| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Old versions of 'samba-tool dbcheck' could reanimate
deleted objects, when running at the same time as the
tombstone garbage collection.
When the (deleted) parent of a deleted object
(with the DISALLOW_MOVE_ON_DELETE bit in systemFlags),
is removed before the object itself, dbcheck moved
it in the LostAndFound[Config] subtree of the partition
as an originating change. That means that the object
will be in tombstone state again for 180 days on the local
DC. And other DCs fail to replicate the object as
it's already removed completely there and the replication
only gives the name and lastKnownParent attributes, because
all other attributes should already be known to the other DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a1658b306d85452407388b91a745078c9c1f7dc7)
|
|
|
|
|
|
|
|
| |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1ccc21a34d295be3bb2ab481a5918003eae88bf4)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This would typically happen when the garbage collection
removed a parent object before a child object (both with
the DISALLOW_MOVE_ON_DELETE bit set in systemFlags),
while dbcheck is running at the same time as the garbage collection.
In this case the lastKnownParent attributes points a non existing
object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e388e599495b6d7c38b8b6966332e27f8b958783)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This would typically happen when the garbage collection
removed a parent object before a child object (both with
the DISALLOW_MOVE_ON_DELETE bit set in systemFlags),
while dbcheck is running at the same time as the garbage collection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6d50ee74920c39cdb18b427bfaaf200775bf2d73)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a parent object is removed during the tombstone garbage collection
before a child object and samba-tool dbcheck runs at the same time, the
following can happen:
- If the object child had DISALLOW_MOVE_ON_DELETE in systemFlags,
samba-tool dbcheck moves the object under the LostAndFound[Config]
object (as an originating update!)
- The lastKnownParent attribute is removed (as an originating update!)
These originating updates cause the object to have an extended time
as tombstone. And these changes are replicated to other DCs,
which very likely already removed the object completely!
This means the destination DC of replication has no chance to handle
the object it gets from the source DC with just 2 attributes (name, lastKnownParent).
The destination logs something like:
No objectClass found in replPropertyMetaData
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5357f591accffbf8c62335c308b985811b66f0b5)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Deny ACEs must always be evaluated against explicitly granted rights
from previous ACEs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 8d355dd9769e8990ce998b4c9f28977669b43616)
Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Mon Mar 11 13:04:13 UTC 2019 on sn-devel-144
|
|
|
|
|
|
|
|
|
|
|
|
| |
Creates a 2-element ALLOW + DENY ACE showing that when calculating
effective permissions and maximum access already seen allow bits are not
removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b205d695d769e910a91bec87451dec189ec33740)
|
|
|
|
|
|
|
|
|
|
|
| |
Creates a 3-element ALLOW + ALLOW + DENY ACE showing that when
calculating maximum access already seen allow bits are not removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0ebd8c99aed28a0ba43a22c429837f66f7e94409)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Owner Rights ACEs
We basically must process the Owner Rights ACEs as any other ACE wrt to the
order of adding granted permissions and checking denied permissions. According
to MS-DTYP 2.5.3.2 Owner Rights ACEs must be evaluated in the main loop over
the ACEs in an ACL and the corresponding access_mask must be directly applied
to bits_remaining. We currently defer this to after the loop over the ACEs in
ACL, this is wrong.
We just have to do some initial magic to determine if an ACL contains and
Owner Rights ACEs, and in case it doesn't we grant SEC_STD_WRITE_DAC |
SEC_STD_READ_CONTROL at the *beginning*. MS-DTYP:
-- the owner of an object is always granted READ_CONTROL and WRITE_DAC.
CALL SidInToken(Token, SecurityDescriptor.Owner, PrincipalSelfSubst)
IF SidInToken returns True THEN
IF DACL does not contain ACEs from object owner THEN
Remove READ_CONTROL and WRITE_DAC from RemainingAccess
Set GrantedAccess to GrantedAccess or READ_CONTROL or WRITE_OWNER
END IF
END IF
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9722f75757c0e38c7f42c7cc310d56aa6eaf6392)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Shows that owner and SID_OWNER_RIGHTS ACE
entries interact in max permissions requests.
Tested against Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit fadc4c1bc5fcc3b2d9daea44ef8daf8a8ae0fbe2)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was missing in 44590c1b70c0a24f853c02d5fcdb3c609401e2ca.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Feb 28 19:18:16 UTC 2019 on sn-devel-144
(cherry picked from commit 5cf0764bc4b65dbc59d8626760dbe946a2234833)
|
|
|
|
|
|
|
|
| |
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
(cherry picked from commit 3ca38d2cd1189a5040e13ddab016063280be2b4d)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This only properly covers the small-message nonblocking case. Covering
the large-message and the blocking case is a much larger effort assuming
we want to re-send the failed message if parts of the message has gone
through properly. Don't do that for now.
This was found by sanba_dnsupdate constantly recreating its irpc handle to
winbindd in the RODC case.
The messaging_dgm code cached connected datagram sockets based on the
destination pid for 1 second. Which means the IRPC responses from
winbindd are never delivered to samba_dnsupdate,
which will then hit a timeout.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13786
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2543bba0364d8054e9ad316f5611621841bc061d)
|
|
|
|
|
|
|
|
|
|
|
| |
Do ping_pong a hundred times, re-initializing the msg_ctx every time.
https://bugzilla.samba.org/show_bug.cgi?id=13786
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8d8f62c4b9dea381ce9f5833bc794553ae358173)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fsp->base_fsp->fsp_name
Stacked VFS modules might use the file name, not the file
handle. Looking at you, vfs_fruit...
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit aa1fac696956f96e89e54ddd4535a6e2844161b0)
Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Thu Dec 13 18:20:47 CET 2018 on sn-devel-144
|
|
|
|
|
|
|
|
| |
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit cfffa2e2428b42db65a4ece00602e0cef8ceb5a3)
|
|
|
|
|
|
|
|
| |
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit cf95756235f718478e556ce1fbf7c032f9c9acfb)
|
|
|
|
|
|
|
|
| |
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit 12778f015988f7e8755016c72c26939998758dae)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Without this eg "NT Authority" didn't work:
$ bin/wbinfo -n "NT Authority/Authenticated Users"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name NT Authority/Authenticated Users
$ bin/wbinfo --group-info="NT Authority/Authenticated Users"
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group NT Authority/Authenticated Users
With the patch:
$ bin/wbinfo -n "NT Authority/Authenticated Users"
S-1-5-11 SID_WKN_GROUP (5)
$ bin/wbinfo --group-info="NT Authority/Authenticated Users"
NT AUTHORITY\authenticated users:x:10002:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Dec 5 11:27:22 CET 2018 on sn-devel-144
(cherry picked from commit 8b8d9fdad4a4e2c479141b3d40e9a7320a49c0dd)
Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Fri Dec 7 16:15:58 CET 2018 on sn-devel-144
|
|
|
|
|
|
|
|
|
| |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c46b6b111e8adcd7cf029e5c3293cbdc471793db)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The loop prevention should only be done for CNAME records!
Otherwise we truncate the answer records for A, AAAA or
SRV queries, which is a bad idea if you have more than 20 DCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 4 08:52:29 CET 2018 on sn-devel-144
(cherry picked from commit 34f4491d79b47b2fe2457b8882f11644cf773bc4)
|
|
|
|
|
|
|
|
|
|
|
| |
These tests expose the regression described by Stefan Metzmacher in
discussion on the bugzilla paged linked below.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 14399fd818b130a6347eec860460929c292d5996)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original commit c5cd22b5bbce724dcd68fe94320382b3f772cabf from bug
9175 never worked, as the preceeding signing check overwrote the status
variable.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9175
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Nov 13 17:28:45 CET 2018 on sn-devel-144
(cherry picked from commit 5a8583ed701be97c33a20b2a20f6bbb8ac2f8e99)
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a simple test that verifies that after having set
smbXcli_session_set_disconnect_expired() a session gets disconnected
when it expires.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9175
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a5d1bb5c5b5a57a2d7710dc5ab962683fe5c8e68)
|
|\
| |
| |
| | |
samba: tag release samba-4.8.7
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Count number of answers generated by internal DNS query routine and stop at
20 to match Microsoft's loop prevention mechanism.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
talloc_move'd
We talloc_move() session_info to session->global->auth_session_info
which sets session_info to NULL.
This means security_session_user_level(NULL, NULL) will always return
SECURITY_ANONYMOUS so we never sign the session setup response.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Nov 13 14:22:46 CET 2018 on sn-devel-144
(cherry picked from commit bb93e691ca9b1922bf552363a1e7d70792749d67)
Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Fri Nov 23 13:52:04 CET 2018 on sn-devel-144
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This test checks that a session setup reauth is signed even when neither
client nor server require signing.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 181f18c4bf70754a6f3132375d06250baab2871b)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13677
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit a7c877847f855be5ee6673e541a181b818013abf)
Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Wed Nov 14 17:12:08 CET 2018 on sn-devel-144
|
| |
| |
| |
| |
| |
| |
| |
| | |
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13677
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 221133b0e9ed28274f7513d9416f13a81b7b458b)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is the final step in implementing the needed macOS semantics on the
FinderInfo stream: as long as the client hasn't written a non-zero
FinderInfo blob to the stream, there mustn't be a visible filesystem
entry for other openers.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 1 01:14:23 CET 2018 on sn-devel-144
(cherry picked from commit 1b2de44ea8114cf2025e8b8c843131e2f2dbed27)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
One to rule them all: consistently test critical operations on all
streams relevant to macOS clients: the FinderInfo stream, the Resource
Fork stream and an arbitrary stream that macOS maps to xattrs when
written to on a macOS SMB server.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9d8751db64de75a0de442365b317c1b9ce194170)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
First step in achieving macOS compliant behaviour wrt to empty streams:
- hide empty streams in streaminfo
- prevent opens of empty streams
This means that we may carry 0-byte sized streams in our streams
backend, but this shouldn't really hurt.
The previous attempt of deleting the streams when an SMB setinfo eof to
0 request came in, turned out be a road into desaster.
We could set delete-on-close on the stream, but that means we'd have to
check for it for every write on a stream and checking the
delete-on-close bits requires fetching the locking.tdb record, so this
is expensive and I'd like to avoid that overhead.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ebfcf75e993b1a792db76b94aa898532e1c81eeb)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
o Adds checks verifying that after setting eof to 0 on a stream, a
subsequent open gets ENOENT, before and after closing the handle that
had been used to set eof to 0.
o Verify that a write to a handle succeeds after that handle has been
used to set eof to 0 on a stream.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b35d9e74028727da24f349242cb0bc62403a9b09)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
macOS SMB server versions supports this since 10.12, so we adapt our
behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 055ca448f1a2bd995291af1810c9ec94f90f32dd)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
newer macOS versions
While this operation failed against older macOS versions, it passes
against versions 10.12 and newer. Update the test accordingly, a
subsequent commit will then update our implementation.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit c3cf09a0791ed4dfb7ca18d175396ac1aca5d2ed)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As we currently don't attempt to cancel the internal aio request, we
must ignore the SMB2 cancel request and continue to process the SMB2
request, cf MS-SM2 3.3.5.16:
If the target request is not successfully canceled, processing of the
target request MUST continue and no response is sent to the cancel
request.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13667
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 07eb805cde4db6ac74740e3cfbc56ab6f8e2118a)
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13667
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e37ff8c5fe18d400e378bf2591e209b30473d9f9)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is important, otherwise we'll loose the <SID=> component of the
linked attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7a36cb30b716d56b84e894851c1a18e9eb3a0964)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This will be used by dbcheck in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0386307e34097f5d9233c970983c7306d1705a87)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f81771c8593327e058b9cb4330d7e77083df3ea9)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This demonstrates the bug, that happens when the primaryGroupID
of a user is changed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 364ed537e0bcb3a97cae0f2d1ff72de9423ce0e6)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 3649f1a41a299b14609318ef52b44e2d53cba4b5)
Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Fri Nov 2 15:02:42 CET 2018 on sn-devel-144
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
For some reason the macOS client often writes AppleDouble files with a
non-zero sized resource fork, but the resource fork data is just
boilerplate data with the following string close to the start
This resource fork intentionally left blank
A dump with apple_dump looks like this:
Entry ID : 00000002 : Resource Fork
Offset : 00000052 : 82
Length : 0000011E : 286
-RAW DUMP--: 0 1 2 3 4 5 6 7 8 9 A B C D E F : (ASCII)
00000000 : 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 1E : ................
00000010 : 54 68 69 73 20 72 65 73 6F 75 72 63 65 20 66 6F : This resource fo
00000020 : 72 6B 20 69 6E 74 65 6E 74 69 6F 6E 61 6C 6C 79 : rk intentionally
00000030 : 20 6C 65 66 74 20 62 6C 61 6E 6B 20 20 20 00 00 : left blank ..
00000040 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
00000050 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
00000060 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
00000070 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
00000080 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
00000090 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
000000A0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
000000B0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
000000C0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
000000D0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
000000E0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
000000F0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
00000100 : 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 1E : ................
00000110 : 00 00 00 00 00 00 00 00 00 1C 00 1E FF FF : ..............
We can safely discard this Resource Fork data.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 7be979f958295474f0c0df6a4db0b5bca9a6676d)
|
| |
| |
| |
| |
| |
| |
| |
| | |
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6f022e61597994bc032e61876f24150d7acb3fc2)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently the whole conversion is skipped if the FinderInfo entry in the
AppleDouble file is of the default size (ie not containing xattrs).
That also means we never converted FinderInfo from the AppleDouble file
to stream format. This change finally fixes this.
Note that this keeps failing with streams_depot, much like the existing
known-fail of "samba3.vfs.fruit streams_depot.OS X AppleDouble file
conversion". Fixing the conversion to work with vfs_streams_depot is a
task for another day.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13649
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct 11 01:30:13 CEST 2018 on sn-devel-144
(cherry picked from commit 31daab88e6a415e72ead69844e3eccf5dc02e53c)
Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Thu Oct 18 17:37:52 CEST 2018 on sn-devel-144
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This testcase demonstrates that the AppleDouble conversion in vfs_fruit
doesn't correctly convert the FinderInfo data from the AppleDouble file
to a stream.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13649
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 8b9728480f6ab22da0831400796f3c39ec543df8)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The STATUS_SESSION_EXPIRED error was returned unencrypted,
if the request was encrypted.
If clients use SMB3 encryption and the kerberos authenticated session
expires, clients disconnect the connection instead of doing a reauthentication.
From https://blogs.msdn.microsoft.com/openspecification/2012/10/05/encryption-in-smb-3-0-a-protocol-perspective/
The sender encrypts the message if any of the following conditions is
satisfied:
- If the sender is sending a response to an encrypted request.
- If Session.EncryptData is TRUE and the request or response being
sent is not NEGOTIATE.
- If Session.EncryptData is FALSE, the request or response being sent
is not NEGOTIATE or SESSION_SETUP or TREE_CONNECT, and
<TreeConnect|Share>.EncryptData is TRUE.
[MS-SMB2] 3.3.4.1.4 Encrypting the Message
If Connection.Dialect belongs to the SMB 3.x dialect family and
Connection.ClientCapabilities includes the SMB2_GLOBAL_CAP_ENCRYPTION
bit, the server MUST encrypt the message before sending, if any of the
following conditions are satisfied:
- If the message being sent is any response to a client request for which
Request.IsEncrypted is TRUE.
- If Session.EncryptData is TRUE and the response being sent is not
SMB2_NEGOTIATE or SMB2 SESSION_SETUP.
- If Session.EncryptData is FALSE, the response being sent is not
SMB2_NEGOTIATE or SMB2 SESSION_SETUP or SMB2 TREE_CONNECT, and
Share.EncryptData for the share associated with the TreeId in the SMB2
header of the response is TRUE.
The server MUST encrypt the message as specified in section 3.1.4.3,
before sending it to the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Oct 2 14:11:30 CEST 2018 on sn-devel-144
(cherry picked from commit 4ef45e5334d5874f5d0fdc69286b745ebcdc612d)
Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Wed Oct 10 17:25:32 CEST 2018 on sn-devel-144
|
|/
|
|
|
|
|
|
|
|
| |
This reproduces the problem we have with expired encrypted sessions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 01b868455c9bae309d1ca7ddad54077fc5d7f4b1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where
DOMAIN is the sAMAccountName without the dollar sign ($)
The salt principal for the BLA$ user object was generated wrong.
dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA
dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000
The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.
While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144
(cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060)
Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-8-test): Wed Sep 5 18:32:05 CEST 2018 on sn-devel-144
|