1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

50803 Commits

Author SHA1 Message Date
Andreas Schneider
5e62c1cb36 s3:printing: Fix size check in get_file_version()
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-21 20:43:19 +01:00
Jeremy Allison
5c909ea453 s3: smbd: Fruit. Make the use of dom_sid_compare_domain() much clearer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-21 13:11:14 +01:00
Andreas Schneider
e9d42e5681 s3:registry: Fix size types and length calculations
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 21 04:25:39 CET 2018 on sn-devel-144
2018-03-21 04:25:39 +01:00
Andreas Schneider
0f7a86c46f s3:vfs_preopen: Change to a do-while loop and fix the check
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:16 +01:00
Andreas Schneider
9f6de82ef2 s3:locking: Fix integer overflow check in posix_lock_in_range()
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:16 +01:00
Andreas Schneider
3a383038ee s3:nmbd: Fix possible integer overflow
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:16 +01:00
Andreas Schneider
d0c882434c s3:rpcclient: Fix size types
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:16 +01:00
Andreas Schneider
e3483f955b s3:rpc_server: Fix size types in spoolss
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:16 +01:00
Andreas Schneider
db31156daf s3:passdb: Fix size types
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:16 +01:00
Andreas Schneider
59b6894747 s3:modules: Fix size type in getdate
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:16 +01:00
Andreas Schneider
c6b5297b40 s3:nmbd: Fix size type in nmbd_browsesync.c
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:16 +01:00
Andreas Schneider
dfb69482c4 s3:utils: Fix size type in log2pcaphex
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:16 +01:00
Andreas Schneider
c2e9fb63c0 s3:rpc_server: Fix size types in srvsvc
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:16 +01:00
Andreas Schneider
b19a810206 s3:vfs_nettalk: Fix size types
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:16 +01:00
Andreas Schneider
8a108f624d s3:winbindd: Fix size types in idmap_tdb_common
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:15 +01:00
Andreas Schneider
206bbec4f9 s3:printing: Fix size type in printing_db
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:15 +01:00
Andreas Schneider
eb0bdefd2d s3:avahi: Fix size types
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:15 +01:00
Andreas Schneider
75c28a2642 s3:client: Fix size types
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:15 +01:00
Andreas Schneider
ba3e21cea0 s3:libsmb: Fix size types in nmblib
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:15 +01:00
Andreas Schneider
87ebb195d3 s3:param: Fix size types
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:15 +01:00
Andreas Schneider
bbbe675a1a s3:libads: Fix size types in kerberos functions
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:14 +01:00
Swen Schillig
62c3a7a6bd s3: Fix possible mem leak
The call to full_path_tos() might allocate memory which needs to be free'd
once processign is done.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-03-20 23:16:14 +01:00
Stefan Metzmacher
9bbabf628e pdb_samba_dsdb: make use of dom_sid_is_valid_account_domain()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 20 01:29:40 CET 2018 on sn-devel-144
2018-03-20 01:29:40 +01:00
Stefan Metzmacher
1f1e221a8f s3:libsmb/samlogon_cache: zero session keys before storing the info3 structure
The samlogon_cache is only used to get group memberships of the account
without asking the dc.

But for authentication we always ask the dc.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:52 +01:00
Stefan Metzmacher
a0c091eba7 s3:auth: support AUTH_SESSION_INFO_NTLM in finalize_local_nt_token()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:49 +01:00
Stefan Metzmacher
0b261dc4e3 s3:auth: make use of create_builtin_guests() in finalize_local_nt_token()
This makes the Builtin_Guests handling more dynamic,
by having a persistent storage for the memberships.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:49 +01:00
Stefan Metzmacher
6c8cf7b6ec s3:libnet_join: make use of create_builtin_guests()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:49 +01:00
Stefan Metzmacher
c5874b9b68 s3:passdb: add create_builtin_guests()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:49 +01:00
Stefan Metzmacher
c2480b96b5 s3:auth: rename "guest" methods to "anonymous"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:49 +01:00
Simo Sorce
01319b6e65 Revert "Use "localhost" to be ipv6 only friendly"
This reverts commit 54548f6dde3cf74f0e90ef577a55fd720dca6d93.
2018-03-19 15:34:32 +01:00
Simo Sorce
3e8c50901c Use "localhost" to be ipv6 only friendly
Signed-off-by: Simo Sorce <idra@samba.org>
2018-03-19 15:34:32 +01:00
Ralph Boehme
013aaffe7f selftest: run vfs.fruit_netatalk test against seperate share
These tests require a fs with xattr support. This allows adding
xattr_tdb to all other shares in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-03-16 23:07:09 +01:00
Jeremy Allison
875ff2575f s3: smbd: vfs_fruit: Replace code in fruit_fget_nt_acl() with remove_virtual_nfs_aces().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-16 23:07:09 +01:00
Jeremy Allison
a3c925d804 s3: smbd: vfs_fruit: Replace code in check_ms_nfs() with remove_virtual_nfs_aces().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-16 23:07:09 +01:00
Jeremy Allison
ef091e2cf8 s3: smbd: vfs_fruit: Add remove_virtual_nfs_aces() a generic NFS ACE remover.
Not yet used, will be used to tidyup existing code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-16 23:07:09 +01:00
Stefan Metzmacher
3056e24a4b test_smbclient_s3.sh: force LANG=C during test_utimes()
This makes the test independent from the developers environment.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-16 14:47:37 +01:00
Ralph Boehme
26e75cf661 s3: gse: use "gensec_gssapi:requested_life_time"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 16 07:48:37 CET 2018 on sn-devel-144
2018-03-16 07:48:37 +01:00
Anton Nefedov via samba-technical
9862312944 s3:smbd: map nterror on smb2_flush errorpath
smbd_smb2_flush_recv() expects nterror in tevent_req, and otherwise
aborts in tevent_req_is_nterror()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13338

Signed-off-by: Anton Nefedov <anton.nefedov@virtuozzo.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-03-16 03:04:58 +01:00
Stefan Metzmacher
1957bf11f1 s3:auth: make use of make_{server,session}_info_anonymous()
It's important to have them separated from make_{server,session}_info_guest(),
because there's a fundamental difference between anonymous (the client requested
no authentication) and guest (the server lies about the authentication failure).

When it's really an anonymous connection, we should reflect that in the
resulting session info.

This should fix a problem where Windows 10 tries to join
a Samba hosted NT4 domain and has SMB2/3 enabled.

We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST
for true anonymous connections.

The commit message from a few commit before shows the resulting
auth_session_info change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144
2018-03-16 03:03:31 +01:00
Stefan Metzmacher
0ee9a55094 s3:rpc_server: make use of make_session_info_anonymous()
For unauthenticated connections we should default to a
session info with an anonymous nt token.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:17 +01:00
Stefan Metzmacher
6afb6b67a1 s3:auth: add make_{server,session}_info_anonymous()
It's important to have them separated from make_{server,session}_info_guest(),
because there's a fundamental difference between anonymous (the client requested
no authentication) and guest (the server lies about the authentication failure).

The following is the difference between guest and anonymous token:

             security_token: struct security_token
-                num_sids                 : 0x0000000a (10)
-                sids: ARRAY(10)
-                    sids                     : S-1-5-21-3793881525-3372187982-3724979742-501
-                    sids                     : S-1-5-21-3793881525-3372187982-3724979742-514
-                    sids                     : S-1-22-2-65534
-                    sids                     : S-1-22-2-65533
+                num_sids                 : 0x00000009 (9)
+                sids: ARRAY(9)
+                    sids                     : S-1-5-7
                     sids                     : S-1-1-0
                     sids                     : S-1-5-2
-                    sids                     : S-1-5-32-546
                     sids                     : S-1-22-1-65533
+                    sids                     : S-1-22-2-65534
+                    sids                     : S-1-22-2-100004
                     sids                     : S-1-22-2-100002
                     sids                     : S-1-22-2-100003
+                    sids                     : S-1-22-2-65533
                 privilege_mask           : 0x0000000000000000 (0)

...

         unix_token               : *
             unix_token: struct security_unix_token
                 uid                      : 0x000000000000fffd (65533)
                 gid                      : 0x000000000000fffe (65534)
-                ngroups                  : 0x00000004 (4)
-                groups: ARRAY(4)
+                ngroups                  : 0x00000005 (5)
+                groups: ARRAY(5)
                     groups                   : 0x000000000000fffe (65534)
-                    groups                   : 0x000000000000fffd (65533)
+                    groups                   : 0x00000000000186a4 (100004)
                     groups                   : 0x00000000000186a2 (100002)
                     groups                   : 0x00000000000186a3 (100003)
+                    groups                   : 0x000000000000fffd (65533)

             info: struct auth_user_info
                 account_name             : *
-                    account_name             : 'nobody'
+                    account_name             : 'ANONYMOUS LOGON'
                 user_principal_name      : NULL
                 user_principal_constructed: 0x00 (0)
                 domain_name              : *
-                    domain_name              : 'SAMBA-TEST'
+                    domain_name              : 'NT AUTHORITY'
                 dns_domain_name          : NULL
-                full_name                : NULL
-                logon_script             : NULL
-                profile_path             : NULL
-                home_directory           : NULL
-                home_drive               : NULL
-                logon_server             : NULL
+                full_name                : *
+                    full_name                : 'Anonymous Logon'
+                logon_script             : *
+                    logon_script             : ''
+                profile_path             : *
+                    profile_path             : ''
+                home_directory           : *
+                    home_directory           : ''
+                home_drive               : *
+                    home_drive               : ''
+                logon_server             : *
+                    logon_server             : 'LOCALNT4DC2'
                 last_logon               : NTTIME(0)
                 last_logoff              : NTTIME(0)
                 acct_expiry              : NTTIME(0)
                 last_password_change     : NTTIME(0)
                 allow_password_change    : NTTIME(0)
                 force_password_change    : NTTIME(0)
                 logon_count              : 0x0000 (0)
                 bad_password_count       : 0x0000 (0)
-                acct_flags               : 0x00000000 (0)
+                acct_flags               : 0x00000010 (16)
                 authenticated            : 0x00 (0)
             security_token: struct security_token
                 num_sids                 : 0x00000006 (6)
                 sids: ARRAY(6)
+                    sids                     : S-1-5-7
+                    sids                     : S-1-1-0
+                    sids                     : S-1-5-2
                     sids                     : S-1-22-1-65533
                     sids                     : S-1-22-2-65534
                     sids                     : S-1-22-2-65533
-                    sids                     : S-1-1-0
-                    sids                     : S-1-5-2
-                    sids                     : S-1-5-32-546
                 privilege_mask           : 0x0000000000000000 (0)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:17 +01:00
Stefan Metzmacher
a2a289d044 s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token()
We only need to adjust sanitized_username in order to keep the same behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:17 +01:00
Stefan Metzmacher
e8402ec048 s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info()
The changes in the resulting token look like this:

           unix_token               : *
               unix_token: struct security_unix_token
                   uid                      : 0x0000000000000000 (0)
                   gid                      : 0x0000000000000000 (0)
-                  ngroups                  : 0x00000000 (0)
-                  groups: ARRAY(0)
+                  ngroups                  : 0x00000001 (1)
+                  groups: ARRAY(1)
+                      groups                   : 0x0000000000000000 (0)

...

                   domain_name              : *
                       domain_name              : 'NT AUTHORITY'
                   dns_domain_name          : NULL
-                  full_name                : NULL
-                  logon_script             : NULL
-                  profile_path             : NULL
-                  home_directory           : NULL
-                  home_drive               : NULL
-                  logon_server             : NULL
+                  full_name                : *
+                      full_name                : 'System'
+                  logon_script             : *
+                      logon_script             : ''
+                  profile_path             : *
+                      profile_path             : ''
+                  home_directory           : *
+                      home_directory           : ''
+                  home_drive               : *
+                      home_drive               : ''
+                  logon_server             : *
+                      logon_server             : 'SLOWSERVER'
                   last_logon               : NTTIME(0)
                   last_logoff              : NTTIME(0)
                   acct_expiry              : NTTIME(0)
                   last_password_change     : NTTIME(0)
                   allow_password_change    : NTTIME(0)
                   force_password_change    : NTTIME(0)
                   logon_count              : 0x0000 (0)
                   bad_password_count       : 0x0000 (0)
-                  acct_flags               : 0x00000000 (0)
+                  acct_flags               : 0x00000010 (16)
                   authenticated            : 0x01 (1)
           unix_info                : *

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:17 +01:00
Stefan Metzmacher
af4bc135e4 s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create()
These functions make it possible to construct a full auth_session_info
from the information available from an auth_user_info_dc structure.

This has all the logic from create_local_token() that is used
to transform a auth_serversupplied_info to a full auth_session_info.

In order to workarround the restriction that auth_user_info_dc
doesn't contain hints for the unix token/name, we use
the special S-1-5-88 (Unix_NFS) sids:

 - S-1-5-88-1-Y gives the uid=Y
 - S-1-5-88-2-Y gives the gid=Y
 - S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_*

The currently implemented flags are:

- AUTH3_UNIX_HINT_QUALIFIED_NAME
  unix_name = DOMAIN+ACCOUNT

- AUTH3_UNIX_HINT_ISLOLATED_NAME
  unix_name = ACCOUNT

- AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS
  Don't translate the nt token SIDS into uid/gids
  using sid mapping.

- AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS
  Don't translate the unix token uid/gids to S-1-22-X-Y SIDS

- AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS
  The unix token won't get expanded gid values
  from getgroups_unix_user()

By using the hints it is possible to keep the current logic
where an authentication backend provides uid/gid values and
the unix name.

Note the S-1-5-88-* SIDS never appear in the final security_token.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:17 +01:00
Stefan Metzmacher
7f47f9e1f2 s3:auth: remove static from finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:17 +01:00
Stefan Metzmacher
d3aae5ba65 s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:17 +01:00
Stefan Metzmacher
4f81ef9353 s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:16 +01:00
Stefan Metzmacher
e8dc55d2b9 s3:auth: add add_builtin_guests() handling to finalize_local_nt_token()
We should add Builtin_Guests depending on the current token
not based on 'is_guest'. Even authenticated users can be member
a guest related group and therefore get Builtin_Guests.

Sadly we still need to use 'is_guest' within create_local_nt_token()
as we only have S-1-22-* SIDs there and still need to
add Builtin_Guests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:16 +01:00
Stefan Metzmacher
c2ffbf9f76 s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:16 +01:00
Stefan Metzmacher
efdc617c76 s3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}()
We should not crash if we're called with NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:16 +01:00
Stefan Metzmacher
df3d278853 s3:auth: move add_local_groups() out of finalize_local_nt_token()
finalize_local_nt_token() will be used in another place,
were we don't want to add local groups in a following commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:16 +01:00
Stefan Metzmacher
f3ca3e71cc s3:auth: add the "Unix Groups" sid for the primary gid
The primary gid might not be in the gid array.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:16 +01:00
Stefan Metzmacher
28ad1306b8 s3:auth: remove unused auth_serversupplied_info->system
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:16 +01:00
Stefan Metzmacher
bf707a1eba s3:selftest: run SMB2-ANONYMOUS
This fails against a non AD DC smbd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:16 +01:00
Stefan Metzmacher
82d8aa3b9c s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:16 +01:00
Ralph Boehme
c37fbfcb24 winbindd: add retry to _winbind_SendToSam
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar 15 20:57:44 CET 2018 on sn-devel-144
2018-03-15 20:57:43 +01:00
Ralph Boehme
e608f058b8 winbindd: add retry to _winbind_DsrUpdateReadOnlyServerDnsRecords
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
fcf8edf9b8 winbindd: add retry to _wbint_DsGetDcName
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
c2cd2d3f31 winbindd: add retry to _wbint_LookupSids()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
6244a2beb1 winbindd: use reset_cm_connection_on_error() instead of dcerpc_binding_handle_is_connected()
This catches more errors and triggers retry as appropriate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
08718af36f winbindd: fix logic calling dcerpc_binding_handle_is_connected()
The calls were missing the negation operator, a retry should be
attempted is the binding handle got somehow disconnected behind the
scenes and is NOT connected.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
966ff3793a winbindd: call dcerpc_binding_handle_is_connected() from reset_cm_connection_on_error()
To consolidate the error handling for RPC calls, add the binding handle
as an additional argument to reset_cm_connection_on_error().

All callers pass NULL for now, so no change in behaviour up to here.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
2d1f00cc3a winbindd: force netlogon reauth for certain errors in reset_cm_connection_on_error()
NT_STATUS_RPC_SEC_PKG_ERROR is returned by the server if the server
doesn't know the server-side netlogon credentials anymore, eg after a
reboot. If this happens we must force a full netlogon reauth.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
2837b796af winbindd: call reset_cm_connection_on_error() from reconnect_need_retry()
This ensures we use the same disconnect logic in the reconnect backend,
which calls reconnect_need_retry(), and in the dual_srv frontend which
calls reset_cm_connection_on_error.

Both reset_cm_connection_on_error() and reconnect_need_retry() are very
similar, both return a bool indicating whether a retry should be
attempted, unfortunately the functions have a different default return,
so I don't dare unifying them, but instead just call one from the other.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
17749a5d9f winbindd: make reset_cm_connection_on_error() public
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
a33c1d25e0 winbindd: check for NT_STATUS_IO_DEVICE_ERROR in reset_cm_connection_on_error()
reconnect_need_retry() already checks for this error, it surfaces up
from tstream_smbXcli_np as a mapping for EIO.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
a8d5e4d367 winbindd: add and use ldap_reconnect_need_retry() in winbindd_reconnect_ads.c
ldap_reconnect_need_retry() is a copy of reconnect_need_retry() minus
the RPC connection invalidation.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Volker Lendecke
4b7a9d560a winbind: Keep "force_reauth" in invalidate_cm_connection
Right now I don't see a way to actually force a re-serverauth
from the client side as long as an entry in netlogon_creds_cli.tdb
exists. cm_connect_netlogon goes through invalidate_cm_connection, and
this wipes our wish to force a reauthenticatoin. Keep this intact until
we actually did reauthenticate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-15 15:46:09 +01:00
Volker Lendecke
0af88b98e7 winbind: Add smbcontrol disconnect-dc
Make a winbind child drop all DC connections

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 15:46:09 +01:00
Volker Lendecke
bffae41842 utils: Add destroy_netlogon_creds_cli
This is a pure testing utility that will garble the netlogon_creds_cli
session_key. This creates a similar effect to our schannel credentials
as does a domain controller reboot.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-15 15:46:09 +01:00
Jeremy Allison
c41895be82 CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 13 16:06:10 CET 2018 on sn-devel-144
2018-03-13 16:06:10 +01:00
Swen Schillig
b97d18f0fe s3: Fix max indentation and max column
Minor cleanup reducing the max indentation level and max column length.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2018-03-12 20:39:16 +01:00
Jeremy Allison
e0b147f650 s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_fget_nt_acl().
Ensures they don't get stored in the underlying ACL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar  8 04:09:38 CET 2018 on sn-devel-144
2018-03-08 04:09:38 +01:00
Jeremy Allison
8edad37e47 s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags correctly to reflect the ACE's left.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-07 23:11:21 +01:00
Jeremy Allison
019a1bc4ca s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor.
This will allow us to modify it in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-07 23:11:21 +01:00
Jeremy Allison
e9059c7b40 s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-07 23:11:21 +01:00
Andreas Schneider
c5857f1002 s3:tests: Skip smbd error test if we do not log to stdout
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2018-03-03 00:01:23 +01:00
Noel Power
0af66455ef s3:libads: 'net ads keytab create' shouldn't write SPN(s)
Modify default behaviour of 'net ads keytab create'

The change modifies the behaviour of 'net ads keytab create' such
that only the keytab file is modified. The current behaviour doesn't
make sense, existing SPN(s) pulled from the computer AD object have
the format 'serviceclass/host:port/servicename'.
'ads_keytab_create_default' calls ads_keytab_add_entry passing
'serviceclass' for each SPN retrieved from the AD. For each
serviceclass passed in a new pair of SPN(s) is generated as follows
    i) long form 'param/full_qualified_dns'
   ii) short form 'param/netbios_name'

This doesn't make sense as we are creating a new SPN(s) from an existing
one probably replacing the existing host with the 'client' machine.

If the keytab file exists then additionally each kerberos principal in the
keytab file is parsed to strip out the primary, then 'ads_keytab_add_entry'
is called which then tries by default to generate a SPN from any primary
that doesn't end in '$'. By default those SPNs are then added to the AD
computer account for the client running the command.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
5adb29f242 s3:utils: Modify default behaviour of 'net ads keytab add'
This change modifies the behaviour of 'net ads keytab add' such
that only the keytab file is modified.

A new command 'net ads keytab add_update_ads' has been added that
preserves the legacy behaviour which can update the AD computer
object with Winows SPN(s) as appropriate. Alternatively the new
command 'net ads setspn add' can be used to manually add the
windows SPN(s) that previously would have been added.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
4e518ecdda s3:libads: add param to prevent writing spn(s) to ads
'net ads keytab add' currently in addition to adding to the
keytab file this command also can update AD computer objects
via ldap. This behaviour isn't very intuitive or expected given
the command name. By default we shouldn't write to the ADS.

Prepare to change the default behaviour by modifying the function
'ads_keytab_add_entry' to take a paramater to modify the existing
behaviour to optionally update the AD (or not).

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
6cac9a4720 s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 2
This patch addresses how the windows SPN is written to the AD.

If a legacy service (e.g. cifs, http etc.) is passed as param to
'net ads keytab add param' then windows SPNs are generated from
'param' as follows
          i) long form 'param/full_qualified_dns'
         ii) short form 'param/netbios_name'

If the SPN is a is a Windows SPN (e.g. conforming to format
'serviceclass/host:port') then this is the SPN that is passed to
the AD.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
efabfb1c17 s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 1
This patch addresses how the windows SPN is converted into a kerberos
priniciple to be written to the keytab file. A followup patch will
deal with writing Window SPN(s) to the AD.

Before this change 'net ads keytab add' handled three scenarios

a) 'net ads keytab add param' is passed a fully qualified kerberos principal
   (identified by the presence of '@' in param) In this scenario the keytab
   file alone is updated with the principal contained in 'param'.
b) 'net ads keytab add param'; is passed a machine name (identified by
   the paramater ending with '$'). In this case the machine name
   is converted to a kerberos principal with according to the recipe
   'param@realm' where realm is determined by lp_realm().
c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.)
   In this scenario the param containing the service is first converted to
   into 2 kerberos principals (long and short forms) according to the
   following recipe
      i) long form:  'param/fully_qualified_dns@realm'
     ii) short form: 'param/netbios_name@realm'
     where 'fully_qualified_dns is retrieved from 'dNSHostName' attribute of
     'this' machines computer account on the AD.
     The principals are written to the keytab file
   Secondly 2 windows SPNs are generated from 'param' as follows
      i) long form 'param/full_qualified_dns'
     ii) short form 'param/netbios_name'
   These SPNs are written to the AD computer account object

After this change a) & b) & c) will retain legacy behaviour except
in the case of c) where if the 'param' passed to c) is a Windows SPN
(e.g. conforming to format 'serviceclass/host:port'
  i) 'param' will get converted to a kerberos principal (just a single one)
     with the following recipe: 'serviceclass/host@realm' which will
     be written to the keytab file. The SPN written to the AD is created
     as before and the legacy behaviour is preserved.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
5fa82263ad s3:utils: add new 'net ads setspn delete' subcommand
This patch adds 'delete' to the 'net ads setspn' subcommand

(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Usage:

    net ads setspn delete <computer> <SPN>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
8a6c3c5ae2 s3:utils: add new 'net ads setspn add' subcommand
This patch adds 'add' to the 'net ads setspn' subcommand

(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Usage:

     net ads setspn add <computer> <SPN>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
65ef044b8d s3:utils: add new 'net ads setspn list' subcommand
This patch adds basic functionality not unlike the setspn.exe
command that is provided by windows for adminsistering SPN on
the AD. (see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Only the basic list operation (that corresponds to the -l
    switch for setspn.exe is implemented)

Usage:

     net ads setspn list <computer>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
1400ab709e s3:libads: change ads_add_service_principal_name implementation
Previously the function 'ads_add_service_principal_name' created
the SPNs based on the machine_name and dns name passed to the function.
In order to prepare for a future patch that will also need to write
SPN(s) to the AD computer account, the function implementation will
need to be changed. Instead of the function creating the SPN(s) it
will now take the list SPN(s) to write to the AD 'machine_name' account
as an input param instead.
The name of the function has been changed to
'ads_add_service_principal_names' to reflect this. Additionally  client
code now needs to construct the SPNs to be passed into the function.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
cf0823fb9e s3:libads: Add a basic Windows SPN parser.
(see https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
d9593803ea s3:libads: Clean up code a little rename 'ads_get_samaccountname()'
Function 'ads_get_samaccountname()' basically returns the machine_name passed
as an input param (appended with '$') if it exists on the ad. The function
really is testing for the existence of the samaccountname and is not really
'getting' it. This is also the way it is used. Renaming this function to
'ads_has_samaccountname()' better reflects what it is actually doing and how
clients calling the code use it. It also makes the client code using calling
this function less confusing.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
2dd94e41f6 s3:libads: ads_get_dnshostname & ads_get_samaccountname don't use param
Both ads_get_dnshostname() & ads_get_samaccountname() are passed
a param machinename as a argument. Instead of using 'machinename' these
functions are erroneously using lp_netbiosname() instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Andreas Schneider
a89a714656 s3:smbd: Do not crash if we fail to init the session table
This should the following segfault with SMB1:

  #6  sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
  #7  <signal handler called>
  #8  smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8)
      at ../source3/smbd/smbXsrv_session.c:1212
  #9  0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961
  #10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726
  #11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0)
      at ../source3/smbd/process.c:1762
  #12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>,
      deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008
  #13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608
  #14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0

Inspection the core shows that:
  conn->client-session_table is NULL
  conn->protocol is PROTOCOL_NONE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-03-02 00:39:59 +01:00
Dan Robertson
b67ffaf518 libsmb: Use smb2 tcon if conn_protocol >= SMB2_02
When the connection protocol is SMB2 the tid from the smb1 member is
used instead of smb2 in cli_state_set_tid which often results in a null
deref.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13310

Signed-off-by: Dan Robertson <drobertson@tripwire.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 00:39:58 +01:00
Volker Lendecke
c38062604b winbind: Fix --ping-dc error handling
If the child dies at the wrong moment, we get an error in the "req" itself.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar  1 14:48:19 CET 2018 on sn-devel-144
2018-03-01 14:48:19 +01:00
Volker Lendecke
49adb5ac8f winbind: Fix a race between the sigchld and 0-sized socket read
Fix a bug when a child dies when a request is pending in the child. If the
signal handler fires before epoll finds out the other end of the parent-child
socket is closed, we close the socket on our side without taking care of the
pending request. This causes two problems: First, that one pending request
never is replied to properly, and secondly, we might end up with EPOLL_DEL on a
wrong file descriptor. This causes all sorts of trouble if we hit an active
one.

The fix for this problem is not to close the socket in winbind_child_died().
This however stops an idle child that dies hard from being properly cleaned up.
The fix for that is to add the child->monitor_fde that is set pending only when
no child request is active. This way we can remove the close(sock) in the
signal handler.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:46 +01:00
Volker Lendecke
33f5f5c461 winbind: Remove the "winbindd_children" global
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:46 +01:00
Volker Lendecke
09677053f7 winbind: Use forall_children in reinit_after_fork()
This removes the special handling for idmap_child() after the "This is
a little tricky" comment. I believe this was not required at all, the
idmap_child is part of the winbindd_children list.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
0e6d3a59eb winbind: Use forall_children in winbind_msg_ip_dropped_parent()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
dba9a12e30 winbind: Use forall_domain_children in winbind_msg_online
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
0c58fb365a winbind: Use forall_domain_children in winbind_msg_offline()
Note that we only walk the domain children, which all have
child->domain != NULL. So we don't need that check anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
815bdc65a2 winbind: Remove unused winbindd_internal_child()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
723560aed2 winbind: "internal" children never have a domain set
Look at setup_domain_child(): There we always set child->domain. The only other
two children are the idmap and locator children, which don't have a domain set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
94c02211f9 winbind: Use forall_children in winbind_child_died()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
4f76a1deae winbind: Implement forall_children()
Step 0 in removing winbindd_children as a variable: We have access to
all children via our domain list and the two explicit children. There's
no need to separately maintain a list of winbind children. Maintaining
child->pid != 0 is sufficient to make sure we only walk active children.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Andreas Schneider
1aabfff8a6 libsmb: Remove incorrect fall through comment in trusts_util.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar  1 09:52:37 CET 2018 on sn-devel-144
2018-03-01 09:52:37 +01:00
Andreas Schneider
d4ccca2d66 s3:spoolss: Remove incorrect fall through comment in srv_spoolss_nt.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:44 +01:00
Andreas Schneider
7619442a79 s3:winbindd: Add FALL_THROUGH statements in idmap_autorid.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
5ba0b72fa3 s3:utils: Add FALL_THROUGH statements in ntlm_auth.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
45153120cb s3:utils: Add FALL_THROUGH statements in net_registry_check.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
29b5de26df s3:smbd: Add FALL_THROUGH statements in reply.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
3e2e4096cc s3:rpcclient: Add FALL_THROUGH statements in rpcclient.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
cafe8ac965 s3:lsa: Add FALL_THROUGH statements in srv_lsa_nt.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
824fa2c4db s3:modules: Add FALL_THROUGH statements in getdate.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
f5d69d7134 s3:libnet: Add FALL_THROUGH statements in libnet_join.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
d17cb7cebf s3:rpc_server: Add FALL_THROUGH statements in rpc_server.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
7b946e3480 s3:utils: Add FALL_THROUGH statements in net_rpc_conf.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
36315769b8 s3:utils: Add FALL_THROUGH statements in net_conf.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
273ef59761 s3:utils: Add FALL_THROUGH statements in regedit.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
964b2d4aae s3:smbd: Add FALL_THROUGH statements in trans2.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
a4623fac64 s3:smbd: Add FALL_THROUGH statements in nttrans.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
4744b777f5 s3:modules: Add FALL_THROUGH statements in vfs_acl_common.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
2cc130683e s3:libsmb: Add FALL_THROUGH statements in dsgetdcname.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
3b9aa1c625 s3:lib: Add FALL_THROUGH statements in util_sd.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
feeb49f4cf s3:lib: Add FALL_THROUGH statements in sysacls.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
3f1a4b749d s3:lib: Add FALL_THROUGH statements in cbuf.c 2018-03-01 04:37:42 +01:00
Andreas Schneider
03ed979eb0 s3:auth: Add FALL_THROUGH statements in pampass.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
6744e8c7d4 s3:auth: Add FALL_THROUGH statements in auth_sam.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
16d14fa863 s3:lib: Add FALL_THROUGH statements in util_str.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:41 +01:00
Andreas Schneider
9fed4562ca s3:lib: Add FALL_THROUGH statements in util_path.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:41 +01:00
Andreas Schneider
d78d1a71ff s3:lib: Add FALL_THROUGH statements in substitute_generic.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:41 +01:00
Stefan Metzmacher
afd97e7209 winbindd: disable support for CROSS_ORGANIZATION domains
We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-28 14:33:19 +01:00
Volker Lendecke
5f4b71d21d winbindd: Remove "DUMP_EVENT_LIST" message
This was no longer implemented, remove it completely

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-26 22:30:14 +01:00
Poornima G
46e6626f73 vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13297

Pair-Programmed-With: Anoop C S <anoopcs@redhat.com>
Signed-off-by: Poornima G <pgurusid@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Feb 26 20:17:50 CET 2018 on sn-devel-144
2018-02-26 20:17:50 +01:00
Andreas Schneider
0258122535 s3:selftest: Run the smbtorture3 TLDAP test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-24 10:54:07 +01:00
Jeremy Allison
5ad5e7966f s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir()
HPUX has this problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13270

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Feb 23 22:56:35 CET 2018 on sn-devel-144
2018-02-23 22:56:35 +01:00
Stefan Metzmacher
06601b3a92 winbind: don't try to do an authenticated SMB connection as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 23 17:58:23 CET 2018 on sn-devel-144
2018-02-23 17:58:23 +01:00
Stefan Metzmacher
55c3af89f1 winbind: set_dc_type_and_flags() is not needed on a DC
On a DC we load the trusts in the parent in add_trusted_domains_dc()
from our local configuration. There's no need to find out the trust details
via network calls.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
18f27b5385 winbind: make sure we don't contact trusted domains via LDAP as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
32a63e3ea9 winbind: make sure we don't contact trusted domains via SAMR as AD DC
This is not needed for the normal operation of an AD DC.

Administrators should just use other tools instead of
wbinfo to list and query users and groups.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
532a14dc68 winbind: let cm_connect_netlogon_transport() only work against direct trust as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
3e17a3b7cd winbind: force the usage of schannel in cm_connect_lsa() as AD DC
This makes sure we only talk to direct trusts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
c58f8c3cd8 s3:smb_macros.h: add IS_AD_DC as addition to IS_DC
In the long run we should remove this again (as well as IS_DC).

But for now this makes some code changes in winbindd easier to
follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Ralph Boehme
f9e2cb1369 vfs_fruit: use off_t, not size_t for TM size calculations
size_t is only a 32-bit integer on 32-bit platforms. We must use off_t
for file sizes.

https://bugzilla.samba.org/show_bug.cgi?id=13296

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
7f2d45a6c2 winbind: Use one queue for all domain children
If we have multiple domain children, it's important
that the first idle child takes over the next waiting request.

Before we had the problem that a request could get stuck in the
queue of a busy child, while later requests could get served fine by
other children.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 23 09:04:23 CET 2018 on sn-devel-144
2018-02-23 09:04:23 +01:00
Volker Lendecke
b518cb0597 winbind: Maintain a binding handle per domain and always go via wb_domain_request_send()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
5116aff286 winbind: make choose_domain_child() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
44ebaaac89 winbind: add locator_child_handle() and use it instead of child->binding_handle
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
c2d78a0a0a winbind: add idmap_child_handle() and use it instead of child->binding_handle
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
1f41193e00 winbind: improve wb_domain_request_send() to use wb_dsgetdcname_send() for a foreign domain
Commit ed3bc614cc got the logic wrong while
trying to implement the logic we had in init_child_connection(),
which was removed by commit d61f3626b7.

Instead of doing a WINBINDD_GETDCNAME request (which would caused an error
because the implementation was removed in commit
958fdaf5c3), we sent the callers request
and interpreted the result as WINBINDD_GETDCNAME response, which
led to an empty dcname variable. As result the domain child
opened a connection to the primary domain in order to lookup
a dc.

If we want to connect the primary domain from the parent via
a domain child of the primary domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13295

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
4d804f5f3e winbind: use state->{ev,request} in wb_domain_request_send()
This will reduce the diff for the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13295

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
d73e3d4519 winbind: avoid using fstrcpy(dcname,...) in _dual_init_connection
domain->dcname was converted from fstring to char * by commit
14bae61ba3.

Luckily this was only ever called with an empty string in
state->request->data.init_conn.dcname.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13294

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
b158d4e4c1 winbind: cleanup winbindd_cli_state->pwent_state if winbindd_getpwent_recv() returns an error
A client may skip the explicit endpwent() if getgrent() fails.

This allows client_is_idle() return true in more cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
b7789da846 winbind: cleanup winbindd_cli_state->grent_state if winbindd_getgrent_recv() returns an error
A client may skip the explicit endgrent() if getgrent() fails.

This allows client_is_idle() return true in more cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
6548b82b5c winbind: call lp_winbind_enum_{users,groups}() already in set{pw,gr}ent()
This way we don't keep winbindd_cli_state->{pw,gr}ent_state arround forever,
if the client forgets an explicit end{pw,gr}ent().

This allows client_is_idle() return true in more cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
43af57d872 winbind: protect a pending wb_child_request against a talloc_free()
If the (winbind) client gave up we call TALLOC_FREE(state->mem_ctx)
in remove_client(). This triggers a recursive talloc_free() for all
in flight requests.

In order to maintain the winbindd parent-child protocol, we need
to keep the orphaned wb_simple_trans request until the parent
got the response from the child.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13290

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
d29dda141e winbind: use tevent_queue_wait_send/recv in wb_child_request_*()
We need a way to keep the child->queue blocked without relying on
the current 'req' (wb_child_request_state).

The next commit will make use of this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13290

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
e039e9b0d2 s3:cliconnect.c: remove useless ';'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-22 23:15:16 +01:00
Stefan Metzmacher
0786a65cab s3:libsmb: allow -U"\\administrator" to work
cli_credentials_get_principal() returns NULL in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-22 23:15:16 +01:00
Günther Deschner
6a59619844 build: fix libceph-common detection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13277

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Feb 22 19:30:12 CET 2018 on sn-devel-144
2018-02-22 19:30:12 +01:00
Douglas Bagnall
a4c853a7de util/rfc1738_unescape(): return end pointer or NULL on error
At present we don't detect errors, but when we do we'll return NULL.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-22 01:04:18 +01:00
Stefan Metzmacher
3ffebee3de winbindd: implement wb_irpc_lsa_{LookupNames4,LookupSids3}()
This will be used by the LSA Server on an AD DC to request remote views
from trusts.

In future we should implement wb_lookupnames_send/recv similar to
wb_lookupsids_send/recv, but for now using wb_lookupname_send/recv in a loop
works as a first step.

We also need to make use of req->in.level and req->in.client_revision
once we want to support more than one domain within our own forest.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:19 +01:00
Stefan Metzmacher
76868818e8 rpcclient: add lookupsids_level command
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Ralph Boehme
9ccc6eef14 rpcclient: fix variable initialisation and add parenthesis to if clauses
Just a few README.Coding fixes.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
c376ab29d1 winbindd: make use of talloc_zero_array() in wb_lookupsids*()
It just feels better for such a complex function.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:17 +01:00
Stefan Metzmacher
569c910b95 s3:cli_lsarpc: use talloc_zero_array() in dcerpc_lsa_lookup_names_generic()
It just feels better for such a complex function.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-21 14:19:17 +01:00
Stefan Metzmacher
5cae7da1de s3:cli_lsarpc: use talloc_zero_array() in dcerpc_lsa_lookup_sids_generic()
It just feels better for such a complex function.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-21 14:19:17 +01:00
Stefan Metzmacher
b5ffa0e21f winbindd: initialize type = SID_NAME_UNKNOWN in wb_lookupsids_single_done()
We check for !NT_STATUS_LOOKUP_ERR(), but wb_lookupsid_recv()
only initializes the results together with NT_STATUS_OK.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13280

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:17 +01:00
Stefan Metzmacher
17c48f26de winbindd: don't split the rid for SID_NAME_DOMAIN sids in wb_lookupsids
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13279

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:17 +01:00
Björn Jacke
29aa5c93d7 wscript: drop checks for setnetgrent/endnetgrent/getnetgrent
we don't use setnetgrent/endnetgrent/getnetgrent since security share passed
away.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-21 14:19:17 +01:00
Björn Jacke
14f798cbcc s3: remove dead already commented code
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-21 14:19:17 +01:00
Andreas Schneider
6f9c6d369f s3:auth: Pass mem_ctx to init_system_session_info()
We have a stackframe we can use for the lifetime of the session.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 21 02:46:40 CET 2018 on sn-devel-144
2018-02-21 02:46:40 +01:00
Andreas Schneider
7f47cec234 s3:auth: Pass mem_ctx to init_guest_session_info()
Use a mem_ctx which gets freed if possible.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-20 21:55:13 +01:00
Andreas Schneider
b2aec11c76 s3:auth: Pass a mem_ctx to make_new_session_info_guest()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-20 21:55:13 +01:00
Volker Lendecke
9abe97285b tldap: Dump unnecessary includes
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-20 21:55:13 +01:00
Andreas Schneider
a6eac8f649 smbspool: Improve URI handling code
This also checks that the URI given via the environment variables
starts with smb://

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Feb 20 21:46:38 CET 2018 on sn-devel-144
2018-02-20 21:46:38 +01:00
Andreas Schneider
7573b2a960 tests: Add tests for parsing LDAPv3 and LDAPv2 filter strings
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 19 23:47:08 CET 2018 on sn-devel-144
2018-02-19 23:47:08 +01:00
Andreas Schneider
654b76739a s3:tldap: Comment code for to LDAP escaping version
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-19 19:17:12 +01:00
Andreas Schneider
c96dc78aa6 s3:tldap: Fix parsing LDAPv2 escaped strings
Yes, this is outdated, but the missing 'break' produces a compiler
warning.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-19 19:17:12 +01:00
Timur I. Bakeyev
e2023e86d5 Remove some bashisms from the test scripts
Signed-off-by: Timur I. Bakeyev <timur@iXsystems.com>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2018-02-19 07:36:23 +01:00
Volker Lendecke
f8313d715b winbind: Don't send "server_id" explicitly for DUMP_DOMAIN_LIST
messaging already provides the sender id

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 16 00:56:36 CET 2018 on sn-devel-144
2018-02-16 00:56:36 +01:00
Volker Lendecke
0e3c2c8bc6 winbind: Don't explicitly send "server_id" for ONLINESTATUS
Messaging already provides the sender id

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-15 20:32:24 +01:00
Andreas Schneider
23ec302122 smbspool: Initialize empty_str on declaration
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:29 +01:00
Volker Lendecke
46148e657f net: Slightly simplify net_lookup_dsgetdcname()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-13 16:42:22 +01:00
Volker Lendecke
093871d931 dsgetdcname: Add some const
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-13 16:42:22 +01:00
Volker Lendecke
3781dba923 libsmb: Fix an error path memleak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-13 16:42:22 +01:00
Volker Lendecke
aa29a695fb libsmb: Fix destructor setup in unexpected.c
The destructor does DLIST_REMOVE, so better make sure "client" is in fact
member of that list when the destructor fires

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-13 16:42:22 +01:00
Volker Lendecke
77c1df57a8 net: Add some {}
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-13 16:42:22 +01:00
Volker Lendecke
3bbc575644 smbd: remove "id" from share_mode_entry
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 13 05:01:38 CET 2018 on sn-devel-144
2018-02-13 05:01:38 +01:00
Volker Lendecke
f7e65719a4 smbd: Pass "file_id" explicitly to send_break_to_none
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
1e2659e96d smbd: Pass "file_id" explicitly to send_break_message()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
9d7701c923 srvsvc: Avoid a dependency on share_mode_entry->id
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
d9e5148470 smbd: Avoid a dependency on share_mode_entry->id
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
ddb1524669 smbd: Avoid a dependency on share_mode_entry->id
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
b7e29d04c6 smbd: Pass "file_id" explicitly to message_to_share_mode_entry()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
fc424b28cd smbd: Pass "file_id" explicitly into share_mode_entry_to_message()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
5fdc62b236 smbd: Remove a redundant check
The file ids in all share modes match the share_mode_data's one

We don't have a paranoia check for this, but the share mode is per inode.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
bab8bf7acb smbd: Use "share_mode_data->id", not "share_mode_entry->id"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
c1079e3d2a srvsvc: Use the passed-in file_id
The one in share_mode_entry will go

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
3434b32b88 smbd: Pass in "file_id" into validate_my_share_entries
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
9487510e9e smbd: Pass in "file_id" into share_mode_str()
This used to directly access share_entry->id, which will go

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
786e307fd4 srvsvc: Use the passed-in file id, not the one from share_mode_entry
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
f519162657 smbd: Pass "file_id" through share_entry_forall
It's also in the share_entry, but that is redundant and will go

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00