summaryrefslogtreecommitdiff
path: root/selftest
Commit message (Collapse)AuthorAgeFilesLines
* CVE-2018-14629 dns: CNAME loop prevention using counterAaron Haslett2018-11-261-0/+6
| | | | | | | | | | | Count number of answers generated by internal DNS query routine and stop at 20 to match Microsoft's loop prevention mechanism. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600 Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* smb2_server: set req->do_encryption = true earlierStefan Metzmacher2018-10-101-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The STATUS_SESSION_EXPIRED error was returned unencrypted, if the request was encrypted. If clients use SMB3 encryption and the kerberos authenticated session expires, clients disconnect the connection instead of doing a reauthentication. From https://blogs.msdn.microsoft.com/openspecification/2012/10/05/encryption-in-smb-3-0-a-protocol-perspective/ The sender encrypts the message if any of the following conditions is satisfied: - If the sender is sending a response to an encrypted request. - If Session.EncryptData is TRUE and the request or response being sent is not NEGOTIATE. - If Session.EncryptData is FALSE, the request or response being sent is not NEGOTIATE or SESSION_SETUP or TREE_CONNECT, and <TreeConnect|Share>.EncryptData is TRUE. [MS-SMB2] 3.3.4.1.4 Encrypting the Message If Connection.Dialect belongs to the SMB 3.x dialect family and Connection.ClientCapabilities includes the SMB2_GLOBAL_CAP_ENCRYPTION bit, the server MUST encrypt the message before sending, if any of the following conditions are satisfied: - If the message being sent is any response to a client request for which Request.IsEncrypted is TRUE. - If Session.EncryptData is TRUE and the response being sent is not SMB2_NEGOTIATE or SMB2 SESSION_SETUP. - If Session.EncryptData is FALSE, the response being sent is not SMB2_NEGOTIATE or SMB2 SESSION_SETUP or SMB2 TREE_CONNECT, and Share.EncryptData for the share associated with the TreeId in the SMB2 header of the response is TRUE. The server MUST encrypt the message as specified in section 3.1.4.3, before sending it to the client. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Tue Oct 2 14:11:30 CEST 2018 on sn-devel-144 (cherry picked from commit 4ef45e5334d5874f5d0fdc69286b745ebcdc612d) Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-7-test): Wed Oct 10 15:51:31 CEST 2018 on sn-devel-144
* s4:torture: split smb2.session.expire{1,2} to run with signing and encryptpionStefan Metzmacher2018-10-101-0/+2
| | | | | | | | | | This reproduces the problem we have with expired encrypted sessions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 01b868455c9bae309d1ca7ddad54077fc5d7f4b1)
* krb5-samba: interdomain trust uses different salt principalAlexander Bokovoy2018-09-051-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where DOMAIN is the sAMAccountName without the dollar sign ($) The salt principal for the BLA$ user object was generated wrong. dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010 trustDirection: 3 trustPartner: bla.base trustPosixOffset: -2147483648 trustType: 2 trustAttributes: 8 flatName: BLA dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base userAccountControl: 2080 primaryGroupID: 513 objectSid: S-1-5-21-278041429-3399921908-1452754838-1597 accountExpires: 9223372036854775807 sAMAccountName: BLA$ sAMAccountType: 805306370 pwdLastSet: 131485652467995000 The salt stored by Windows in the package_PrimaryKerberosBlob (within supplementalCredentials) seems to be 'W4EDOM-L4.BASEkrbtgtBLA' for the above trust and Samba stores 'W4EDOM-L4.BASEBLA$'. While the salt used when building the keys from trustAuthOutgoing/trustAuthIncoming is 'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Alexander Bokovoy <ab@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144 (cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060) Autobuild-User(v4-7-test): Stefan Metzmacher <metze@samba.org> Autobuild-Date(v4-7-test): Wed Sep 5 18:44:46 CEST 2018 on sn-devel-144
* testprogs/blackbox: let test_trust_user_account.sh check the correct ↵Stefan Metzmacher2018-09-051-0/+1
| | | | | | | | | | | | kerberos salt This demonstrates the bug we currently have. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 1b31fa62567ec549e32c9177b322cfbfb3b6ec1a)
* vfs_fruit: Don't unlink the main fileVolker Lendecke2018-09-051-1/+0
| | | | | | | | | | | | | | | | | | | The original fix for bug 13441 was missing a check that verifies that fruit_ftruncate() is actually called on a stream. Follow-up to Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441 Pair-Programmed-With: Volker Lendecke <vl@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Thu Aug 23 15:28:48 CEST 2018 on sn-devel-144 (cherry picked from commit 8c14234871820eacde46670d722a676fb5f3a46c)
* torture: Make sure that fruit_ftruncate only unlinks streamsVolker Lendecke2018-09-051-0/+1
| | | | | | | | | | Follow-up to Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit c39ec64231b261fe4ada02f1f1b9aa344cf35bb5)
* s3:smbd: let session logoff close files and tcons before deleting the sessionRalph Boehme2018-09-051-1/+0
| | | | | | | | | | | | | | | | | | | | This avoids a race in durable handle reconnects if the reconnect comes in while the old session is still in the tear-down phase. The new session is supposed to rendezvous with and wait for destruction of the old session, which is internally implemented with dbwrap_watch_send() on the old session record. If the old session deletes the session record before calling file_close_user() which marks all file handles as disconnected, the durable handle reconnect in the new session will fail as the records are not yet marked as disconnected which is a prerequisite. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 8f6edcc1645e0ed35eaec914bd0b672500ce986c)
* selftest: add a durable handle test with delayed disconnectRalph Boehme2018-09-052-0/+9
| | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 5508024a861e7c85e6c837552ad142aa1d5e8eca)
* s4:rpc_server/netlogon: don't treet trusted domains as primary in ↵Stefan Metzmacher2018-09-051-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | LogonGetDomainInfo() We need to handle trusted domains differently than our primary domain. The most important part is that we don't return NETR_TRUST_FLAG_PRIMARY for them. NETR_TRUST_FLAG_{INBOUND,OUTBOUND,IN_FOREST} are the relavant flags for trusts. This is an example of what Windows returns in a complex trust environment: netr_LogonGetDomainInfo: struct netr_LogonGetDomainInfo out: struct netr_LogonGetDomainInfo return_authenticator : * return_authenticator: struct netr_Authenticator cred: struct netr_Credential data : f48b51ff12ff8c6c timestamp : Tue Aug 28 22:59:03 2018 CEST info : * info : union netr_DomainInfo(case 1) domain_info : * domain_info: struct netr_DomainInformation primary_domain: struct netr_OneDomainInfo domainname: struct lsa_StringLarge length : 0x0014 (20) size : 0x0016 (22) string : * string : 'W2012R2-L4' dns_domainname: struct lsa_StringLarge length : 0x0020 (32) size : 0x0022 (34) string : * string : 'w2012r2-l4.base.' dns_forestname: struct lsa_StringLarge length : 0x0020 (32) size : 0x0022 (34) string : * string : 'w2012r2-l4.base.' domain_guid : 0a133c91-8eac-4df0-96ac-ede69044a38b domain_sid : * domain_sid : S-1-5-21-2930975464-1937418634-1288008815 trust_extension: struct netr_trust_extension_container length : 0x0000 (0) size : 0x0000 (0) info : NULL dummy_string2: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string3: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string4: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_long1 : 0x00000000 (0) dummy_long2 : 0x00000000 (0) dummy_long3 : 0x00000000 (0) dummy_long4 : 0x00000000 (0) trusted_domain_count : 0x00000006 (6) trusted_domains : * trusted_domains: ARRAY(6) trusted_domains: struct netr_OneDomainInfo domainname: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'FREEIPA' dns_domainname: struct lsa_StringLarge length : 0x0018 (24) size : 0x001a (26) string : * string : 'freeipa.base' dns_forestname: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL domain_guid : 00000000-0000-0000-0000-000000000000 domain_sid : * domain_sid : S-1-5-21-429948374-2562621466-335716826 trust_extension: struct netr_trust_extension_container length : 0x0010 (16) size : 0x0010 (16) info : * info: struct netr_trust_extension length : 0x00000008 (8) dummy : 0x00000000 (0) size : 0x00000008 (8) flags : 0x00000022 (34) 0: NETR_TRUST_FLAG_IN_FOREST 1: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 0: NETR_TRUST_FLAG_PRIMARY 0: NETR_TRUST_FLAG_NATIVE 1: NETR_TRUST_FLAG_INBOUND 0: NETR_TRUST_FLAG_MIT_KRB5 0: NETR_TRUST_FLAG_AES parent_index : 0x00000000 (0) trust_type : LSA_TRUST_TYPE_UPLEVEL (2) trust_attributes : 0x00000008 (8) 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 1: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST 0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION dummy_string2: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string3: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string4: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_long1 : 0x00000000 (0) dummy_long2 : 0x00000000 (0) dummy_long3 : 0x00000000 (0) dummy_long4 : 0x00000000 (0) trusted_domains: struct netr_OneDomainInfo domainname: struct lsa_StringLarge length : 0x0016 (22) size : 0x0018 (24) string : * string : 'S1-W2012-L4' dns_domainname: struct lsa_StringLarge length : 0x0036 (54) size : 0x0038 (56) string : * string : 's1-w2012-l4.w2012r2-l4.base' dns_forestname: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL domain_guid : afe7fbde-af82-46cf-88a2-2df6920fc33e domain_sid : * domain_sid : S-1-5-21-1368093395-3821428921-3924672915 trust_extension: struct netr_trust_extension_container length : 0x0010 (16) size : 0x0010 (16) info : * info: struct netr_trust_extension length : 0x00000008 (8) dummy : 0x00000000 (0) size : 0x00000008 (8) flags : 0x00000023 (35) 1: NETR_TRUST_FLAG_IN_FOREST 1: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 0: NETR_TRUST_FLAG_PRIMARY 0: NETR_TRUST_FLAG_NATIVE 1: NETR_TRUST_FLAG_INBOUND 0: NETR_TRUST_FLAG_MIT_KRB5 0: NETR_TRUST_FLAG_AES parent_index : 0x00000004 (4) trust_type : LSA_TRUST_TYPE_UPLEVEL (2) trust_attributes : 0x00000020 (32) 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 1: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST 0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION dummy_string2: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string3: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string4: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_long1 : 0x00000000 (0) dummy_long2 : 0x00000000 (0) dummy_long3 : 0x00000000 (0) dummy_long4 : 0x00000000 (0) trusted_domains: struct netr_OneDomainInfo domainname: struct lsa_StringLarge length : 0x0006 (6) size : 0x0008 (8) string : * string : 'BLA' dns_domainname: struct lsa_StringLarge length : 0x0010 (16) size : 0x0012 (18) string : * string : 'bla.base' dns_forestname: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL domain_guid : 00000000-0000-0000-0000-000000000000 domain_sid : * domain_sid : S-1-5-21-4053568372-2049667917-3384589010 trust_extension: struct netr_trust_extension_container length : 0x0010 (16) size : 0x0010 (16) info : * info: struct netr_trust_extension length : 0x00000008 (8) dummy : 0x00000000 (0) size : 0x00000008 (8) flags : 0x00000022 (34) 0: NETR_TRUST_FLAG_IN_FOREST 1: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 0: NETR_TRUST_FLAG_PRIMARY 0: NETR_TRUST_FLAG_NATIVE 1: NETR_TRUST_FLAG_INBOUND 0: NETR_TRUST_FLAG_MIT_KRB5 0: NETR_TRUST_FLAG_AES parent_index : 0x00000000 (0) trust_type : LSA_TRUST_TYPE_UPLEVEL (2) trust_attributes : 0x00000008 (8) 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 1: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST 0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION dummy_string2: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string3: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string4: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_long1 : 0x00000000 (0) dummy_long2 : 0x00000000 (0) dummy_long3 : 0x00000000 (0) dummy_long4 : 0x00000000 (0) trusted_domains: struct netr_OneDomainInfo domainname: struct lsa_StringLarge length : 0x000c (12) size : 0x000e (14) string : * string : 'S4XDOM' dns_domainname: struct lsa_StringLarge length : 0x0016 (22) size : 0x0018 (24) string : * string : 's4xdom.base' dns_forestname: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL domain_guid : 00000000-0000-0000-0000-000000000000 domain_sid : * domain_sid : S-1-5-21-313966788-4060240134-2249344781 trust_extension: struct netr_trust_extension_container length : 0x0010 (16) size : 0x0010 (16) info : * info: struct netr_trust_extension length : 0x00000008 (8) dummy : 0x00000000 (0) size : 0x00000008 (8) flags : 0x00000022 (34) 0: NETR_TRUST_FLAG_IN_FOREST 1: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 0: NETR_TRUST_FLAG_PRIMARY 0: NETR_TRUST_FLAG_NATIVE 1: NETR_TRUST_FLAG_INBOUND 0: NETR_TRUST_FLAG_MIT_KRB5 0: NETR_TRUST_FLAG_AES parent_index : 0x00000000 (0) trust_type : LSA_TRUST_TYPE_UPLEVEL (2) trust_attributes : 0x00000008 (8) 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 1: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST 0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION dummy_string2: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string3: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string4: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_long1 : 0x00000000 (0) dummy_long2 : 0x00000000 (0) dummy_long3 : 0x00000000 (0) dummy_long4 : 0x00000000 (0) trusted_domains: struct netr_OneDomainInfo domainname: struct lsa_StringLarge length : 0x0014 (20) size : 0x0016 (22) string : * string : 'W2012R2-L4' dns_domainname: struct lsa_StringLarge length : 0x001e (30) size : 0x0020 (32) string : * string : 'w2012r2-l4.base' dns_forestname: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL domain_guid : 0a133c91-8eac-4df0-96ac-ede69044a38b domain_sid : * domain_sid : S-1-5-21-2930975464-1937418634-1288008815 trust_extension: struct netr_trust_extension_container length : 0x0010 (16) size : 0x0010 (16) info : * info: struct netr_trust_extension length : 0x00000008 (8) dummy : 0x00000000 (0) size : 0x00000008 (8) flags : 0x0000001d (29) 1: NETR_TRUST_FLAG_IN_FOREST 0: NETR_TRUST_FLAG_OUTBOUND 1: NETR_TRUST_FLAG_TREEROOT 1: NETR_TRUST_FLAG_PRIMARY 1: NETR_TRUST_FLAG_NATIVE 0: NETR_TRUST_FLAG_INBOUND 0: NETR_TRUST_FLAG_MIT_KRB5 0: NETR_TRUST_FLAG_AES parent_index : 0x00000000 (0) trust_type : LSA_TRUST_TYPE_UPLEVEL (2) trust_attributes : 0x00000000 (0) 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST 0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION dummy_string2: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string3: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string4: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_long1 : 0x00000000 (0) dummy_long2 : 0x00000000 (0) dummy_long3 : 0x00000000 (0) dummy_long4 : 0x00000000 (0) trusted_domains: struct netr_OneDomainInfo domainname: struct lsa_StringLarge length : 0x0016 (22) size : 0x0018 (24) string : * string : 'S2-W2012-L4' dns_domainname: struct lsa_StringLarge length : 0x004e (78) size : 0x0050 (80) string : * string : 's2-w2012-l4.s1-w2012-l4.w2012r2-l4.base' dns_forestname: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL domain_guid : 29daace6-cded-4ce3-a754-7482a4d9127c domain_sid : * domain_sid : S-1-5-21-167342819-981449877-2130266853 trust_extension: struct netr_trust_extension_container length : 0x0010 (16) size : 0x0010 (16) info : * info: struct netr_trust_extension length : 0x00000008 (8) dummy : 0x00000000 (0) size : 0x00000008 (8) flags : 0x00000001 (1) 1: NETR_TRUST_FLAG_IN_FOREST 0: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 0: NETR_TRUST_FLAG_PRIMARY 0: NETR_TRUST_FLAG_NATIVE 0: NETR_TRUST_FLAG_INBOUND 0: NETR_TRUST_FLAG_MIT_KRB5 0: NETR_TRUST_FLAG_AES parent_index : 0x00000001 (1) trust_type : LSA_TRUST_TYPE_UPLEVEL (2) trust_attributes : 0x00000000 (0) 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST 0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION dummy_string2: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string3: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string4: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_long1 : 0x00000000 (0) dummy_long2 : 0x00000000 (0) dummy_long3 : 0x00000000 (0) dummy_long4 : 0x00000000 (0) lsa_policy: struct netr_LsaPolicyInformation policy_size : 0x00000000 (0) policy : NULL dns_hostname: struct lsa_StringLarge length : 0x0036 (54) size : 0x0038 (56) string : * string : 'torturetest.w2012r2-l4.base' dummy_string2: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string3: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL dummy_string4: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL workstation_flags : 0x00000003 (3) 1: NETR_WS_FLAG_HANDLES_INBOUND_TRUSTS 1: NETR_WS_FLAG_HANDLES_SPN_UPDATE supported_enc_types : 0x0000001f (31) 1: KERB_ENCTYPE_DES_CBC_CRC 1: KERB_ENCTYPE_DES_CBC_MD5 1: KERB_ENCTYPE_RC4_HMAC_MD5 1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 0: KERB_ENCTYPE_FAST_SUPPORTED 0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED 0: KERB_ENCTYPE_CLAIMS_SUPPORTED 0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED dummy_long3 : 0x00000000 (0) dummy_long4 : 0x00000000 (0) result : NT_STATUS_OK Best viewed with: git show --histogram -w BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 2099add0657126e4a5427ec2db0fe8025478b355)
* s4:torture/rpc/netlogon: verify the trusted domains output of ↵Stefan Metzmacher2018-09-051-0/+1
| | | | | | | | | | | | | LogonGetDomainInfo() This makes sure we don't treat trusted domains in the same way we treat our primary domain. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit d5dd8fdc647d6a202c5da0451d395116c2cd92b9)
* selftest: Load time_audit and full_audit modules for all testsChristof Schmitt2018-08-231-6/+6
| | | | | | | | | | | | | | | | | | Previously the only test was to load these modules to trigger the smb_vfs_assert_all_fns check. As these modules just pass through the calls, they can be loaded for all tests to ensure that the codepaths are exercised. This would have found the problem in smb_time_audit_offload_read_recv. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13568 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Aug 13 22:35:20 CEST 2018 on sn-devel-144 (cherry picked from commit a98f09a09db2fc7be85f9171b586e65344a39e92)
* g_lock: Fix lock upgradesVolker Lendecke2018-08-231-1/+0
| | | | | | | | | | Master has changed significantly, this is a minimum fix for 4.7 without cleaning up the code BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* torture3: Extend the g_lock6 test to also cover upgradesVolker Lendecke2018-08-231-0/+1
| | | | | | | | | | The fixes for #13195 were incomplete and did not cover upgrades properly. It's all gone in master with the new code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* selftest: subunithelper needs to follow the subunit spec more closelyDouglas Bagnall2018-08-211-1/+2
| | | | | | | | | | | In particular allow ]\n without \n]\n as used by cmocka Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 7d79575de8e47a0ce03e30c3ea84176be696269f) Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-7-test): Tue Aug 21 16:10:23 CEST 2018 on sn-devel-144
* Merge tag 'samba-4.7.9' into v4-7-testKarolin Seeger2018-08-142-11/+12
|\ | | | | | | samba: tag release samba-4.7.9
| * CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled ↵Günther Deschner2018-08-112-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | via "ntlm auth". This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0. Found by Vivek Das <vdas@redhat.com> (Red Hat QE). In order to demonstrate simply run: smbclient //server/share -U user%password -mNT1 -c quit \ --option="client ntlmv2 auth"=no \ --option="client use spnego"=no against a server that uses "ntlm auth = ntlmv2-only" (our default setting). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
| * CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()Andrew Bartlett2018-08-112-0/+4
| | | | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
| * selftest/tests.py: remove always-needed, never-set with_cmocka flagDouglas Bagnall2018-08-111-10/+8
| | | | | | | | | | | | | | | | | | | | We have cmocka in third_party, so we are never without it. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6 by Andrew Bartlett)
| * CVE-2018-10919 acl_read: Fix unauthorized attribute access via searchesTim Beale2018-08-112-16/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A user that doesn't have access to view an attribute can still guess the attribute's value via repeated LDAP searches. This affects confidential attributes, as well as ACLs applied to an object/attribute to deny access. Currently the code will hide objects if the attribute filter contains an attribute they are not authorized to see. However, the code still returns objects as results if confidential attribute is in the search expression itself, but not in the attribute filter. To fix this problem we have to check the access rights on the attributes in the search-tree, as well as the attributes returned in the message. Points of note: - I've preserved the existing dirsync logic (the dirsync module code suppresses the result as long as the replPropertyMetaData attribute is removed). However, there doesn't appear to be any test that highlights that this functionality is required for dirsync. - To avoid this fix breaking the acl.py tests, we need to still permit searches like 'objectClass=*', even though we don't have Read Property access rights for the objectClass attribute. The logic that Windows uses does not appear to be clearly documented, so I've made a best guess that seems to mirror Windows behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
| * CVE-2018-10919 tests: Add test case for object visibility with limited rightsTim Beale2018-08-111-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently Samba is a bit disclosive with LDB_OP_PRESENT (i.e. attribute=*) searches compared to Windows. All the acl.py tests are based on objectClass=* searches, where Windows will happily tell a user about objects they have List Contents rights, but not Read Property rights for. However, if you change the attribute being searched for, suddenly the objects are no longer visible on Windows (whereas they are on Samba). This is a problem, because Samba can tell you about which objects have confidential attributes, which in itself could be disclosive. This patch adds a acl.py test-case that highlights this behaviour. The test passes against Windows but fails against Samba. Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
| * CVE-2018-10919 tests: Add tests for guessing confidential attributesTim Beale2018-08-111-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds tests that assert that a confidential attribute cannot be guessed by an unprivileged user through wildcard DB searches. The tests basically consist of a set of DB searches/assertions that get run for: - basic searches against a confidential attribute - confidential attributes that get overridden by giving access to the user via an ACE (run against a variety of ACEs) - protecting a non-confidential attribute via an ACL that denies read- access (run against a variety of ACEs) - querying confidential attributes via the dirsync controls These tests all pass when run against a Windows Dc and all fail against a Samba DC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
* | dns wildcards: fix BUG 13536Gary Lockyer2018-07-281-5/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | The current position in the dns name was not advanced past the '.' character Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Jul 20 04:40:31 CEST 2018 on sn-devel-144 (cherry picked from commit cef1b31cd1f33074e8ab6de52aa0fb74e9b57a9f)
* | dns wildcards: tests to confirm BUG 13536Gary Lockyer2018-07-281-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | DNS wildcard matching failing if more than one label to the left of the wildcard. This commits adds tests to confirm the bug. Wildcard entry: *.example.org bar.example.com matches foo.bar.example.com does not, but it it should. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 0d3aec18679a2637430263a55de5e210a9201e21)
* | s3: smbd: fix path check in smbd_smb2_create_durable_lease_check()Ralph Boehme2018-07-281-1/+0
| | | | | | | | | | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=13535 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit e60e9368cb3cb512e2506620d814187a692108e0)
* | s4: torture: run test_durable_v2_open_reopen2_lease() in a subdirectoryRalph Boehme2018-07-281-0/+1
| | | | | | | | | | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=13535 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 725319743f1f2de934cbde477ca84430f5b2b4b4)
* | s3: libsmbclient: Fix cli_splice() fallback when reading less than a ↵Jeremy Allison2018-07-281-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | complete file. We were always asking for SPLICE_BLOCK_SIZE even when the remaining bytes we wanted were smaller than that. This works when using cli_splice() on a complete file, as the cli_read() terminated the read at the right place. We always have the space to read SPLICE_BLOCK_SIZE bytes so this isn't an overflow. Found by Bailey Berro <baileyberro@google.com> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13527 Signed-off-by: Bailey Berro <baileyberro@google.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org> Autobuild-User(master): David Disseldorp <ddiss@samba.org> Autobuild-Date(master): Fri Jul 13 14:57:14 CEST 2018 on sn-devel-144 (cherry picked from commit c9656fd2977557ab20ec4e3d87c385a9b2f1bf43)
* | s3: torture: Test SMB1 cli_splice() fallback path when doing a non-full file ↵Jeremy Allison2018-07-281-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | splice. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13527 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org> (cherry picked from commit 1c8d1cceff852acaca4a0ec0da37b053ed03fe4a) (cherry picked from commit 49d6c3f061284aac31c3ef21f88f9d69bdd86bd8) Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Jul 14 00:14:13 CEST 2018 on sn-devel-144
* | s3:smbd: don't allow renaming basefile if streams are openRalph Boehme2018-07-122-5/+0
| | | | | | | | | | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 465b7d07e5db787c3d6330371e5e42ecbb1b57b9)
* | s4:torture/vfs/fruit: adjust test testing basefile rename to expect failureRalph Boehme2018-07-121-0/+3
| | | | | | | | | | | | | | | | | | | | | | Renaming a basefile that has open streams must fail with NT_STATUS_ACCESS_DENIED. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit f166207fc0344b51879d863857055ab7ff36a09b)
* | s4:torture/smb2/streams: try to rename basefile while is has open streamsRalph Boehme2018-07-121-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This tests the following: - create a file with a stream - open the the stream and keep it open - on a second connection, try to rename the basefile, this should fail with NT_STATUS_ACCESS_DENIED Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 00d19bdab15102083b8ba395ede161824c898be1)
* | selftest: run smb2.streams tests against a share with vfs_streams_xattrRalph Boehme2018-07-121-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | The tests are currently only run against streams_depot, where stream IO is handle based, compared to streams_xattr which is path based. vfs_streams_xattr is also used much more in real world setups, so we should run our tests against it. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (backported from commit aa096ab70a466388a9947f73a525b2dcbb9821e5)
* | vfs_fruit: delete 0 byte size streams if AAPL is enabledRalph Boehme2018-07-121-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | macOS SMB server uses xattrs as storage backend for streams, directly exposing xattr get/set characteristics. Setting EOF on a stream to 0 just deletes the xattr as macOS doesn't support 0-byte sized xattrs. Note that this does not apply to the AFP_AfpInfo and AFP_Resource streams, they have even stranger semantics and we have other tests for those. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed May 30 02:34:29 CEST 2018 on sn-devel-144 (cherry picked from commit 46d127865f3fb14041797d395db3b3234ed3bd6c)
* | s4:torture: test setting EOF of a stream to 0 with enabled AAPL extensionsRalph Boehme2018-07-121-0/+3
|/ | | | | | | | | | | | | | | | macOS SMB server uses xattrs as storage backend for streams, directly exposing xattr get/set characteristics. Setting EOF on a stream to 0 just deletes the xattr as macOS doesn't support 0-byte sized xattrs. Note that this does not apply to the AFP_AfpInfo and AFP_Resource streams, they have even stranger semantics and we have other tests for those. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit cf5d471544f0cb0d072e4af1ee36798580d32897)
* s3: smbtorture: Add new SMB2-DIR-FSYNC test to show behavior of FSYNC on ↵Jeremy Allison2018-06-191-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | directories. Tests against a directory handle on the root of a share, and a directory handle on a sub-directory in a share. Check SEC_DIR_ADD_FILE and SEC_DIR_ADD_SUBDIR separately, either allows flush to succeed. Passes against Windows. Regression test for: BUG: https://bugzilla.samba.org/show_bug.cgi?id=13428 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri May 18 02:38:50 CEST 2018 on sn-devel-144 (cherry picked from commit d42f467a25e75e5487a00378609a24809ddc83ee)
* smbd: Cache dfree information based on query pathChristof Schmitt2018-06-071-1/+0
| | | | | | | | | | | | | Sub directories in a SMB share can have different free space information (e.g. when a different file system is mounted there). Caching the dfree information per SMB share will return invalid data. Address this by switching to memcache and store the cached data based on the query path. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 8f121747b06ca78cf51801a3931b2ddd1a424c77)
* selftest: Add test for 'dfree cache'Christof Schmitt2018-06-071-0/+1
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit a55b3d2fcc2f7737a2702bf908dcf1f80969bf21)
* selftest: Add dfq_cache share with 'dfree cache time' setChristof Schmitt2018-06-071-0/+6
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 7ffcbd5ce1222971cb9879f78765d87cdc4102a8)
* auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a serverStefan Metzmacher2018-06-041-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!" error messages, which were generated if the client only sends NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection. This fixes a regession in the combination of commits 77adac8c3cd2f7419894d18db735782c9646a202 and 3a0b835408a6efa339e8b34333906bfe3aacd6e3. We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end of the authentication (as a server, while we already do so at the beginning as a client). As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE (as an internal flag) in order to let us work as a Windows using NTLMSSP for LDAP. Even if only signing is negotiated during the authentication the following PDUs will still be encrypted if NTLMSSP is used. This is exactly the same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL. I guess it's a bug in Windows, but we have to reimplement that bug. Note this only applies to NTLMSSP and only to LDAP! Signing only works fine for LDAP with Kerberos or DCERPC and NTLMSSP. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144 (cherry picked from commit c7a3ce95ac4ce837d8fde36578b3b1f56c3ac2fa)
* s4:selftest: run test_ldb_simple.sh with more auth optionsStefan Metzmacher2018-06-041-0/+1
| | | | | | | | | | | This demonstrates the broken GENSEC_FEATURE_LDAP_STYLE handling in our LDAP server. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit fc1c5bd3be2c3f90eab2f31e43cf053f7ff13782)
* s3:smbd: fix interaction between chown and SD flagsRalph Boehme2018-05-241-1/+0
| | | | | | | | | | | | | | | | | | A change ownership operation that doesn't set the NT ACLs must not touch the SD flags (type). Bug: https://bugzilla.samba.org/show_bug.cgi?id=13432 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri May 11 23:30:32 CEST 2018 on sn-devel-144 (cherry picked from commit ced55850034a3653525823bf9623912a4fcf18a0) Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-7-test): Thu May 24 17:22:35 CEST 2018 on sn-devel-144
* s4:torture/smb2: new test for interaction between chown and SD flagsRalph Boehme2018-05-241-0/+1
| | | | | | | | | | This passes against Windows, but fails against Samba. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13432 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 12f6d56c4814fca64e0e3c636018e70d71ad0be5)
* nsswitch:tests: Add test for wbinfo --user-infoAndreas Schneider2018-05-241-0/+11
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 2715f52f54e66a73131a92d752a8c2447da1fd33)
* selftest: Add a user with a different userPrincipalNameAndreas Schneider2018-05-241-1/+18
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 5319cae00096dcecc29aa9fa675a983352ad64d8)
* rpc_server: Fix NetSessEnum with stale sessionsChristof Schmitt2018-05-071-1/+0
| | | | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13407 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Apr 25 22:49:07 CEST 2018 on sn-devel-144 (cherry picked from commit a6fade4e10760284ef56abf45d3fa70038091cbe)
* selftest: Add testcase for querying sessions after smbd crashChristof Schmitt2018-05-071-0/+1
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13407 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit e04846c7df8e3eec1f3dbb2fc5eaf47ceb1c44d2)
* s3: tests: Regression test to ensure we can never return a DIRECTORY ↵Jeremy Allison2018-05-071-0/+4
| | | | | | | | | | | | | | | | | | attribute on a stream. Tests streams_xattr and also streams_depot. Inspired from a real-world test case by Andrew Walker <awalker@ixsystems.com>. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13380 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Apr 12 02:04:28 CEST 2018 on sn-devel-144 (cherry picked from commit 82beaf868f252c4bc975ddafd80240af6f679b83)
* s4:rpc_server: fix call_id truncation in dcesrv_find_fragmented_call()Stefan Metzmacher2018-04-251-4/+0
| | | | | | | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13289 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Wed Feb 21 19:02:56 CET 2018 on sn-devel-144 (cherry picked from commit 5d113f80944f2e1d2a7e80f73aea7a4cfdfbd140) Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-7-test): Wed Apr 25 13:15:10 CEST 2018 on sn-devel-144
* tests:dcerpc/raw_protocol: reproduce call_id truncation bugStefan Metzmacher2018-04-251-0/+4
| | | | | | | | | | We need to make sure the server handles call_id values > UINT16_MAX. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13289 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 65e8edb382fbc7450919aad8b42cfcae9e779d11)
* winbindd: Do not ignore domain in the LOOKUPNAME requestChristof Schmitt2018-04-111-2/+0
| | | | | | | | | | | | | | | | | | | A LOOKUPNAME request with a domain and a name containing a winbind separator character would return the result for the joined domain, instead of the specified domain. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri Apr 6 21:03:31 CEST 2018 on sn-devel-144 (cherry picked from commit 1775ac8aa4dc00b9a0845ade238254ebb8b32429) Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-7-test): Wed Apr 11 13:53:02 CEST 2018 on sn-devel-144
View Lorry Controller Status