summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* VERSION: Disable GIT_SNAPSHOT for the 4.17.7 release.samba-4.17.7Jule Anger2023-03-291-1/+1
| | | | Signed-off-by: Jule Anger <janger@samba.org>
* WHATSNEW: Add release notes for Samba 4.17.7.Jule Anger2023-03-291-2/+72
| | | | Signed-off-by: Jule Anger <janger@samba.org>
* CVE-2023-0922 set default ldap client sasl wrapping to sealRob van der Linde2023-03-204-17/+16
| | | | | | | | | | | This avoids sending new or reset passwords in the clear (integrity protected only) from samba-tool in particular. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315 Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no valuesJoseph Sutton2023-03-202-7/+7
| | | | | | | | | | | | | | This early return would mistakenly allow an unprivileged user to delete the dNSHostName attribute by making an LDAP modify request with no values. We should no longer allow this. Add or replace operations with no values and no privileges are disallowed. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged userDouglas Bagnall2023-03-203-0/+239
| | | | | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org The self.set_heuristic(samba.dsdb.DS_HR_ATTR_AUTHZ_ON_LDAP_ADD, b'11') in the test setUp() is unused in this test but is included as a clean backport, so the fact that the server does not implement this is unimportant]
* CVE-2023-0225 CVE-2020-25720 pydsdb: Add dsHeuristics constant definitionsJoseph Sutton2023-03-201-0/+30
| | | | | | | | | | | | | | | We want to be able to use these values in Python tests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit cc709077822a39227174b91ed2345c2bd603f61f) [abartlet@samba.org This patch is needed for a clean backport of CVE-2023-0225 as these constants are used in the acl_modify test even when this behaviour is not itself used.]
* CVE-2023-0225 CVE-2020-25720 s4/dsdb/util: Add functions for dsHeuristics 28, 29Joseph Sutton2023-03-202-0/+42
| | | | | | | | | | | | | | | | These are the newly-added AttributeAuthorizationOnLDAPAdd and BlockOwnerImplicitRights. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 0af5706b559e89c77123ed174b41fd3d01705aa5) [abartlet@samba.org This patch is needed for a clean backport of CVE-2023-0225 as these constants are used in the acl_modify test even when this behaviour is not itself used.]
* CVE-2023-0614 ldb: Release LDB 2.6.2ldb-2.6.2Andrew Bartlett2023-03-203-1/+305
| | | | | | | | | | | * CVE-2023-0614 Not-secret but access controlled LDAP attributes can be discovered (bug 15270) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> [abartlet@samba.org Adapted to LDB 2.6 series in Samba 4.17]
* CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on ↵Andrew Bartlett2023-03-201-1/+6
| | | | | | | | | | | SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN Setting the LDB_HANDLE_FLAG_UNTRUSTED tells the acl_read module to operate on this request. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2023-0614 lib/ldb-samba: Add test for ↵Andrew Bartlett2023-03-203-57/+175
| | | | | | | | | | | | SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes The chain for transitive evaluation does consider ACLs, avoiding the disclosure of confidential information. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in ↵Andrew Bartlett2023-03-201-0/+8
| | | | | | | | | match_rules tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTEDAndrew Bartlett2023-03-202-0/+5
| | | | | | | | | | This will allow our dsdb helper search functions to mark the new request as untrusted, forcing read ACL evaluation (per current behaviour). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexedJoseph Sutton2023-03-204-4/+33
| | | | | | | | | | | | In the unlikely case that someone adds a confidential indexed attribute to the schema, LDAP search expressions on that attribute could disclose information via timing differences. Let's not use the index for searches on confidential attributes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb: Filter on search base before redacting messageJoseph Sutton2023-03-204-23/+47
| | | | | | | | | | | Redaction may be expensive if we end up needing to fetch a security descriptor to verify rights to an attribute. Checking the search scope is probably cheaper, so do that first. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb: Centralise checking for inaccessible matchesJoseph Sutton2023-03-202-30/+31
| | | | | | | | | This makes it less likely that we forget to handle a case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb: Use binary search to check whether attribute is secretJoseph Sutton2023-03-201-21/+35
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help itJoseph Sutton2023-03-201-3/+8
| | | | | | | | | | If the AS_SYSTEM control is present, we know we have system privileges, and have no need to call dsdb_module_am_system(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb: Prevent disclosure of confidential attributesJoseph Sutton2023-03-2012-455/+672
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a hook, acl_redact_msg_for_filter(), in the aclread module, that marks inaccessible any message elements used by an LDAP search filter that the user has no right to access. Make the various ldb_match_*() functions check whether message elements are accessible, and refuse to match any that are not. Remaining message elements, not mentioned in the search filter, are checked in aclread_callback(), and any inaccessible elements are removed at this point. Certain attributes, namely objectClass, distinguishedName, name, and objectGUID, are always present, and hence the presence of said attributes is always allowed to be checked in a search filter. This corresponds with the behaviour of Windows. Further, we unconditionally allow the attributes isDeleted and isRecycled in a check for presence or equality. Windows is not known to make this special exception, but it seems mostly harmless, and should mitigate the performance impact on searches made by the show_deleted module. As a result of all these changes, our behaviour regarding confidential attributes happens to match Windows more closely. For the test in confidential_attr.py, we can now model our attribute handling with DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by Windows. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org adapted due to Samba 4.17 and lower not having the patches for CVE-2020-25720]
* CVE-2023-0614 s4-acl: Split out function to set up access checking variablesJoseph Sutton2023-03-201-33/+80
| | | | | | | | | | | | | | | These variables are often used together, and it is useful to have the setup code in one place. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org adapted to the use of acl_check_access_on_attribute as acl_check_access_on_attribute_implicit_owner is only in Samba 4.18 and newer]
* CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()Joseph Sutton2023-03-201-0/+20
| | | | | | | | | | This function parses a SID from an ldb_message, similar to samdb_result_dom_sid(), but does it without allocating anything. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 s4-acl: Split out logic to remove access checking attributesJoseph Sutton2023-03-201-23/+35
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()Joseph Sutton2023-03-202-0/+28
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 tests/krb5: Add test for confidential attributes timing ↵Joseph Sutton2023-03-202-0/+163
| | | | | | | | differences BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 schema_samba4.ldif: Allocate previously added OIDJoseph Sutton2023-03-201-0/+1
| | | | | | | | | | DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit 08187833fee57a8dba6c67546dfca516cd1f9d7a. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* schema_samba4.ldif: Allocate previously added OIDsJoseph Sutton2023-03-201-0/+2
| | | | | | | | | | | | | | | | | | DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID was added to source4/dsdb/samdb/samdb.h in commit c2ab1f4696fa3f52918a126d0b37993a07f68bcb. DSDB_EXTENDED_SCHEMA_LOAD was added in commit 1fd4cdfafaa6a41c824d1b3d76635bf3e446de0f. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 672ec6135f9ae3d7b5439523a4f456c19fb03a88) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 [abartlet@samba.org This required as context for the above bug]
* CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential attributes ↵Joseph Sutton2023-03-201-3/+3
| | | | | | | | | | | | | | | | | | | | test The object returned by schema_format_value() is a bytes object. Therefore the search expression would resemble: (lastKnownParent=<GUID=b'00000000-0000-0000-0000-000000000000'>) which, due to the extra characters, would fail to match anything. Fix it to be: (lastKnownParent=<GUID=00000000-0000-0000-0000-000000000000>) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't ownJoseph Sutton2023-03-201-8/+32
| | | | | | | | | | | | | | | | | | | | | | | | In extended_dn_fix_filter() we had: req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree); which overwrote the parse tree on an existing ldb request with a fixed up tree. This became a problem if a module performed another search with that same request structure, as extended_dn_in would try to fix up the already-modified tree for a second time. The fixed-up tree element now having an extended DN, it would fall foul of the ldb_dn_match_allowed() check in extended_dn_filter_callback(), and be replaced with an ALWAYS_FALSE match rule. In practice this meant that <GUID={}> searches would only work for one search in an ldb request, and fail for subsequent ones. Fix this by creating a new request with the modified tree, and leaving the original request unmodified. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place()Joseph Sutton2023-03-204-65/+66
| | | | | | | | | | | | | | Change all uses of ldb_kv_filter_attrs() to use ldb_filter_attrs_in_place() instead. This function does less work than its predecessor, and no longer requires the allocation of a second ldb message. Some of the work is able to be split out into separate functions that each accomplish a single task, with a purpose to make the code clearer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in placeJoseph Sutton2023-03-203-442/+307
| | | | | | | | | | | | | | | | | | | | | | ldb_filter_attrs() previously did too much. Now its replacement, ldb_filter_attrs_in_place(), only does the actual filtering, while taking ownership of each element's values is handled in a separate function, ldb_msg_elements_take_ownership(). Also, ldb_filter_attrs_in_place() no longer adds the distinguishedName to the message if it is missing. That is handled in another function, ldb_msg_add_distinguished_name(). As we're now modifying the original message rather than copying it into a new one, we no longer need the filtered_msg parameter. We adapt a test, based on ldb_filter_attrs_test, to exercise the new function. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb: Add function to filter message in placeJoseph Sutton2023-03-204-0/+1148
| | | | | | | | | | | | | | At present this function is an exact duplicate of ldb_filter_attrs(), but in the next commit we shall modify it to work in place, without the need for the allocation of a second message. The test is a near duplicate of the existing test for ldb_filter_attrs(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb: Add function to add distinguishedName to messageJoseph Sutton2023-03-202-3/+8
| | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org Adapted to conflict from lack of new ldb_ascii_toupper() in ldb_private.h]
* CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb messageJoseph Sutton2023-03-202-0/+19
| | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org Adapted to conflict from lack of new ldb_ascii_toupper() in ldb_private.h]
* CVE-2023-0614 ldb: Add function to take ownership of an ldb messageJoseph Sutton2023-03-202-0/+45
| | | | | | | | | | | | | Many places in Samba depend upon various components of an ldb message being talloc allocated, and hence able to be used as talloc contexts. The elements and values of an unpacked ldb message point to unowned data inside the memory-mapped database, and this function ensures that such messages have talloc ownership of said elements and values. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb:tests: Ensure all tests are accounted forJoseph Sutton2023-03-201-2/+3
| | | | | | | | | | | | | Add ldb_filter_attrs_test to the list of tests so that it actually gets run. Remove a duplicate ldb_msg_test that was accidentally added in commit 5ca90e758ade97fb5e335029c7a1768094e70564. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminatedJoseph Sutton2023-03-201-85/+86
| | | | | | | | | | | | | | | | | If the value of an ldb message element is not zero-terminated, calling ldb_msg_find_attr_as_string() will cause the function to read off the end of the buffer in an attempt to verify that the value is zero-terminated. This can cause unexpected behaviour and make the test randomly fail. To avoid this, we must have a terminating null byte that is *not* counted as part of the length, and so we must calculate the length with strlen() rather than sizeof. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message ↵Joseph Sutton2023-03-201-52/+10
| | | | | | | | | elements BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 ldb: Add functions for handling inaccessible message elementsJoseph Sutton2023-03-202-0/+30
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 s4-acl: Make some parameters constJoseph Sutton2023-03-201-2/+2
| | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org Adapted to code without newer acl_check_access_on_attribute_implicit_owner name]
* CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistentlyJoseph Sutton2023-03-204-5/+5
| | | | | | | | | | It is better to explicitly abort than to dereference a NULL pointer or try to read data cast to the wrong type. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2023-0614 libcli/security: Make some parameters constJoseph Sutton2023-03-202-6/+6
| | | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org Updated to add const to sec_access_check_ds() instead of the sec_access_check_ds_implicit_owner() wrapper found in 4.18 and later]
* CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by ↵Andrew Bartlett2023-03-201-2/+16
| | | | | | | | | | | matching on large objects This changes the slow aspect to be the object matching not the filter parsing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* CVE-2023-0614 selftest: Use setUpClass() to reduce "make test ↵Andrew Bartlett2023-03-201-33/+36
| | | | | | | | | | | | | | | | | | | | | TESTS=large_ldap" time This reduces the elapsed time to 6m from 20m on my laptop. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15332 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Mar 14 07:16:04 UTC 2023 on atb-devel-224 (cherry picked from commit b4a6c054ec6acefacd22cb7230a783d20cb07c05) [abartlet@samba.org Included in the security release as this makes working on the large_ldap test practical by reducing the elapsed time taken]
* CVE-2023-0614 lib/ldb: Avoid allocation and memcpy() for every wildcard ↵Andrew Bartlett2023-03-201-10/+50
| | | | | | | | | | | | | | | | | | match candidate The value can be quite large, the allocation will take much longer than the actual match and is repeated per candidate record. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15331 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> (cherry picked from commit cad96f59a08192df927fb1df4e9787c7f70991a2) [abartlet@samba.org Included in the security release as this makes the new large_ldap.py timeout test more reliable]
* VERSION: Bump version up to Samba 4.17.7...Jule Anger2023-03-091-2/+2
| | | | | | and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger <janger@samba.org>
* VERSION: Disable GIT_SNAPSHOT for the 4.17.6 release.samba-4.17.6Jule Anger2023-03-091-1/+1
| | | | Signed-off-by: Jule Anger <janger@samba.org>
* WHATSNEW: Add release notes for Samba 4.17.6.Jule Anger2023-03-091-2/+63
| | | | Signed-off-by: Jule Anger <janger@samba.org>
* s3: smbd: Fix fsp/fd leak when looking up a non-existent stream name on a file.Jeremy Allison2023-03-082-1/+21
| | | | | | | | | | | | | | | | | | | | | | | When open_stream_pathref_fsp() returns NT_STATUS_OBJECT_NAME_NOT_FOUND, smb_fname_rel->fsp has been set to NULL, so we must free base_fsp separately to prevent fd-leaks when opening a stream that doesn't exist. Remove knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15314 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Fri Mar 3 16:37:27 UTC 2023 on atb-devel-224 (cherry picked from commit 3f84a6df4546e0f1e62dfbcd0b823ea29499a787) Autobuild-User(v4-17-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-17-test): Wed Mar 8 10:11:41 UTC 2023 on sn-devel-184
* s3: tests: Add new test_stream_dir_rename.sh test.Jeremy Allison2023-03-083-0/+77
| | | | | | | | | | | | | | Shows we are leaking an fsp/fd if we request a non-existent stream on a file. This then causes rename of a directory containing the file to be denied, as it thinks we have an existing open file below it. Add knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15314 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit c54bec26ad23b0121b2ddfbf04bc81050f27e6e1)
* s3: provision: Add new streams_xattr_nostrict share - needs "strict rename = ↵Jeremy Allison2023-03-081-0/+5
| | | | | | | | | | | | | | no". The bug we're testing for needs "strict rename = no" (the default), but the existing streams_xattr share uses "strict rename = yes" from the [global] section. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15314 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 5a3db5105bd8360b245cd35810002740ccff605c)
* rpcd: With npa->need_idle_server we can have more than 256 serversVolker Lendecke2023-03-072-2/+2
| | | | | | | | | | | | | | | | | | | | Before this patch the worker-status cut the worker index such that samba-dcerpcd could not properly update status of the surplus rpc daemons. This could lead to those daemons to stay around forever, samba-dcerpcd will never notice they are idle and can exit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15310 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Mar 6 22:35:00 UTC 2023 on atb-devel-224 (cherry picked from commit a1780ed8d1b46e4760319b27a4978e7ce7a1df80) Autobuild-User(v4-17-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-17-test): Tue Mar 7 11:16:46 UTC 2023 on sn-devel-184
View Lorry Controller Status