1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

4205 Commits

Author SHA1 Message Date
Stefan Metzmacher
fd6e9855c3 dcesrv_core: introduce dcesrv_connection->transport_max_recv_frag
The max fragment size depends on the transport.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 09e8dd23ce)
2024-11-07 08:18:16 +00:00
Stefan Metzmacher
71aad11c2c tests/dcerpc/raw_protocol: run test_neg_xmit_ffff_ffff over tcp and smb
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a2d894fd37)
2024-11-07 08:18:16 +00:00
Stefan Metzmacher
74b127d037 dcesrv_core: disconnect after a fault with non AUTH_LEVEL_CONNECT bind
Without an auth context using DCERPC_AUTH_LEVEL_PACKET or higher
the fault to reject requests with an invalid auth level
should trigger a disconnect after sending the fault to
the client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 31c2f35bba)
2024-11-07 08:18:16 +00:00
Stefan Metzmacher
d095ad71cc s4:selftest: only run ad_member with AUTH_LEVEL_CONNECT_LSA=1
We only want to test against
'allow dcerpc auth level connect:lsarpc = yes' once
in order to have the related code tests.
We use the ad_memeber for that special test and
use the default on the tested ADDC.

This reveals some knownfails, which will be fixed in
the next commit...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 93bd5ba609)
2024-11-07 08:18:16 +00:00
Stefan Metzmacher
2d2d5f675d s4:tortore/rpc: let rpc.backupkey without privacy pass against Windows 2022
The server disconnects after the first fault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8c6b5b8743)
2024-11-07 08:18:16 +00:00
Stefan Metzmacher
24e89430b1 s3:smbd: avoid false positives for got_oplock and have_other_lease in delay_for_oplock_fn
stat opens should not cause a oplock/lease downgrade if
they don't have a lease attached to itself.

Note that opens broken to NONE still count if they are
non-stat opens...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Oct 10 13:59:18 UTC 2024 on atb-devel-224

(cherry picked from commit dd5b9e08c7)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Oct 14 10:52:03 UTC 2024 on atb-devel-224
2024-10-14 10:52:03 +00:00
Stefan Metzmacher
1e9bd54ef0 s3:smbd: allow reset_share_mode_entry() to handle more than one durable handle
This means that multiple durable handles with RH leases can
co-exist now... Before only the last remaining durable handle
was able to pass the SMB_VFS_DURABLE_DISCONNECT() step.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b1e5f5d8d2)
2024-10-14 09:28:21 +00:00
Stefan Metzmacher
11903eb476 s4:torture/smb2: add smb2.durable-v2-open.{keep,purge}-disconnected-* tests
These demonstrate which durables handles are kept and which are purged
because of various opens, writes or renames.

smb2.durable-v2-open.keep-disconnected-rh-with-stat-open
smb2.durable-v2-open.keep-disconnected-rh-with-rh-open
smb2.durable-v2-open.keep-disconnected-rh-with-rwh-open
smb2.durable-v2-open.keep-disconnected-rwh-with-stat-open

smb2.durable-v2-open.purge-disconnected-rwh-with-rwh-open
smb2.durable-v2-open.purge-disconnected-rwh-with-rh-open
smb2.durable-v2-open.purge-disconnected-rh-with-share-none-open
smb2.durable-v2-open.purge-disconnected-rh-with-write
smb2.durable-v2-open.purge-disconnected-rh-with-rename

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15708

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 9e98cd5c7a)
2024-10-14 09:28:21 +00:00
Stefan Metzmacher
02a4ccfb32 s4:torture/smb2: add smb2.durable-v2-open.{[non]stat[RH]-and,two-same,two-different}-lease
These show that it's possible to have durable handles in addition
of stat opens, as well as multiple durable opens with RH leases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 77c7741f39)
2024-10-14 09:28:21 +00:00
Stefan Metzmacher
041f15c8a8 s3:smbd: only store durable handles with byte range locks when having WRITE lease
This simplifies the reconnect assumptions, when we want to allow
more than one durable handle on a file for multiple clients with
READ+HANDLE leases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0893ae8818)
2024-10-14 09:28:21 +00:00
Stefan Metzmacher
ad0fb08546 s4:torture/smb2: add smb2.durable-v2-open.lock-{oplock,lease,noW-lease}
This demonstrates that a W lease is required for a
durable handle to be durable when it has byte range locks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8884d61731)
2024-10-14 09:28:21 +00:00
Stefan Metzmacher
6ea02f3765 s4:torture/smb2: add smb2.durable-open.lock-noW-lease
This demonstrates that a W lease is required for a
durable handle to be durable when it has byte range locks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1cc1586d84)
2024-10-14 09:28:21 +00:00
Ralph Boehme
630c870eef smbd: remove just created sharemode entry in the error codepaths
Without this we leave stale sharemode entries around that can lead to all sorts
of havoc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15624

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Sep 19 19:36:19 UTC 2024 on atb-devel-224

(cherry picked from commit 2ff3b9bc0d)
2024-10-02 14:35:10 +00:00
Stefan Metzmacher
4e419975cc s3:tests: let test_durable_handle_reconnect.sh run smb2.durable-v2-regressions.durable_v2_reconnect_bug15624
This demonstrates the dead lock after a durable reconnect failed
because the stat info changed, the file can't be accessed anymore
as we leak the incomplete share mode entry in a still running
process.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15624

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 14875448ca)
2024-10-02 14:35:10 +00:00
Stefan Metzmacher
dc0f69fd13 s4:torture/smb2: add smb2.durable-v2-regressions.durable_v2_reconnect_bug15624
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15624

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit ef4ef04e7f)
2024-10-02 14:35:10 +00:00
Ralph Boehme
9559c00d06 smbd: use metadata_fsp(fsp) in copy_access_posix_acl() for SMB_VFS_SYS_ACL_SET_FD
When inherting permissions on the created stream, we call into the VFS to fetch
the streams security descriptor via inherit_access_posix_acl() ->
copy_access_posix_acl() -> SMB_VFS_SYS_ACL_SET_FD() passing the stream fsp which
triggers the assert SMB_ASSERT(!fsp_is_alternate_stream(fsp)) in
vfswrap_sys_acl_set_fd() in vfs_default.

Just passing the base fsp to the VFS fixes this.

vfs_streams_depot which *does use* distinct backend filesystem files for the
streams, currently does not apply permissions to the stream files at all, so the
incomplete behaviour of vfs_streams_depot is not affected by this change.

If in the future someone want to fix this defficiency in vfs_streams_depot, the
module code can use fsp->stream_fsp to base decisions in VFS ops whether the
module should carry out some action.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15695

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Sep  2 08:55:28 UTC 2024 on atb-devel-224

(cherry picked from commit ecb8a99a2c)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Fri Sep  6 15:26:57 UTC 2024 on atb-devel-224
2024-09-06 15:26:57 +00:00
Ralph Boehme
a60419838b smbtorture: test creating stream doesn't crash when using "inherit permissions = yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15695

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 0983560830)
2024-09-06 14:04:09 +00:00
David Disseldorp
9e2c58c7d3 smb2_ioctl: fix truncated FSCTL_QUERY_ALLOCATED_RANGES responses
As per MS-FSA 2.1.5.10.22 FSCTL_QUERY_ALLOCATED_RANGES, if response
range entries exceed in_max_output, then we should respond with
STATUS_BUFFER_OVERFLOW and a truncated output buffer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15699

Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Aug 28 08:54:11 UTC 2024 on atb-devel-224

(cherry picked from commit 5e278a5264)
2024-09-02 12:37:12 +00:00
David Disseldorp
7cf02a523a s4:torture/smb2: test FSCTL_QUERY_ALLOCATED_RANGES truncation
FSCTL_QUERY_ALLOCATED_RANGES responses with more than one range should
be truncated to account for a ioctl.smb2.in.max_output_response limit.
Add a test for this.

Flag the new test knownfail; fix in subsequent commit.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 5cf57f1f53)
2024-09-02 12:37:12 +00:00
Jule Anger
7d68c0adcf Revert "s4:torture/smb2: test FSCTL_QUERY_ALLOCATED_RANGES truncation"
This reverts commit 13470db5f70a194a098339148c247a79776a774c.

Wrong patchset applied. This is the one for 4.21. The correct patchset
will be the subsequent commits.

See: https://bugzilla.samba.org/show_bug.cgi?id=15699

Signed-off-by: Jule Anger <janger@samba.org>
2024-09-02 12:37:12 +00:00
Jule Anger
78ca7d3914 Revert "smb2_ioctl: fix truncated FSCTL_QUERY_ALLOCATED_RANGES responses"
This reverts commit 4bb2b46bac8dad426e1b2f0942ded6908c47f7d5.

Wrong patchset applied. This is the one for 4.21. The correct patchset
will be the subsequent commits.

See: https://bugzilla.samba.org/show_bug.cgi?id=15699

Signed-off-by: Jule Anger <janger@samba.org>
2024-09-02 12:37:12 +00:00
David Disseldorp
72aa92c67d smb2_ioctl: fix truncated FSCTL_QUERY_ALLOCATED_RANGES responses
As per MS-FSA 2.1.5.10.22 FSCTL_QUERY_ALLOCATED_RANGES, if response
range entries exceed in_max_output, then we should respond with
STATUS_BUFFER_OVERFLOW and a truncated output buffer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15699

Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Aug 28 08:54:11 UTC 2024 on atb-devel-224

(cherry picked from commit 5e278a5264)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Fri Aug 30 09:01:54 UTC 2024 on atb-devel-224
2024-08-30 09:01:54 +00:00
David Disseldorp
f22c56b06e s4:torture/smb2: test FSCTL_QUERY_ALLOCATED_RANGES truncation
FSCTL_QUERY_ALLOCATED_RANGES responses with more than one range should
be truncated to account for a ioctl.smb2.in.max_output_response limit.
Add a test for this.

Flag the new test knownfail; fix in subsequent commit.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit 5cf57f1f53)
2024-08-30 07:58:15 +00:00
Stefan Metzmacher
0bd26677e6 s3:smb2_server: return NT_STATUS_NETWORK_SESSION_EXPIRED for compound requests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15696

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 13 22:29:28 UTC 2024 on atb-devel-224

(cherry picked from commit 4df1bfd070)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Aug 20 12:47:54 UTC 2024 on atb-devel-224
2024-08-20 12:47:54 +00:00
Stefan Metzmacher
6a416edfa2 s4:torture/smb2: let smb2.session.expire2* also check compound requests
This shows that all compound related requests should get
NT_STATUS_NETWORK_SESSION_EXPIRED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15696

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f6009aa73b)
2024-08-20 11:36:13 +00:00
Douglas Bagnall
d6f010090c cmdline:burn: list commands to always burn; warn on unknown
We burn arguments to all unknown options containing "pass" (e.g.
"--passionate=false") in case they are a password option, but is bad
in the case where the unknown option takes no argument but the next
option *is* a password (like "--overpass --password2 barney". In that
case "--password2" would be burnt and not "barney".

The burning behaviour doesn't change with this commit, but users will now
see an error message explaining that the option was unknown. This is not
so much aimed at end users -- for who an invalid option will hopefully
lead to --help like output -- but to developers who add a new "pass"
option.

This also slightly speeds up the processing of known password options,
which is a little bit important because we are in a race to replace the
command line in /proc before an attacker sees it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jul 10 06:28:08 UTC 2024 on atb-devel-224

(cherry picked from commit 8684368541)
2024-07-23 07:33:12 +00:00
Douglas Bagnall
93d345467e cmdline: samba-tool test for bad option warning
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
(cherry picked from commit d2b119e34b)
2024-07-23 07:33:12 +00:00
Douglas Bagnall
8560c854d4 cmdline:burn: explicitly burn --username
This is the long form of -U in samba-tool.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
(cherry picked from commit 63a83fb7bb)
2024-07-23 07:33:12 +00:00
Douglas Bagnall
6bcdbdab57 cmdline: test_cmdline tests more burning
We have more secret arguments, like --client-password, --adminpass,
so we are going to use an allowlist for options containing 'pass', but
we don't want to burn the likes of --group=passionfruit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
(cherry picked from commit c4df89e964)
2024-07-23 07:33:12 +00:00
Douglas Bagnall
916d5bde84 cmdline:burn: handle arguments separated from their --options
We weren't treating "--password secret" the same as "--password=secret",
which sometimes led to secrets not being redacted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
(cherry picked from commit 53a1184525)
2024-07-23 07:33:12 +00:00
Douglas Bagnall
f900e532c3 cmdline:tests: extend cmdline_burn tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
(cherry picked from commit 05128a1f5f)
2024-07-23 07:33:12 +00:00
Douglas Bagnall
9cbb5bdd33 selftest: run the cmdline tests that we already have
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
(cherry picked from commit f17a2b1b25)
2024-07-23 07:33:12 +00:00
Stefan Metzmacher
16b430e740 s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 065da87329)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Jul  9 10:53:40 UTC 2024 on atb-devel-224
2024-07-09 10:53:40 +00:00
Stefan Metzmacher
ac22551de3 selftest: split out selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6794cc4762)
2024-07-09 09:54:15 +00:00
Stefan Metzmacher
7f2e3839f2 s4:ldap_server: add support for tls channel bindings
ldap server require strong auth = allow_sasl_over_tls
is now an alias for 'allow_sasl_without_tls_channel_bindings'
and should be avoided and changed to 'yes' or
'allow_sasl_without_tls_channel_bindings'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6c17e3d280)
2024-07-09 09:54:15 +00:00
Douglas Bagnall
52fc65513f selftest: move some more expected failures to expectedfail.d
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 10 06:15:46 UTC 2024 on atb-devel-224

(cherry picked from commit 60df2a09a4)
2024-07-09 09:54:15 +00:00
Jo Sutton
bff728a842 third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
This lets us match the Windows FAST reply when the password is expired.

Windows clients were upset by the NTSTATUS field in the edata,
apparently interpreting it to mean “insufficient resource”.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit fe90576871)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Jul  3 10:06:33 UTC 2024 on atb-devel-224
2024-07-03 10:06:32 +00:00
Jo Sutton
41c8a42c8a tests/krb5: Add tests for errors produced when logging in with unusable accounts
Heimdal matches Windows in the no‐FAST case, but produces NTSTATUS codes
when it shouldn’t in the FAST case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c5ee0b60b2)
2024-07-03 08:49:13 +00:00
Stefan Metzmacher
fc318c63e5 auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts
We only turn desired into off in the NT4 domain member case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224

(cherry picked from commit 5b40cdf6e8)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Jun 19 14:07:17 UTC 2024 on atb-devel-224
2024-06-19 14:07:17 +00:00
Stefan Metzmacher
cccd9c95c8 testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos
This shows that they are ignored for machine accounts as domain member.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit db2c576f32)
2024-06-19 13:00:11 +00:00
Stefan Metzmacher
64d7108cdd vfs_recycle: fix memory hierarchy
If the configuration is reloaded strings and string lists
in recycle_config_data could become stale pointers
leading to segmentation faults...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 2175856fef)
2024-06-19 13:00:11 +00:00
Stefan Metzmacher
cf22968a8a TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()
Forcing a reload of the smb.conf option values means the pointer learned
in vfs_recycle_connect() become stale.

This will be reverted at the end of the patset again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 6467c47cbe)
2024-06-19 13:00:11 +00:00
Stefan Metzmacher
b3ce5a8648 vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send
If a client for whatever reason calls FSCTL_SRV_COPYCHUNK[_WRITE] without
FSCTL_SRV_REQUEST_RESUME_KEY, we call vfswrap_offload_write_send
before vfswrap_offload_read_send.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jun 17 18:02:27 UTC 2024 on atb-devel-224

(cherry picked from commit 462b74da79)
2024-06-19 13:00:11 +00:00
Stefan Metzmacher
d7e0b5933f s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
(cherry picked from commit 372476aeb0)
2024-06-19 13:00:11 +00:00
Noel Power
5b90acbef1 s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
This patch also removes known fail for existing test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224

(cherry picked from commit 788ef8f07c)
[noel.power@suse.com backported to Samba 4.20 minor change to use
   4.20 create_open_symlink_err fn instead of read_symlink_reparse]

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Jun 18 08:33:30 UTC 2024 on atb-devel-224
2024-06-18 08:33:30 +00:00
Noel Power
4b4b0152fd selftest: Add a python blackbox test for some misc (widelink) DFS tests
On master attempting to chdir into a nested dfs link

e.g. cd dfslink (works)
     cd dfslink/another_dfslink (fails)

[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
  enabled share

Add knownfails for tests 1 and 3

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
(cherry picked from commit 7f1de90f72)
2024-06-18 07:30:11 +00:00
Stefan Metzmacher
df54d3fdda s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun  6 03:18:16 UTC 2024 on atb-devel-224

(cherry picked from commit ed61c57e02)
2024-06-18 07:30:11 +00:00
Stefan Metzmacher
89817ed216 s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.

Note: this is a only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 76fec2668e)
2024-06-18 07:30:11 +00:00
Stefan Metzmacher
f663b38615 s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5906ed94f2)
2024-06-18 07:30:11 +00:00
Stefan Metzmacher
3b36f44704 s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ae7538af04)
2024-06-18 07:30:11 +00:00