IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This is simple, explainable and secure.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 02:47:13 UTC 2022 on sn-devel-184
RAP is SMB1, the password change routine requires LM hashes and so everything
here is going away or has now gone, so remove the test.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This fixes the rpc.samr test because we no longer specify an LM hash
to the DSDB layer only to have it rejected by password_hash.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The removal of LM hash storage changes the expected metadata.
We do not need to track these values exactly to prove the
behaviour here.
This is not due to the changes in password_hash directly, which in
update_final_msg() sets DSDB_FLAG_INTERNAL_FORCE_META_DATA to force
a push out of the removed attribute to the replication state.
However at the stage of a subsequent LDAP Delete there is no longer
a lmPwdHistory nor dBCSPwd attribute, in the directory, so there is
no subsequent version bump to remove them when building a tombstone.
Samba's behaviour is different to that seen by Metze on windows 2022,
where he sees dBCSPwd removed (for the no LM store case) but
lmPwdHistory kept. We in Samba choose to differ, not storing an
ambiguous LM hsitory (of "" values likely), so allowing any version
for these two attributes is the sensible choice.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We no longer generate nor store the LM hash in the Samba AD DC.
This adds much to the knownfail, some future commits will trim this
back down by making the tests understand that the server will not
support or store the LM hash.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is for MIT Kerberos <= 1.19
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This fixes the regressions against KDCs without FAST support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184
authenticate_ldap_simple_bind*() needs to pass the
result of the cracknames operation into the auth stack
as user_info->client.{account,domain}_name, because
user_info->client.{account,domain}_name is also used
when forwarding the request via netrLogonSamLogon*
to a remote server, for exactly that the values are
also used in order to map a AUTH_PASSWORD_PLAIN into
AUTH_PASSWORD_RESPONSE, where the NTLMv2 response
contains the account and domain names passed in the
netr_IdentityInfo value.
Otherwise it would not be possible to forward the
LDAP simple bind authentication request to a remote
DC.
Currently this only applies to an RODC that forwards
the request to an RWDC.
But note that LDAP simple binds (as on Windows) only
work for users in the DCs forest, as the DsCrackNames
need to work and it can't work for users of remote
forests. I tested that in a DC of a forest root domain,
if rejected the LDAP simple bind against a different forest,
but allowed it for a users of a child domain in the
same forest. The NTLMSSP bind worked in both cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184
mapped_state is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in authsam_check_password_internals()
This doesn't apply here. We should also handle wbinfo -a
authentication UPN names, e.g. administrator@DOMAIN,
even if the account belongs to the local sam.
With this change the behavior is consistent also locally on DCs and
also an RODC can handle these requests locally for cached accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When winbindd forwards wbinfo -a via netrLogonSamLogon* to a remote
DC work fine for upn names, e.g. administrator@DOMAIN.
But it currently fails locally on a DC against the local sam.
For the RODC only work because it forwards the request to
an RWDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Using != AUTH_PASSWORD_RESPONSE is not the correct indication
due to the local mappings from AUTH_PASSWORD_PLAIN via
AUTH_PASSWORD_HASH to AUTH_PASSWORD_RESPONSE.
It means an LDAP simble bind will now honour
'old password allowed period'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The commit "99d1f1fa10d smbd: Remove unused "struct connections_key"" removes
also the assignment of information to connections_data, which are needed to list
shares.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14999
Signed-off-by: Jule Anger <janger@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Mon Mar 7 15:27:48 UTC 2022 on sn-devel-184
rpcclient SERVER -c 'dfsenum 5' dumps core
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 7 00:00:32 UTC 2022 on sn-devel-184
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The most important case is that we still have a previous
password cached at the RODC and the inbound replication
hasn't wiped the cache yet and we also haven't triggered
a new replication yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Allow delegation to any target if we have delegations set up, but the target is
not specified.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This also addresses CVE-2020-17049.
MIT Kerberos 1.20 is in pre-release state at the time writing this commit. It
will be released in autumn 2022. We need to support MIT Kerberos 1.19 till
enough distributions have been released with MIT Kerberos 1.20.
Pair-Programmed-With: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
If a VFS module fails SMB_VFS_GETXATTRAT_SEND/RECV with ENOSYS like currently
vfs_shadow_copy2 or any other module that uses
vfs_not_implemented_getxattrat_send() the ENOSYS error that
vfs_not_implemented_getxattrat_send() sets gets mapped to
NT_STATUS_NOT_SUPPORTED by map_nt_error_from_unix().
Unfortunately when checking whether the async SMB_VFS_GETXATTRAT_SEND() failed
and to determine if the sync fallback should be triggered, we currently only
check for NT_STATUS_NOT_IMPLEMENTED which is the error we get when "store dos
attributes" is disabled.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14957
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Verifies async-dosmode sync fallback works with shadow_copy2 which returns
ENOSYS for SMB_VFS_GET_DOS_ATTRIBUTES_SEND().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14957
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The whole "smbd:force sync [user|root] [path|chdir] safe threadpool" stuff was
removed long ago by 29dd6f3e59.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14957
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We now return INVALID_PARAMETER when trying to open a
different file with a duplicate lease key on the same
(non-dynamic) share. This will enable us to pass another
Windows test suite leases test.
We now behave the same as Windows10.
Remove knownfail.d/smb2-lease-duplicateopen
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 18 20:12:12 UTC 2022 on sn-devel-184
Checks we return INVALID_PARAMETER when trying to open a
different file with a duplicate lease key on the same share.
Checked against Windows10. Currently fails against smbd
so add knownfail.d/smb2-lease-duplicateopen
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We have the env variable SERVER_LOG_LEVEL which allows you to change
the log level on the command line. If we force -d0 this will not work.
make test TESTS="samba" SERVER_LOG_LEVEL=10
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This fixes a use-after-free in smb_full_audit_create_file() when
calling SMB_VFS_CREATE_FILE with fsp->fsp_name as smb_fname.
create_file_unixpath() has this comment:
* This is really subtle. If someone passes in an smb_fname
* where smb_fname actually is taken from fsp->fsp_name, then
* the lifetime of these objects is meant to be the same.
so it seems legitimate to call CREATE_FILE this way.
When CREATE_FILE runs into an error, create_file_unixpath() does a
file_free, which also takes fsp->fsp_name with
it. smb_full_audit_create_file() wants to log the failure including
the smb_fname after NEXT_CREATE_FILE has exited, but this will then
use the already free'ed data.
Fix by only doing the file_free() on an fsp that
create_file_unixpath() created itself.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 10 19:11:33 UTC 2022 on sn-devel-184
Run vfstest with this vfstest.cmd under valgrind and you'll see what
happens. Exact explanation a few patches further down...
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Strips off any DFS prefix from the target if passed in.
Remove knownfail selftest/knownfail.d/msdfs-rename.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Feb 4 12:02:36 UTC 2022 on sn-devel-184
We fail this on SMB2 for a subtle reason.
Our client code called from smbclient only sets the SMB2_HDR_FLAG_DFS flag
in the outgoing packet on the SMB2_CREATE call, and SMB2 rename does the
following operations:
SMB2_CREATE(src_path) // We set SMB2_HDR_FLAG_DFS here for a MSDFS share.
SMB2_SETINFO: SMB2_FILE_RENAME_INFO(dst_path). // We don't set SMB2_HDR_FLAG_DFS
However, from smbclient, dst_path is a MSDFS path but we don't set the flag,
so even though the rename code inside smbd will cope with a MSDFS path
(as used in the SMB1 SMBmv call) it fails as the correct flag isn't set.
Add knownfail selftest/knownfail.d/msdfs-rename.
Note we need to add the new test to "selftest/knownfail.d/smb1-tests"
as test_smbclient_s3.sh is run against the (ad_member|nt4_member)
environments first using NT1 (SMB1) protocol and then using SMB3,
but the (ad_member|nt4_member) environments don't support SMB1.
Seems a bit strange to me, but all the other SMB1 tests inside
test_smbclient_s3.sh have already been added to "selftest/knownfail.d/smb1-tests"
so just go with the test environment.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
We pass this already as the cmd_hardlink in smbclient doesn't
do the DFS path conversion on the hardlink target. But it's
good to have the test.
Note we need to add the new test to "selftest/knownfail.d/smb1-tests"
as test_smbclient_s3.sh is run against the (ad_member|nt4_member)
environments first using NT1 (SMB1) protocol and then using SMB3,
but the (ad_member|nt4_member) environments don't support SMB1.
Seems a bit strange to me, but all the other SMB1 tests inside
test_smbclient_s3.sh have already been added to "selftest/knownfail.d/smb1-tests"
so just go with the test environment.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14169
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Identical change as used in cli_unlink(), cli_mkdir(), cli_rmdir()
cli_chkpath() to ensure SMB2 calls correctly set raw_status for
libsmbclient uses.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14938
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 2 21:50:31 UTC 2022 on sn-devel-184
We run the quicktest on each linux distro as part of samba-o3 builds.
We should make sure smb2 signing/enctyption works on all of them
and all different system libraries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We need to take SMB1+POSIX into account here and do an LSTAT if it's
a POSIX name.
Remove knownfail.d/posix_sylink_rename
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 31 16:26:26 UTC 2022 on sn-devel-184
If filename_convert() fails to convert the path, we never call
check_name(). This means we can return an incorrect error code
(NT_STATUS_ACCESS_DENIED) if we ran into a symlink that points
outside the share to a non-readable directory. We need to make
sure in this case we always call check_name().
Remove knownfail.d/symlink_traversal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
NT_STATUS_OBJECT_PATH_NOT_FOUND for a path component failure.
NT_STATUS_OBJECT_NAME_NOT_FOUND for a terminal component failure.
Remove:
samba3.blackbox.test_symlink_traversal.SMB1.posix
samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\)
samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\)
in knownfail.d/symlink_traversal as we now pass these. Only one more fix
remaining to get rid of knownfail.d/symlink_traversal completely.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
