1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

109326 Commits

Author SHA1 Message Date
Volker Lendecke
fe736f246b rpcclient: Remove sam_sync related commands
These three commands don't use the netlogon credential chain
correctly. They are missing the netlogon_creds_store after the dcerpc
call, so they destroy the correct use of the netlogon creds.

The only valid server for these calls that I know of would be NT4, and
that should be gone long ago.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-09-20 22:48:15 +02:00
Richard Sharpe
2d97c8a4a5 Make sure smbtorture tests can run if someone has set their min protocol above NT1.
This code is SMB1 only, and already modifies
maxprotocol, so this change is appropriate.

Signed-off-by: Richard Sharpe <richard.sharpe@primarydata.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-09-20 22:48:15 +02:00
Jeremy Allison
b092ed3842 CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Wed Sep 20 17:06:23 CEST 2017 on sn-devel-144
2017-09-20 17:06:23 +02:00
Stefan Metzmacher
35051a860c CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
With forced encryption or required signing we should also don't fallback.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Stefan Metzmacher
22e22d8f49 CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Stefan Metzmacher
7074a1b7e0 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Stefan Metzmacher
6ca2cfaff9 CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server()
It's important that we use a signed connection to get the GPOs!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Stefan Metzmacher
9c1ead502b CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Stefan Metzmacher
52d967e161 CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
This is an addition to the fixes for CVE-2015-5296.

It applies to smb2mount -e, smbcacls -e and smbcquotas -e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Stefan Metzmacher
44b47f2bae CVE-2017-12150: s3:popt_common: don't turn a guessed username into a specified one
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Stefan Metzmacher
3d1c488c81 CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on()
This will keep enforced encryption across dfs referrals.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Stefan Metzmacher
ace72741ad CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function
This allows to check if the current cli_state uses encryption
(either via unix extentions or via SMB3).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Andrew Bartlett
ee4418e73f dsdb: Only trigger a re-index once per @INDEXLIST modification
A modify of both @INDEXLIST and @ATTRIBUTES will still trigger two re-index passes
but that is a task for later.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9527

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 20 12:29:49 CEST 2017 on sn-devel-144
2017-09-20 12:29:49 +02:00
Andrew Bartlett
da575f0131 selftest: sort dbcheck output to avoid sort order impacting results
The GUID index code will change the returned results order

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-09-20 08:15:22 +02:00
Andrew Bartlett
9e9a8d8f88 s4-dnsserver: Check for too many DNS results
If we had this check in when the wildcard DNS tests were written, we would have
noticed that the name needed to be escaped (see previous commit).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12994
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-09-20 08:15:21 +02:00
Andrew Bartlett
c174702107 s4-dnsserver: Always encode user-supplied names when looking up DNS records
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12994

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-09-20 08:15:21 +02:00
Garming Sam
3e1870c26c kcc: Remove unused, untested KCC code
This code tries to implement the full KCC algorithm, but never
actually worked correctly.

Removing this doesn't affect the full-mesh KCC. This code only
attempted to calculate a graph using the "proper" algorithm, though it
neglected to write its results back into the database. The full-mesh
calculation occurs elsewhere.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Sep 20 06:28:07 CEST 2017 on sn-devel-144
2017-09-20 06:28:07 +02:00
Andrew Bartlett
dd53be2756 ldap_server: Plumb ldb error string from a failed connect to ldapsrv_terminate_connection()
However, do not plumb it to the client-seen error string, as it could contain server paths.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-20 02:25:30 +02:00
Andrew Bartlett
c1e41d489d samdb: Rework samdb_connect_url() to return LDB error code and an error string
This allows debugging of why the LDB failed to start up.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-20 02:25:30 +02:00
Andrew Bartlett
6c28abc249 ldb: Release 1.2.3
* Bug #13033 LDB open with LDB_FLG_RDONLY can cause the database
   to fail to open

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13033

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-20 02:25:30 +02:00
Gary Lockyer
f5f3657c48 ldb: Add tests for read only behaviour
As the kernel is no longer enforcing the read-only DB
add some tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13033

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-20 02:25:30 +02:00
Andrew Bartlett
22854f9b8d ldb_tdb: Change ltdb_connect() NOT to request a kernel-level read only TDB
We support opening and LDB multiple times in a process, but do not support this in tdb.

As we can open the ldb with different flags, we must ensure a later read-write
open is possible.

Additionally, a read-only TDB will refuse the all-record lock, preventing
the ldb from even loading.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13033

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-20 02:25:30 +02:00
Andrew Bartlett
13777d35d0 ldb_tdb: Give a debug message as well as setting the error string if prepare_commit() fails
This is a serious condition, and should be logged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13033

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-20 02:25:30 +02:00
Andrew Bartlett
75e88e40a2 ldb_tdb: Map TDB error codes into LDB error codes in ltdb_lock_read()
The ltdb_lock_read() routine did not return an LDB error code, but -1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13033

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-20 02:25:30 +02:00
Martin Schwenke
24996c60aa ctdb-tools: Fix a typo for a talloc context
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Sep 19 17:31:18 CEST 2017 on sn-devel-144
2017-09-19 17:31:18 +02:00
Martin Schwenke
c715da3bdb ctdb-tools: Add debug to ctdb_killtcp
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:27 +02:00
Martin Schwenke
8fb6c1adb0 ctdb-tools: Move special case of 0 connections into computation
This avoids other potential users from unnecessarily setting up file
descriptors and such.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:27 +02:00
Martin Schwenke
fd54d47875 ctdb-tools: Rework killtcp logic into a tevent_req-based computation
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:27 +02:00
Martin Schwenke
44cdda4ee0 ctdb-tools: New function ctdb_kill_tcp_init()
This replaces ctdb_killtcp(), which did the initialisation inside a
loop.  The new logic is inverted, making it more natural.

The variable containing all the state is called "state" in
anticipation of the next commit that will convert this to a tevent_req
computation.  This will mean less churn.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:27 +02:00
Martin Schwenke
3f78dddea9 ctdb-tools: Improve error handling
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:27 +02:00
Martin Schwenke
7a2db5410f ctdb-tools: Drop global variable prog
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:27 +02:00
Martin Schwenke
6ac5cb4eaf ctdb-tools: Use db_hash in ctdb_killtcp
One less use of trbt_tree_t.  The code is easier to read and is
significantly smaller.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:27 +02:00
Martin Schwenke
c355fd979a ctdb-tools: Use ctdb_connection and ctdb_connection_list structs
Also use new connection and sock addr utilities.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:27 +02:00
Martin Schwenke
6d9fef467c ctdb-protocol: Add ctdb_connection_list utilities
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:27 +02:00
Martin Schwenke
e50cb8cb52 ctdb-protocol: Add marshalling for ctdb_connection_list
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:26 +02:00
Martin Schwenke
d6f9cd19fd ctdb-protocol: Add new data structure ctdb_connection_list
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:26 +02:00
Martin Schwenke
ef676d5acf ctdb-protocol: Add ctdb_connection utilities
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:26 +02:00
Martin Schwenke
285020360a ctdb-protocol: Factor out static function ctdb_sock_addr_cmp_family()
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:26 +02:00
Martin Schwenke
6f1b1a05fb ctdb-protocol: Add ctdb_sock_addr_from_string()
This and the supporting functions duplicate functionality (parse_ip()
and parse_ip_port()) from common/system_util.c.  The old functions
will be removed at a later time.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:26 +02:00
Martin Schwenke
93668f5026 ctdb-protocol: Optionally print port for address printing functions
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:26 +02:00
Martin Schwenke
de9f05e8fe ctdb-protocol: Add utility function ctdb_sock_addr_to_buf()
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:26 +02:00
Martin Schwenke
22de111ebf ctdb-protocol: Add ctdb_sock_addr_port() and sock_addr_set_port()
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:26 +02:00
Martin Schwenke
eb32b8d3a0 ctdb-protocol: Add server and client aliases in ctdb_connection
The current code is ambiguous in its use of src and dst.  This allows
new code to use server and client for clarity.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2017-09-19 13:30:26 +02:00
Martin Schwenke
3816270c76 ctdb-common: Initialise socket addresses before reading into them
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:26 +02:00
Martin Schwenke
3783b66fb3 ctdb-build: Split protocol-util as a separate subsystem
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:26 +02:00
Martin Schwenke
2550a88e2f ctdb-build: Fix dependency for ctdbd
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 13:30:26 +02:00
Günther Deschner
2c745cfac5 s4-torture: move lease break handler outside the lease testsuite.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Jose A. Rivera <jarrpa@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Sep 19 09:36:40 CEST 2017 on sn-devel-144
2017-09-19 09:36:40 +02:00
Martin Schwenke
68c3ea773b selftest: Avoid a build started just before midnight failing
It looks like commit 070f24bc9d was incomplete because it doesn't
match on the trailing fullstop and newline.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Sep 19 05:32:22 CEST 2017 on sn-devel-144
2017-09-19 05:32:22 +02:00
Martin Schwenke
b0244d46b5 Revert "ctdb-daemon: Don't explicitly stop monitoring during shutdown"
This reverts commit 19318d2835.

With this commit, a shutdown that occurs while the startup event is
running can cause an abort because the startup callback will try to
decrease the run state from SHUTDOWN to RUNNING.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 01:28:13 +02:00
Martin Schwenke
d0d805977f Revert "ctdb-daemon: Remove unused function ctdb_stop_monitoring()"
This reverts commit b119104267.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2017-09-19 01:28:13 +02:00