1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

127046 Commits

Author SHA1 Message Date
Ralph Boehme
d0f6d54354 winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14804

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep  2 15:20:06 UTC 2021 on sn-devel-184
2021-09-02 15:20:06 +00:00
Ralph Boehme
39c2ec72cb winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14804

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2021-09-02 14:29:35 +00:00
Andrew Bartlett
10baaf0852 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
This allows our code to still pass with the error code that
MIT and Heimdal have chosen

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Sep  2 14:28:31 UTC 2021 on sn-devel-184
2021-09-02 14:28:31 +00:00
Luke Howard
b0f4455e52 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour.

[abartlet@samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd
and knownfail added]

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
ebd673e976 tests/krb5: Allow expected_error_mode to be a container type
This allows a range of possible error codes to be checked against, for
cases when the particular error code returned is not so important.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
24914ae17d tests/krb5: Add tests for omitting sname in inner request
Note: the test 'test_fast_tgs_inner_no_sname' crashes the MIT KDC.

This is fixed in MIT Krb5 commit d775c95af7606a51bf79547a94fa52ddd1cb7f49
and was given CVE-2021-37750

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
c6d7e19ecf tests/krb5: Allow specifying parameters specific to the inner FAST request body
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
bbbb13caf7 tests/krb5: Add tests for omitting sname in request
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
1e4d757394 tests/krb5: Check PADATA-PW-SALT element in e-data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
e373c6461a tests/krb5: Check e-data element for TGS-REP errors without FAST
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Andrew Bartlett
3330eaf39c tests/krb5: Remove harmful and a-typical return in as_req testcase
A test in a TestCase class should not return a value, the
test is determined by the assertions raised.

Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2]
to not always be filled, so we need to remove this
rudundent code.

This also fixes a *lot* of tests against the MIT KDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
b8e2515552 CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would
crash the Heimdal KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Luke Howard
0cb4b939f1 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
In tgs_build_reply(), validate the server name in the TGS-REQ is present before
dereferencing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

[abartlet@samba.org backported from from Heimdal
commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
to an earlier patch by Joseph Sutton]

RN: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ

Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
15f9f040fe tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
Note: This test crashed the MIT KDC prior to MIT commit
fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given
CVE-2021-36222.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
36798f5b65 tests/krb5: Make cname checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
79dda329f2 tests/krb5: Make e-data checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC, instead failing when obtaining a TGT for the user or machine.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Andrew Bartlett
d9edad89f3 Update common on currently supported Fedora versions
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Andrew Bartlett
5805a7c49a bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Andrew Bartlett
e9c8ac4adb bootstrap: Update to get newer krb5 on Fedora 34
We need the update FEDORA-2021-20b495cb94 (krb5) to
get a fix for CVE-2021-37750 (explicit NULL deref on KDC)
so our CI will pass as we have a test for this.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Andrew Bartlett
40b65fcb58 script/autobuild.py: Restore MIT ADDC tests against fl2008*
Commit 7387da74e6 incorrectly
ran the fl2000dc and fl2003dc tests twice, rather than the
fl2008dc and fl2008r2dc tests in samba-ad-dc-4b-mitkrb5.

(Now ad-dc-mit-4b)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14815

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Sep  2 05:56:12 UTC 2021 on sn-devel-184
2021-09-02 05:56:12 +00:00
Andrew Bartlett
17ae0319db selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
This generates a single test per bit which is easier to
debug.  Elsewhere we use this pattern where we want to
be able to put some cases in a knownfail, which is otherwise
not possible.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-02 05:03:31 +00:00
Andrew Bartlett
60f1b6cf0e selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
This generates a single test per bit which is easier to
debug.  Elsewhere we use this pattern where we want to
be able to put some cases in a knownfail, which is otherwise
not possible.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-02 05:03:31 +00:00
Andrew Bartlett
8701ce492f selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
This is a nice easy example of how the test generation
code works, and it combined nicely with the earlier
patch to return string names from the UF_ constants.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-02 05:03:31 +00:00
Andrew Bartlett
fb6c0b9e2a pydsdb: Add API to return strings of known UF_ flags
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-02 05:03:31 +00:00
Andrew Bartlett
8c45526816 selftest: Use addCleanup rather than tearDown in user_account_control.py
self.addCleanup() is called regardless of the test failure or error status
and so is more reliable, particularly during development.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-02 05:03:31 +00:00
Andrew Bartlett
8b078bbf87 selftest: Modernise user_account_control.py tests use a common self.OU
We set and use a single self.OU to ensure consistancy and
reduce string duplication.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-02 05:03:31 +00:00
Bjoern Jacke
1209c89dcf util_sock: fix assignment of sa_socklen
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14800

Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Tue Aug 31 09:54:35 UTC 2021 on sn-devel-184
2021-08-31 09:54:35 +00:00
Andrew Bartlett
638c6d423e selftest: Remove skip of samba4.rpc.unixinfo
This test, and the rpcclient getwpuid call on a "real" system
with nss_winbind (under docker in my test) also works fine.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14691

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 31 00:12:53 UTC 2021 on sn-devel-184
2021-08-31 00:12:53 +00:00
David Mulder
d5118eb68a gpo: Add Group Policy Firefox Extension
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug 30 21:57:09 UTC 2021 on sn-devel-184
2021-08-30 21:57:09 +00:00
David Mulder
c5bbb1777e gpo: Test Group Policy Firefox Extension
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-30 21:08:36 +00:00
Ralph Boehme
fead05a455 vfs_gpfs: deal with pathrefs fsps in smbd_gpfs_set_times()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Aug 26 20:08:51 UTC 2021 on sn-devel-184
2021-08-26 20:08:51 +00:00
Ralph Boehme
93a48399f4 lib/gpfswrap: add gpfs_set_times_path() wrapper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Ralph Boehme
1bbdb81899 vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fntimes()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Ralph Boehme
9a237e168a vfs_gpfs: pass fsp to smbd_gpfs_set_times()
No change in behaviour. Prepares for dealing with pathref fsps in
smbd_gpfs_set_times().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Ralph Boehme
443608ee81 vfs_gpfs: deal with pathref fsps in vfs_gpfs_fntimes()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Ralph Boehme
882a466ea5 vfs_gpfs: add sys_proc_fd_path() fallback to vfs_gpfs_fset_dos_attributes()
gpfs_set_winattrs() is a modifying operation, my expectation thus is that it is
not allowed on pathref (O_PATH) handles even though a recent Linux kernel commit
44a3b87444058b2cb055092cdebc63858707bf66 allowed calling utimensat() on pathref
handles.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771
RN: Some VFS operations on pathref (O_PATH) handles fail on GPFS

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Ralph Boehme
3679f54f17 vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fset_dos_attributes()
This API call has existed for a long time, so we can safely assume that this
always works.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Pair-Programmed-With: Christof Schmitt <cs@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Ralph Boehme
fde1b98143 vfs_gpfs: add path based fallback for gpfswrap_fstat_x() on pathref handles
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Ralph Boehme
730f8c49a9 vfs_gpfs: check for O_PATH support in gpfswrap_fstat_x()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Ralph Boehme
1a3ac7a940 vfs_gpfs: make vfs_gpfs_connect() a no-op on IPC shares
We don't ever expect any filesystem IO operations to be called on an IPC shares,
so there's no need to initialize the module here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Stefan Metzmacher
070dce224b vfs_gpfs: don't check for struct gpfs_config_data in vfs_gpfs_[l]stat()
This is unused and the config object won't be avilable for IPC$ anymore with the
next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Ralph Boehme
145e739c44 vfs_gpfs: call SMB_VFS_NEXT_CONNECT() before running some module initialization code
No change in behaviour. Prepares for a subsequent commit that checks for IPC shares.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Ralph Boehme
bcd6bed7b8 smbd: avoid calling creating a pathref in smb_set_file_dosmode()
We already have a fsp with a valid fsp->base_fsp if it's a stream.

Also remove the struct smb_filename arg, it's not needed, the only caller
already checks for a valid fsp.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14771

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2021-08-26 19:18:31 +00:00
Stefan Metzmacher
5d53b848f6 wafsamba: always generate compile_commands.json again, but only when the samba dependencies changed
This means the costs of the generation on a empty build are not paid
anymore, which was the reason for the explicit --enable-clangdb option.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug 26 13:06:09 UTC 2021 on sn-devel-184
2021-08-26 13:06:09 +00:00
Andrew Bartlett
9b9fd2a0d9 mit-kdc: Remove build time support for KDB_API < 10
The previous commits restricted to MIT KDC build to MIT 1.19 and this removes the
 #ifdef in the code of what will become untested code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug 26 07:05:44 UTC 2021 on sn-devel-184
2021-08-26 07:05:44 +00:00
Andrew Bartlett
554bdfa8a0 build: Move minimum MIT krb5 version to 1.19 to align with what is tested
This avoid shipping untested code and aligns with the version
used in GitLab CI for all the MIT builds.

The "bronze bit" (CVE-2020-17049) security fixes will need
a new MIT KDB version in any case, this prepares the ground
by removing the older version support.

(knownfail_mit_kdc updates taken from a patch by
Andreas Schneider <asn@samba.org> that did this optionally)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-26 06:16:35 +00:00
Andrew Bartlett
ff267c3c79 autobuild.py: Do not build MIT builds by default (eg sn-devel)
This avoids the need for MIT KDC tests and the MIT KDC glue code to
operate against the older MIT 1.16 found on Ubuntu 18.04, which
is our current build environment.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-26 06:16:35 +00:00
Andrew Bartlett
649b0741e1 gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC
Fedora packages current MIT builds pretty fast so we base our
MIT KDC tests there, as this avoids backporting and tests against
the most current code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-26 06:16:35 +00:00
Andrew Bartlett
6145c388d2 gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos
Because the MIT KDC builds are moving to current MIT and out of the default autobuild
this ensures that on our default host, which is closer to what most of our
users operate, Samba still works with Kerberos.

This uses the ktest environment that does not require the KDC to exist
and instead uses a static ccache and keytab.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-26 06:16:35 +00:00
Andrew Bartlett
167ad96136 autobuild.py: Explain why each job is removed from the default set
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-26 06:16:35 +00:00