IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Now that check_any_access_fsp() is broadly used consistently to
restrict access for all modifying operations, we can add a check for
previous versions to check_any_access_fsp() and it gets enforced
consistently.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Frankly, I can't remember why I added this as part of bug 13688. The
goal of the corresponding test is to verify a write on a read-only
file handle fails. As the file is opened O_RDONLY, the write will fail
anyway and there's no need to inject the error.
To make things worse, having the error injected meant we didn't notice
when the underlying logic of forcing the open to be done with O_RDONLY
was done as O_RDWR, resulting in the write on the handle to succeed.
This happened when we introduced reopen_from_fsp(): the initial
pathref open of a path with a twrp value was correctly detected and
handled by shadow_copy2_openat(). However, when converting the pathref
open to a real one via reopen_from_fsp(), shadow_copy2_openat() only
sees the magic /proc/fd path and has no way of inferring that this was
originating from a prevous version open with a twrp value.
Tl;dr: we can just remove this error injection, it is not needed, the
correct fix is to implement this in the SMB layer which is done in the
subsequent commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15544
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 2 20:37:01 UTC 2024 on atb-devel-224
Right now we can't traverse a subdirectory in a snapshot which was
deleted in the current set of files.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15544
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 21 21:19:30 UTC 2023 on atb-devel-224
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This will return the previous password, but the pattern is to include
the option in the returned attribute name, so we need to use
vatter["raw_attr"], not 'a'.
This changes the behaviour for the ;rounds= option used when we hold
the plaintext password (possibly under GPG encryption).
This is now consistant with other parameters in the LDAP attribute,
and is now included in the returned attribute name.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This is consistant with ;format= support for time attributes and
other users of this parameter style elsewhere in LDAP.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
A side effect of being able to generate at read time unicodePwd for a gMSA is that we can also generate the unicodePwd from a virtualSambaGPG password.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This pre-hashed value may be more practical to use than the random "UTF-16"
password. In particular it is easy to compare with the DB values.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
If a client connects to a non-public address first followed by a connect
to public address with the same client_guid and a connection to
the non-public address gets disconnected first, we hit by a use-after-free
talloc_get_type_abort() called from release_ip() as
"xconn" is already gone, taking smbd_release_ip_state with it.
We need to decide between calling ctdbd_unregister_ips() by default, as
it means the tcp connection is really gone and ctdb needs to remove the
'tickle' information. But when a connection was passed to a different
smbd process, we need to use ctdbd_passed_ips() as the tcp connection is
still alive and the 'tickle' information should not be removed within
ctdb.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
This demonstrates the crash that happens if a client connects to a
non-public address first followed by a connect
to public address with the same client_guid and a connection to
the non-public address gets disconnected first, we hit by a
use-after-free talloc_get_type_abort() called from release_ip() as
"xconn" is already gone, taking smbd_release_ip_state with it.
Note that we also need to mark some subtests as flapping
as there's a 2nd problem that happens in the interaction
between smbd processes and ctdb when passing a multichannel
connection to an existing process, it means we sometimes
loose the 'tickle' information within ctdb to that tcp connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
From the file itself:
> # The fl2000dc environment is provisioned with the --plaintext-secrets option
> # running the ecnrypted secrets tests on it and expecting them to fail.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These tests have been set up to fail by smb.conf options, partly
in order to test those options.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These tests are expected to fail because the handling of GET_ANC has
deliberately been degraded in this environment (in order to test an
upgrade path, long story).
> We now show this is in effect by the fact that tests now fail.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
To quote the original commit:
> Note that the rpc.echo tests for the testallowed and testdenied users
> fail, because we don't backup the secrets for these users. So these
> tests failing proves that the lab-DC testenv is correct.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec 1 08:06:44 UTC 2023 on atb-devel-224
If it is a wire claim (which is probably most common), the checking
and sorting has already happened. We don't need to make a copy to
sort and check.
In either case, there is still a copy step to make the conditional ACE
token.
This shuffles around some knownfails because the claim_v1_copy()
function we were using is checking for duplicates, which we don't
always want. That will be fixed soon.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This roughly returns things to where they were a few commits ago, with
the claims being checked for uniqueness.
The difference is the claims will be sorted afterwards, and the
uniqueness check will be far more efficient on large claims.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This changes the behaviour when one of the strings is NULL. Previously
a single NULL string would be ignored, and two would cause an error.
That will be restored in the next commit.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
And we allocate all the values together as an array, because
we might as well.
This and the next couple of commits might look like steps backwards,
and they are, but they allow us to get a run-up to leap over a big
fence.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Our composite comparisons are currently all wrong.
Soon they will be fixed, but we are going to have an inflection point
where we switch from the naive compare-everything approach to a sort
based comparison, and we want to test both sides. Also, we use these
tests for a little bit of timing, which reveals it is all fast enough.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We had two sets of test vectors (Windows ground-truth for SDDL
compilation) that got mixed up.
The "oversized ACLs" set is ACLs that contain repeated ACEs, like
"D:P(D;;;;;MP)(D;;;;;MP)" -- Windows will assign a size to the ACL
that is greater than the sum of the ACEs, while Samba will not (in
part because we don't actually store a size for the ACL, instead
calculating it on the fly from the size of the ACEs).
The "TX integers" set is for resource attribute ACEs with octet-string
data that contains pure integers (lacking '#' characters) in their
SDDL, like «(RA;;;;;WD;("bar",TX,0x0,0077,00,0077,00))». We used to
think that was weird, and that RA-TX ACEs should contain octet-strings
in the conditional ACE style. But now we have realised it's not weird,
it's normal, and we have fixed our handling of these ACEs.
As a result of this mix-up, some of the tests labelled as "oversized
ACLs" started passing when we fixed the TX integer problem, and that
was confusing. All of the removed tests are already on the TX integer
set -- the removed ones were duplicates.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We are going to parse octet strings like Windows (as opposed to like
Windows docs), so the tests need changing.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Nov 23 00:32:33 UTC 2023 on atb-devel-224
When returning WERR_MORE_DATA the winreg server needs to indicate the
required buffer size.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 20 04:50:00 UTC 2023 on atb-devel-224
When returning WERR_MORE_DATA the winreg server needs to indicate the
required buffer size.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows the usage test to pass on our CI hosts without
python-crypto and not uxsuccess on hosts with it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The wrong number of semicolons is usually one less than count (which
counts sections separated by semicolons), except when count is zero.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The knownfail will stay around for a few commits, because the message
we get is slightly wrong.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Given two opens on a file:
1. Windows open with delete-on-close
2. POSIX open with delete-on-close set
When handle 1 is closed processing in has_other_nonposix_opens_fn() will not
delete the file as (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) is false, so
has_other_nonposix_opens() will return true which is wrong.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15517
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 13 19:34:29 UTC 2023 on atb-devel-224
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 9 09:01:25 UTC 2023 on atb-devel-224
