author | Gerald Carter <jerry@samba.org> | 2004-08-16 15:33:20 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2004-08-16 15:33:20 +0000 |
commit | 3563bd6e6496dcd10477e44294d8b783988d325b (patch) | |
tree | b0e78c24ccbb27dfa79988695c7c7a683b5df202 | |
parent | 40ea2b654c892beaf4f9e0248a3eb76f7f3b3aae (diff) | |
download | samba-3563bd6e6496dcd10477e44294d8b783988d325b.tar.gz |
r1835: sync up logon hours changes with 3.0 tree (and update release notes)
-rw-r--r-- | WHATSNEW.txt | 691 | ||||
-rw-r--r-- | examples/LDAP/samba.schema | 7 | ||||
-rw-r--r-- | source/include/smbldap.h | 1 | ||||
-rw-r--r-- | source/lib/smbldap.c | 1 | ||||
-rw-r--r-- | source/passdb/passdb.c | 51 | ||||
-rw-r--r-- | source/passdb/pdb_ldap.c | 23 | ||||
-rw-r--r-- | source/utils/pdbedit.c | 33 |
7 files changed, 396 insertions, 411 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b53ffe549aa..558656aec02 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,31 +1,71 @@ - ================================ - Release Notes for Samba 3.0.6rc2 - Aug 5, 2004 - ================================ - -This is a release candidate snapshot of the Samba 3.0.5 code -base and should be considered for testing only. A release -candidate (RC) means that we are close to the final, stable -release and in provided for Quality Assurance (QA) purposes. -This release is *not* intended for production servers. Use -at your own risk. + ============================= + Release Notes for Samba 3.0.6 + Aug XX, 2004 + ============================= -There have been several bug fixes since the 3.0.4 release that -we feel are important to make available to the Samba community -for wider testings. See the "Changes" section for details on -exact updates. +This is the latest stable release of Samba. This is the version +that production Samba servers should be running for all +current bug-fixes. There have been several issues fixes since +the 3.0.4/5 release and new features have been added as well. +See the "Changes" section for details on exact updates. -Common bugs fixed in 3.0.6rc2 include: +Common bugs fixed in 3.0.6 include: + o Schannel failure in winbindd. + o Numerous memory leaks. + o Incompatibilities between the 'write list' and 'force user' + smb.conf options. + o Premature optimization of the open_directory() internal + function that broke tools such as the ArcServe backup + agent, Macromedia HomeSite, and Robocopy. + o Corrupt workgroup names in nmbd's browse.dat. + o Sharing violation errors commonly seen when opening + when serving Microsoft Office documents from a Samba + file share. + o Browsing problems caused by an apostrophe (') in the + computer's description field. + o Problems creating special file types from UNIX CIFS + clients and enabling 'unix extensions'. o Fix stalls in smbd caused by inaccessible LDAP servers. o Remove various memory leaks. o Fix issues in the password lockout feature. 
- o Merge security fixes for CAN-2004-0600, CAN-2004-0686 - from 3.0.5. New features introduced in this release include: + O Support symlinks created by CIFS clients which + can be followed on the server. + o Using a cups server other than localhost. + o Maintaining the service principal entry in the system + keytab for integration with other kerberized services. + Please refer to the 'use kerberos keytab' entry in + smb.conf(5). When using the heimdal kerberos libraries, + you must also specify the following in /etc/krb5.conf: + [libdefaults] + default_keytab_name = FILE:/etc/krb5.keytab + o Support for maintaining individual printer names + stored separately from the printer's sharename. o Support for maintaining user password history. + o Support for honoring the logon times for user in a + Samba domain. + +-------------------------------------------- +unix extensions = yes (default) and symlinks +-------------------------------------------- + +Beginning with Samba 3.0.6pre1 (formally known as 3.0.5pre1), +clients supporting the UNIX extensions to the CIFS protocol +can create symlinks to absolute paths which will be **followed** +by the server. This functionality has been requested in order +to correctly support certain applications when the user's home +directory is mounted using some type of CIFS client (e.g. the +cifsvfs in the Linux 2.6 kernel). + +If this behavior is not acceptable for your production environment +you can set 'wide links = no' in the specific share declaration in +the server's smb.conf. Be aware that disabling wide link support +out of a share in Samba may impact the server's performance due +to the fact that smbd will now have to check each path additional +times before traversing it. ------------------------ Password History Support 
@@ -33,14 +73,13 @@ Password History Support The new password history feature allows smbd to check the new password in password change requests against a list of the user's -previous passwords. The number of previous passwords to save can be -set using pdbedit (4 in this example): +previous passwords. The number of previous passwords to save can +be set using pdbedit (4 in this example): root# pdbedit -P "password history" -C 4 -When using the ldapsam passdb backend, it is vital to secure -the following attributes from access by non-administrative -users: +When using the ldapsam passdb backend, it is vital to secure the +following attributes from access by non-administrative users: * sambaNTPassword * sambaLMPassword 
@@ -48,249 +87,14 @@ users: You should refer to your directory server's documentation on how to implement this restriction). + ###################################################################### Changes ####### -Changes since 3.0.6rc1 -(formally referred to as 3.0.5rc1) ----------------------------------- - -smb.conf changes ----------------- - - Parameter Name Action - -------------- ------ - ldap timeout New - - -commits -------- -o Jeremy Allison <jra@samba.org> - * Add support for storing a user's password history. - LDAP portion of the code was based on a patch from - Jianliang Lu <j.lu@tiesse.com>. - * Correct memory leaks found in the password change code. - * Fix support for the mknod command with the Linux CIFS client. - * Remove support for passing the new password to smbpasswd - on the command line without using the -s option. - * Ensure home directory service number is correctly reused - (inspired by patches from Michael Collin Nielsen - <michael@hum.aau.dk>). - * Fix to stop printing accounts from resetting the bas - password and account lockout flags. - * If a account was locked out by an admin (and has a bad - password count of zero) leave it locked out until an admin - unlocks it (but log a message). - - -o Tom Alsberg <alsbergt@cs.huji.ac.il> - * Allow pdbedit to export a single user from a passdb backend. - - -o Andrew Bartlett <abartlet@samba.org> - * Improve smbd's internal random number generation. - * Fix a few outstanding long password changes in smbd. - * Fix LANMAN2 session setup code. - - -o Gerald Carter <jerry@samba.org> - * BUG 1520: Work around bug in Windows XP SP2 RC2 where the - client sends a FindNextPrintChangeNotify() request without - previously sending a FindFirstPrintChangeNotify(). Return - the same error code as Windows 2000 SP4. - * BUG 1516: Manually declare ldap_open_with_timeout() to - workaround compiler errors on IRIX (or other systems without - LDAP headers). 
- * Merge security fixes for CAN-2004-0600, CAN-2004-0686 from - 3.0.5. - * Corrected syntax error in the OID for sambaUnixIdPool, - sambaSidEntry, & sambaIdmapEntry object classes. - - - -o Fabien Chevalier <fabien.chevalier@supelec.fr> - * Debian BUG 252591: Ensure that the return value from the - number of available interfaces is initialized in case no - interfaces are actually available. - - -o Guenther Deschner <gd@sernet.de> - * Display share ACL entries from rpcclient. - - -o Steve French <sfrench@us.ibm.com> - * Fix user unmount of shares mount with suid mount.cifs. - - -o Volker Lendecke <vl@samba.org> - * Allow the 'idmap backend' parameter to accept a list of - LDAP servers for failover purposes. - * Revert code in smbd to remove a tdb when it has become - corrupted. - * Add paranoid checks when mapping SIDs to a uid/gid to - ensure that the type is correct. - * Initial work on getting client support for sending mailslot - datagrams. - * Add 'ldap timeout' parameter. - * Dont always uppercase 'afs username map'. - * Expand aliases for getusersids as well. - - -o James Peach <jpeach@sgi.com> - * More iconv detection fixes for IRIX. - * Compile fixed for systems that do not have C99/UNIX98 compliant - vsnprintf by default. - - -o Tim Potter <tpot@samba.org> - * BUG 1360: Use -Bsymbolic when creating shared libraries to - avoid conflicts with identical symbols in the global namespace - when loading libnss_wins.so. - - -o Richard Renard <rrenard@idealx.com> - * Save the current password as it is being changed into the - password history list. - - -o Simo Source <idra@samba.org> - * Tidy up parametric options in testparm output. - - -o Richard Sharpe <rsharpe@samba.org> - * Add sigchild handling to winbindd to restart the child - daemon if necessary. - - -o Tom Shaw <tomisfaraway@gmail.com> - * Use winbindd_fill_pwent() consistently. - - -o Nick Thompson <nickthompson@agere.com> - * Protect smbd against broken filesystems which return zero - blocksize. 
- - -Changes for older versions follow below: - - -------------------------------------------------- - - ============================= - Release Notes for Samba 3.0.5 - July 20, 2004 - ============================= - -Please note that Samba 3.0.5 is identical to Samba 3.0.4 with -the exception of correcting the two security issues outlined -below. - -######################## SECURITY RELEASE ######################## - -Summary: Multiple Potential Buffer Overruns in Samba 3.0.x -CVE ID: CAN-2004-0600, CAN-2004-0686 - (http://cve.mitre.org/) - - -This is the latest stable release of Samba. This is the version -that production Samba servers should be running for all current -bug-fixes. - -It has been confirmed that versions of Samba 3 prior to v3.0.4 -are vulnerable to two potential buffer overruns. The individual -details are given below. - -------------- -CAN-2004-0600 -------------- - -Affected Versions: Samba 3.0.2 and later - -The internal routine used by the Samba Web Administration -Tool (SWAT v3.0.2 and later) to decode the base64 data -during HTTP basic authentication is subject to a buffer -overrun caused by an invalid base64 character. It is -recommended that all Samba v3.0.2 or later installations -running SWAT either (a) upgrade to v3.0.5, or (b) disable -the swat administration service as a temporary workaround. - -This same code is used internally to decode the -sambaMungedDial attribute value when using the ldapsam -passdb backend. While we do not believe that the base64 -decoding routines used by the ldapsam passdb backend can -be exploited, sites using an LDAP directory service with -Samba are strongly encouraged to verify that the DIT only -allows write access to sambaSamAccount attributes by a -sufficiently authorized user. - -The Samba Team would like to heartily thank Evgeny Demidov -for analyzing and reporting this bug. 
- -------------- -CAN-2004-0686 -------------- - -Affected Versions: Samba 3.0.0 and later - -A buffer overrun has been located in the code used to support -the 'mangling method = hash' smb.conf option. Please be aware -that the default setting for this parameter is 'mangling method -= hash2' and therefore not vulnerable. - -Affected Samba 3 installations can avoid this possible security -bug by using the default hash2 mangling method. Server -installations requiring the hash mangling method are encouraged -to upgrade to Samba 3.0.5. - - -################################################################## - - - -------------------------------------------------- - - ================================ - Release Notes for Samba 3.0.5rc1 - July 8, 2004 - ================================ - -Common bugs fixed in this 3.0.5rc1 include: - - o Corrupt workgroup names in nmbd's browse.dat. - - o Sharing violation errors commonly seen when opening - when serving Microsoft Office documents from a Samba - file share. - - o Browsing problems caused by an apostrophe (') in the - computer's description field. - - o Problems creating special file types from UNIX CIFS - clients and enabling 'unix extensions'. - - -New features introduced in this release include: - - o Using a cups server other than localhost. - - o Maintaining the service principal entry in the system - keytab for integration with other kerberized services. - Please refer to the 'use kerberos keytab' entry in - smb.conf(5). When using the heimdal kerberos libraries, - you must also specify the following in /etc/krb5.conf: - [libdefaults] - default_keytab_name = FILE:/etc/krb5.keytab - - o Support for maintaining individual printer names - stored separately from the printer's sharename. - - -###################################################################### -Changes -####### - -Changes since 3.0.5pre1 ------------------------ +Changes since 3.0.5 +------------------- smb.conf changes ---------------- 
@@ -301,11 +105,25 @@ smb.conf changes defer sharing violations New force unknown acl user New ldap timeout New + printcap cache time New use kerberos keytab New commits ------- -o Jeremy Allison <jra@samba.org> +o Jeremy Allison <jra@samba.org> + * Correct path parsing bug that broke DeletePrinterDriverEx(). + * Fix bugs in check_path_syntax() caught by asserts. + * Internal change - rearrange internal global case setting + variables to a per connection basis. + * BUG 1345: Fix premature optimization in unix_convert(). + * Allow clients to truncate a locked file. + * BUG 1319: Always check to see if a user as write access + to a share, even when 'force user' is set. + * Fix specific case of open that doesn't cause oplock break, + or share mode check. + * Correct sid type is WKN_GROUP, not alias. Added some + more known types (inspired by patch from Jianliang Lu). + * Allow creation of absolute symlink paths via CIFS clients. * Fix charset bug in when invoking send_mailslot(). * When using widelinks = no, use realpath to canonicalize the connection path on connection create for the user. 
@@ -340,27 +158,62 @@ o Jeremy Allison <jra@samba.org> * Turn on sendfile by default for non-Win9x clients. * Handle non-io opens that cause oplock breaks correctly. * Ensure ldap replication sleep time is not more than 5 seconds. + * Add support for storing a user's password history. + LDAP portion of the code was based on a patch from + Jianliang Lu <j.lu@tiesse.com>. + * Correct memory leaks found in the password change code. + * Fix support for the mknod command with the Linux CIFS client. + * Remove support for passing the new password to smbpasswd + on the command line without using the -s option. + * Ensure home directory service number is correctly reused + (inspired by patches from Michael Collin Nielsen + <michael@hum.aau.dk>). + * Fix to stop printing accounts from resetting the bas + password and account lockout flags. + * If a account was locked out by an admin (and has a bad + password count of zero) leave it locked out until an admin + unlocks it (but log a message). +o Tom Alsberg <alsbergt@cs.huji.ac.il> + * Allow pdbedit to export a single user from a passdb backend. + + o Andrew Bartlett <abartlet@samba.org> + * Fix parsing bug in GetDomPwInfo(). + * Fix segfault in 'ntlm_auth --diagnostics'. * Re-enable code to allow sid_to_gid() to perform a group mapping lookup before checking with winbindd. * Fix memory leak in the trans2 signing code. * Allow more flexible GSS-SPENGO client and server operation in ntlm_auth. + * Improve smbd's internal random number generation. + * Fix a few outstanding long password changes in smbd. + * Fix LANMAN2 session setup code. o Eric Boehm <boehm@nortelnetworks.com> BUG 703: Final touches on netgroup case lookups. -o Jerome Borsboom" <j.borsboom@erasmusmc.nl> +o Jerome Borsboom <j.borsboom@erasmusmc.nl> + * Ensure error status codes don't get overwritten in + lsa_lookup_sids() server code. * Correct bug that caused smbd to overwrite certain error codes when returning up the call stack. 
* Ensure the correct sid type returned for builtin sids. o Gerald Carter <jerry@samba.org> + * Fix a few bugs in the Fedora Packaging files. + * Fix for setting the called name to by our IP if the + called name was *SMBSERVER and *SMBSERV. Fixes issue + with connecting to printers via \\ip.ad.dr.ess\printer + UNC path. + * BUG 1315: fix for schannel client connections to servers + when we haven't specifically negotiated AUTH_PIPE_SEAL. + * Allow PrinterDriverData valuenames with embedded backslashes + (Fixes bug with one of the Konica Fiery drivers). * Fixed string length miscalculation in netbios names that resulted in corrupt workgroup names in browse.dat. * When running smbd as a daemon, launch child smbd to update @@ -391,9 +244,26 @@ o Gerald Carter <jerry@samba.org> value for LDAP SASL binds. * Ensure we remove the tdb entry when deleting a job that is being spooled. + * BUG 1520: Work around bug in Windows XP SP2 RC2 where the + client sends a FindNextPrintChangeNotify() request without + previously sending a FindFirstPrintChangeNotify(). Return + the same error code as Windows 2000 SP4. + * BUG 1516: Manually declare ldap_open_with_timeout() to + workaround compiler errors on IRIX (or other systems without + LDAP headers). + * Merge security fixes for CAN-2004-0600, CAN-2004-0686 from + 3.0.5. + * Corrected syntax error in the OID for sambaUnixIdPool, + sambaSidEntry, & sambaIdmapEntry object classes. - -o Guenther Deschner <gd@sernet.de> + +o Fabien Chevalier <fabien.chevalier@supelec.fr> + * Debian BUG 252591: Ensure that the return value from the + number of available interfaces is initialized in case no + interfaces are actually available. + + +o Guenther Deschner <gd@sernet.de> * Implement 'rpcclient setprintername'. * Add local groups to the user's NT_TOKEN since they are actually supported now. 
@@ -407,12 +277,18 @@ o Guenther Deschner <gd@sernet.de> * Ensure that REG_SZ values in the SetPrinterData actually get written in UNICODE strings rather than ASCII. * Ensure that the last kerberos error return is not invalid. + * Display share ACL entries from rpcclient. o Fabian Franz <FabianFranz@gmx.de> * Support specifying a port in the device URL passed to smbspool. +o Steve French <sfrench@us.ibm.com> + * Handle -S and user mount parms in mount.cifs. + * Fix user unmount of shares mount with suid mount.cifs. + + o Bjoern Jacke <bj@sernet.de> * Install libsmbclient into $(LIBDIR), not into hard coded ${prefix}/lib. This helps amd64 systems with /lib and /lib64 @@ -420,10 +296,23 @@ o Bjoern Jacke <bj@sernet.de> o <kawasa_r@itg.hitachi.co.jp> + * Correct more memory leaks and initialization bugs. + * Fix bug that prevented core dumps from being generated + even if you tried. + * Connect to the winbind pipe in non-blocking mode to + prevent processes from hanging. * Memory leak fixes. +o Stephan Kulow <coolo@suse.de> + * Fix crash bug in libsmbclient. + + o Volker Lendecke <vl@samba.org> + * Added vfs_full_audit module. + * Add vfs_afsacl.c which can display & set AFS acls via + the NT security editor. + * Fix crash bug caused by trying to Base64 encode a NULL string. * Fix DOS error code bug in reply_chkpath(). * Correct misunderstanding of the max_size field in cli_samr_enum_als_groups; it is more like an account_control 
@@ -453,19 +342,41 @@ o Volker Lendecke <vl@samba.org> 'read only' smb.conf option. * Fix bug that caused _samr_lookupsids() with more than 32 ( MAX_REF_DOMAINS) SIDs to fail. + * Allow the 'idmap backend' parameter to accept a list of + LDAP servers for failover purposes. + * Revert code in smbd to remove a tdb when it has become + corrupted. + * Add paranoid checks when mapping SIDs to a uid/gid to + ensure that the type is correct. + * Initial work on getting client support for sending mailslot + datagrams. + * Add 'ldap timeout' parameter. + * Dont always uppercase 'afs username map'. + * Expand aliases for getusersids as well. o Herb Lewis <herb@samba.org> + * Add the acls debug class. + * Fix logic bug in netbios name truncate routine. + * Fix smbd crash caused by smbtorture IOCTL test. * Fix errno tromping before calling iconv to reset the conversion state. * need to leave empty dacl so we can remove last ACE. o Jianliang Lu <Jianliang.Lu@getronics.com> + * Fix to stop smbd hanging on missing group member in + get_memberuids(). + * Make sure Samba returns the correct group types. * Reset the bad password count password counts upon a successful login. -o Joe Meadows "Joe Meadows" <jameadows@webopolis.com> +o Jim McDonough <jmcd@us.ibm.com> + * BUG 1279: SMBjobid fix for Samba print servers running on + Big-Endian platforms. + + +o Joe Meadows <jameadows@webopolis.com> * Add optional timeout parameter to ldap open calls. * Allow get_dc_list() to check the negative cache. 
@@ -475,195 +386,165 @@ o Jason Mader <jason@ncac.gwu.edu> o Stefan Metzmacher <metze@samba.org> + * fix a configure logic bug for linux/XFS quotas when + using --with-sys-quotas. + * Use quota debug class in quota code. * print out the SVN revision by configure, o Lars Mueller <lmuelle@suse.de> + * BUG 1279: Added 'printcap cache time' parameter. * Fix afs related build issues on SuSE. -o Dan Peterson - * Implement NFS quota support on FreeBSD. +o James Peach <jpeach@sgi.com> + * More iconv detection fixes for IRIX. + * Compile fixed for systems that do not have C99/UNIX98 compliant + vsnprintf by default. -o Nick Wellnhofer <wellnhofer@aevum.de> - * Prevent lp_interfaces() list from being corrupted. Fixes - bug where nmbd would lose the list of network interfaces - on the system and consequently shutdown. - - -o James Wilkinson <jwilk@alumni.cse.ucsc.edu> - * Fix ntlm_auth memory leaks. +o Dan Peterson + * Implement NFS quota support on FreeBSD. -o Jelmer Vernooij <jelmer@samba.org> - * BUG 478: Rename vsnprintf to smb_vsnprintf so we don't - get duplicate symbol errors. - * Return an error when the last command read from stdin - fails in smbclient. - * Prepare for better error checking in tar. - +o Tim Potter <tpot@samba.org> + * BUG 1360: Use -Bsymbolic when creating shared libraries to + avoid conflicts with identical symbols in the global namespace + when loading libnss_wins.so. - -------------------------------------------------- - ================================= - Release Notes for Samba 3.0.5pre1 - May 25, 2004 - ================================= +o Richard Renard <rrenard@idealx.com> + * Save the current password as it is being changed into the + password history list. -Common bugs fixed in this preview release include: - o Schannel failure in winbindd. - o Numerous memory leaks. - o Incompatibilities between the 'write list' and 'force user' - smb.conf options. 
- o Premature optimization of the open_directory() internal - function that broke tools such as the ArcServe backup - agent, Macromedia HomeSite, and Robocopy. +o Richard Sharpe <rsharpe@samba.org> + * Fix error return codes on some lock messages. + * BUG 1178: Make the libsmbclient routines callable + by C++ programs. + * BUG 1333: Make sure we return an error code when + things go wrong. + * BUG 1301: Return NT_STATUS_SHARING_VIOLATION when + share mode locking requests fail. -ATTENTION! NEW BEHAVIOR! -------------------------- +o Simo Source <idra@samba.org> + * Update Debian stable & unstable packaging. + * Tidy up parametric options in testparm output. -Beginning with Samba 3.0.5pre1, clients supporting the UNIX -extensions to the CIFS protocol can create symlinks to -absolute paths which will be **followed** by the server. This -functionality has been requested in order to correctly support -certain applications when the user's home directory is mounted -using some type of CIFS client (e.g. the cifsvfs in the Linux -2.6 kernel). -If this behavior is not acceptable for your production environment -you can set 'wide links = no' in the specific share declaration in -the server's smb.conf. Be aware that disabling wide link support -out of a share in Samba may impact the server's performance due -to the fact that smbd will now have to check each path additional -times before traversing it. +o Richard Sharpe <rsharpe@samba.org> + * Add sigchild handling to winbindd to restart the child + daemon if necessary. -Changes since 3.0.4 --------------------- -smb.conf changes ----------------- +o Tom Shaw <tomisfaraway@gmail.com> + * Use winbindd_fill_pwent() consistently. - Parameter Name Action - -------------- ------ - printcap cache time New - - -commits -------- -o Jeremy Allison <jra@samba.org> - * Correct path parsing bug that broke DeletePrinterDriverEx(). - * Fix bugs in check_path_syntax() caught by asserts. 
- * Internal change - rearrange internal global case setting - variables to a per connection basis. - * BUG 1345: Fix premature optimization in unix_convert(). - * Allow clients to truncate a locked file. - * BUG 1319: Always check to see if a user as write access - to a share, even when 'force user' is set. - * Fix specific case of open that doesn't cause oplock break, - or share mode check. - * Correct sid type is WKN_GROUP, not alias. Added some - more known types (inspired by patch from Jianliang Lu). - * Allow creation of absolute symlink paths via CIFS clients. - -o Andrew Bartlett <abartlet@samba.org> - * Fix parsing bug in GetDomPwInfo(). - * Fix segfault in 'ntlm_auth --diagnostics'. +o Nick Thompson <nickthompson@agere.com> + * Protect smbd against broken filesystems which return zero + blocksize. -o Jerome Borsboom <j.borsboom@erasmusmc.nl> - * Ensure error status codes don't get overwritten in - lsa_lookup_sids() server code. +o Andrew Tridgell <tridge@samba.org> + * Fixed bug in handling of timeout in socket connections. + +o Nick Wellnhofer <wellnhofer@aevum.de> + * Prevent lp_interfaces() list from being corrupted. Fixes + bug where nmbd would lose the list of network interfaces + on the system and consequently shutdown. -o Gerald Carter <jerry@samba.org> - * Fix a few bugs in the Fedora Packaging files. - * Fix for setting the called name to by our IP if the - called name was *SMBSERVER and *SMBSERV. Fixes issue - with connecting to printers via \\ip.ad.dr.ess\printer - UNC path. - * BUG 1315: fix for schannel client connections to servers - when we haven't specifically negotiated AUTH_PIPE_SEAL. - * Allow PrinterDriverData valuenames with embedded backslashes - (Fixes bug with one of the Konica Fiery drivers). + +o James Wilkinson <jwilk@alumni.cse.ucsc.edu> + * Fix ntlm_auth memory leaks. -o Steve French <sfrench@us.ibm.com> - * Handle -S and user mount parms in mount.cifs. 
- - -o kawasa_r@itg.hitachi.co.jp - * Correct more memory leaks and initialization bugs. - * Fix bug that prevented core dumps from being generated - even if you tried. - * Connect to the winbind pipe in non-blocking mode to - prevent processes from hanging. +o Jelmer Vernooij <jelmer@samba.org> + * Additional NT status to unix error mappings. + * BUG 478: Rename vsnprintf to smb_vsnprintf so we don't + get duplicate symbol errors. + * Return an error when the last command read from stdin + fails in smbclient. + * Prepare for better error checking in tar. + +Changes for older versions follow below: -o Stephan Kulow <coolo@suse.de> - * Fix crash bug in libsmbclient. + -------------------------------------------------- + + ============================= + Release Notes for Samba 3.0.5 + July 20, 2004 + ============================= +Please note that Samba 3.0.5 is identical to Samba 3.0.4 with +the exception of correcting the two security issues outlined +below. -o Volker Lendecke <vl@samba.org> - * Added vfs_full_audit module. - * Add vfs_afsacl.c which can display & set AFS acls via - the NT security editor. - * Fix crash bug caused by trying to Base64 encode a NULL string. +######################## SECURITY RELEASE ######################## +Summary: Multiple Potential Buffer Overruns in Samba 3.0.x +CVE ID: CAN-2004-0600, CAN-2004-0686 + (http://cve.mitre.org/) -o Herb Lewis <herb@samba.org> - * Add the acls debug class. - * Fix logic bug in netbios name truncate routine. - * Fix smbd crash caused by smbtorture IOCTL test. +This is the latest stable release of Samba. This is the version +that production Samba servers should be running for all current +bug-fixes. -o Jianliang Lu <j.lu@tiesse.com> - * Fix to stop smbd hanging on missing group member in - get_memberuids(). - * Make sure Samba returns the correct group types. +It has been confirmed that versions of Samba 3 prior to v3.0.4 +are vulnerable to two potential buffer overruns. 
The individual +details are given below. +------------- +CAN-2004-0600 +------------- -o Jim McDonough <jmcd@us.ibm.com> - * BUG 1279: SMBjobid fix for Samba print servers running on - Big-Endian platforms. +Affected Versions: Samba 3.0.2 and later +The internal routine used by the Samba Web Administration +Tool (SWAT v3.0.2 and later) to decode the base64 data +during HTTP basic authentication is subject to a buffer +overrun caused by an invalid base64 character. It is +recommended that all Samba v3.0.2 or later installations +running SWAT either (a) upgrade to v3.0.5, or (b) disable +the swat administration service as a temporary workaround. -o Stefan Metzmacher <metze@samba.org> - * fix a configure logic bug for linux/XFS quotas when - using --with-sys-quotas. - * Use quota debug class in quota code. +This same code is used internally to decode the +sambaMungedDial attribute value when using the ldapsam +passdb backend. While we do not believe that the base64 +decoding routines used by the ldapsam passdb backend can +be exploited, sites using an LDAP directory service with +Samba are strongly encouraged to verify that the DIT only +allows write access to sambaSamAccount attributes by a +sufficiently authorized user. - -o Lars Müller <lmuelle@suse.de> - * BUG 1279: Added 'printcap cache time' parameter. +The Samba Team would like to heartily thank Evgeny Demidov +for analyzing and reporting this bug. +------------- +CAN-2004-0686 +------------- -o Richard Sharpe <rsharpe@samba.org> - * Fix error return codes on some lock messages. - * BUG 1178: Make the libsmbclient routines callable - by C++ programs. - * BUG 1333: Make sure we return an error code when - things go wrong. - * BUG 1301: Return NT_STATUS_SHARING_VIOLATION when - share mode locking requests fail. +Affected Versions: Samba 3.0.0 and later +A buffer overrun has been located in the code used to support +the 'mangling method = hash' smb.conf option. 
Please be aware +that the default setting for this parameter is 'mangling method += hash2' and therefore not vulnerable. -o Simo Source <idra@samba.org> - * Update Debian stable & unstable packaging. - +Affected Samba 3 installations can avoid this possible security +bug by using the default hash2 mangling method. Server +installations requiring the hash mangling method are encouraged +to upgrade to Samba 3.0.5. -o Andrew Tridgell <tridge@samba.org> - * Fixed bug in handling of timeout in socket connections. - - -o Jelmer Vernooij <jelmer@samba.org> - * Additional NT status to unix error mappings. +################################################################## -------------------------------------------------- + ============================= Release Notes for Samba 3.0.4 May 8, 2004 diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index d87815b3abc..8c6b8cb4e39 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -212,6 +212,10 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaLogonHours' + DESC 'Logon Hours' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE ) ## ## string settings @@ -334,7 +338,8 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ - sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory)) + sambaBadPasswordCount $ sambaBadPasswordTime $ + sambaPasswordHistory $ sambaLogonHours)) ## ## Group mapping info diff --git a/source/include/smbldap.h b/source/include/smbldap.h index 6046af464e6..953937fb75d 100644 --- a/source/include/smbldap.h +++ b/source/include/smbldap.h 
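Review bot: The new sambaLogonHours attribute type in examples/LDAP/samba.schema carries only `DESC 'Logon Hours'`, which does not tell a directory administrator what a valid value looks like; going by the passdb.c part of this commit it is 42 hex characters encoding a 21-byte array. The `{42}` on the IA5String syntax is at most a length bound, not a format check, so shorter or non-hex values can still be stored and the code that reads the attribute has to validate them itself. I would extend the description, e.g. `DESC 'Logon Hours: 42 hex characters (21 bytes)'`. Since the release notes say logon times are now honored, write access to this attribute probably belongs with the sambaSamAccount attributes that are limited to administrators; that is an inference from the notes, not something the schema can enforce.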
@@ -96,6 +96,7 @@ #define LDAP_ATTR_PWD_HISTORY 39 #define LDAP_ATTR_SID_LIST 40 #define LDAP_ATTR_MOD_TIMESTAMP 41 +#define LDAP_ATTR_LOGON_HOURS 42 typedef struct _attrib_map_entry { int attrib; diff --git a/source/lib/smbldap.c b/source/lib/smbldap.c index 0980b763adb..e66fb3640cf 100644 --- a/source/lib/smbldap.c +++ b/source/lib/smbldap.c @@ -102,6 +102,7 @@ ATTRIB_MAP_ENTRY attrib_map_v30[] = { { LDAP_ATTR_BAD_PASSWORD_TIME, "sambaBadPasswordTime" }, { LDAP_ATTR_PWD_HISTORY, "sambaPasswordHistory" }, { LDAP_ATTR_MOD_TIMESTAMP, "modifyTimestamp" }, + { LDAP_ATTR_LOGON_HOURS, "sambaLogonHours" }, { LDAP_ATTR_LIST_END, NULL } }; diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c index e404f5af3f9..0905d816920 100644 --- a/source/passdb/passdb.c +++ b/source/passdb/passdb.c 
@@ -583,6 +583,57 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd) return (True); } +/************************************************************* + Routine to set 42 hex hours characters from a 21 byte array. +**************************************************************/ + +void pdb_sethexhours(char *p, const unsigned char *hours) +{ + if (hours != NULL) { + int i; + for (i = 0; i < 21; i++) { + slprintf(&p[i*2], 3, "%02X", hours[i]); + } + } else { + safe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43); + } +} + +/************************************************************* + Routine to get the 42 hex characters and turn them + into a 21 byte array. +**************************************************************/ + +BOOL pdb_gethexhours(const char *p, unsigned char *hours) +{ + int i; + unsigned char lonybble, hinybble; + const char *hexchars = "0123456789ABCDEF"; + char *p1, *p2; + + if (!p) { + return (False); + } + + for (i = 0; i < 42; i += 2) { + hinybble = toupper(p[i]); + lonybble = toupper(p[i + 1]); + + p1 = strchr(hexchars, hinybble); + p2 = strchr(hexchars, lonybble); + + if (!p1 || !p2) { + return (False); + } + + hinybble = PTR_DIFF(p1, hexchars); + lonybble = PTR_DIFF(p2, hexchars); + + hours[i / 2] = (hinybble << 4) | lonybble; + } + return (True); +} + int algorithmic_rid_base(void) { static int rid_offset = 0; diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c index 37cc0c79029..9af34705df5 100644 --- a/source/passdb/pdb_ldap.c +++ b/source/passdb/pdb_ldap.c 
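Review bot: pdb_gethexhours() never checks that `p` holds 42 characters before indexing `p[i]` and `p[i + 1]`, and its `strchr(hexchars, ...)` test does not reject a NUL byte, because strchr() matches the string terminator and returns a non-NULL pointer (offset 16). A short or truncated value therefore passes validation, and the loop keeps reading past the end of the string. A guard such as `if (!p || strlen(p) < 42) return (False);` at the top closes this, and `toupper((unsigned char)p[i])` avoids passing a negative `char` to toupper(). The header comments could also state that `hours` must have room for 21 bytes and that pdb_sethexhours() needs at least 43 bytes in `p` (42 hex digits plus the terminator).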
@@ -782,7 +782,15 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, /* pdb_set_unknown_6(sampass, unknown6, PDB_SET); */ - pdb_set_hours(sampass, hours, PDB_SET); + if(!smbldap_get_single_pstring(ldap_state->smbldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_HOURS), temp)) { + /* leave as default */ + } else { + pdb_gethexhours(temp, hours); + memset((char *)temp, '\0', strlen(temp) +1); + pdb_set_hours(sampass, hours, PDB_SET); + ZERO_STRUCT(hours); + } /* check the timestamp of the cache vs ldap entry */ if (!(ldap_entry_time = ldapsam_get_entry_timestamp(ldap_state, @@ -1065,7 +1073,18 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, } } - /* FIXME: Hours stuff goes in LDAP */ + if (need_update(sampass, PDB_HOURS)) { + const char *hours = pdb_get_hours(sampass); + if (hours) { + pdb_sethexhours(temp, hours); + smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, + existing, + mods, + get_userattr_key2string(ldap_state->schema_ver, + LDAP_ATTR_LOGON_HOURS), + temp); + } + } if (need_update(sampass, PDB_ACCTCTRL)) smbldap_make_mod(ldap_state->smbldap_state->ldap_struct, existing, mods, diff --git a/source/utils/pdbedit.c b/source/utils/pdbedit.c index 1201cf88fcf..1eb6a135c51 100644 --- a/source/utils/pdbedit.c +++ b/source/utils/pdbedit.c @@ -49,6 +49,7 @@ #define BIT_EXPORT 0x02000000 #define BIT_FIX_INIT 0x04000000 #define BIT_BADPWRESET 0x08000000 +#define BIT_LOGONHOURS 0x10000000 #define MASK_ALWAYS_GOOD 0x0000001F #define MASK_USER_GOOD 0x00401F00 
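Review bot: The result of `pdb_gethexhours(temp, hours)` is discarded in init_sam_from_ldap(), so a sambaLogonHours value containing a non-hex character leaves `hours` only partly filled and it is still stored with pdb_set_hours(). This value comes from the directory and restricts when an account may log on, so a malformed entry should fall back to the default rather than be applied: `if (pdb_gethexhours(temp, hours)) pdb_set_hours(sampass, hours, PDB_SET);`. The declaration of `hours` and the rest of the function are outside the hunk, so its size (21 bytes are written) should be confirmed there.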
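Review bot: In init_ldap_from_sam() the new `const char *hours = pdb_get_hours(sampass);` is passed to pdb_sethexhours(), which this commit defines as taking `const unsigned char *`, so the pointer signedness does not match. The same mismatch appears in pdbedit.c print_sam_info(), where a `const uint8 *` is cast to `(const char *)` before the call. Declaring the local as `const uint8 *hours` here and dropping the cast there would keep the types consistent, assuming pdb_get_hours() returns `const uint8 *` as the pdbedit.c usage suggests. `temp` is declared outside the hunk and needs room for the 42 hex digits plus the terminator.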
@@ -130,6 +131,9 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst if (!sam_pwent) return -1; if (verbosity) { + pstring temp; + const uint8 *hours; + printf ("Unix username: %s\n", pdb_get_username(sam_pwent)); printf ("NT username: %s\n", pdb_get_nt_username(sam_pwent)); printf ("Account Flags: %s\n", pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sam_pwent), NEW_PW_FORMAT_SPACE_PADDED_LEN)); @@ -170,6 +174,10 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst printf ("Bad password count : %d\n", pdb_get_bad_password_count(sam_pwent)); + hours = pdb_get_hours(sam_pwent); + pdb_sethexhours(temp, (const char *)hours); + printf ("Logon hours : %s\n", temp); + } else if (smbpwdstyle) { char lm_passwd[33]; char nt_passwd[33]; @@ -294,7 +302,7 @@ static int set_user_info (struct pdb_context *in, const char *username, const char *drive, const char *script, const char *profile, const char *account_control, const char *user_sid, const char *group_sid, - const BOOL badpw) + const BOOL badpw, const BOOL hours) { BOOL updated_autolock = False, updated_badpw = False; SAM_ACCOUNT *sam_pwent=NULL; @@ -308,6 +316,16 @@ static int set_user_info (struct pdb_context *in, const char *username, pdb_free_sam(&sam_pwent); return -1; } + + if (hours) { + uint8 hours_array[MAX_HOURS_LEN]; + uint32 hours_len; + + hours_len = pdb_get_hours_len(sam_pwent); + memset(hours_array, 0xff, hours_len); + + pdb_set_hours(sam_pwent, hours_array, PDB_CHANGED); + } if (!pdb_update_autolock_flag(sam_pwent, &updated_autolock)) { DEBUG(2,("pdb_update_autolock_flag failed.\n")); @@ -631,6 +649,7 @@ int main (int argc, char **argv) static long int account_policy_value = 0; BOOL account_policy_value_set = False; static BOOL badpw_reset = False; + static BOOL hours_reset = False; struct pdb_context *bin; struct pdb_context *bout; 
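Review bot: In set_user_info() the `memset(hours_array, 0xff, hours_len)` uses the length read from the account via pdb_get_hours_len() without comparing it with the `MAX_HOURS_LEN` size of `hours_array`. A stored length larger than the array would write past the stack buffer, and a smaller one leaves the tail of the array uninitialised before it is handed to pdb_set_hours(). `memset(hours_array, 0xff, sizeof(hours_array));`, or clamping `hours_len` to `MAX_HOURS_LEN` first, avoids both. The function body continues outside the hunk.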
@@ -662,6 +681,7 @@ int main (int argc, char **argv) {"account-control", 'c', POPT_ARG_STRING, &account_control, 0, "Values of account control", NULL}, {"force-initialized-passwords", 0, POPT_ARG_NONE, &force_initialised_password, 0, "Force initialization of corrupt password strings in a passdb backend", NULL}, {"bad-password-count-reset", 'z', POPT_ARG_NONE, &badpw_reset, 0, "reset bad password count", NULL}, + {"logon-hours-reset", 'Z', POPT_ARG_NONE, &hours_reset, 0, "reset logon hours", NULL}, POPT_COMMON_SAMBA POPT_TABLEEND }; @@ -715,7 +735,8 @@ int main (int argc, char **argv) (account_policy_value_set ? BIT_ACCPOLVAL : 0) + (backend_in ? BIT_IMPORT : 0) + (backend_out ? BIT_EXPORT : 0) + - (badpw_reset ? BIT_BADPWRESET : 0); + (badpw_reset ? BIT_BADPWRESET : 0) + + (hours_reset ? BIT_LOGONHOURS : 0); if (setparms & BIT_BACKEND) { if (!NT_STATUS_IS_OK(make_pdb_context_string(&bdef, backend))) { @@ -829,6 +850,12 @@ int main (int argc, char **argv) checkparms |= BIT_MODIFY; checkparms &= ~BIT_BADPWRESET; } + + /* if logon hours is reset, must modify */ + if (checkparms & BIT_LOGONHOURS) { + checkparms |= BIT_MODIFY; + checkparms &= ~BIT_LOGONHOURS; + } /* account operation */ if ((checkparms & BIT_CREATE) || (checkparms & BIT_MODIFY) || (checkparms & BIT_DELETE)) { @@ -866,7 +893,7 @@ int main (int argc, char **argv) logon_script, profile_path, account_control, user_sid, group_sid, - badpw_reset); + badpw_reset, hours_reset); } } |
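Review bot: The help text `"reset logon hours"` on the new `-Z` / `--logon-hours-reset` option does not say what the reset does. set_user_info() fills the hours array with 0xff, which presumably removes any logon-time restriction on the account. Since that loosens an access control, the help string could say so, for example `"reset logon hours (allow logon at all times)"`. The option table starts outside the hunk.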