/S4U2Proxy tickets or other things
where the caller only wants to pass a single service ticket.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-04-23 14:17:32 +00:00
Stefan Metzmacher
e58f83d395 s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-04-23 14:17:32 +00:00
Stefan Metzmacher
e6f92edba6 s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-04-23 14:17:32 +00:00
Douglas Bagnall
c49c48afe0 ldb:utf8: ldb_ascii_toupper() avoids real toupper()
If a non-lowercase ASCII character has an uppercase counterpart in
some locale, toupper() will convert it to an int codepoint. Probably
that codepoint is too big to fit in our char return type, so we would
truncate it to 8 bit. So it becomes an arbitrary mapping.

It would also behave strangely with a byte with the top bit set, say
0xE2. If char is unsigned on this system, that is 'â', which
uppercases to 'Â', with the codepoint 0xC2. That seems fine in
isolation, but remember this is ldb_utf8.c, and that byte was not a
codepoint but a piece of a long utf-8 encoding. In the more likely
case where char is signed, toupper() is being passed a negative
number, the result of which is undefined.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 23 02:37:25 UTC 2024 on atb-devel-224
2024-04-23 02:37:25 +00:00
Douglas Bagnall
dca6b2d255 ldb:attrib_handlers: use ldb_ascii_toupper() in first loop
In a dotless-I locale, we might meet an 'i' before we meet a byte with
the high bit set, in which case we still want the ldb casefold
comparison.

Many ldb operations will do some case-folding before getting here, so
hitting this might be quite rare even in those locales.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
078ecf486a ldb:pytests: test for Turkic i-dots in ldb_comparison_fold
In tr_TR and some other locales where the letter 'i' uppercases to
'İ', which is not ideal for LDB as we need certain strings like 'guid'
to casefold in the ASCII way.

In fixing https://bugzilla.samba.org/show_bug.cgi?id=15248) we solved
this problem in many cases, but for unindexed searches where the 'i'
is not the last character in the string. This test shows that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
a75c98ad68 ldb:attrib_handlers: make ldb_comparison_Boolean more consistent
This isn't supposed to be used for sorting, but it is hard to say it
won't be, so we might as well make it sort properly.

Following long-standing behaviour, we try to sort "FALSE" > "TRUE", by
length, then switch to using strncasecmp().

strncasecmp would sort the other way, so we swap the operands. This is
to make e.g. "TRUE\0" sort the same as "TRUE".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
7280c8e53f ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs
If both DNs are invalid, we can say they are equal.

This means invalid or NULL DNs will sort to the end of the array,
before deleted DNs:

[ valid DNs, sorted | invalid/NULL DNs | deleted DNs, sorted ]

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
341b8fb60e ldb-samba:ldif_handlers: dn_link_comparison leaks less
dn1 and dn2 can be invalid but still occupying memory.
(ldb_dn_validate(dn2) does contain a NULL check, but a lot more besides).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
7035659256 ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted objects
This changes the behaviour of the DN syntax .comparison_fn when being
used in a search, if the search key is a deleted DN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
11d5a80932 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs
these tend to go to the end of the sorted array.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
db963b1674 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects
We were always returning -1 for a deleted object, which works for an
equality test, but not a relative comparison.

This sorts deleted DNs toward the end of the list -- except when both
DNs are deleted. What should happen there is yet to be determined.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
2d3b917d0a ldb-samba:ldif_handlers: extended_dn_read_Sid(): free on failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
42f2d96f82 ldb-samba:ldif_handlers: ldif_read_objectSid(): free a thing on failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
6722e80d1b ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate
This function compares blobs that might be SID strings or might be SID
structures. Until now, if they were both (seemingly) strings, they were
compared as strings, otherwise if either was a string it was converted to
a structure blob, then the blobs were compared. This had two big problems:

1. There is variety in the way a SID can be stringified. For example,
   "s-1-02-3" means the same SID as "S-1-2-3", but those wouldn't compare
   equal.

2. SID comparison was crazily non-transitive. Consider the three values
     a = "S-1-2-3-4-5",
     b = "S-1-9-1",
     c = SID("S-1-11-1"), where c is a struct and the others are string.

   then we had,
     a < b, because the 5th character '2' < '9'.
     a > c, because when converted to a structure, the number of sub-auths
            is the first varying byte. a has 3, c has 0.
     b < c, because after the sub-auth count comes the id_auth value
            (big-endian, which doesn't matter in this case).

That made the function unreliable for sorting, AND for simple equality
tests. Also it leaked.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
4af670384a s4:dsdb: fix spelling in comment
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
a9eaf8a3ab ldb: comment for ldb_dn_compare_base
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
6229feab74 s4:rpcsrv:samr: improve a comment in compare_msgRid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
7be535315a s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs
Returning 0 on `(name1 == NULL || name2 == NULL)` made NULL equal to
everything, which confuses a sort (consider {A, B, NULL} where A > B,
but A == NULL == B).

The only caller is dnsserver_enumerate_records() which fails if it
finds a NULL in the sorted list. We make the happen more quickly by
sorting NULLs to the front.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00
Douglas Bagnall
31c322874b s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 01:33:29 +00:00