path: root/selftest
Commit message | Author | Age | Files | Lines
* CVE-2022-38023 s3:rpc_server/netlogon: Use dcesrv_netr_creds_server_step_check() | Samuel Cabrero | 2023-01-09 | 1 | -0/+14

  After s3 and s4 rpc servers merge we can avoid duplicated code.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

  Signed-off-by: Samuel Cabrero <scabrero@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-38023 selftest:Samba3: avoid global 'server schannel = auto' | Samuel Cabrero | 2023-01-09 | 1 | -1/+15

  Instead of using the generic deprecated option use the specific
  server require schannel:COMPUTERACCOUNT = no
  in order to allow legacy tests to pass.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

  Signed-off-by: Samuel Cabrero <scabrero@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3: smbd: Strip any leading '\\' characters if the SMB2 DFS flag is set. | Jeremy Allison | 2023-01-04 | 1 | -1/+0

  MacOS clients send SMB2 DFS pathnames as \server\share\file\name.

  Ensure smbd can cope with this by stripping any leading '\\' characters from an SMB2 packet with the DFS flag set.

  Remove knownfail.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15277

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Wed Jan 4 07:46:06 UTC 2023 on sn-devel-184
* s3: smbtorture: Add SMB2-DFS-FILENAME-LEADING-BACKSLASH test. | Jeremy Allison | 2023-01-04 | 1 | -0/+1

  Shows that we fail to cope with MacOSX clients that send a (or more than one) leading '\\' character for an SMB2 DFS pathname.

  I missed this in earlier tests as Windows, Linux, and libsmbclient clients do NOT send a leading backslash for SMB2 DFS paths. Only MacOSX (sigh:-).

  Passes against Windows. Adds a knownfail for smbd.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15277

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* s3:rpc_server/srvsvc: make sure we (re-)load all shares as root. | Stefan Metzmacher | 2022-12-29 | 1 | -1/+0

  This fixes a regression in commit f03665bb7e8ea97699062630f2aa1bac4c5dfc7f

  The use of reload_services() has a lot of side effects, e.g. reopen of log files and other things, which are only useful in smbd, but not in rpcd_classic. It was also unloading the user and registry shares we loaded a few lines above.

  We need to do all (re-)loading as root, otherwise we won't be able to read root only smb.conf files, access registry shares, ...

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Walker <awalker@ixsystems.com>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Thu Dec 29 21:14:02 UTC 2022 on sn-devel-184
* selftest: add samba3.blackbox.registry_share | Stefan Metzmacher | 2022-12-29 | 2 | -0/+31

  This demonstrates the regression introduced by f03665bb7e8ea97699062630f2aa1bac4c5dfc7f, where registry shares are no longer listed.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Walker <awalker@ixsystems.com>
* CI: join ad_member_s3_join to vampire_dc | Ralph Boehme | 2022-12-21 | 1 | -1/+1

  Currently ad_member_s3_join is only used for testing samba-tool join and that'll work just fine being joined to vampire_dc instead of ad_dc.

  vampire_dc is an additional DC in the SAMBADOMAIN "started" by ad_dc_ntvfs, so by joining ad_member_s3_join to the SAMBADOMAIN, it is a member of a domain with more than one DC.

  Subsequently I'll add a test that needs such an environment.

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Re-create files if manually removed | David Mulder | 2022-12-21 | 1 | -1/+0

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Test that files are re-created if manually removed | David Mulder | 2022-12-21 | 1 | -0/+1

  Currently applied files which are manually removed do not get re-applied.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* smbd: Add "posix" flag to openat_pathref_dirfsp_nosymlink() | Volker Lendecke | 2022-12-15 | 1 | -1/+0

  Don't do the get_real_filename() retry if we're in posix context or if the connection is case sensitive.

  The whole concept of case sensitivity blows my brain. In SMB1 without posix extensions it's a per-request thing. In SMB2 without posix extensions this should just depend on "case sensitive = yes/no", and in future SMB2 posix extensions this will become a per-request thing again, depending on the existence of the posix create context.

  Then there are other semantics that are attached to posix-ness, which have nothing to do with case sensitivity. See for example merge request 2819 and bug 8776, or commit f0e1137425f. Also see check_path_syntax_internal().

  This patch uses the same flags as openat_pathref_fsp_case_insensitive() does, but I am 100% certain this is wrong in a subtle way.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Thu Dec 15 11:30:04 UTC 2022 on sn-devel-184
* tests: Show that in smb1 posix we don't treat dirs as case sensitive | Volker Lendecke | 2022-12-15 | 1 | -0/+1

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows. | Stefan Metzmacher | 2022-12-13 | 2 | -2980/+616

  We need to take the value from the msDS-SupportedEncryptionTypes attribute and only take the default if there's no value or if the value is 0.

  For krbtgt and DC accounts we need to force support for ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits in addition. (Note for krbtgt msDS-SupportedEncryptionTypes is completely ignored, the hardcoded value is the default, so there's no AES256-SK for krbtgt).

  For UF_USE_DES_KEY_ONLY on the account we reset the value to 0, these accounts are in fact disabled completely, as they always result in KRB5KDC_ERR_ETYPE_NOSUPP.

  Then we try to get all encryption keys marked in supported_enctypes, and the available_enctypes is a reduced set depending on what keys are actually stored in the database.

  We select the supported session key enctypes by the available keys and in addition based on AES256-SK as well as the "kdc force enable rc4 weak session keys" option.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 python:tests/krb5: test much more etype combinations | Stefan Metzmacher | 2022-12-13 | 2 | -501/+3907

  These tests work out the difference between
  - msDS-SupportedEncryptionTypes value or its default
  - software defined extra flags for DC accounts
  - accounts with only an nt hash being stored
  - the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added | Andrew Bartlett | 2022-12-13 | 2 | -599/+2

  ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this CVE to indicate that additionally, AES session keys are available. We set the etypes available for session keys depending on the encryption types that are supported by the principal.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219

  Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 selftest: Run S4U tests against FL2003 DC | Joseph Sutton | 2022-12-13 | 1 | -0/+7

  This shows that changes around RC4 encryption types do not break older functional levels where only RC4 keys are available.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added | Joseph Sutton | 2022-12-13 | 3 | -5/+1113

  ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this CVE to indicate that additionally, AES session keys are available.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group | Joseph Sutton | 2022-12-13 | 1 | -2/+4

  Extend the RC4 Protected Users tests to use different preauth etypes. This helps test the nuances of the new expected behaviour and allows the tests to continue passing.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-37967 Add new PAC checksum | Joseph Sutton | 2022-12-13 | 1 | -2/+28

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key | Andrew Bartlett | 2022-12-13 | 1 | -5/+0

  We need to select server, not client, to compare client etypes against.

  (It is not useful to compare the client-supplied encryption types with the client's own long-term keys.)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types | Joseph Sutton | 2022-12-13 | 2 | -0/+12

  The KDC should leave the choice of ticket encryption type up to the target service, and admit no influence from the client.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]" | Stefan Metzmacher | 2022-12-13 | 1 | -0/+28

  By default we'll now require schannel connections with privacy/sealing/encryption.

  But we allow exceptions for specific computer/trust accounts.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15260

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no' | Stefan Metzmacher | 2022-12-13 | 1 | -7/+53

  Instead of using the generic deprecated option use the specific
  allow nt4 crypto:COMPUTERACCOUNT = yes
  and
  server reject md5 schannel:COMPUTERACCOUNT = no
  in order to allow legacy tests to pass.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes | Stefan Metzmacher | 2022-12-13 | 1 | -0/+4

  AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0, so there's no reason to allow md5 clients by default. However some third party domain members may need it.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto' | Stefan Metzmacher | 2022-12-13 | 1 | -3/+37

  Instead of using the generic deprecated option use the specific
  server require schannel:COMPUTERACCOUNT = no
  in order to allow legacy tests to pass.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* selftest: make filter-subunit much more efficient for large knownfail lists | Andrew Bartlett | 2022-12-13 | 1 | -17/+15

  By compiling the knownfail lists ahead of time we change a 20min test into a 90sec test.

  This could be improved further by combining this into a single regular expression, but this is enough for now. The 'reason' is thankfully not used.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15258

  Pair-programmed-with: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* tsocket: Fix the build on FreeBSD | Volker Lendecke | 2022-12-12 | 1 | -3/+4

  FreeBSD does not have TCP_USER_TIMEOUT

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* lib/comression: convert test_lzxpress_plain to cmocka | Douglas Bagnall | 2022-12-01 | 1 | -0/+3

  Mainly so I can go

    make bin/test_lzxpress_plain && bin/test_lzxpress_plain
    valgrind bin/test_lzxpress_plain
    rr bin/test_lzxpress_plain
    rr replay

  in a tight loop.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* selftest: be less confident in commending st/summary | Douglas Bagnall | 2022-12-01 | 1 | -2/+2

  st/summary is useless. If you'll find anything, it'll be in st/subunit. However, in case *something* useful ever ends up there we still mention it.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* lib/compression: add LZ77 + Huffman decompression | Douglas Bagnall | 2022-12-01 | 1 | -0/+3

  This format is described in [MS-XCA] 2.1 and 2.2, with exegesis in many posts on the cifs-protocol list[1].

  The two public functions are:

    ssize_t lzxpress_huffman_decompress(const uint8_t *input,
                                        size_t input_size,
                                        uint8_t *output,
                                        size_t output_size);

    uint8_t *lzxpress_huffman_decompress_talloc(TALLOC_CTX *mem_ctx,
                                                const uint8_t *input_bytes,
                                                size_t input_size,
                                                size_t output_size);

  In both cases the caller needs to know the *exact* decompressed size, which is essential for decompression. The _talloc version allocates the buffer for you, and uses the talloc context to allocate a 128k working buffer. The non-talloc function will allocate the working buffer on the stack.

  This compression format gives better compression for messages of several kilobytes than the "plain" LZXPRESS compression, but is probably a bit slower to decompress and is certainly worse for very short messages, having a fixed 256 byte overhead for the first Huffman table.

  Experiments show decompression rates between 20 and 500 MB per second, depending on the compression ratio and data size, on an i5-1135G7 with no compiler optimisations.

  This compression format is used in AD claims and in SMB, but that doesn't happen with this commit.

  I will not try to describe LZ77 or Huffman encoding here. Don't expect an answer in MS-XCA either; instead read the code and/or Wikipedia.

  [1] Much of that starts here: https://lists.samba.org/archive/cifs-protocol/2022-October/ but there's more earlier, particularly in June/July 2020, when Aurélien Aptel was working on an implementation that ended up in Wireshark.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Pair-programmed-with: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* util: add stable sort functions | Douglas Bagnall | 2022-12-01 | 1 | -0/+2

  Sometimes (e.g. in lzxpress Huffman encoding, and in some of our tests: c.f. https://lists.samba.org/archive/samba-technical/2018-March/126010.html) we want a stable sort algorithm (meaning one that retains the previous order of items that compare equal).

  The GNU libc qsort() is *usually* stable, in that it first tries to use a mergesort but reverts to quicksort if the necessary allocations fail. That has led Samba developers to unthinkingly assume qsort() is stable which is not the case on many platforms, and might not always be on GNU/Linuxes either.

  This adds four functions. stable_sort() sorts an array, and requires an auxiliary working array of the same size. stable_sort_talloc() takes a talloc context so it can create a working array and call stable_sort(). stable_sort_r() takes an opaque context blob that gets passed to the compare function, like qsort_r() and ldb_qsort(). And stable_sort_talloc_r() rounds out the quadrant.

  These are LGPL so that they can be used in ldb, which has problems with unstable sort.

  The tests are borrowed and extended from test_ldb_qsort.c.

  When sorting non-trivial structs this is roughly as fast as GNU qsort, but GNU qsort has optimisations for small items, using direct assignments rather than memcpy where the size allows the item to be cast as some kind of int.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* s3: smbd: Fix schedule_smb2_aio_read() to allow the last read in a compound to go async. | Jeremy Allison | 2022-12-01 | 1 | -1/+0

  Remove knownfail.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Thu Dec 1 16:04:07 UTC 2022 on sn-devel-184
* s3: smbd: Fix schedule_aio_smb2_write() to allow the last write in a compound to go async. | Jeremy Allison | 2022-12-01 | 1 | -1/+0

  Remove knownfail.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* s4: torture: Add compound_async.read_read test to show we don't go async on the last read in a compound. | Jeremy Allison | 2022-12-01 | 1 | -0/+1

  Add knownfail.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* s4: torture: Add compound_async.write_write test to show we don't go async on the last write in a compound. | Jeremy Allison | 2022-12-01 | 1 | -0/+1

  Add knownfail.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* tests/s3: Test case sensitive open with SMB3 posix | David Mulder | 2022-11-29 | 1 | -0/+1

  Disabled because we don't handle posix paths correctly yet.

  Signed-off-by: David Mulder <dmulder@suse.com>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* tests/s3: Test reserved chars in posix filename | David Mulder | 2022-11-29 | 1 | -0/+1

  Disabled because we don't handle posix paths correctly yet.

  Signed-off-by: David Mulder <dmulder@suse.com>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* tests/s3: Test SMB2_FIND_POSIX_INFORMATION dir query | David Mulder | 2022-11-29 | 1 | -0/+8

  Signed-off-by: David Mulder <dmulder@suse.com>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* smbd: reject FILE_ATTRIBUTE_TEMPORARY on directories | Ralph Boehme | 2022-11-28 | 1 | -1/+0

  Cf MS-FSA 2.1.5.14.2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Mon Nov 28 10:14:12 UTC 2022 on sn-devel-184
* torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory | Ralph Boehme | 2022-11-28 | 2 | -0/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15252

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gitlab-ci: do some basic testing on ubuntu1804-32bit | Stefan Metzmacher | 2022-11-24 | 3 | -0/+190

  For now we allow build warnings and only do some basic testing. We also ignore timestamp related problems, as well as some charset failures.

  Over time we should try to address the situation by not allowing warnings and verify if expected failures are harmless or not.

  But it's already much better than having no 32bit testing at all!

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Thu Nov 24 12:05:26 UTC 2022 on sn-devel-184
* selftest: add --default-ldb-backend option | Stefan Metzmacher | 2022-11-24 | 3 | -10/+15

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* selftest: samba-ktest-mit also needs $ENV{KRB5RCACHETYPE} = "none" | Stefan Metzmacher | 2022-11-24 | 1 | -2/+5

  We need to pass --mitkrb5 to selftest.pl in all cases we use system mit kerberos not only when we also test the kdc.

  We can't use a replay cache in selftest verifies the stat.st_uid against getuid().

  BTW: while debugging this on ubuntu 22.04 I exported KRB5_TRACE="/dev/stderr", which means we get tracing into the servers log file and into selftest_prefix/subunit for the client...

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests: Start testing smb2 symlink error returns | Volker Lendecke | 2022-11-22 | 1 | -0/+1

  This still all fails, but if you run them against Windows they work.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Nov 22 19:25:34 UTC 2022 on sn-devel-184
* tests: Add nosymlinks_smb1allow share | Volker Lendecke | 2022-11-22 | 1 | -0/+3

  The next commits will create symlinks via posix extensions to test the smb2 symlink error return. Creating posix symlinks is not allowed with follow symlinks = no, but it's currently our only way to create symlinks over SMB. This could go away once we can create symlinks via reparse points.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* tests: Start testing reparsepoints | Volker Lendecke | 2022-11-22 | 1 | -0/+1

  This still all fails, but if you run them against Windows they work.

  How to run:

    PYTHONPATH=bin/python \
    LOCAL_PATH=/tmp \
    SMB1_SHARE=share \
    SMB2_SHARE=share \
    SHARENAME=share \
    SERVER_IP=<server-ip> \
    DOMAIN=<your-domain> \
    USERNAME=Administrator \
    PASSWORD=<your-password> \
    SMB_CONF_PATH=/usr/local/samba/etc/smb.conf \
    SERVERCONFFILE="$SMB_CONF_PATH" \
    python3 -m samba.subunit.run samba.tests.reparsepoints

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Make samba-tool gpo manage sudoers remove backward compatible | David Mulder | 2022-11-21 | 1 | -1/+0

  Ensure `samba-tool gpo manage sudoers remove` is backward compatible with the GPME sudo rules.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Test that samba-tool gpo manage removes gpme sudoers | David Mulder | 2022-11-21 | 1 | -0/+1

  The file format for storing the sudo rules changed in samba-tool, but these can still be added via the GPME. We should still include them here.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Make samba-tool gpo manage sudoers list backward compatible | David Mulder | 2022-11-21 | 1 | -1/+0

  Ensure `samba-tool gpo manage sudoers list` is backward compatible with the GPME sudo rules.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* gp: Test that samba-tool gpo manage lists gpme sudoers | David Mulder | 2022-11-21 | 1 | -0/+1

  The file format for storing the sudo rules changed in samba-tool, but these can still be added via the GPME. We should still include them here.

  Signed-off-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:rpc_server: Fix include directive substitution when enumerating shares | Andreas Schneider | 2022-11-18 | 1 | -1/+0

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Fri Nov 18 19:17:31 UTC 2022 on sn-devel-184