IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Updating things like the bad pwd count should not clear the
stored LM HASH with 'lanman auth = no'.
This allows testing with 'lanman auth = no' and 'lanman auth = yes'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This demonstrates that we currently have problems with
plaintext and lanman authentication. In both domain member
and standalone setups.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
DEBUG_PASSWORDS --> DEBUG_PASSWORD
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Jul 17 08:49:46 UTC 2024 on atb-devel-224
"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: tainted_data_return: Called function ""read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)"", and a possible return value may be less than zero.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: assign: Assigning: ""thistime"" = ""read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)"".
samba-4.20.0rc2/source3/modules/vfs_preopen.c:221: overflow: The expression ""nread"" is considered to have possibly overflowed.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: overflow: The expression ""talloc_get_size(namebuf) - nread"" is deemed overflowed because at least one of its arguments has overflowed.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: overflow_sink: ""talloc_get_size(namebuf) - nread"", which might have underflowed, is passed to ""read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
213| ssize_t thistime;
214|
215|-> thistime = read(sock_fd, namebuf + nread,
216| talloc_get_size(namebuf) - nread);
217| if (thistime <= 0) {"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Can't test these in selftest, we can't create devices and I don't want
us to depend on /dev to exist. Tested manually on a system where
/dev/null exists:
Try "help" to get a list of possible commands.
smb: \> allinfo null
altname: null
create_time: Fri Jun 21 02:45:59 PM 2024 CEST
access_time: Fri Jun 21 02:45:59 PM 2024 CEST
write_time: Fri Jun 21 02:45:59 PM 2024 CEST
change_time: Fri Jun 21 02:45:59 PM 2024 CEST
attributes: (480)
stream: [::$DATA], 0 bytes
0x80000014 (IO_REPARSE_TAG_NFS)
0x524843 (NFS_SPECFILE_CHR)
1/3
smb: \>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 12 21:36:16 UTC 2024 on atb-devel-224
For the last major release(v4.20) we had a warning issued(fe16ae1fe8)
to inform about the plan to disable building vfs_ceph in the absence of
certain required APIs. This is now due to make the changes and further
disable building the module if minimum required libcephfs APIs are not
present. As we speak this requirement includes ceph_select_filesystem()
and *at() variants of libcephfs APIs. These were around since v17(even
earlier for ceph_select_filesystem) which is the lowest non-EOL version
of Ceph available[1] at the moment.
[1] https://docs.ceph.com/en/latest/releases/#ceph-releases-index
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Jul 9 13:05:47 UTC 2024 on atb-devel-224
"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/registry/regfio.c:175: tainted_data_argument: The check ""bytes_read < block_size"" contains the tainted expression ""bytes_read"" which causes ""block_size"" to be considered tainted.
samba-4.20.0rc2/source3/registry/regfio.c:176: overflow: The expression ""block_size - bytes_read"" is deemed overflowed because at least one of its arguments has overflowed.
samba-4.20.0rc2/source3/registry/regfio.c:176: overflow_sink: ""block_size - bytes_read"", which might have underflowed, is passed to ""read(file->fd, buffer + bytes_read, block_size - bytes_read)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
174|
175| while ( bytes_read < block_size ) {
176|-> if ( (returned = read( file->fd, buffer+bytes_read, block_size-bytes_read )) == -1 ) {
177| DEBUG(0,(""read_block: read() failed (%s)\n"", strerror(errno) ));
178| return False;"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Run ntlm_auth with options --lm-response/--nt-response/--challenge, and pass
wrong length to these options, got error prompted logs about 'only got xxx
bytes', which are not consistent with length check. This patch revise logs
for length check to make it more consistent.
For example --lm-response requires exact 24 hex, let us input three kinds
of length 23 24 25, prompted logs said 'only got 25 bytes' seems confusing.
script:
for length in 23 24 25; \
do \
ntlm_auth --username=${un} --password=${pw} \
--lm-response="`openssl rand -hex ${length}`"; \
done;
output:
hex decode of 04db772593f5e6023d0ab4bc67a942c9179963477eb49d failed! (only got 23 bytes)
NT_STATUS_OK: The operation completed successfully. (0x0)
hex decode of 1e57749feb46bedcf969af6cbbe10e21d0232e35c27eb07294 failed! (only got 25 bytes)
After patch it shows 'got 25 bytes, expected 24' seems more consistent:
hex decode of e13e70c9cf2ac1e20015657c4bec53435b1b948febb63f failed! (got 23 bytes, expected 24)
NT_STATUS_OK: The operation completed successfully. (0x0)
hex decode of 64647005243092b036856f572faad262e0b69386d095d60f54 failed! (got 25 bytes, expected 24)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15677
Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jul 6 00:52:02 UTC 2024 on atb-devel-224
Only temporary, next step is a new more general symlink_target_path
routine, we'll need that in libcli/smb as well.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Review with: git show -U5
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 3 11:41:12 UTC 2024 on atb-devel-224
It has been a while since --with-libcephfs option was dropped. Therefore
stop advertising it through waf scripts.
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
If either of HAVE_FSTATFS and HAVE_LINUX_MAGIC_H are not defined, gcc
produces the following error:
../../source3/smbd/open.c: In function ‘reopen_from_fsp’:
../../source3/smbd/open.c:1222:1: error: label ‘namebased_open’ defined but not used [-Werror=unused-label]
1222 | namebased_open:
| ^~~~~~~~~~~~~~
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jul 2 04:44:56 UTC 2024 on atb-devel-224
"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/winbindd/winbindd_cache.c:849: cast_overflow: Truncation due to cast operation on ""len"" from 32 to 8 bits.
samba-4.20.0rc2/source3/winbindd/winbindd_cache.c:851: overflow_sink: ""len"", which might have overflowed, is passed to ""memcpy(centry->data + centry->ofs, s, len)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
849| centry_put_uint8(centry, len);
850| centry_expand(centry, len);
851|-> memcpy(centry->data + centry->ofs, s, len);
852| centry->ofs += len;
853| }"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
"Error: REVERSE_NEGATIVE (CWE-191):
samba-4.20.0rc2/source3/libsmb/pylibsmb.c:215: negative_sink_in_call: Passing ""t->shutdown_pipe[1]"" to a parameter that cannot be negative.
samba-4.20.0rc2/source3/libsmb/pylibsmb.c:230: check_after_sink: You might be using variable ""t->shutdown_pipe[1]"" before verifying that it is >= 0.
228| t->shutdown_pipe[0] = -1;
229| }
230|-> if (t->shutdown_pipe[1] != -1) {
231| close(t->shutdown_pipe[1]);
232| t->shutdown_pipe[1] = -1;"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
The callers of fset_dos_mode must set the cached attributes
themselves, which I did not see. I tried, but I did not find a clean
way to fix this behind SMB_VFS_FSET_DOS_ATTRIBUTES, with a smb_fname
and smb_fname->fsp->fsp_name we might have two copies of the cached
dos attributes around and if we only update fsp->fsp_name, we might
miss the outer one.
Not doing a test, this is really fresh code, and in the future we must
reorganize setting and caching dos attributes anyway.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jun 28 14:32:27 UTC 2024 on atb-devel-224
We don't need that else branch, this could be a switch as well
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
copy_stat_ex_timestamps doesn't need the fsp, it only needs the
destination stat struct
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
mdscli_ctx->mdscmd_open.share_path is an array of size 1025. The
boundary is 1025 and not UINT16_MAX.
"Error: OVERRUN (CWE-119):
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_at_least: Checking ""share_path_len < 1UL"" implies that ""share_path_len"" is at least 1 on the false branch.
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_between: Checking ""share_path_len > 65535UL"" implies that ""share_path_len"" is between 1 and 65535 (inclusive) on the false branch.
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:133: overrun-local: Overrunning array ""mdscli_ctx->mdscmd_open.share_path"" of 1025 bytes at byte offset 65534 using index ""share_path_len - 1UL"" (which evaluates to 65534).
131| mdscli_ctx->mdscmd_open.share_path_len = share_path_len;
132|
133|-> if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') {
134| mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0';
135| mdscli_ctx->mdscmd_open.share_path_len--;"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
We get ENOENT on /proc/self/fd/<fdnum> when we try to turn the
mountpoint's O_PATH handle into a real one. This does not trigger a
mount attempt, you have to use name-based calls.
This is not the real fix, because if the autofs mount triggers, the
inode number will change. For directories this is not a huge problem
as we don't touch the share mode database before we open the "real"
fd. We would only violate potential share modes with other pure
READ_ATTRIBUTES (i.e. stat-) opens that came before the mount
trigger.
As I don't think share modes on directories are really relevant, I
think we can live with this "fix". Once we do directory leases this
will potentially change.
As a quick remedy we could use our defer_open() mechanism that starts
path processing from scratch. But as long as this seems not really
required, we should not add users of this really bad way of going back
to square 1.
The "real" fix would be to go back to the point where we open the last
component with openat(). In the retry round we need to do this without
O_PATH to trigger the mount and only then do the initial fstat.
Right now I don't see an easy way to properly test this
behaviour. Intercepting with vfs_error_inject is certainly possible,
but nailing the exact call would clutter the main code path. So I have
just tested this manually.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jun 27 11:59:05 UTC 2024 on atb-devel-224
When setting explicit value to 'errno' use same coding-style as used in
this entire module (spaces before and after assignment operator).
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Jun 27 06:35:19 UTC 2024 on atb-devel-224
When a call to 'ceph_statfs' from with 'cephwrap_disk_free' returns
non-zero status do an explicit cast to uint64_t for the negative (-1)
value returned by 'status_code'.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
The common convention in 'vfs_ceph.c' module is to bailout (by return or
goto) whenever the return value from libcephfs call is not OK. Apply
this code-style to cephwrap_disk_free hook.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
The WRAP_RETURN is a non-hygienic macro, and as such has the potential
of creating bogus code (e.g. 'return WRAP_RETURN(ret);' which existed
in the code in the past but did not yield any compiler warning). Prefer
simple convenience helper functions instead, which are also type safe.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Prefer talloc_asprintf over asprintf when resolving realpath.
Re-format code using 'git clang-format'.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Code cleanup: prefer standard convenience helpers for unimplemented
VFS hooks.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Coding standard requires following Linux kernel style guide, with an
explicit statement that "Maximum Line Width is 80 Characters". Align
vfs_ceph.c with this convention: split long lines into multiple lines
and use 'git clang-format' to do auto-formatting based on Samba project
'.clang-format' settings.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Minor code cleanup: use local variable to reference current-work dir.
This commit is in preparation to following code-cleanup which aligns
line-length with Samba's coding conventions.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
This is exactly the application talloc_tos() was made for
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jun 24 17:27:04 UTC 2024 on atb-devel-224
Found by Covscan.
"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/utils/regedit_list.c:522: tainted_data_return: Called function ""get_window_height(list)"", and a possible return value may be less than zero.
samba-4.20.0rc2/source3/utils/regedit_list.c:522: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow.
samba-4.20.0rc2/source3/utils/regedit_list.c:526: overflow: The expression ""list->cursor_row -= page"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source3/utils/regedit_list.c:529: overflow_sink: ""list->cursor_row"", which might have underflowed, is passed to ""data_get_row_n(list, list->cursor_row)"".
527| list->start_row -= page;
528| }
529|-> tmp = data_get_row_n(list, list->cursor_row);
530| break;
531| case ML_CURSOR_PGDN:"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Found by Covscan.
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/rpc_server/samr/srv_samr_nt.c:235: var_decl: Declaring variable ""ace"" without initializer.
samba-4.20.0rc2/source3/rpc_server/samr/srv_samr_nt.c:269: uninit_use_in_call: Using uninitialized value ""*ace"". Field ""ace->object"" is uninitialized when calling ""make_sec_acl"".
267| /* create the security descriptor */
268|
269|-> if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
270| return NT_STATUS_NO_MEMORY;
271|"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
This should not change during the lifetime of the tcon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
This was only added to demonstrate the problem more reliable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
If the configuration is reloaded strings and string lists
in recycle_config_data could become stale pointers
leading to segmentation faults...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
That makes the cleanup more clear...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
We can use talloc_asprintf() instead of asprintf() followed
by talloc_strdup().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Forcing a reload of the smb.conf option values means the pointer learned
in vfs_recycle_connect() become stale.
This will be reverted at the end of the patset again.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
If a client for whatever reason calls FSCTL_SRV_COPYCHUNK[_WRITE] without
FSCTL_SRV_REQUEST_RESUME_KEY, we call vfswrap_offload_write_send
before vfswrap_offload_read_send.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jun 17 18:02:27 UTC 2024 on atb-devel-224
This patch also removes known fail for existing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 17:00:38 UTC 2024 on atb-devel-224
Grant owner sid to check for owner rights.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15648
Signed-off-by: MikeLiu <mikeliu@qnap.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 7 18:30:34 UTC 2024 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 6 21:32:53 UTC 2024 on atb-devel-224
This is not used anywhere in that functions or the functions we are
calling. It was replaced by command line cli credentials stored in
c->creds. This fixes a memory leak.
Direct leak of 12 byte(s) in 1 object(s) allocated from:
#0 0x7f17fdaf5830 in strdup ../../../../libsanitizer/asan/asan_interceptors.cpp:578
#1 0x7f17fc7e7339 in smb_xstrdup ../../lib/util/util.c:752
#2 0x55f079bf0723 in rpc_trustdom_establish ../../source3/utils/net_rpc.c:6591
#3 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#4 0x55f079bdbecf in rpc_trustdom ../../source3/utils/net_rpc.c:7483
#5 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#6 0x55f079bfe7de in net_rpc ../../source3/utils/net_rpc.c:8413
#7 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#8 0x55f079baa0a8 in main ../../source3/utils/net.c:1436
#9 0x7f17f8a2a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Otherwise we don't get the correct header include paths and krb5.h in
a non default location won't be found.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In case of a trusted domain, we are providing the realm of the primary
trust but specify the KDC IP of the trusted domain. This leads to
Kerberos ticket requests to the trusted domain KDC which doesn't know
about the machine account. However we need a ticket from our primary
trust KDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The IP should be optional and we should look it up if not provided.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Remove the requirement to provide an IP address. We should look up the
IP of the KDC and use it for the specified realm/workgroup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 4 17:39:21 UTC 2024 on atb-devel-224
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Jun 4 09:39:42 UTC 2024 on atb-devel-224
In this case a nested if seems easier to understand to me than another
if-expression duplicating half of a previous one.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Previously we added an implementation for SMB_VFS_FGET_DOS_ATTRIBUTES
so that the btime is always preserved unless explicitly changed using
SMB_VFS_FNTIMES. But there are situations with open file handle where
btime stored on dos attributes as create_time has to be precise for
comparison because a one-to-one conversion between timepsec and nttime
is not always guaranteed.
Accordingly preserve btime via SMB_VFS_FSET_DOS_ATTRIBUTES so that we
always compare the exact btime from fsp stat information while the file
handle is still open.
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Jun 3 11:10:11 UTC 2024 on atb-devel-224
We insert 999 keys, but if two of them happen to be the same, we
don't find 1000 nodes, and that is upsetting for CI:
[130(1421)/303 at 4m46s] samba3.smbtorture_s3.LOCAL-RBTREE
UNEXPECTED(failure): samba3.smbtorture_s3.LOCAL-RBTREE.smbtorture(none)
REASON: Exception: Exception: using seed 1716333987
host=foo share=bar user= myname=runner-jlguopmm-project-6378020-concurrent-0
Running LOCAL-RBTREE
run_local_rbtree: read1: 999 999, NT_STATUS_OK
run_local_rbtree: delete: 999 999, NT_STATUS_OK
run_local_rbtree: read2: 0 0, NT_STATUS_OK
TEST LOCAL-RBTREE FAILED!
LOCAL-RBTREE took 0.002706 secs
This has been flapping very occasionally for a long time:
https://lists.samba.org/archive/samba-technical/2016-March/112861.html
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
We should mark sessions/tcons with anonymous encryption or signing
in a special way, as the value of it is void, all based on a
session key with 16 zero bytes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224
I have captures where a client tries smb3 encryption on an anonymous session,
we used to allow that before commit da7dcc443f
was released with samba-4.15.0rc1.
Testing against Windows Server 2022 revealed that anonymous signing is always
allowed (with the session key derived from 16 zero bytes) and
anonymous encryption is allowed after one authenticated session setup on
the tcp connection.
https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
We already do that for sessions and also for the json output,
but it was missing in the non-json output for tcons.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
We already do that for sessions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
We never use the signing flags from the session, as the tcon
has its own signing flags.
https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
name_to_fqdn() requires /etc/hosts to be set up in a special way to find
out the fqdn for dns updates. They are not set up by default and the
DNS update fails. Normally the fqdn is just <lp_netbios_name>.<realm>
and we should just use that. However if it is different, you can set
it to the special value in the smb.conf now.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We got this wrong in commit 31101a9fa1.
In fact, we should probably not reorder the inherited ACLs, but that
is for another patch series.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We're directly overwriting state->mask without actually using it for
anything real.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We have dereferenced p_last_name_raw before in the call to
data_blob_free, our only caller does give us a pointer
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
"lock" is a variable on the stack, and initializing it is all that
init_strict_lock_struct does. We've done the corresponding checks
already in smbd_smb2_read_send
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Make sure all fields in the target struct are initialized
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This code went in with e8e98c9ea0 in 2001 without any mention in the
commit message.
I don't remember all details, but there was some discussion around the
offset=0,length=0 lock being somehow special. These days [MS-FSA]
defines the required behaviour (don't conflict) and we implement that
behaviour.
If someone still remembers why this code is in and thinks it's
worthwhile, that's what version control is for.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It means that keytabs generated via 'net rpc vampire keytab' are
able to decrypt cross-realm tickets in wireshark.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This way we can easily re-use the logic in the next commits...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It happens in setups with 'nt hash store = never'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 15 17:56:24 UTC 2024 on atb-devel-224
We don't need to explicitly call fetch_share_mode_unlocked,
get_file_infos does it for us behind the scenes
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
notify_fname only sends a message to the notify daemon. There is no
potential deadlock anymore.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 14 23:29:46 UTC 2024 on atb-devel-224
The caller does not necessarily query max values for smb1 and smb2+.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(SMB_FILE_ALL_INFORMATION - 1000) looks a bit silly if you look at the
definition of SMB_FILE_ALL_INFORMATION...
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This will enable this routine to be used for SMB2 as well. The
translation table is from [MS-CIFS] 2.2.8.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This change does NOT affect WHAT and HOW is cached. It only avoids
undefined behavior for "NDR" and "TRUSTDOMCACHE" when processed in
wcache_flush_cache() and wbcache_upgrade_v1_to_v2().
winbindd_cache.tdb contains two types of entries:
1) cache entries (typed as 'struct cache_entry')
- internal format is: [ntstatus; sequence_number; timeout]
2) non cache entries (keys listed in non_centry_keys)
- for "NDR" internal format is: [sequence_number; timeout]
Without this commit, "NDR" would be processed as the first type (instead
as the second type). E.g. in the stack below:
wcache_fetch_raw()
traverse_fn_cleanup()
wcache_flush_cache()
the triplet [ntstatus; sequence_number; timeout] would be initialized
from data containing only [sequence_number; timeout], leading to
mismatched values ('ntstatus' would be filled from 'sequence_number').
Anyway, current code is never calling wcache_flush_cache(), since
wcache_flush_cache() can be called only from get_cache() and get_cache()
will call it only if global/static wcache was not set yet. But wcache is
set very early in the main winbind (and all winbind children get it
after fork), sooner than any call of get_cache() can happen:
#1 init_wcache + 0x19
#2 initialize_winbindd_cache + 0x35
#3 winbindd_cache_validate_and_initialize + 0x25
#4 main + 0x806
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 14 21:04:57 UTC 2024 on atb-devel-224
tdb_store() should use as a flag TDB_REPLACE instead of undocumented 0
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
That was a long way, but now we're cli_credentials/gensec only :-)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This is better than the value from cli_credentials_get_username()...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This reconnect is only useful for long running connections (e.g. in winbindd)
and there we'll make use of it...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
In future ads_connect_creds() will be used by callers directly instead
of using ads_connect().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
There's no reason to pass the LDAP servers time to the kerberos
libraries, as we may talk to a KDC different than the LDAP server!
Also Heimdal handles AS-REQ with KRB5KRB_AP_ERR_SKEW fine and
retries with the time from the krb-error.
MIT records the time from the KDC_ERR_PREAUTH_REQUIRED response
in order to use the KDCs time.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The lifetime of a service ticket is never longer than
the lifetime of the TGT...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
There's really no need to get a reneable ticket for an ldap connection,
we currently always do a kinit for each connection anyway.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
For now we still do the ads_kinit_password() in ads_legacy_creds()
for callers that rely on the global krb5ccache to be filled.
E.g. the dns update code and the kpasswd code.
But at least ads_connect_internal() and ads_sasl_spnego_bind()
will allow to do the kinit in the gensec layer only if needed...
We'll remove ads_legacy_creds() during the following commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
That's better then using !ADS_AUTH_NO_BIND. And it allows callers
to be more flexible in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We should only operate on the creds structure and
avoid using ads->auth.{user_name,realm}.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
In future we'll pass in creds from the caller, so we better
restore the original krb5_state at the end of ads_sasl_spnego_bind().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We should only operate on the creds structure and avoid ads->auth.flags
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This is just a temporary change until the highlevel caller
will pass in a cli_credentials structure and we'll get rid of
ads->auth.{user_name,realm,password}.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This means we may call kinit multiple times for now,
but we'll remove the kinit from the callers soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This happened implicitly as the gse_krb5 module always used the default
krb5 ccache, but that will change soon.
If kerberos is requested without a fallback to ntlm AND
the caller doesn't provide a password we'll use the
default ccache. This will keep our the following tests
happy once the gse_krb5 module changes the behavior:
samba3.blackbox.krbsmbspool
samba3.blackbox.smbget
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Before this silently happened because the gse_krb5 module just used the
default ccache, but that will change soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This should not happen, if we ever need that behaviour
we should add an ads_kdestroy_default() helper.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This fixes a problem introduced in the commit:
commit e6c693b705
Author: Stefan Metzmacher <metze@samba.org>
Date: Wed Feb 28 17:28:43 2024 +0100
s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache
It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory().
...
Before that commit cc was never NULL as generate_krb5_ccache()
returned "MEMORY:winbindd_pam_ccache" as fallback.
So we called ads_kdestroy("MEMORY:winbindd_pam_ccache").
Now we have cc == NULL if user_ccache_file == NULL.
and kerberos_return_pac() uses smb_krb5_cc_new_unique_memory()
and krb5_cc_destroy() internally.
It means unless user_ccache_file != NULL we should not
call ads_kdestroy(cc) as cc is NULL and means we would destroy
any global default krb5 ccache.
Review with: git show -U25
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 7 12:33:29 UTC 2024 on atb-devel-224
It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Currently we rely on a valid default credential cache being available
and don't make use of the password.
In future we'll do a kinit on demand, but that's for another day.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Using cli_credentials_get_password_obtained() is more lightweight as
it avoids a possible password prompt.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May 6 21:55:03 UTC 2024 on atb-devel-224
Store the data in the "user.SmbReparse" xattr. Only allow this on
regular files. Windows does it for directories too, but we can not
allow this: Setting a symlink reparse point in a xattr on a directory
would go unnoticed by our openat2-optimization. If someone really
needs this, we could have a VFS module disallowing openat2 and doing
the appropriate checks on every openat-call.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We'll need this in many places, for example when listing directories
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We only need to transmit the file_id and share_file_id. Next patch
will show why :-)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
dom_sid_string() does an implicit talloc_strdup() which is not
necessary here.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
GUID_buf_string is supposed to never fail except if the guid passed in
is NULL. Our only current caller already checks
that. dbwrap_purge_bystring() could actually fail, so put the result
into a variable for the debugger.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(state->current_sid == NULL) is true if and only if we could not
assign state->current_sid because num_sids was too small. Make that
more explicit.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Inherit-only flag applies only to the container it was set to and it
shouldn't be automatically propagated to children.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636
Signed-off-by: Anna Popova <popova.anna235@gmail.com>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224
Direct leak of 885 byte(s) in 1 object(s) allocated from:
#0 0x7f261b8dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0)
#1 0x7f261b2c2bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7f261b2c543c in _talloc_pool ../../lib/talloc/talloc.c:838
#3 0x7f261b2c543c in _talloc_pooled_object ../../lib/talloc/talloc.c:906
#4 0x7f261a69cac9 in __tevent_req_create ../../lib/tevent/tevent_req.c:98
#5 0x7f261a75bf55 in cli_full_connection_creds_send ../../source3/libsmb/cliconnect.c:3455
#6 0x7f261a75c4b7 in cli_full_connection_creds ../../source3/libsmb/cliconnect.c:3818
#7 0x7f261b70d39f in libnet_join_connect_dc_ipc ../../source3/libnet/libnet_join.c:1146
#8 0x7f261b715794 in libnet_join_lookup_dc_rpc ../../source3/libnet/libnet_join.c:1188
#9 0x7f261b715794 in libnet_DomainJoin ../../source3/libnet/libnet_join.c:2812
#10 0x7f261b715794 in libnet_Join ../../source3/libnet/libnet_join.c:3040
#11 0x555bd93671ea in net_ads_join ../../source3/utils/net_ads.c:1855
#12 0x555bd9415ca9 in net_join ../../source3/utils/net_join.c:45
#13 0x555bd940b972 in net_run_function ../../source3/utils/net_util.c:464
#14 0x555bd9363129 in main ../../source3/utils/net.c:1372
#15 0x7f2616a281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
In order to use SASL authentitation within a TLS connection
we now provide "client ldap sasl wrapping = starttls" or
"client ldap sasl wrapping = ldaps".
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
There's no point in trying to support --with-ads, but only use
plaintext ldap without sign/seal.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Using 'Sockbuf_IO_Desc' in idl implicitly means pidl will use
'struct Sockbuf_IO_Desc', which doesn't exist!
Using 'struct sockbuf_io_desc' which is used in OpenLDAP to
typedef Sockbuf_IO_Desc, we won't need to cast the assign the
'sbiod' pointer.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Every AD DC supports kerberos so we can just use it without
asking the server (in an untrusted way) if kerberos is supported.
So remove another useless roundtrip.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Every AD DC supports 'GSS-SPNEGO' and that's the only one we use anyway,
so remove an unused roundtrip.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Also allow resetting to plain.
We now have ld->active as the currently active
tstream, which will allow us to add tls support
soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We should not use the sync gensec_update() in async code!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
An LDAP pdu is at least 7 bytes long, so we read at least 7 bytes,
then it's easy to use asn1_peek_full_tag() in order to find out the
whole length of the pdu on one go.
As a side effect it's now possible that wireshark can reassemble
the fragments in a socket_wrapper generated pcap file.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ldap server require strong auth = allow_sasl_over_tls
is now an alias for 'allow_sasl_without_tls_channel_bindings'
and should be avoided and changed to 'yes' or
'allow_sasl_without_tls_channel_bindings'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>