1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

62178 Commits

Author SHA1 Message Date
Stefan Metzmacher
9afe7b7a0f s3:passdb: don't clear the LM HASH without a password change
Updating things like the bad pwd count should not clear the
stored LM HASH with 'lanman auth = no'.

This allows testing with 'lanman auth = no' and 'lanman auth = yes'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-07-17 10:12:36 +00:00
Stefan Metzmacher
8e35933ceb s3:selftest: add samba3.blackbox.smb1_lanman_plaintext tests
This demonstrates that we currently have problems with
plaintext and lanman authentication. In both domain member
and standalone setups.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-07-17 10:12:36 +00:00
Pavel Filipenský
eaed0cd940 s3:lib: Fix a typo in MACRO
DEBUG_PASSWORDS --> DEBUG_PASSWORD

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Jul 17 08:49:46 UTC 2024 on atb-devel-224
2024-07-17 08:49:46 +00:00
Pavel Filipenský
47f552c688 s3:librpc: Fix a typo in DEBUG text
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-17 07:48:31 +00:00
Andreas Schneider
c3abd320e6 s3:services: Initialize struct security_ace array
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
f3da16937a s3:modules: Make nread a size_t and check for possible overflow
"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: tainted_data_return: Called function ""read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)"", and a possible return value may be less than zero.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: assign: Assigning: ""thistime"" = ""read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)"".
samba-4.20.0rc2/source3/modules/vfs_preopen.c:221: overflow: The expression ""nread"" is considered to have possibly overflowed.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: overflow: The expression ""talloc_get_size(namebuf) - nread"" is deemed overflowed because at least one of its arguments has overflowed.
samba-4.20.0rc2/source3/modules/vfs_preopen.c:215: overflow_sink: ""talloc_get_size(namebuf) - nread"", which might have underflowed, is passed to ""read(sock_fd, namebuf + nread, talloc_get_size(namebuf) - nread)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
  213|   		ssize_t thistime;
  214|
  215|-> 		thistime = read(sock_fd, namebuf + nread,
  216|   				talloc_get_size(namebuf) - nread);
  217|   		if (thistime <= 0) {"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
a541a7d716 s3:modules: Move chunk out of the loop
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
862ba429f9 s3:modules: Rename thistime to chunk
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Volker Lendecke
bbe2c82f62 smbd: Show blk and chr devices as nfs reparse points
Can't test these in selftest, we can't create devices and I don't want
us to depend on /dev to exist. Tested manually on a system where
/dev/null exists:

Try "help" to get a list of possible commands.
smb: \> allinfo null
altname: null
create_time:    Fri Jun 21 02:45:59 PM 2024 CEST
access_time:    Fri Jun 21 02:45:59 PM 2024 CEST
write_time:     Fri Jun 21 02:45:59 PM 2024 CEST
change_time:    Fri Jun 21 02:45:59 PM 2024 CEST
attributes:  (480)
stream: [::$DATA], 0 bytes
0x80000014 (IO_REPARSE_TAG_NFS)
 0x524843 (NFS_SPECFILE_CHR)
 1/3
smb: \>

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 12 21:36:16 UTC 2024 on atb-devel-224
2024-07-12 21:36:16 +00:00
Volker Lendecke
cd7889deb8 smbd: Report sockets as NFS style reparse points
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-07-12 20:35:34 +00:00
Volker Lendecke
3326ffa8d0 smbd: Factor out fsctl_get_reparse_point_int
We'll use it for the other special files as well

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-07-12 20:35:34 +00:00
Volker Lendecke
51ded0ae7c smbd: Show sockets as reparse points in fdos_mode
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-07-12 20:35:34 +00:00
Volker Lendecke
57b6a8539f smbd: Report FIFOs as NFS style reparse points
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-07-12 20:35:34 +00:00
Volker Lendecke
b311f4eca3 smbd: Turn an if-statement getting reparse points into a switch
There will be more cases soon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-07-12 20:35:34 +00:00
Volker Lendecke
a03f339e96 smbd: Show fifos as reparse points in fdos_mode
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-07-12 20:35:34 +00:00
Volker Lendecke
f1440cebf2 smbd: Turn file type handling in fdos_mode into a switch
There will be more cases soon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-07-12 20:35:34 +00:00
Volker Lendecke
e4e5242b27 smbd: Add DBG to return tag for SMB_FILE_ATTRIBUTE_TAG_INFORMATION
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-07-12 20:35:34 +00:00
Volker Lendecke
4a294d5ab0 tests: Run reparsepoint tests in fileserver_smb1
We'll need posix extensions soon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-07-12 20:35:34 +00:00
Volker Lendecke
e76b7578db vfs: xattr calls give EBADF for sockets
This is required for make test with disabled O_PATH

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-07-12 20:35:34 +00:00
Anoop C S
ef0068cd2c vfs_ceph: Disable the module on unsupported Ceph versions
For the last major release(v4.20) we had a warning issued(fe16ae1fe8)
to inform about the plan to disable building vfs_ceph in the absence of
certain required APIs. This is now due to make the changes and further
disable building the module if minimum required libcephfs APIs are not
present. As we speak this requirement includes ceph_select_filesystem()
and *at() variants of libcephfs APIs. These were around since v17(even
earlier for ceph_select_filesystem) which is the lowest non-EOL version
of Ceph available[1] at the moment.

[1] https://docs.ceph.com/en/latest/releases/#ceph-releases-index

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Jul  9 13:05:47 UTC 2024 on atb-devel-224
2024-07-09 13:05:47 +00:00
Andreas Schneider
26c56ae51e s3:rpc_server: Initialize array
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/rpc_server/svcctl/srv_svcctl_nt.c:163: var_decl: Declaring variable ""ace"" without initializer.
samba-4.20.0rc2/source3/rpc_server/svcctl/srv_svcctl_nt.c:182: uninit_use_in_call: Using uninitialized value ""*ace"". Field ""ace->object"" is uninitialized when calling ""make_sec_acl"".
  180|   	/* create the security descriptor */
  181|
  182|-> 	if ( !(theacl = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) )
  183|   		return NULL;
  184|"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul  8 08:37:46 UTC 2024 on atb-devel-224
2024-07-08 08:37:46 +00:00
Andreas Schneider
0131e4737c s3:smbd: Fix invalid memory free
"Error: BAD_FREE (CWE-590):
samba-4.20.0rc2/source3/smbd/smb1_process.c:1485: array_free: ""smb1_srv_send"" frees array ""errbuf"".
 1483|   		char errbuf[smb_size];
 1484|   		error_packet(errbuf, 0, 0, status, __LINE__, __FILE__);
 1485|-> 		if (!smb1_srv_send(req->xconn,
 1486|   				   errbuf,
 1487|   				   true,"

Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-08 07:36:32 +00:00
Andreas Schneider
94b8fa4134 s3:smbd: Remove trailing spaces in seal.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-08 07:36:32 +00:00
Andreas Schneider
982c6b2bfa s3:smbd: Remove trailing spaces in smb1_process.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-08 07:36:32 +00:00
Andreas Schneider
8abda0a134 s3:registry: Use correct integer sizes
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-08 07:36:32 +00:00
Andreas Schneider
6cadb1d695 s3:registry: Check for integer overflow
"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/registry/regfio.c:175: tainted_data_argument: The check ""bytes_read < block_size"" contains the tainted expression ""bytes_read"" which causes ""block_size"" to be considered tainted.
samba-4.20.0rc2/source3/registry/regfio.c:176: overflow: The expression ""block_size - bytes_read"" is deemed overflowed because at least one of its arguments has overflowed.
samba-4.20.0rc2/source3/registry/regfio.c:176: overflow_sink: ""block_size - bytes_read"", which might have underflowed, is passed to ""read(file->fd, buffer + bytes_read, block_size - bytes_read)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
  174|
  175|   	while ( bytes_read < block_size ) {
  176|-> 		if ( (returned = read( file->fd, buffer+bytes_read, block_size-bytes_read )) == -1 ) {
  177|   			DEBUG(0,(""read_block: read() failed (%s)\n"", strerror(errno) ));
  178|   			return False;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-08 07:36:32 +00:00
Jones Syue
90c9d0d98d s3:ntlm_auth: make logs more consistent with length check
Run ntlm_auth with options --lm-response/--nt-response/--challenge, and pass
wrong length to these options, got error prompted logs about 'only got xxx
bytes', which are not consistent with length check. This patch revise logs
for length check to make it more consistent.

For example --lm-response requires exact 24 hex, let us input three kinds
of length 23 24 25, prompted logs said 'only got 25 bytes' seems confusing.

script:
for length in 23 24 25; \
do \
    ntlm_auth --username=${un} --password=${pw} \
    --lm-response="`openssl rand -hex ${length}`"; \
done;

output:
hex decode of 04db772593f5e6023d0ab4bc67a942c9179963477eb49d failed! (only got 23 bytes)
NT_STATUS_OK: The operation completed successfully. (0x0)
hex decode of 1e57749feb46bedcf969af6cbbe10e21d0232e35c27eb07294 failed! (only got 25 bytes)

After patch it shows 'got 25 bytes, expected 24' seems more consistent:

hex decode of e13e70c9cf2ac1e20015657c4bec53435b1b948febb63f failed! (got 23 bytes, expected 24)
NT_STATUS_OK: The operation completed successfully. (0x0)
hex decode of 64647005243092b036856f572faad262e0b69386d095d60f54 failed! (got 25 bytes, expected 24)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15677

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jul  6 00:52:02 UTC 2024 on atb-devel-224
2024-07-06 00:52:02 +00:00
Pavel Filipenský
c9c74d819a s3:rpc_server: Initialize array struct security_ace ace[]
Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/lease.c:567: var_decl: Declaring variable "h" without initializer.
samba-4.20.0rc2/source4/torture/smb2/lease.c:642: uninit_use_in_call: Using uninitialized value "h" when calling "smb2_util_close".
  640|
  641|    done:
  642|->         smb2_util_close(tree, h);
  643|           smb2_util_close(tree, h2);
  644|

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jul  5 08:53:08 UTC 2024 on atb-devel-224
2024-07-05 08:53:07 +00:00
Pavel Filipenský
fd4afa309e s3:registry: Initialize struct security_ace ace[]
Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/registry/reg_dispatcher.c:43: var_decl: Declaring variable "ace" without initializer.
samba-4.20.0rc2/source3/registry/reg_dispatcher.c:66: uninit_use_in_call: Using uninitialized value "*ace". Field "ace->object" is uninitialized when calling "make_sec_acl".
  64|           /* create the security descriptor */
  65|
  66|->         theacl = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace);
  67|           if (theacl == NULL) {
  68|                   return WERR_NOT_ENOUGH_MEMORY;

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-05 07:45:32 +00:00
Pavel Filipenský
275ffbf560 s3:rpcclient: Initialize spoolss_DriverDirectoryInfo info
Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/rpcclient/cmd_spoolss.c:1530: var_decl: Declaring variable "info" without initializer.
samba-4.20.0rc2/source3/rpcclient/cmd_spoolss.c:1578: uninit_use_in_call: Using uninitialized value "info" when calling "display_printdriverdir_1".
 1576|
 1577|           if (W_ERROR_IS_OK(result)) {
 1578|->                 display_printdriverdir_1(&info.info1);
 1579|           }
 1580|

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-05 07:45:32 +00:00
Pavel Filipenský
af3868d703 s3:utils: Initialize DATA_BLOB blob
Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/utils/regedit_dialog.c:1965: var_decl: Declaring variable "blob" without initializer.
samba-4.20.0rc2/source3/utils/regedit_dialog.c:2044: uninit_use_in_call: Using uninitialized value "blob" when calling "reg_val_set".
 2042|
 2043|           if (W_ERROR_IS_OK(rv)) {
 2044|->                 rv = reg_val_set(edit->key, name, edit->type, blob);
 2045|           }
 2046|

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-05 07:45:31 +00:00
Volker Lendecke
8292481bc0 smbd: Don't talloc_zero where we assign the struct a line below
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jul  4 16:31:39 UTC 2024 on atb-devel-224
2024-07-04 16:31:39 +00:00
Volker Lendecke
e989d7383e lib: Remove a few duplicate prototypes
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-07-04 15:26:36 +00:00
Volker Lendecke
f31478e782 lib: Remove unused strnrchr_m
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-07-04 15:26:36 +00:00
Volker Lendecke
94f37866b5 smbd: Use new symlink_target_path routine
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-07-04 15:26:36 +00:00
Volker Lendecke
659cb9f728 smbd: Rename symlink_target_path to _symlink_target_path
Only temporary, next step is a new more general symlink_target_path
routine, we'll need that in libcli/smb as well.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-07-04 15:26:36 +00:00
Stefan Metzmacher
2aca5cfbfa smbd: correctly restore ENOENT if fstatfs() modifies it
Review with: git show -U5

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul  3 11:41:12 UTC 2024 on atb-devel-224
2024-07-03 11:41:12 +00:00
Anoop C S
121687e7bd source3/wscript: Remove long pending unsupported option
It has been a while since --with-libcephfs option was dropped. Therefore
stop advertising it through waf scripts.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-02 08:09:32 +00:00
Jo Sutton
03e9575e38 s3:smbd: Avoid compiler warning for unused label
If either of HAVE_FSTATFS and HAVE_LINUX_MAGIC_H are not defined, gcc
produces the following error:

../../source3/smbd/open.c: In function ‘reopen_from_fsp’:
../../source3/smbd/open.c:1222:1: error: label ‘namebased_open’ defined but not used [-Werror=unused-label]
 1222 | namebased_open:
      | ^~~~~~~~~~~~~~

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jul  2 04:44:56 UTC 2024 on atb-devel-224
2024-07-02 04:44:56 +00:00
Jo Sutton
ec73e99792 s3:rpc_server: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
32cd94b1e4 s3:rpc_server: Update deprecated directives
‘api.prefix’ and ‘parse.error’ have both been supported since Bison 3.0.

/data/samba/source3/rpc_server/mdssvc/es_parser.y:98.1-21: warning: deprecated directive: ‘%name-prefix "mdsyyl"’, use ‘%define api.prefix {mdsyyl}’ [-Wdeprecated]
   98 | %name-prefix "mdsyyl"
      | ^~~~~~~~~~~~~~~~~~~~~
      | %define api.prefix {mdsyyl}
/data/samba/source3/rpc_server/mdssvc/es_parser.y:100.1-14: warning: deprecated directive: ‘%error-verbose’, use ‘%define parse.error verbose’ [-Wdeprecated]
  100 | %error-verbose
      | ^~~~~~~~~~~~~~
      | %define parse.error verbose
/data/samba/source3/rpc_server/mdssvc/es_parser.y: warning: fix-its can be applied.  Rerun with option '--update'. [-Wother]

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
8a456f373f s3:param: Check return value of strlower_m() (CID 1598446)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Andreas Schneider
b11cf72c1b s3:winbind: Fix integer type of len
"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/winbindd/winbindd_cache.c:849: cast_overflow: Truncation due to cast operation on ""len"" from 32 to 8 bits.
samba-4.20.0rc2/source3/winbindd/winbindd_cache.c:851: overflow_sink: ""len"", which might have overflowed, is passed to ""memcpy(centry->data + centry->ofs, s, len)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
  849|   	centry_put_uint8(centry, len);
  850|   	centry_expand(centry, len);
  851|-> 	memcpy(centry->data + centry->ofs, s, len);
  852|   	centry->ofs += len;
  853|   }"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:34 +00:00
Andreas Schneider
aae8cab3f9 s3:smbd: Make sure struct security_ace is initialized
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/smbd/posix_acls.c:4706: var_decl: Declaring variable ""aces"" without initializer.
samba-4.20.0rc2/source3/smbd/posix_acls.c:4748: uninit_use_in_call: Using uninitialized value ""*aces"". Field ""aces->object"" is uninitialized when calling ""make_sec_acl"".
 4746|   	idx++;
 4747|
 4748|-> 	new_dacl = make_sec_acl(ctx,
 4749|   				NT4_ACL_REVISION,
 4750|   				idx,"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:34 +00:00
Andreas Schneider
321ee914a4 s3:libsmb: Check if we have a valid file descriptor
"Error: REVERSE_NEGATIVE (CWE-191):
samba-4.20.0rc2/source3/libsmb/pylibsmb.c:215: negative_sink_in_call: Passing ""t->shutdown_pipe[1]"" to a parameter that cannot be negative.
samba-4.20.0rc2/source3/libsmb/pylibsmb.c:230: check_after_sink: You might be using variable ""t->shutdown_pipe[1]"" before verifying that it is >= 0.
  228|   		t->shutdown_pipe[0] = -1;
  229|   	}
  230|-> 	if (t->shutdown_pipe[1] != -1) {
  231|   		close(t->shutdown_pipe[1]);
  232|   		t->shutdown_pipe[1] = -1;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:34 +00:00
Andreas Schneider
d755bc43d8 s3:rpc_client: Initialize struct security_ace
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/rpc_client/init_spoolss.c:348: var_decl: Declaring variable ""ace"" without initializer.
samba-4.20.0rc2/source3/rpc_client/init_spoolss.c:415: uninit_use_in_call: Using uninitialized value ""*ace"". Field ""ace->object"" is uninitialized when calling ""make_sec_acl"".
  413|   	   NT5 machine. */
  414|
  415|-> 	if ((psa = make_sec_acl(mem_ctx, NT4_ACL_REVISION, i, ace)) != NULL) {
  416|   		psd = make_sec_desc(mem_ctx,
  417|   				    SD_REVISION,"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Andreas Schneider
1478619363 s3:smbd: Make sure struct security_ace is initialized
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/smbd/posix_acls.c:4778: var_decl: Declaring variable ""aces"" without initializer.
samba-4.20.0rc2/source3/smbd/posix_acls.c:4799: uninit_use_in_call: Using uninitialized value ""*aces"". Field ""aces->object"" is uninitialized when calling ""make_sec_acl"".
 4797|   	idx++;
 4798|
 4799|-> 	new_dacl = make_sec_acl(ctx,
 4800|   				NT4_ACL_REVISION,
 4801|   				idx,"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Andreas Schneider
df8d19e53b s3:smbd: Remove trailing spaces in posix_acls.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Volker Lendecke
0ebabaedbc smbd: Fix cached dos attributes
The callers of fset_dos_mode must set the cached attributes
themselves, which I did not see. I tried, but I did not find a clean
way to fix this behind SMB_VFS_FSET_DOS_ATTRIBUTES, with a smb_fname
and smb_fname->fsp->fsp_name we might have two copies of the cached
dos attributes around and if we only update fsp->fsp_name, we might
miss the outer one.

Not doing a test, this is really fresh code, and in the future we must
reorganize setting and caching dos attributes anyway.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jun 28 14:32:27 UTC 2024 on atb-devel-224
2024-06-28 14:32:27 +00:00
Volker Lendecke
b565901a47 smbd: Simplify smbd_do_qfsinfo with direct struct initialization
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
d2932c22e0 smbd: Simplify reopen_from_fsp
In a variable declaration the (struct ...) is not needed

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
c3799dfb4a smbd: Remove some unused code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
1fb07bc721 smbd: Avoid a cast
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
9cb187d188 smbd: Print reparse_point in dos_mode_debug_print
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
7b03fc3d9f smbd: Simplify dos_mode_from_sbuf
We don't need that else branch, this could be a switch as well

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
e2ba614465 smbd: Simplify fdos_mode
We don't need the outer !NT_STATUS_IS_OK and the comment

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
6a077e2fcd smbd: Simplify filename_convert_dirfsp_nosymlink
Initialize the timestamps in the existing struct assignment

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
5e206ffbe3 smbd: Remove an obsolete comment
We have a good understanding of SAMBA_UTIME_OMIT these days

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
e94de8a4af smbd: Simplify init_smb_file_time
Call make_omit_timespec just once, saves a few .text bytes

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
e5a304193b smbd: Simplify copy_stat_ex_timestamps
copy_stat_ex_timestamps doesn't need the fsp, it only needs the
destination stat struct

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
1d2fbbdd64 smbd: Modernize a DEBUG
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
2edb49c5fc vfs: Fix typos
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
6f68812d22 smbd: Don't leave a pointer variable uninitialized
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
e6f8568541 smbd: Align an integer type
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Volker Lendecke
0db47112bb smbd: Modernize a DEBUG
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-28 13:26:24 +00:00
Andreas Schneider
dd896862d0 s3:rpc_client: Check for array size instead of UINT16_MAX
mdscli_ctx->mdscmd_open.share_path is an array of size 1025. The
boundary is 1025 and not UINT16_MAX.

"Error: OVERRUN (CWE-119):
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_at_least: Checking ""share_path_len < 1UL"" implies that ""share_path_len"" is at least 1 on the false branch.
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_between: Checking ""share_path_len > 65535UL"" implies that ""share_path_len"" is between 1 and 65535 (inclusive) on the false branch.
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:133: overrun-local: Overrunning array ""mdscli_ctx->mdscmd_open.share_path"" of 1025 bytes at byte offset 65534 using index ""share_path_len - 1UL"" (which evaluates to 65534).
  131|   	mdscli_ctx->mdscmd_open.share_path_len = share_path_len;
  132|
  133|-> 	if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') {
  134|   		mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0';
  135|   		mdscli_ctx->mdscmd_open.share_path_len--;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Andreas Schneider
ec7dfedccf s3:auth: Avoid passing freed pamh pointer to funcitons using it
"Error: USE_AFTER_FREE (CWE-416):
samba-4.20.0rc2/source3/auth/pampass.c:466: freed_arg: ""pam_end"" frees ""pamh"".
samba-4.20.0rc2/source3/auth/pampass.c:467: pass_freed_arg: Passing freed pointer ""pamh"" as an argument to ""smb_pam_error_handler"".
  465|   	if( pamh != NULL ) {
  466|   		pam_error = pam_end(pamh, 0);
  467|-> 		if(smb_pam_error_handler(pamh, pam_error, ""End Cleanup Failed"", 2) == True) {
  468|   			DEBUG(4, (""smb_pam_end: PAM: PAM_END OK.\n""));
  469|   			return True;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Andreas Schneider
990a68fedb s3:auth: Remove trailing spaces in pampass.c
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Volker Lendecke
ac7a16f9cc smbd: Fix crossing automounter mount points
We get ENOENT on /proc/self/fd/<fdnum> when we try to turn the
mountpoint's O_PATH handle into a real one. This does not trigger a
mount attempt, you have to use name-based calls.

This is not the real fix, because if the autofs mount triggers, the
inode number will change. For directories this is not a huge problem
as we don't touch the share mode database before we open the "real"
fd. We would only violate potential share modes with other pure
READ_ATTRIBUTES (i.e. stat-) opens that came before the mount
trigger.

As I don't think share modes on directories are really relevant, I
think we can live with this "fix". Once we do directory leases this
will potentially change.

As a quick remedy we could use our defer_open() mechanism that starts
path processing from scratch. But as long as this seems not really
required, we should not add users of this really bad way of going back
to square 1.

The "real" fix would be to go back to the point where we open the last
component with openat(). In the retry round we need to do this without
O_PATH to trigger the mount and only then do the initial fstat.

Right now I don't see an easy way to properly test this
behaviour. Intercepting with vfs_error_inject is certainly possible,
but nailing the exact call would clutter the main code path. So I have
just tested this manually.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jun 27 11:59:05 UTC 2024 on atb-devel-224
2024-06-27 11:59:05 +00:00
Shachar Sharon
2d743185e0 vfs_ceph: use consistent code style when setting errno
When setting explicit value to 'errno' use same coding-style as used in
this entire module (spaces before and after assignment operator).

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>

Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Jun 27 06:35:19 UTC 2024 on atb-devel-224
2024-06-27 06:35:19 +00:00
Shachar Sharon
a7d34ec597 vfs_ceph: explicit cast to uint64_t upon failure of ceph_statfs
When a call to 'ceph_statfs' from with 'cephwrap_disk_free' returns
non-zero status do an explicit cast to uint64_t for the negative (-1)
value returned by 'status_code'.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2024-06-27 05:34:33 +00:00
Shachar Sharon
0f92c6055a vfs_ceph: adjust code-style of cephwrap_disk_free
The common convention in 'vfs_ceph.c' module is to bailout (by return or
goto) whenever the return value from libcephfs call is not OK. Apply
this code-style to cephwrap_disk_free hook.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2024-06-27 05:34:33 +00:00
Shachar Sharon
691a397b27 vfs_ceph: replace WRAP_RETURN macro with convenience helpers
The WRAP_RETURN is a non-hygienic macro, and as such has the potential
of creating bogus code (e.g. 'return WRAP_RETURN(ret);' which existed
in the code in the past but did not yield any compiler warning). Prefer
simple convenience helper functions instead, which are also type safe.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2024-06-27 05:34:33 +00:00
Shachar Sharon
0bc917b01f vfs_ceph: use talloc in realpath hook
Prefer talloc_asprintf over asprintf when resolving realpath.
Re-format code using 'git clang-format'.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2024-06-27 05:34:33 +00:00
Shachar Sharon
ee72f127c3 vfs_ceph: re-map unimplemented hooks
Code cleanup: prefer standard convenience helpers for unimplemented
VFS hooks.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2024-06-27 05:34:33 +00:00
Shachar Sharon
b7e3f93ef0 vfs_ceph: align lines-length with coding standard
Coding standard requires following Linux kernel style guide, with an
explicit statement that "Maximum Line Width is 80 Characters". Align
vfs_ceph.c with this convention: split long lines into multiple lines
and use 'git clang-format' to do auto-formatting based on Samba project
'.clang-format' settings.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2024-06-27 05:34:33 +00:00
Shachar Sharon
4e21a8b278 vfs_ceph: improve readability of cephwrap_realpath
Minor code cleanup: use local variable to reference current-work dir.
This commit is in preparation to following code-cleanup which aligns
line-length with Samba's coding conventions.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2024-06-27 05:34:33 +00:00
Volker Lendecke
d86f9ff7fd smbd: Simplify callers of notify_filter_string
This is exactly the application talloc_tos() was made for

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jun 24 17:27:04 UTC 2024 on atb-devel-224
2024-06-24 17:27:04 +00:00
Volker Lendecke
a37ea9d750 smbd: Simplify notify_filter_string
Just a single NULL check through talloc_asprintf_addbuf

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Volker Lendecke
6e7a1cc646 smbd: Modernize a DEBUG
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Volker Lendecke
6d0444a7bf lib: Align an integer type
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Volker Lendecke
fc0c605aac smbd: Simplify smbd_do_qfilepathinfo()
Use fsctl_get_reparse_tag()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Volker Lendecke
1b47fae676 lib: Move 286 bytes from R/W data to R/O text segment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Volker Lendecke
06aff34586 smbd: Fix DEBUG messages
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Volker Lendecke
9be7dbd9c4 gse: Simplify gse_errstr() with talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Volker Lendecke
221ef3ca86 gse: Avoid explicit ZERO_STRUCT in gse_errstr()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Volker Lendecke
7fba822817 libsmb: "clang-format" for an if-condition
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Volker Lendecke
7f935e2774 lib: Remove pointless \ line endings
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Andreas Schneider
b57bddacd7 s3:registry: Add missing return value checks
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Andreas Schneider
8c4f807350 s3:registry: Avoid possible double frees
Found by Covscan.

"Error: USE_AFTER_FREE (CWE-416):
samba-4.20.0rc2/source3/registry/reg_perfcount.c:309: freed_arg: ""_reg_perfcount_multi_sz_from_tdb"" frees ""*retbuf"".
samba-4.20.0rc2/source3/registry/reg_perfcount.c:313: double_free: Calling ""_reg_perfcount_multi_sz_from_tdb"" frees pointer ""*retbuf"" which has already been freed.
  311|   	for(i = 1; i <= base_index; i++)
  312|   	{
  313|-> 		buffer_size = _reg_perfcount_multi_sz_from_tdb(names, i*2, retbuf, buffer_size);
  314|   	}
  315|   	tdb_close(names);"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Andreas Schneider
10b95ff436 s3:registry: Remove trailing spaces in reg_perfcount.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Andreas Schneider
067a30c527 s3:utils: Fix get_window_height() return value
Found by Covscan.

"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/utils/regedit_list.c:522: tainted_data_return: Called function ""get_window_height(list)"", and a possible return value may be less than zero.
samba-4.20.0rc2/source3/utils/regedit_list.c:522: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow.
samba-4.20.0rc2/source3/utils/regedit_list.c:526: overflow: The expression ""list->cursor_row -= page"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source3/utils/regedit_list.c:529: overflow_sink: ""list->cursor_row"", which might have underflowed, is passed to ""data_get_row_n(list, list->cursor_row)"".
  527|   			list->start_row -= page;
  528|   		}
  529|-> 		tmp = data_get_row_n(list, list->cursor_row);
  530|   		break;
  531|   	case ML_CURSOR_PGDN:"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Andreas Schneider
a0b6d18a25 s3:rpc_server: Make sure struct security_ace is initialized
Found by Covscan.

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/rpc_server/samr/srv_samr_nt.c:235: var_decl: Declaring variable ""ace"" without initializer.
samba-4.20.0rc2/source3/rpc_server/samr/srv_samr_nt.c:269: uninit_use_in_call: Using uninitialized value ""*ace"". Field ""ace->object"" is uninitialized when calling ""make_sec_acl"".
  267|   	/* create the security descriptor */
  268|
  269|-> 	if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) == NULL)
  270|   		return NT_STATUS_NO_MEMORY;
  271|"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:35 +00:00
Andreas Schneider
c709cb8a17 s3:lib: Make sure struct security_ace is fully initialized
Found by Covscan.

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/lib/sharesec.c:275: var_decl: Declaring variable ""ace"" without initializer.
samba-4.20.0rc2/source3/lib/sharesec.c:285: uninit_use_in_call: Using uninitialized value ""ace"". Field ""ace.object"" is uninitialized when calling ""make_sec_acl"".
  283|   	init_sec_ace(&ace, &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0);
  284|
  285|-> 	if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 1, &ace)) != NULL) {
  286|   		psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
  287|   				    SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:35 +00:00
Andreas Schneider
d6a7a97bc2 s3:lib: Remove trailing spaces in sharesec.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:35 +00:00
Stefan Metzmacher
53b72ea4d2 vfs_recycle: remember resolved config->repository in vfs_recycle_connect()
This should not change during the lifetime of the tcon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
c229a84b44 Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()"
This was only added to demonstrate the problem more reliable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
2175856fef vfs_recycle: fix memory hierarchy
If the configuration is reloaded strings and string lists
in recycle_config_data could become stale pointers
leading to segmentation faults...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
b38241da3d vfs_recycle: use the correct return in SMB_VFS_HANDLE_GET_DATA()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
cf7a6b521a vfs_recycle: use a talloc_stackframe() in recycle_unlink_internal()
That makes the cleanup more clear...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
220b0e977e vfs_recycle: directly allocate smb_fname_final->base_name
We can use talloc_asprintf() instead of asprintf() followed
by talloc_strdup().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
691564f6ca vfs_recycle: don't unlink on allocation failure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
6467c47cbe TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()
Forcing a reload of the smb.conf option values means the pointer learned
in vfs_recycle_connect() become stale.

This will be reverted at the end of the patset again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
2916b6096e test_recycle.sh: make sure we don't see panics on the log files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
462b74da79 vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send
If a client for whatever reason calls FSCTL_SRV_COPYCHUNK[_WRITE] without
FSCTL_SRV_REQUEST_RESUME_KEY, we call vfswrap_offload_write_send
before vfswrap_offload_read_send.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jun 17 18:02:27 UTC 2024 on atb-devel-224
2024-06-17 18:02:27 +00:00
Noel Power
788ef8f07c s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
This patch also removes known fail for existing test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224
2024-06-11 19:31:40 +00:00
Jeremy Allison
e535bcc698 s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.
Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 17:00:38 UTC 2024 on atb-devel-224
2024-06-11 17:00:38 +00:00
Jeremy Allison
e37e4f4749 s3/torture: Add test for widelink case insensitivity on a MSDFS share.
Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2024-06-11 15:53:38 +00:00
MikeLiu
a9b3522f53 smbd: Ensure we grant owner sid in check_parent_access_fsp()
Grant owner sid to check for owner rights.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15648

Signed-off-by: MikeLiu <mikeliu@qnap.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun  7 18:30:34 UTC 2024 on atb-devel-224
2024-06-07 18:30:34 +00:00
Andreas Schneider
5d73bb4acd s3:utils: Use talloc instead of malloc functions
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun  6 21:32:53 UTC 2024 on atb-devel-224
2024-06-06 21:32:53 +00:00
Andreas Schneider
b9d93eccbc s3:util: Use a talloc stackframe in rpc_trustdom_establish()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 20:25:36 +00:00
Andreas Schneider
e844f483bd s3:utils: Use a destructor in rpc_trustdom_establish()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 20:25:36 +00:00
Andreas Schneider
77a4ff5435 s3:utils: Remove overwrite of opt_workgroup in rpc_trustdom_establish()
This is not used anywhere in that functions or the functions we are
calling. It was replaced by command line cli credentials stored in
c->creds. This fixes a memory leak.

Direct leak of 12 byte(s) in 1 object(s) allocated from:
    #0 0x7f17fdaf5830 in strdup ../../../../libsanitizer/asan/asan_interceptors.cpp:578
    #1 0x7f17fc7e7339 in smb_xstrdup ../../lib/util/util.c:752
    #2 0x55f079bf0723 in rpc_trustdom_establish ../../source3/utils/net_rpc.c:6591
    #3 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
    #4 0x55f079bdbecf in rpc_trustdom ../../source3/utils/net_rpc.c:7483
    #5 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
    #6 0x55f079bfe7de in net_rpc ../../source3/utils/net_rpc.c:8413
    #7 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
    #8 0x55f079baa0a8 in main ../../source3/utils/net.c:1436
    #9 0x7f17f8a2a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 20:25:36 +00:00
Stefan Metzmacher
9fb57dab37 s3:utils: DNS_UTIL depends on libads headers so we need to depend on 'ads'
Otherwise we don't get the correct header include paths and krb5.h in
a non default location won't be found.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 20:25:36 +00:00
Stefan Metzmacher
1185410a0d s3:libsmb: we no longer need libads/kerberos_proto.h in namequery.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 20:25:36 +00:00
Andreas Schneider
8989aa47b7 s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
In case of a trusted domain, we are providing the realm of the primary
trust but specify the KDC IP of the trusted domain. This leads to
Kerberos ticket requests to the trusted domain KDC which doesn't know
about the machine account. However we need a ticket from our primary
trust KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 19:49:36 +00:00
Andreas Schneider
9dcc52d2a5 s3:libads: Do not fail if we don't get an IP passed down
The IP should be optional and we should look it up if not provided.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 19:49:36 +00:00
Andreas Schneider
28aa0b815b s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP
Remove the requirement to provide an IP address. We should look up the
IP of the KDC and use it for the specified realm/workgroup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 19:49:36 +00:00
Volker Lendecke
c005de07ae smbd: list reparse tag in QUERY_DIRECTORY
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun  4 17:39:21 UTC 2024 on atb-devel-224
2024-06-04 17:39:21 +00:00
Jo Sutton
747a7fec01 s3:rpc_server: Check query level according to MS-NRPC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Jun  4 09:39:42 UTC 2024 on atb-devel-224
2024-06-04 09:39:42 +00:00
Jo Sutton
8adbdbe50f s3:rpc_server: Check function code according to MS-NRPC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Noel Power <noel.power@suse.com>
2024-06-04 08:33:32 +00:00
Noel Power
0418b9fa92 s3/rpc_server: Fix dereference of client pointer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-04 08:33:32 +00:00
Volker Lendecke
021dfe8f33 winbind: Modernize a few DEBUGs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Volker Lendecke
bc2b2350b9 smbd: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Volker Lendecke
b29e408e14 libsmb: Use SMB2_0_INFO_SECURITY instead of raw "3"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Volker Lendecke
9445d8e06e torture: Remove some pointless local variables
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Volker Lendecke
df30ec83c9 lib: Use cli_credentials_add_gensec_features in a few places
Capture a common pattern

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Volker Lendecke
dc31a49830 libsmb: Slightly simplify cli_session_creds_init
In this case a nested if seems easier to understand to me than another
if-expression duplicating half of a previous one.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 07:11:35 +00:00
Anoop C S
4cade04d1f vfs_ceph: Implement SMB_VFS_FSET_DOS_ATTRIBUTES for precise btime
Previously we added an implementation for SMB_VFS_FGET_DOS_ATTRIBUTES
so that the btime is always preserved unless explicitly changed using
SMB_VFS_FNTIMES. But there are situations with open file handle where
btime stored on dos attributes as create_time has to be precise for
comparison because a one-to-one conversion between timepsec and nttime
is not always guaranteed.

Accordingly preserve btime via SMB_VFS_FSET_DOS_ATTRIBUTES so that we
always compare the exact btime from fsp stat information while the file
handle is still open.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Jun  3 11:10:11 UTC 2024 on atb-devel-224
2024-06-03 11:10:11 +00:00
Anoop C S
c36e79ef81 vfs_ceph: Simplify SMB_VFS_FGET_DOS_ATTRIBUTES
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2024-06-03 10:02:39 +00:00
Douglas Bagnall
267f307689 s3/torture: local_rbtree: avoid birthday collisions
We insert 999 keys, but if two of them happen to be the same, we
don't find 1000 nodes, and that is upsetting for CI:

[130(1421)/303 at 4m46s] samba3.smbtorture_s3.LOCAL-RBTREE
UNEXPECTED(failure): samba3.smbtorture_s3.LOCAL-RBTREE.smbtorture(none)
REASON: Exception: Exception: using seed 1716333987
host=foo share=bar user= myname=runner-jlguopmm-project-6378020-concurrent-0
Running LOCAL-RBTREE
run_local_rbtree: read1: 999 999, NT_STATUS_OK
run_local_rbtree: delete: 999 999, NT_STATUS_OK
run_local_rbtree: read2: 0 0, NT_STATUS_OK
TEST LOCAL-RBTREE FAILED!
LOCAL-RBTREE took 0.002706 secs

This has been flapping very occasionally for a long time:
https://lists.samba.org/archive/samba-technical/2016-March/112861.html

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-05-31 04:22:36 +00:00
Stefan Metzmacher
5a54c9b28a s3:utils: let smbstatus report anonymous signing/encryption explicitly
We should mark sessions/tcons with anonymous encryption or signing
in a special way, as the value of it is void, all based on a
session key with 16 zero bytes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224
2024-05-23 13:37:09 +00:00
Stefan Metzmacher
f3ddfb828e s3:smbd: allow anonymous encryption after one authenticated session setup
I have captures where a client tries smb3 encryption on an anonymous session,
we used to allow that before commit da7dcc443f
was released with samba-4.15.0rc1.

Testing against Windows Server 2022 revealed that anonymous signing is always
allowed (with the session key derived from 16 zero bytes) and
anonymous encryption is allowed after one authenticated session setup on
the tcp connection.

https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Stefan Metzmacher
551756abd2 s3:utils: let smbstatus also report partial tcon signing/encryption
We already do that for sessions and also for the json output,
but it was missing in the non-json output for tcons.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Stefan Metzmacher
8119fd6d6a s3:utils: let smbstatus also report AES-256 encryption types for tcons
We already do that for sessions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Stefan Metzmacher
5089d85506 s3:utils: let connections_forall_read() report if the session was authenticated
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Stefan Metzmacher
596a10d107 s3:lib: let sessionid_traverse_read() report if the session was authenticated
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Stefan Metzmacher
a9f84593f4 s3:utils: remove unused signing_flags in connections_forall()
We never use the signing flags from the session, as the tcon
has its own signing flags.

https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Andreas Schneider
f3f8aa4964 s3:rpc_server: Use lpcfg_dns_hostname() in srv_witness_nt.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
c2d4fe11b4 s3:utils: Use lp_dnsdomain() in net_ads.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
382c300acd s3:libnet: Convert myalias to lower case
This will be more consistent as it is a dnsname.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
0e96092c18 s3:libnet: Use lp_dns_hostname() in libnet_join.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
84989f2bf4 s3:lib: Remove obsolete name_to_fqdn()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
f6efc74670 s3:librpc: Use lp_dns_hostname() for creating the fqdn
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
b93fef8e90 s3:utils: Use lp_dns_hostname() for 'net' dns updates
name_to_fqdn() requires /etc/hosts to be set up in a special way to find
out the fqdn for dns updates. They are not set up by default and the
DNS update fails. Normally the fqdn is just <lp_netbios_name>.<realm>
and we should just use that. However if it is different, you can set
it to the special value in the smb.conf now.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
758bb9aacd docs-xml: Add smb.conf option 'dns hostname'
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Douglas Bagnall
5abeb724d7 s3:smbcacls: fix ace_compare
We got this wrong in commit 31101a9fa1.

In fact, we should probably not reorder the inherited ACLs, but that
is for another patch series.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
94b8deffa2 libsmb: Remove file_info->[ug]id
These fields were never assigned

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
f2b692fb45 smbd: Simplify request_timed_out
timeval_expired does what we need here

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
c443d377a0 libsmb: Remove a talloc_strdup()
We're directly overwriting state->mask without actually using it for
anything real.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
335877ec04 libsmb: Remove an unneeded NULL check
We have dereferenced p_last_name_raw before in the call to
data_blob_free, our only caller does give us a pointer

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
5384244f76 libsmb: Remove unused cli_list_trans()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
e79698c4be libsmb: Use SMB2_0_INFO_ constants instead of magic numbers
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
7ecf3b0e25 libsmb: Execute a "TODO", remove IVAL2_TO_SMB_BIG_UINT
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
27ac0beaa0 lib: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
0013105eb5 libsmb: Avoid pointless intermediate variables
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
06a322a17f libsmb: Use the direct FSCC_ infolevels
Could have done this as part of 1776918c5b already.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
dd1dd65026 smbd: Remove an unused function parameter
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
f69fe79189 smbd: Remove an unnecessary else
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
ff43158c52 smbd: Remove a no-op call to init_strict_lock_struct
"lock" is a variable on the stack, and initializing it is all that
init_strict_lock_struct does. We've done the corresponding checks
already in smbd_smb2_read_send

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
661532c46c smbd: Remove an unnecessary else branch
We return in the if branch, review with "git show -w"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
6f0628c848 smbd: Return correct error for fallback sendfile
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
9115836687 smbd: Use direct struct initialization
Make sure all fields in the target struct are initialized

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
979f3e2399 smbd: Remove the ZERO_ZERO define
This code went in with e8e98c9ea0 in 2001 without any mention in the
commit message.

I don't remember all details, but there was some discussion around the
offset=0,length=0 lock being somehow special. These days [MS-FSA]
defines the required behaviour (don't conflict) and we implement that
behaviour.

If someone still remembers why this code is in and thinks it's
worthwhile, that's what version control is for.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
3542f938c5 smbd: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
a8b9a8358e smbd: Move a DBG_DEBUG up
Make it line up with the other branches

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Volker Lendecke
477dec3770 smbd: Modernize a few DEBUGs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Stefan Metzmacher
83f03513fd s3:libnet: add a debug message to libnet_keytab_add_to_keytab_entries()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
888a785f47 s3:libnet: add support for trusted domains in libnet_dssync_keytab.c
It means that keytabs generated via 'net rpc vampire keytab' are
able to decrypt cross-realm tickets in wireshark.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
2b2cc54472 s3:libnet: split out store_or_fetch_attribute() from parse_user() in libnet_dssync_keytab.c
This way we can easily re-use the logic in the next commits...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
feff15fc88 s3:libnet: split out parse_user() in libnet_dssync_keytab.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
52df406387 s3:libnet: let parse_user() in libnet_dssync_keytab.c work without nt hash
It happens in setups with 'nt hash store = never'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Volker Lendecke
2b495c44a2 smbd: Fix a typo in a few places
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 15 17:56:24 UTC 2024 on atb-devel-224
2024-05-15 17:56:24 +00:00
Volker Lendecke
a99f2f3ae3 smbd: Modernize a few DEBUGs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-15 16:51:39 +00:00
Volker Lendecke
df75ae65e6 g_lock: Fix buffer length check in g_lock_parse()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-15 16:51:39 +00:00
Volker Lendecke
aca70be782 smbd: Simplify check_parent_access_fsp()
We don't need to explicitly call fetch_share_mode_unlocked,
get_file_infos does it for us behind the scenes

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-15 16:51:39 +00:00
Volker Lendecke
c422002ce5 smbd: Remove an obsolete comment
notify_fname only sends a message to the notify daemon. There is no
potential deadlock anymore.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-15 16:51:39 +00:00
Volker Lendecke
b71f729698 smbd: Add reparse tag to smb3_posix_cc_info
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 14 23:29:46 UTC 2024 on atb-devel-224
2024-05-14 23:29:46 +00:00
Volker Lendecke
d0cdb4160b smbd: Use fsctl_get_reparse_tag in fsctl_del_reparse_point
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
7b6dc319b5 smbd: Use fsctl_get_reparse_tag in fsctl_set_reparse_point
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
3a38767366 smbd: Add fsctl_get_reparse_tag() helper function
There's a few places where we only care about the tag

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
2743127a6e smbd: Modernize a few DEBUGs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
a85b1e5754 libsmb: Cap max_rdata at UINT16_MAX
The caller does not necessarily query max values for smb1 and smb2+.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
1776918c5b libsmb: Use the direct FSCC_FILE_ALL_INFORMATION define
(SMB_FILE_ALL_INFORMATION - 1000) looks a bit silly if you look at the
definition of SMB_FILE_ALL_INFORMATION...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
5e0fe4d91c smbd: Add DEBUG message got get_reparse_point
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
ee65357763 smbd: Return reparse tag as of MS-FSCC 2.4.6
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
d884c2fb0d smbd: Fix a DBG
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
ba40d97087 pylibsmb: Add py_cli_qfileinfo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
c13ac1f1a7 pylibsmb: Add FSCC QUERY_INFO levels
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
291a353b16 libsmb: Remove smb2 branch from cli_qfileinfo_basic_send
cli_qfileinfo_send now does it

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
893e4f6ebf libsmb: Add smb2 branch to cli_qfileinfo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
6e9c18ed82 libsmb: Add a tevent_req_received() where appropriate
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
bec5920ec9 libsmb: Convert cli_qfileinfo to use FSCC levels
This will enable this routine to be used for SMB2 as well. The
translation table is from [MS-CIFS] 2.2.8.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
af4bb5f75f libsmb: Use SMB2_0_INFO_FILE instead of the raw "1"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
4eac4014c0 libsmb: Use SMB2_0_INFO_SECURITY instead of the raw "3"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Volker Lendecke
072e4d030a smbd: Modernize a DEBUG
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 22:29:36 +00:00
Pavel Filipenský
1092d4b0a8 s3:winbindd: Update non cache entries keys (non_centry_keys)
This change does NOT affect WHAT and HOW is cached. It only avoids
undefined behavior for "NDR" and "TRUSTDOMCACHE" when processed in
wcache_flush_cache() and wbcache_upgrade_v1_to_v2().

winbindd_cache.tdb contains two types of entries:

1) cache entries (typed as 'struct cache_entry')
  - internal format is:           [ntstatus; sequence_number; timeout]

2) non cache entries (keys listed in non_centry_keys)
  - for "NDR" internal format is: [sequence_number; timeout]

Without this commit, "NDR" would be processed as the first type (instead
as the second type). E.g. in the stack below:

wcache_fetch_raw()
traverse_fn_cleanup()
wcache_flush_cache()

the triplet [ntstatus; sequence_number; timeout] would be initialized
from data containing only [sequence_number; timeout], leading to
mismatched values ('ntstatus' would be filled from 'sequence_number').

Anyway, current code is never calling wcache_flush_cache(), since
wcache_flush_cache() can be called only from get_cache() and get_cache()
will call it only if global/static wcache was not set yet. But wcache is
set very early in the main winbind (and all winbind children get it
after fork), sooner than any call of get_cache() can happen:

   #1 init_wcache + 0x19
   #2 initialize_winbindd_cache + 0x35
   #3 winbindd_cache_validate_and_initialize + 0x25
   #4 main + 0x806

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 14 21:04:57 UTC 2024 on atb-devel-224
2024-05-14 21:04:57 +00:00
Pavel Filipenský
26d87d1fef s3:winbindd: Use TDB_REPLACE in tdb_store
tdb_store() should use as a flag TDB_REPLACE instead of undocumented 0

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-14 20:02:36 +00:00
Stefan Metzmacher
845a2aae6f smbspool: let kerberos_ccache_is_valid() use smb_force_krb5_cc_default_name()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:32 +00:00
Stefan Metzmacher
4514fb5f43 smbspool_krb5_wrapper: let kerberos_get_default_ccache() use smb_force_krb5_cc_default_name()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:32 +00:00
Stefan Metzmacher
a8da9de9f4 smbspool_krb5_wrapper: remove unused includes
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:32 +00:00
Stefan Metzmacher
d49de77710 s3:libads: let kerberos_kinit_password_ext() require an explicit krb5 ccache
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
fc92025ecb s3:libads: finally remove unused ads_connect[_user_creds]() and related code
That was a long way, but now we're cli_credentials/gensec only :-)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
25806314da s3:net: finally remove net_context->opt_{user_specified,user_name,password}
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
a1ab1c8620 s3:net: remove unused net_context->smb_encrypt
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
9620d2ecc1 s3:net: remove unused net_context->opt_kerberos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
2de585a978 s3:include: remove unused krb5_env.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
eb9ad5cc89 s3:net_ads: remove unused use_in_memory_ccache()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
e76fe56fdf s3:net_ads: make use of ads_connect_{cldap_only,creds}() in ads_startup_int()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
d59d957cab s3:libads: let ads_krb5_set_password() require an explicit krb5 ccache to operate on
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
432273dd3e s3:libads: kerberos_set_password() don't need to kinit before ads_krb5_chg_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
125db2ed81 s3:libads: remove unused kdc_host and time_offset arguments to kerberos_set_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
b641b35b02 s3:libads: remove unused kdc_host and time_offset arguments to ads_krb5_chg_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
3141423feb s3:libads: remove krb5_set_real_time() from ads_krb5_set_password()
Callers typically only pass in 0 anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
c85c084d69 s3:libads: remove unused kdc_host argument of ads_krb5_set_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
5f32f14ef5 s3:net_ads: require kerberos if we use ads_krb5_set_password() in ads_user_add()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
1eeeb76e6c s3:net_ads: use ADS_SASL_SEAL by default, so that we always get encryption
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
612af29cef s3:net_ads: use cli_credentials_get_principal() in order to call kerberos functions
This is better than the value from cli_credentials_get_username()...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
55c9a6c0e3 s3:net: remove useless net_prompt_pass() wrapper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
d9082129f2 s3:net_rpc: make use of !c->explicit_credentials for NET_FLAGS_ANONYMOUS
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
e690666fd1 s3:net: make use of c->explicit_credentials in order to check for valid credentials
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
be1051f379 s3:net: add net_context->explicit_credentials to check if credentials were passed
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
a9beae36f0 s3:net: correctly implement --use-ccache as legacy for --use-winbind-ccache for 'net'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
579195769d s3:net_offlinejoin: we don't need to call libnetapi_set_use_kerberos() as we already passed cli_credentials
c->opt_kerberos is derived from c->creds...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
f4f31236c4 s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin}Ctx()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
c0edd3406b s3:lib/netapi: make use of ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
0470cc385d s3:lib/netapi: add libnetapi_get_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
87e7a9488a s3:printing: make use of ads_connect_machine()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
f9496bfdf4 s3:libads: add ads_connect_machine() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
353abcb4d3 s3:libads: add ads_simple_creds() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
c36b044224 s3:libads: make use of ads_connect_simple_anon() in ldap.c where possible
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
7bfbea4c3c s3:libads: add ads_connect_simple_anon() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
c95a2785e2 lib/addns: rewrite signed dns update code to use gensec instead of plain gssapi
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
5807689f96 s3:utils: let net_update_dns_internal() set status before goto done in all cases
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
28af082926 s3:winbindd: make use of winbindd_get_trust_credentials() in idmap_ad.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
ed75331f52 s3:winbindd: make use of winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
16bbb407fa s3:winbindd: make use of samba_sockaddr to avoid compiler warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
f903d80769 s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
8166642e1b s3:winbindd: make winbindd_get_trust_credentials() public
We'll use it outside of winbindd_cm.c soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
81a6c54fdd s3:libads: add ads_set_reconnect_fn() and only reconnect if we can get creds
This reconnect is only useful for long running connections (e.g. in winbindd)
and there we'll make use of it...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
31e4614ee3 s3:libads: add ads_connect_creds() helper
In future ads_connect_creds() will be used by callers directly instead
of using ads_connect().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
76e0d348dd s3:libads: fix compiler warning in ads_mod_ber()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
bac243442a s3:libads: move ads->auth.time_offset to ads->config.time_offset
There's no reason to pass the LDAP servers time to the kerberos
libraries, as we may talk to a KDC different than the LDAP server!

Also Heimdal handles AS-REQ with KRB5KRB_AP_ERR_SKEW fine and
retries with the time from the krb-error.
MIT records the time from the KDC_ERR_PREAUTH_REQUIRED response
in order to use the KDCs time.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
ea97abd545 s3:libads: we only need to gensec_expire_time()...
The lifetime of a service ticket is never longer than
the lifetime of the TGT...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
ce1ad21ce6 s3:libads: remove unused ads->auth.renewable
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
fcd47a4966 s3:winbindd: remove useless 'renewable' argument to ads_cached_connection_connect()
There's really no need to get a reneable ticket for an ldap connection,
we currently always do a kinit for each connection anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
bb8b7be74a s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp
For now we still do the ads_kinit_password() in ads_legacy_creds()
for callers that rely on the global krb5ccache to be filled.

E.g. the dns update code and the kpasswd code.

But at least ads_connect_internal() and ads_sasl_spnego_bind()
will allow to do the kinit in the gensec layer only if needed...

We'll remove ads_legacy_creds() during the following commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
cff7656e66 s3:net_ads: make use of ads_connect_cldap_only() and ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password()
We don't need a real ldap connection here.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
f024063aec s3:winbindd: make use of ads_connect_cldap_only() in dcip_check_name_ads()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
e8250f1624 s3:net_ads: make use of ads_connect_cldap_only() in net_ads_check_int()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
fdd34b57c4 s3:libsmb: make use of ads_connect_cldap_only()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
f34e64baf6 s3:libads: add ads_connect_cldap_only() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
36748002f0 s3:libads: also avoid ADS_AUTH_GENERATE_KRB5_CONFIG for ADS_AUTH_ANON_BIND
For anonymous binds we don't need a krb5.conf.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
9ea1ea1629 s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to generate a custom krb5.conf
That's better then using !ADS_AUTH_NO_BIND. And it allows callers
to be more flexible in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
b3110ec049 s3:libads: split out ads_connect_internal() and call it with ads_legacy_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
be771670eb s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_unparsed_name()
We should only operate on the creds structure and
avoid using ads->auth.{user_name,realm}.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
4d42574c54 s3:libads: let ads_sasl_spnego_bind() reset krb5_state at the end
In future we'll pass in creds from the caller, so we better
restore the original krb5_state at the end of ads_sasl_spnego_bind().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
f7ab92ea7e s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_kerberos_state()
We should only operate on the creds structure and avoid ads->auth.flags

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
b98f9a341f s3:libads: split out ads_legacy_creds()
This is just a temporary change until the highlevel caller
will pass in a cli_credentials structure and we'll get rid of
ads->auth.{user_name,realm,password}.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
6f33e46c19 s3:libads: remove unused LIBADS_CCACHE_NAME define
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
a70c62a78e s3:libads: make use of talloc_stackframe() in ads_setup_tls_wrapping()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
d26e4c6e27 s3:libsmb: remove unused cli_session_creds_prepare_krb5()
Kinit will be done within gensec if required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
ef205f6b52 s3:gse: get an explicit ccache_name from creds and kinit if required
This means we may call kinit multiple times for now,
but we'll remove the kinit from the callers soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Andreas Schneider
98ee5ca7e8 s3:gse: Pass down the mech to gse_context_init()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-05-14 10:18:31 +00:00
Andreas Schneider
bc2a2399e5 s3:gse: Implement gensec_gse_security_by_oid()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-05-14 10:18:31 +00:00
Andreas Schneider
2ec3e59f58 s3:gse: Use smb_gss_mech_import_cred() in gse_init_server()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
2fd2d28b8f s3:libsmb: fix lpcfg_gensec_settings() no memory check in auth_generic_client_prepare()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
fb7e19826a s3:libsmb: explicitly use the default krb5 ccache in cli_session_creds_init() without a password
This happened implicitly as the gse_krb5 module always used the default
krb5 ccache, but that will change soon.

If kerberos is requested without a fallback to ntlm AND
the caller doesn't provide a password we'll use the
default ccache. This will keep our the following tests
happy once the gse_krb5 module changes the behavior:

 samba3.blackbox.krbsmbspool
 samba3.blackbox.smbget

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
2dc76cc84c s3:ntlm_auth: explicitly include default krb5 ccache if no explicit username/password are given
Before this silently happened because the gse_krb5 module just used the
default ccache, but that will change soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
e47f9415b7 s3:libads: don't allow ads_kdestroy(NULL) anymore
This should not happen, if we ever need that behaviour
we should add an ads_kdestroy_default() helper.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
4959f93227 s3:winbindd: don't use ads_kdestroy(NULL) in winbindd_raw_kerberos_login()
This fixes a problem introduced in the commit:

commit e6c693b705
Author: Stefan Metzmacher <metze@samba.org>
Date:   Wed Feb 28 17:28:43 2024 +0100

    s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache

    It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory().

    ...

Before that commit cc was never NULL as generate_krb5_ccache()
returned "MEMORY:winbindd_pam_ccache" as fallback.

So we called ads_kdestroy("MEMORY:winbindd_pam_ccache").

Now we have cc == NULL if user_ccache_file == NULL.

and kerberos_return_pac() uses smb_krb5_cc_new_unique_memory()
and krb5_cc_destroy() internally.

It means unless user_ccache_file != NULL we should not
call ads_kdestroy(cc) as cc is NULL and means we would destroy
any global default krb5 ccache.

Review with: git show -U25

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
712ffbffc0 s3:libsmb: allow store_cldap_reply() to work with a ipv6 response
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224
2024-05-10 01:35:18 +00:00
Stefan Metzmacher
87e31f88f2 s3:libsmb: let cli_session_creds_init() keep the value from 'client use kerberos'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May  7 12:33:29 UTC 2024 on atb-devel-224
2024-05-07 12:33:29 +00:00
Stefan Metzmacher
e6c693b705 s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache
It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
147565232d s3:libads: use smb_krb5_cc_new_unique_memory() in kerberos_return_pac()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
e3f97f35b1 s3:gse: don't call krb5_cc_resolve() as server
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
6ced3c6af2 s3:gse: avoid prompting for a password that we don't use in the end
Currently we rely on a valid default credential cache being available
and don't make use of the password.

In future we'll do a kinit on demand, but that's for another day.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
ce05fe3b71 s3:gse: make use of gensec_kerberos_possible()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Stefan Metzmacher
1275e77933 s3:client: avoid cli_credentials_get_password() to check for a specified password
Using cli_credentials_get_password_obtained() is more lightweight as
it avoids a possible password prompt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Volker Lendecke
5edd1e7c3e smbd: Implement FSCTL_DELETE_REPARSE_POINT
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May  6 21:55:03 UTC 2024 on atb-devel-224
2024-05-06 21:55:03 +00:00
Volker Lendecke
8ace45e0da smbd: Implement fsctl_set_reparse_point
Store the data in the "user.SmbReparse" xattr. Only allow this on
regular files. Windows does it for directories too, but we can not
allow this: Setting a symlink reparse point in a xattr on a directory
would go unnoticed by our openat2-optimization. If someone really
needs this, we could have a VFS module disallowing openat2 and doing
the appropriate checks on every openat-call.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-06 20:55:37 +00:00
Volker Lendecke
6eba4b794f smbd: Implement fsctl_get_reparse_point
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-06 20:55:37 +00:00
Jeremy Allison
6526f20e42 s3: smbd: smb2-posix: Add SAMBA_XATTR_REPARSE_ATTRIB "user.SmbReparse" name.
Ensure it's prohibited for normal user access.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-05-06 20:55:37 +00:00
Volker Lendecke
1fa7668ee8 smbd: Use reparse_buffer_check() in fsctl_set_reparse_point()
check_reparse_data_buffer() was duplicated code

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-06 20:55:37 +00:00
Volker Lendecke
4b98f993a2 smbd: Prepare to return the reparse tag from fsctl_get_reparse_point
We'll need this in many places, for example when listing directories

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-06 20:55:37 +00:00
Volker Lendecke
db5c23e4be smbd: Change the output of fsctl_get_reparse_point to uint8
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-06 20:55:37 +00:00
Volker Lendecke
2defbc994d smbd: Return FILE_ATTRIBUTE_REPARSE_POINT from "user.DOSATTRIB"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-06 20:55:37 +00:00
Volker Lendecke
6bf51860a0 smbd: Remove unused [push_pull]_file_id_24
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 30 23:48:21 UTC 2024 on atb-devel-224
2024-04-30 23:48:21 +00:00
Volker Lendecke
5ef6a8a01f smbd: Use struct oplock_break_message for MSG_SMB_KERNEL_BREAK
Signed-off-by: Volker Lendecke <vl@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
7d860a73ca smbd: Remove message_to_share_mode_entry and vice versa
Used only for closing files from rpc srvsvc these days

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
037b9dac21 smbd: Use struct oplock_break_message for MSG_CLOSE_FILE
We only need to transmit the file_id and share_file_id. Next patch
will show why :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
e2201a8dff smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
8f1cc217a8 smbd: Simplify sending oplock_break_message
This is fixed length of 33 bytes, no need to talloc

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
4fe0808ebe lib: Convert push_file_id_16 to take uint8_t instead of char
All callers had a cast from uint8_t to char, avoid those.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
e889d76fad vfs: Convert return_data from char * to uint8_t
Prepares for a small simplification in the next patch

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
6f2aa43a3f passdb: Use getline(3) to read our old machine sid
Don't read the whole file.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
30b7cf9b3c pylibsmb: Avoid talloc()
dom_sid_string() does an implicit talloc_strdup() which is not
necessary here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
3f17f19429 pylibsmb: clang-format for the calls to Py_BuildValue()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
8ef24d670b pylibsmb: Return reparse_tag from directory listing
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
ceea95af63 libsmb: Slightly simplify py_cli_list()
We don't need an & to take a function pointer

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
5d51be5891 smbd: Fix a copy&paste error in smbXsrv_client_remove()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
c2b80caf5e smbd: Use direct struct initialization in smbXsrv_client
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
60b724a7e5 smbd: Save a few lines in smbXsrv_client_global_init()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
7b4ab077c8 smbd: Do an early TALLOC_FREE in smbXsrv_client_global_init()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
45200770fe smbd: Simplify smbXsrv_open_clear_replay_cache()
GUID_buf_string() is designed to never fail

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
e5596cf4a6 smbd: Simplify smbXsrv_open_purge_replay_cache()
GUID_buf_string is supposed to never fail except if the guid passed in
is NULL. Our only current caller already checks
that. dbwrap_purge_bystring() could actually fail, so put the result
into a variable for the debugger.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
647d2c6481 smbd: Simplify an if-condition
(state->current_sid == NULL) is true if and only if we could not
assign state->current_sid because num_sids was too small. Make that
more explicit.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
56814d3ee2 smbd: Some README.Coding in smbXsrv_session
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
debb589484 libsmb: Remove unused setup_stat_from_stat_ex()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Volker Lendecke
fba4e66df5 smbd: Save a few bytes of .text
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-04-30 22:44:32 +00:00
Anna Popova
80159018e4 s3:utils: Fix Inherit-Only flag being automatically propagated to children
Inherit-only flag applies only to the container it was set to and it
shouldn't be automatically propagated to children.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636

Signed-off-by: Anna Popova <popova.anna235@gmail.com>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224
2024-04-29 10:56:48 +00:00
Andreas Schneider
96b5cfe4e6 s3:libsmb: Pass a memory context to get_ipc_connect()
Indirect leak of 792 byte(s) in 1 object(s) allocated from:                                                                                                                              #0 0x7f261b8dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0)
    #1 0x7f261b2c2bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783                                                                                                              #2 0x7f261b2c473d in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7f261b2c473d in _talloc_named_const ../../lib/talloc/talloc.c:982
    #4 0x7f261b2c473d in _talloc_zero ../../lib/talloc/talloc.c:2421                                                                                                                     #5 0x7f2618cb42bc in smbXcli_conn_create ../../libcli/smb/smbXcli_base.c:350
    #6 0x7f261a74acd3 in cli_state_create ../../source3/libsmb/clientgen.c:196                                                                                                           #7 0x7f261a751f0d in cli_connect_nb_done ../../source3/libsmb/cliconnect.c:2715
    #8 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177                                                                                                   #9 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #10 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240                                                                                                             #11 0x7f261a752dde in cli_connect_sock_done ../../source3/libsmb/cliconnect.c:2624
    #12 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #13 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #14 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #15 0x7f261a7ba2c4 in smbsock_any_connect_connected ../../source3/libsmb/smbsock_connect.c:788
    #16 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #17 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #18 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #19 0x7f261a7b75ad in smbsock_connect_connected ../../source3/libsmb/smbsock_connect.c:524
    #20 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #21 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #22 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240
    #23 0x7f261b4b400a in open_socket_out_connected ../../source3/lib/util_sock.c:484
    #24 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #25 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #26 0x7f261a69be3e in tevent_req_trigger ../../lib/tevent/tevent_req.c:291
    #27 0x7f261a699df4 in tevent_common_invoke_immediate_handler ../../lib/tevent/tevent_immediate.c:190
    #28 0x7f261a699e31 in tevent_common_loop_immediate ../../lib/tevent/tevent_immediate.c:236
    #29 0x7f261a6ad3ec in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:905
    #30 0x7f261a6a679e in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #31 0x7f261a696538 in _tevent_loop_once ../../lib/tevent/tevent.c:820

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Apr 29 09:48:47 UTC 2024 on atb-devel-224
2024-04-29 09:48:47 +00:00
Andreas Schneider
56426eda9b s3:libsmb: Make get_ipc_connect() static
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-04-29 08:43:32 +00:00
Andreas Schneider
bf688e0d2a s3:libnet: Fix memory leak in libnet_join_connect_dc_ipc()
Direct leak of 885 byte(s) in 1 object(s) allocated from:
    #0 0x7f261b8dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0)
    #1 0x7f261b2c2bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7f261b2c543c in _talloc_pool ../../lib/talloc/talloc.c:838
    #3 0x7f261b2c543c in _talloc_pooled_object ../../lib/talloc/talloc.c:906
    #4 0x7f261a69cac9 in __tevent_req_create ../../lib/tevent/tevent_req.c:98
    #5 0x7f261a75bf55 in cli_full_connection_creds_send ../../source3/libsmb/cliconnect.c:3455
    #6 0x7f261a75c4b7 in cli_full_connection_creds ../../source3/libsmb/cliconnect.c:3818
    #7 0x7f261b70d39f in libnet_join_connect_dc_ipc ../../source3/libnet/libnet_join.c:1146
    #8 0x7f261b715794 in libnet_join_lookup_dc_rpc ../../source3/libnet/libnet_join.c:1188
    #9 0x7f261b715794 in libnet_DomainJoin ../../source3/libnet/libnet_join.c:2812
    #10 0x7f261b715794 in libnet_Join ../../source3/libnet/libnet_join.c:3040
    #11 0x555bd93671ea in net_ads_join ../../source3/utils/net_ads.c:1855
    #12 0x555bd9415ca9 in net_join ../../source3/utils/net_join.c:45
    #13 0x555bd940b972 in net_run_function ../../source3/utils/net_util.c:464
    #14 0x555bd9363129 in main ../../source3/utils/net.c:1372
    #15 0x7f2616a281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-04-29 08:43:32 +00:00
Andreas Schneider
d2297b41a2 s3:libsmb: Pass memory context to cli_full_connection_creds()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-04-29 08:43:32 +00:00
Andreas Schneider
5c63d5bdab s3:libsmb: Pass memory context to cli_full_connection_creds_recv()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-04-29 08:43:32 +00:00
Andreas Schneider
8888f95947 s3:libsmb: Pass a memory context to cli_start_connection()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-04-29 08:43:32 +00:00
Andreas Schneider
f3fda1e440 s3:libsmb: Pass a memory context to cli_start_connection_recv()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-04-29 08:43:32 +00:00
Andreas Schneider
bbb21797bf s3:libsmb: Pass memory context to cli_connect_nb()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-04-29 08:43:32 +00:00
Andreas Schneider
4f62937dfa s3:torture: Remove trailing spaces in torture.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-04-29 08:43:32 +00:00
Andreas Schneider
c8eabee18b s3:nmbd: Remove trailing spaces in nmbd_synclists.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-04-29 08:43:32 +00:00
Andreas Schneider
2154bd37e4 s3:libsmb: Pass a memory context to cli_connect_nb_recv()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-04-29 08:43:32 +00:00
Stefan Metzmacher
a34532cd9b s3:selftest/tests.py: run TLDAP tests with sasl-sign,sasl-seal,ldaps,starttls
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
d189952f0e s3:torture: add ldaps/starttls support to run_tldap()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
09647d1dc9 s3:torture: add '-T 'option=value' this is similar to '--option='=value'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
0f8a7c9ef6 s3:idmap_ad: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
Review with: git show --patience

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
864ed28ce0 s3:libads: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
844e1bdc6d smbdotconf: add client ldap sasl wrapping = {starttls,ldaps}
In order to use SASL authentitation within a TLS connection
we now provide "client ldap sasl wrapping = starttls" or
"client ldap sasl wrapping = ldaps".

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
576ac69cbb s3:libads: call gensec_set_channel_bindings() for tls connections
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
da87dbcea5 s3:libads: call ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) as soon as possible
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
6a84552d59 s3:libads: add tls_wrapping into openldap
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
f1a83feb0e s3:libads: always require ber_sockbuf_add_io() and LDAP_OPT_SOCKBUF
There's no point in trying to support --with-ads, but only use
plaintext ldap without sign/seal.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
86e03bd515 s3:libads: use the correct struct sockbuf_io_desc type for 'sbiod' pointer
Using 'Sockbuf_IO_Desc' in idl implicitly means pidl will use
'struct Sockbuf_IO_Desc', which doesn't exist!

Using 'struct sockbuf_io_desc' which is used in OpenLDAP to
typedef Sockbuf_IO_Desc, we won't need to cast the assign the
'sbiod' pointer.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
e6593c297e s3:libads: no longer pass "GSS-SPNEGO" to ads_sasl_spnego_gensec_bind()
That's the only thing we use...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
4775869589 s3:libads: remove dead code in ads_sasl_spnego_{gensec}_bind()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
aeed081fc8 s3:libads: directly use kerberos without asking the server
Every AD DC supports kerberos so we can just use it without
asking the server (in an untrusted way) if kerberos is supported.
So remove another useless roundtrip.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
09b69a12a6 s3:libads: use GSS-SPNEGO directly without asking for supportedSASLMechanisms
Every AD DC supports 'GSS-SPNEGO' and that's the only one we use anyway,
so remove an unused roundtrip.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
29b77a34aa s3:tldap: add support for [START]TLS
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
3798dc7aea s3:tldap: make tldap_gensec_bind_send/recv public
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
eb29f28a29 s3:tldap: add tldap_extended*
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
557de8f39e s3:tldap: store plain and gensec tstream
Also allow resetting to plain.

We now have ld->active as the currently active
tstream, which will allow us to add tls support
soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
3bf3d4d855 s3:tldap: let tldap_gensec_bind_send/recv use gensec_update_send/recv
We should not use the sync gensec_update() in async code!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
4b22fa0153 s3:tldap: don't use 'supportedSASLMechanisms' and force 'GSS-SPNEGO' instead
All active directory dcs support 'GSS-SPNEGO'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
8c5b522682 s3:tldap: simplify tldap_gensec_bind.h
We don't need any includes...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
30440e0ee3 s3:tldap: simplify read_ldap_more() by using asn1_peek_full_tag()
An LDAP pdu is at least 7 bytes long, so we read at least 7 bytes,
then it's easy to use asn1_peek_full_tag() in order to find out the
whole length of the pdu on one go.

As a side effect it's now possible that wireshark can reassemble
the fragments in a socket_wrapper generated pcap file.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
ded41b0946 s3:libads: remove unused ADS_AUTH_SIMPLE_BIND code
We have other code to test simple binds.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
2e975ae983 s3:libads: remove unused include of gensec_internal.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
c7c5d3fb76 s3:libsmb: libcli/auth/spnego.h is not needed in cliconnect.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
6c17e3d280 s4:ldap_server: add support for tls channel bindings
ldap server require strong auth = allow_sasl_over_tls
is now an alias for 'allow_sasl_without_tls_channel_bindings'
and should be avoided and changed to 'yes' or
'allow_sasl_without_tls_channel_bindings'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
811d04fea7 s3:crypto/gse: implement channel binding support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00