1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

135156 Commits

Author SHA1 Message Date
Volker Lendecke
f8645c7a10 smbd: Simplify open_file()
We handle O_TRUNC further down anyway by passing local_flags&~O_TRUNC to
reopen_from_fsp(). No need for this FIFO special case.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-10-05 12:58:33 +00:00
Volker Lendecke
df78af9893 smbd: Simplify an if-condition in open_file()
We use the plain (flags&O_TRUNC) a few lines above, make the
if-condition a bit more readable.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-10-05 12:58:33 +00:00
Volker Lendecke
45005d4b71 smbd: Simplify open_file()
We can unconditionally just and-out O_CREAT from local_flags, so
remove an if-condition.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-10-05 12:58:33 +00:00
Volker Lendecke
ad7b119b8b smbd: Don't change incoming flags in open_file()
This will be part of a const struct vfs_open_how soon. Further down in
this function we don't look at O_CREAT or O_EXCL of "flags" anymore
anyway.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-10-05 12:58:33 +00:00
Volker Lendecke
3f4c937dcf smbd: Remove variable "accmode" from open_file()
We directly look at the flags in many other places in this function,
so do this also for O_ACCMODE for clarity.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-10-05 12:58:33 +00:00
Volker Lendecke
236df26a1f smbd: Slightly simplify open_file()
Replace "truncating" variable reference with what it was defined
as. We use "(flags & O_TRUNC)" a few lines above, so it can't be that
bad.

After we set it to "false" further down, it was never used again.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-10-05 12:58:33 +00:00
Volker Lendecke
2a53fdeb44 smbd: Pass "struct vfs_open_how" to reopen_from_fsp()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-10-05 12:58:33 +00:00
Volker Lendecke
7996c07bd8 smbd: Pass "struct vfs_open_how" to fd_open_atomic()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-10-05 12:58:33 +00:00
Volker Lendecke
4b376fff03 smbd: Pass "struct vfs_open_how" to reopen_from_procfd()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-10-05 12:58:33 +00:00
Volker Lendecke
cb89ea70b1 libsmb: Use pidl generated parsing for posix file info
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Oct  4 21:26:20 UTC 2023 on atb-devel-224
2023-10-04 21:26:20 +00:00
Volker Lendecke
cb166028c4 libsmb: Pass NTTIME to interpret_long_date()
Separate concerns of conversion and pulling off the wire. Needed soon
for smb311 pidl generated parsing.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
82a12f7a9a libndr: Factor out ndr_pull_struct_blob_noalloc()
smb3_file_posix_information is variable length with something behind.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
7b86570216 smbd: Remove unused marshalling of smb3posix file information
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
2d6c643ebd smbd: Use Use smb3posix marshalling in in smbd_do_qfilepathinfo()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
b573e1da92 smbd: Use Use smb3posix marshalling in in smbd_marshall_dir_entry()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
a8593ad376 smbd: Modernize a DEBUG statement
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
36fd98a5ef smbd: Add smb3_file_posix_information_init()
Copy the logic from store_smb2_posix_info() to allow use of
ndr_push_smb3_file_posix_information().

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
6874ed6a9d smbd: Use smb3posix marshalling in smbd_smb2_create_after_exec()
Signed-off-by: Volker Lendecke <vl@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
8107aafb40 idl: Add smb3posix.idl
Let PIDL take care of encoding SMB2_FILE_POSIX_INFORMATION. This way
we also get parsing.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
6f91cce14e libsmb: Allow NULL print_name in reparse_data_buffer_marshall()
read_symlink_reparse() does this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
7f1ee32a1b pylibsmb: Py_BuildValue can build tuples directly
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
078db302a6 tests: Run smb3unix tests with SMB1
We want to create native FIFOs with smb1 extensions

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Volker Lendecke
52c3edb282 tests: We always do smb3 unix extensions
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-04 20:31:36 +00:00
Martin Schwenke
3ee348a966 ctdb-scripts: Convert 40.vsftpd to use threshold-based fail counting
This effectively provides simple testing for the threshold-based
approach.

Add new script option CTDB_VSFTPD_MONITOR_THRESHOLDS.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Tue Oct  3 04:53:38 UTC 2023 on atb-devel-224
2023-10-03 04:53:38 +00:00
Martin Schwenke
8303c3a534 ctdb-scripts: Implement failcount handling with thresholds
This can be used for simple failure counting, without restarts, as
used in the 40.vsftpd event script.  That case will subsequently be
converted and this functionality can also be used elsewhere.

Add documentation to ctdb-script.options(5) to allow parameters that
use this to be more easily described.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2023-10-03 03:53:35 +00:00
Martin Schwenke
4981984dd4 ctdb-scripts: Avoid errors for uninitialised counters
Uninitialised counters are treated as 0, but still produce an error.

The redirect to stderr needs to come before the redirect for a missing
counter file.

The seemingly saner alternative of moving it outside the subshell
works when dash is /bin/sh (e.g. on Debian) but does not work when
bash is /bin/sh (e.g. on Fedora).

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2023-10-03 03:53:35 +00:00
Martin Schwenke
7c468d9d28 ctdb-doc: Add some subsection names in description
A subsequent commit will add a new section, which looks out of place
without these new sections.

Best reviewed with "git show -w".

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2023-10-03 03:53:35 +00:00
Martin Schwenke
749bc56876 ctdb-doc: Update CTDB manual pages to UTF-8
This will allow Unicode characters to be used, resulting in more
readable source files.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2023-10-03 03:53:35 +00:00
Joseph Sutton
7b6c17359b tests/krb5: Test that the correct Asserted Identity SID is added when inner FX‐FAST padata is used
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Sun Oct  1 23:46:44 UTC 2023 on atb-devel-224
2023-10-01 23:46:44 +00:00
Joseph Sutton
77b35c423e s4:kdc: Make use of ‘samba_kdc_entry_pac’ wrapper type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
bad7a3fcea s4:kdc: Add function to get device PAC entry from Heimdal request structure
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
79b33eeacc s4:kdc: Add function to determine whether a KDC entry represents a trust
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
1ea4b27162 s4:kdc: Fix indentation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
45e8e19719 s4:kdc: Remove unused declaration
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
1c456912a1 s4:kdc: Add ‘samba_kdc_entry_pac’ wrapper type
With embedded Heimdal, we can mark a PAC as being trusted (i.e. not
issued by an RODC). This is convenient, as it saves us needing to carry
that information in flags, hoping it isn’t inadvertently lost.

System Heimdal and MIT Kerberos, however, don’t provide a way to mark a
PAC trusted. So we add a new wrapper type, ‘samba_kdc_entry_pac’, that
contains this extra information if ‘krb5_const_pac’ doesn’t contain it
already. As it also stores a pointer to the client entry, the
structure’s lifetime must therefore be carefully managed. Finally, it
keeps track of whether the PAC came across a trust, to know which is
useful in some circumstances.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
0633e78b57 third_party/heimdal_build: Define HAVE_KRB5_PAC_IS_TRUSTED when using embedded Heimdal
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
46c08652f8 tests/krb5: Add Device Restriction tests for silos and authentication policies in the KDC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
321e0ed675 s4:kdc: Remove unused parameters from samba_kdc_verify_pac()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
3358b04a58 s4:kdc: Remove device PAC validation
In the first place, this check was only applicable to the Heimdal KDC,
the MIT KDC not having support for compounded authentication. Secondly,
it was redundant, because _kdc_fast_check_armor_pac() would have already
been called to verify the armor ticket; a second round of validation
achieved nothing. And finally, the check was flawed: it checked only
*explicitly* armored PACs, and so would have done nothing for an armored
*AS‐REQ*.

In short, this check was useless; remove it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
989fb00985 tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
849ee95984 tests/krb5: Add method to perform an armored AS‐REQ
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
eba1ab0c84 tests/krb5: Initialize variable
This avoids the following exception:

Exception: Traceback (most recent call last):
  File "/samba/bin/python/samba/tests/krb5/kdc_tgs_tests.py", line 2500, in test_renew_pac_request_false
    tgt = self._modify_tgt(tgt, renewable=True)
  File "samba/bin/python/samba/tests/krb5/kdc_tgs_tests.py", line 3014, in _modify_tgt
    return self.modified_ticket(
  File "/samba/bin/python/samba/tests/krb5/raw_testcase.py", line 5694, in modified_ticket
    auth_data, new_pac,
UnboundLocalError: local variable 'new_pac' referenced before assignment

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
68dc69d86f s4:kdc: Remove ‘asserted_identity’ parameter from samba_kdc_get_user_info_dc()
It was not used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
3c480886ad s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add an Asserted Identity SID
samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.

By extracting the call to samba_kdc_add_asserted_identity() into the
former function’s callers, we’ll be able to remove the
‘asserted_identity’ parameter in the next commit, reducing the
function’s complexity.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
f250a24e92 s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_get_user_info_dc()
It was not used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
cfeb3d75cb s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add the Claims Valid SID
samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.

By extracting the call to samba_kdc_add_claims_valid() into the former
function’s callers, we’ll be able to remove the ‘claims_valid’ parameter
in the next commit, reducing the function’s complexity.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
e0a3dd5499 s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_get_user_info_dc()
It was never used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
41527cfaf9 s4:kdc: Remove unused memory context from samba_kdc_lookup_realm()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
2f9d2ff895 s4:kdc: Add parameters for claims and device info to authn_policy_authenticate_to_service()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
3ae7599830 s4:kdc: Add claims parameter to authn_policy_authenticate_from_device()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00