1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

210 Commits

Author SHA1 Message Date
Stefan Metzmacher
80dae9afda CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
This matches windows and prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:27 +02:00
Stefan Metzmacher
942e4ed851 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
2b40fb8509 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
We want to test against all "ldap server require strong auth" combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
5dccb19801 selftest/Samba3: use the correct "SELFTEST_WINBINDD_SOCKET_DIR" for "net join"
This avoids picking up a gid from the DC's winbind when
creating BUILTIN\Administrators

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Mar 24 22:15:44 CET 2016 on sn-devel-144
2016-03-24 22:15:44 +01:00
Michael Adam
e9586a653c torture:smb2: add durable-v2-open.reopen1a-lease
Lease variant of the reopen1a test which tests the
relevance of the client guid.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 22 03:47:02 CET 2016 on sn-devel-144
2016-03-22 03:47:02 +01:00
Michael Adam
3e90abe670 torture:smb2: add durable-open.reopen1a-lease
Lease variant of the reopen1a test which tests the
relevance of the client guid.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-22 00:23:22 +01:00
Günther Deschner
2b799880b9 torture:smb2: add test for checking sequence number wrap around.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-22 00:23:21 +01:00
Stefan Metzmacher
5a397216d4 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:31 +01:00
Jeremy Allison
841ae4a2e2 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-03-10 06:52:23 +01:00
Jeremy Allison
19eb1c9311 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-03-10 06:52:23 +01:00
Douglas Bagnall
b797baaa60 Add python server sort tests
The tests are repeated twice: once properly with complex Unicode
strings, and again in a simplified ASCII subset. We only expect Samba
to pass the simplified version. The hard tests are aspirational and
show what Active Directory does.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-09 10:32:17 +01:00
Michael Adam
2fd54b5332 smbd:smb2: implement create replay
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
1b804d6f93 torture:smb2: add smb2.replay.replay-dhv2-lease3
create with a lease, and replay with lease
with a different lease key.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
1c772984c6 torture:smb2: add smb2.replay.replay-oplock-lease
create with an oplock, and replay with a lease.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
2036e1d27b torture:smb2: add smb2.replay.replay-dhv2-lease-oplock
Open with a lease and replay with an oplock.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
6eeabe43a2 torture:smb2: add smb2.replay.replay-dhv2-lease2
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
de678ebcdf torture:smb2: add smb2.replay.replay-dhv2-lease1
This is a variant of the replay-dhv2-oplock1 test for leases
instead of for oplocks.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
9ac9d286b4 torture:smb2: split rename2 into multiple tests and extend these
- replay-regular
- replay-dhv2-oplock1
- replay-dhv2-oplock2
- replay-dhv2-oplock3

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:23 +01:00
Michael Adam
9ebf079b00 torture:smb2: rename replay1 -> replay-commands
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:23 +01:00
Adrian Cochrane
594778e580 ldb-samba: Expand testing of recursive search
Signed-off-by: Adrian Cochrane <adrianc@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jan 18 07:49:43 CET 2016 on sn-devel-144
2016-01-18 07:49:43 +01:00
Adrian Cochrane
c505076422 Fix propagation of LDB errors through TDB.
Returning a non-zero value from a tdb_traverse callback indicates that tdb_traverse
should stop traversing the database. This error code IS NOT propagated back to the
caller, so LTDB must record the error otherwise. This patch corrects LTDB for this
misunderstanding.

Naturally exposing these errors changes the behaviour of some tests. This commit fixes
that as well.

Signed-off-by: Adrian Cochrane <adrianc@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-12-04 06:08:29 +01:00
Andrew Bartlett
97577fd088 Add samba4.smb2.create.mkdir-dup(ad_dc_ntvfs) as flapping
This test sometimes succeeds, depending on the build environment.

(Corrects earlier patch to also remove from knownfail)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11486
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Jeremy Allison
808f29cb2f s4: torture: Add SMB2 access-based enumeration test. Passes against Win2k12R2.
https://bugzilla.samba.org/show_bug.cgi?id=10252

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Oct 14 19:00:03 CEST 2015 on sn-devel-104
2015-10-14 19:00:03 +02:00
Jeremy Allison
969d043596 s4: torture: Test mkdir race condition.
Found by Max of LoadDynamix <adx.forum@gmail.com>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11486

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 24 06:13:22 CEST 2015 on sn-devel-104
2015-09-24 06:13:22 +02:00
Andrew Bartlett
336d41155e python/tests: Add tests for integer overflow handling
This also documents an issue with our python bindings and lists, as changes to integers in a list
of integers are not preserved

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11429

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-24 23:46:22 +02:00
Andrew Bartlett
dc2d5ccd56 Revert "ldb-samba: Implement transitive extended matching"
This reverts commit 2a22ba34cd.

selftest/knownfail entries are added to ensure 'make test' continues to pass

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10493

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-17 17:43:36 +02:00
Andrew Bartlett
e0fa42201b selftest: Add knownfail entry required to disable tombstone_reanimation
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jul 20 09:21:33 CEST 2015 on sn-devel-104
2015-07-20 09:21:33 +02:00
Stefan Metzmacher
70cea2b85c s4:rpc_server/netlogon: implement NETLOGON_CONTROL_{QUERY,REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}
We pass NETLOGON_CONTROL_{REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD} to
winbindd and do the hard work there, while we answer NETLOGON_CONTROL_QUERY
directly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
c57fef89e1 s4:rpc_server/netlogon: implement dcesrv_netr_ServerTrustPasswordsGet()
We just need to call dcesrv_netr_ServerGetTrustInfo() and ignore trust_info.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a02300c0c7 s4:rpc_server/netlogon: implement dcesrv_netr_ServerGetTrustInfo()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Andrew Bartlett
c31c30043b s4-winbindd: Remove the winbind rewrite from the samba4 effort
This winbind implementation is undermaintained, out of date and not the
future of even the AD DC, let alone any other purpose.

Removing it will reduce our security and bug exposure on this
off by default subsystem

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 24 22:34:57 CEST 2015 on sn-devel-104
2015-06-24 22:34:57 +02:00
Andrew Bartlett
db59f9ec73 selftest: Change chgdcpass environment to use winbindd
This allows us to test that winbindd starts up without secrets.tdb, as happens after
a classicupgrade.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 18 00:59:54 CEST 2015 on sn-devel-104
2015-06-18 00:59:54 +02:00
Andrew Bartlett
5bb647b788 selftest: Run winbind tests in chgdcpass environment
This ensures that winbind both starts and operates without a secrets.tdb

(chgdcpass deliberatly removes the secrets.tdb file after provision, like has happend with classicupgrade).

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-17 22:10:24 +02:00
Stefan Metzmacher
a5981d1374 s3:smbd: use STATUS_NOTIFY_CLEANUP when closing a smb2 directory handle
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-06 22:33:19 +02:00
Stefan Metzmacher
9eb64502f0 s3:winbindd: list users/groups of our own domain as AD DC
The AD users/groups of the local domain of an AD DC
only exist via winbindd and not in /etc/passwd or /etc/group.

This also matches the behaviour of the source4/winbind code.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11183

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-05-06 01:22:14 +02:00
Andrew Bartlett
4aa2246dd9 selftest: Run more winbind tests against more environments
This ensures we still test the internal winbind on the AD DC
and winbindd as a member server.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-05-06 01:22:14 +02:00
Stefan Metzmacher
419910532f s3:winbindd: don't remove the DOMAIN\ prefix for principals of our own domain as AD DC
This also matches the behaviour of the source4/winbind code.

In Samba 4.0 and 4.1 we had the following

> getent passwd administrator
S4XDOM\Administrator:*:0:100::/home/S4XDOM/Administrator:/bin/false
> getent passwd S4XDOM\\administrator
S4XDOM\Administrator:*:0:100::/home/S4XDOM/Administrator:/bin/false

With Samba 4.2.0 we have:

> getent passwd administrator
administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
> getent passwd S4XDOM\\administrator
administrator:*:0:100::/home/S4XDOM/administrator:/bin/false

With the patches we have:

> getent passwd administrator
S4XDOM\administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
> getent passwd S4XDOM\\administrator
S4XDOM\administrator:*:0:100::/home/S4XDOM/administrator:/bin/false

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11183

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-06 01:22:14 +02:00
Jeremy Allison
9d7ecb9fc3 s4: torture: Test for incorrect file size returned in the response of "FILE_SUPERSEDE Create".
https://bugzilla.samba.org/show_bug.cgi?id=11240

Signed-off-by: Kenny Dinh <kdinh@peaxy.net>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <rb@sernet.de>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr 30 22:12:22 CEST 2015 on sn-devel-104
2015-04-30 22:12:22 +02:00
Stefan Metzmacher
ff5f466825 selftest/knownfail: remove unused ^samba4.winbind.struct.show_sequence\(ad_dc\) line
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-04-09 16:58:23 +02:00
David Disseldorp
5c166d5cdb selftest: run the FSRVP test suite against s3fs
With FSRVP server support now present along with suitable mock-up test
infrastructure, run the FSRVP test suite against s3fs.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-31 18:40:25 +02:00
Stefan Metzmacher
1e782d9695 s4:torture/rpc: sync test_LogonControl2Ex with test_LogonControl2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Stefan Metzmacher
30cb12e7d2 s4:torture/rpc: let rpc.netlogon.admin pass against windows 2012r2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Stefan Metzmacher
038659dcbb s3:rpc_server/netlogon: improve the netr_LogonControl*() error returns
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Stefan Metzmacher
01cb90ad12 s4:torture/rpc: don't use the same names for 3 different tests
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Michael Adam
c157baa4b9 selftest: rename env s3dc to nt4_dc
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-16 23:04:47 +01:00
Michael Adam
25f9ebf270 selftest: rename env s3member to ad_member.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-16 23:04:46 +01:00
Michael Adam
3de5abb954 selftest: rename env dc to ad_dc_ntvfs
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-16 23:04:46 +01:00
Michael Adam
902aa3c710 selftest: rename env plugin_s4_dc to ad_dc
This is the environment that represents our supported production
setup of an active directory domain controller.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-16 23:04:46 +01:00
Michael Adam
79b927ac9e selftest: modify python.samba.test.posixacl to cope with nss_winbind active
It was observed that adding libnss_winbind (via nss_wrapper) lets
the posix acl mapping come out slightly differently with respect
to the owner/domain admin who is not explicitly nailed down in
the original NT acl.

This patch extends the test to react to the presence of
nss_winbind in environment and adapts the expected results.
This in particular fixes the run of the test against the
(changed) plugin_s4_dc environment while keeping the possibility
to successfully run it against an env without nss_winbind.

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
2015-03-12 14:35:06 +01:00
Michael Adam
f5a0ccc228 selftest: re-enable nsswrapper integration testing for dc and member environments.
There are some failures:

- The dc environment fails consistently due to duplicate uid,
  (for the calling user and the domain administrator).
  ==> Marked as knownfail.

- The s3member environment only fails under very strange
  circumstances:
  - one needs to run the unix.whoami test in the
    member and s3member environment for the local.nss
    test to fail in the s3member:local env. The failure
    is then related to builtin administrators sharing
    a gid with a different group.
    --> This is really really strange!!!
    ==> Marked as knownfail.

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Mar  2 19:50:55 CET 2015 on sn-devel-104
2015-03-02 19:50:55 +01:00