1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

106089 Commits

Author SHA1 Message Date
Volker Lendecke
d7362baf79 idmap_hash: xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:23 +01:00
Volker Lendecke
2cd1299461 smbclient: xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:23 +01:00
Volker Lendecke
b62abd73a4 smbclient4: xfile->stdio
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-11 11:17:23 +01:00
Jeremy Allison
9fbd544b90 s3: ntlm_auth: Don't corrupt the output stream with debug messages.
Calling programs expect to cleanly read from STDOUT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12467

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-12-11 11:17:23 +01:00
Jeremy Allison
b5c0745b0c s3: torture: Adds regression test case for se_access_check() owner rights issue.
This test passes against Win2K12 but fails against smbd
without the previous commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 10 10:11:10 CET 2016 on sn-devel-144
2016-12-10 10:11:09 +01:00
Jeremy Allison
29b02cf22f lib: security: se_access_check() incorrectly processes owner rights (S-1-3-4) DENY ace entries
Reported and proposed fix by Shilpa K <shilpa.krishnareddy@gmail.com>.

When processing DENY ACE entries for owner rights SIDs (S-1-3-4) the
code OR's in the deny access mask bits without taking into account if
they were being requested in the requested access mask.

E.g. The current logic has:

An ACL containining:

[0] SID: S-1-3-4
    TYPE: DENY
    MASK: WRITE_DATA
[1] SID: S-1-3-4
    TYPE: ALLOW
    MASK: ALLOW_ALL

prohibits an open request by the owner for READ_DATA - even though this
is explicitly allowed.

Furthermore a non-canonical ACL containing:

[0] SID: User SID 1-5-21-something
    TYPE: ALLOW
    MASK: READ_DATA

[1] SID: S-1-3-4
    TYPE: DENY
    MASK: READ_DATA

[2] SID: User SID 1-5-21-something
    TYPE: ALLOW
    MASK: WRITE_DATA

prohibits an open request by the owner for READ_DATA|WRITE_DATA - even
though READ_DATA is explicitly allowed in ACE no 0 and is thus already
filtered out of the "access-still-needed" mask when the deny ACE no 1 is
evaluated.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12466

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-12-10 06:24:11 +01:00
Björn Jacke
44a01a2d3d util: use SCOPE_DELIMITER for the IPv6 scope delimiter
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Dec  9 20:45:15 CET 2016 on sn-devel-144
2016-12-09 20:45:15 +01:00
Björn Jacke
bfc6adfb20 replace: make sure we have a SCOPE_DELIMITER define
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-09 16:58:11 +01:00
Björn Jacke
ab8616f20c ad/provision: change http://samba.org to https://www.samba.org
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Karolin Seeger <kseeger@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Fri Dec  9 16:57:31 CET 2016 on sn-devel-144
2016-12-09 16:57:31 +01:00
Björn Jacke
c44e1916eb man pages: change http://samba.org to https://www.samba.org
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
2016-12-09 13:10:26 +01:00
Björn Jacke
8a89b9bbcb docs-xml: change http://samba.org to https://www.samba.org
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
2016-12-09 13:10:26 +01:00
Stefan Metzmacher
5ca59a1772 s3:libsmb: don't pass 'passlen' to cli_tree_connect[_send]() and allow pass=NULL
There're no callers which try to pass a raw lm_response directly anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  9 13:09:37 CET 2016 on sn-devel-144
2016-12-09 13:09:37 +01:00
Stefan Metzmacher
75aa174e8d s3:libsmb: avoid using cli->{use_kerberos,...} in remote_password_change()
As we pass flags=0 to cli_connect_nb() all values can only be false,
so we can use false directly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
77a7e72f88 s3:client: avoid using cli->{use_kerberos,...} for cli_session_creds_init() in smbspool.c
CLI_FULL_CONNECTION_USE_KERBEROS is the only possible flag the
caller of smb_complete_connection() will pass, so we can avoid
use it directly instead of going via cli_start_connection()
to use cli->use_kerberos.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
9bf8805ee9 s3:client: make use of cli_tree_connect_creds() in smbspool.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
bae607af36 s3:libsmb: add cli_tree_connect_creds()
This can be used with a valid creds structure in order
to do a share level authentication or with NULL in the cases
we assume a modern server already.

Later we can change the ordering and implement
cli_tree_connect() on top of cli_tree_connect_creds().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
d0d17cdb77 s3:libsmb: fix 'client lanman auth = no' DEBUG message in cli_session_setup_creds_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
d6216b8f37 s3:libsmb: fix memory leak in cli_raw_ntlm_smb_encryption_start()
smb_trans_enc_state is a talloc pointer now, so we can talloc_move()
the gensec_security to the correct talloc parent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12408

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
3c8e9a0ad3 s3:torture: make use of cli_full_connection_creds() in torture.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
182d5e73a9 auth/credentials: clear all unused blobs in cli_credentials_get_ntlm_response()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
4c9462f93b auth/credentials: fix cut'n'paste error in cli_credentials_get_principal_and_obtained()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
Stefan Metzmacher
5d4aa22f55 auth/credentials: let cli_credentials_parse_string() handle the "winbind separator"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-09 09:24:27 +01:00
David Disseldorp
f5536ce1f6 ctdb: add test script for ctdb_mutex_ceph_rados_helper
This standalone test script performs the following:
- using ctdb_mutex_ceph_rados_helper, take a lock on the Ceph RADOS
  object a CLUSTER/$POOL/$OBJECT using the Ceph keyring for $USER
  + confirm that lock is obtained, via ctdb_mutex_ceph_rados_helper "0"
    output
- check RADOS object lock state, using the "rados lock info" command
- attempt to obtain the lock again, using ctdb_mutex_ceph_rados_helper
  + confirm that the lock is not successfully taken
- tell the first locker to drop the lock and exit, via SIGTERM
- once the first locker has exited, attempt to get the lock again
  + confirm that this attempt succeeds

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Fri Dec  9 07:59:33 CET 2016 on sn-devel-144
2016-12-09 07:59:33 +01:00
David Disseldorp
8aba284fc4 ctdb/doc: man page for Ceph RADOS cluster mutex helper
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2016-12-09 04:10:20 +01:00
David Disseldorp
d8b61863ec ctdb: cluster mutex helper using Ceph RADOS
ctdb_mutex_ceph_rados_helper implements the cluster mutex helper API
atop Ceph using the librados rados_lock_exclusive()/rados_unlock()
functionality.

Once configured, split brain avoidance during CTDB recovery will be
handled using locks against an object located in a Ceph RADOS pool.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2016-12-09 04:10:20 +01:00
David Disseldorp
cbc81dd78e ctdb-build: configure time switch for etcd support
Disable generation/installation of the etcd cluster mutex helper by
default. Support can be explicitly enabled at configure time with
--enable-etcd-reclock.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-12-09 04:10:20 +01:00
David Disseldorp
832711718e ctdb-build: move ctdb_etcd_lock to utils/etcd
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-12-09 04:10:20 +01:00
Amitay Isaacs
c7c2f15883 ctdb-build: Generate pre-built documentation in wscript itself
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2016-12-09 04:10:20 +01:00
Amitay Isaacs
27bd4c9eeb ctdb-build: Avoid duplicate list of man pages
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2016-12-09 04:10:20 +01:00
Anoop C S
ee0475d89d lib/util: Fix indentation within routine description for dbghdrclass
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Dec  9 02:02:36 CET 2016 on sn-devel-144
2016-12-09 02:02:36 +01:00
Anoop C S
c832188b78 lib/util: Fix input arguments description for dbghdrclass() routine
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-12-08 22:12:12 +01:00
Lukas Slebodnik
701c6ad53c tevent: remove shebang from tevent.py
The tevent.py is not a executable python script.
And rpmlint consider it as an error if module file
contians shebang

    python2-tevent.x86_64: E: non-executable-script
        /usr/lib64/python2.7/site-packages/tevent.py 644 /usr/bin/python
    python3-tevent.x86_64: E: non-executable-script
        /usr/lib64/python3.5/site-packages/tevent.py 644 /usr/bin/python

Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-12-08 22:12:12 +01:00
Stefan Metzmacher
ec0297bbd0 s4:repl_meta_data: normalize rdn attribute name via the schema
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12399

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec  8 17:16:47 CET 2016 on sn-devel-144
2016-12-08 17:16:47 +01:00
Andrew Bartlett
50dff7e094 pidl: Make dcesrv\_$name\_interface "static const"
This moves it out of the global namespace

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec  8 13:25:57 CET 2016 on sn-devel-144
2016-12-08 13:25:57 +01:00
Andrew Bartlett
0e2f03f9bd s4-rpc_server: Avoid extern reference to dcesrv_mgmt_interface and memcpy()
Use a typesafe struct-returning function instead

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-08 09:28:26 +01:00
Jeremy Allison
52fad16f1c s3: torture: Regression test case for permissions check on rename.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Dec  7 11:52:03 CET 2016 on sn-devel-144
2016-12-07 11:52:03 +01:00
Jeremy Allison
91b591224a s3: smbd: Add missing permissions check on destination folder.
Based on code from Michael Zeis <mzeis.quantum@gmail.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-12-07 07:58:26 +01:00
Jeremy Allison
beb8a73e95 s3: smbd: Make check_parent_access() available to rename code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-12-07 07:58:26 +01:00
Jeremy Allison
2bfad1c9d3 s3: smbd: rename - missing early error exit if source and destination prefixes are different.
Noticed by Michael Zeis <mzeis.quantum@gmail.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12460

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-12-07 07:58:26 +01:00
Volker Lendecke
3aecad2ffd winbind: dom_sid_parse_endp always initializes "endp" when ok
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec  7 00:11:03 CET 2016 on sn-devel-144
2016-12-07 00:11:03 +01:00
Volker Lendecke
5bded5b483 idmap_autorid: dom_sid_parse_endp always initializes "endp" when ok
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-06 20:24:22 +01:00
Volker Lendecke
a5902383e3 lib: Make dom_sid_parse_endp init "endp" on all "ok" paths
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-06 20:24:22 +01:00
Volker Lendecke
61d5009888 idmap_autorid: Add a {} pair in an if-statement
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-06 20:24:22 +01:00
Andreas Schneider
a3add017e4 printing: Fix building with CUPS version older than 1.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12183

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Dec  6 13:54:28 CET 2016 on sn-devel-144
2016-12-06 13:54:28 +01:00
Jose A. Rivera
4e32944b78 ctdb: Add new helper ctdb_etcd_lock
This introduces a mutex helper called ctdb_etcd_lock, which allows CTDB to
use an existing etcd cluster to provide the functionality of a recovery lock
using the API outlined in ctdb/doc/cluster_mutex_helper.txt.

Signed-off-by: Jose A. Rivera <jarrpa@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): José A. Rivera <jarrpa@samba.org>
Autobuild-Date(master): Mon Dec  5 19:39:10 CET 2016 on sn-devel-144
2016-12-05 19:39:10 +01:00
Amitay Isaacs
41c964fdbc ctdb-recovery: Start recovery helper with ctdb_vfork_exec
The recovery helper does it's own logging, so there is no need to
pass logfd.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Dec  5 11:59:42 CET 2016 on sn-devel-144
2016-12-05 11:59:42 +01:00
Amitay Isaacs
1b7f0a7bbb ctdb-locking: Start locking helper using ctdb_vfork_exec
This avoids the extra argument of logfd to ctdb_lock_helper.  The log
messages from lock helper are captured by ctdbd.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-12-05 08:09:23 +01:00
Amitay Isaacs
c43856342f ctdb-daemon: Add ctdb_vfork_exec()
This will replace ctdb_vfork_with_logging().

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-12-05 08:09:23 +01:00
Amitay Isaacs
ecf3f56138 ctdb-daemon: Log to stderr when running in interactive mode
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-12-05 08:09:23 +01:00
Amitay Isaacs
d53dbd0dcc ctdb-daemon: Initialize logging in recovery daemon
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-12-05 08:09:22 +01:00