path: root/source4
Commit message | Author | Age | Files | Lines
* s4:selftest: use plansmbtorture4testsuite() for 'rpc.echo'
  Author: Stefan Metzmacher | Age: 2021-03-03 | Files: 1 | Lines: -1/+2

  This makes sure "--basedir=$SELFTEST_TMPDIR" is passed to smbtorture.
  Tests should not create files in the build nor the source directory!

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14628

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  (cherry picked from commit d06f2c22d726a5ec7bd804d89154ee272ab1a679)
  (cherry picked from commit 81b36b389cb01eca9b2f0a2a452d290e21f31394)
* dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones
  Author: Andrew Bartlett | Age: 2021-02-22 | Files: 1 | Lines: -8/+8

  These reports (about recently deleted objects) create concern about a
  perfectly normal part of DB operation.

  We must not operate on objects that are expired or we might reanimate
  them, but we must fix "Deleted Objects" if it is wrong (mostly it is set
  as being deleted in 9999, but in alpha19 we got this wrong).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14593

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Feb 3 05:29:11 UTC 2021 on sn-devel-184

  (cherry picked from commit da627106cdbf8d375b25fa3338a717447f3dbb6e)

  Autobuild-User(v4-13-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-13-test): Mon Feb 22 12:58:04 UTC 2021 on sn-devel-184
* HEIMDAL: krb5_storage_free(NULL) should work
  Author: Paul Wise | Age: 2021-02-16 | Files: 1 | Lines: -0/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12505

  Signed-off-by: Paul Wise <pabs3@bonedaddy.net>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Original-author: Nicolas Williams <nico@twosigma.com>
  (cherry-picked from heimdal commit b3db07d5f0e03f6a1a0a392e70f9675e19a6d6af)
  (cherry picked from commit f9ed4f7028a5ed29026ac8ef1b47b63755ba98f8)
* s4:torture/smb2: add samba3.smb2.ioctl.bug14607
  Author: Stefan Metzmacher | Age: 2021-01-20 | Files: 1 | Lines: -0/+53

  FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 will be used to trigger
  an SMB2 IOCTL response with extra padding.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  (cherry picked from commit 3db566026bcc0bff87acae762211e1c49220dc82)
* Do not create an empty DB when accessing a sam.ldb
  Author: Andrew Bartlett | Age: 2021-01-07 | Files: 1 | Lines: -0/+3

  Samba already does this for samba-tool and doing this should make our
  errors more sensible, particularly in BIND9 if not provisioned with the
  correct --dns-backend=DLZ_BIND9

  The old error was like:

  named[62954]: samba_dlz: Unable to get basedn for /var/lib/samba/private/dns/sam.ldb - NULL Base DN invalid for a base search.

  The new error will be like (in this case from the torture test):

  Failed to connect to Failed to connect to ldb:///home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb: Unable to open tdb '/home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb': No such file or directory: Operations error

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14579

  Reviewed-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit d49e96bc45ea5e2d3364242dad36fe9094b7cc42)

  Autobuild-User(v4-13-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-13-test): Thu Jan 7 10:50:10 UTC 2021 on sn-devel-184
* s4/samba: call force_check_log_size() in standard_new_task()
  Author: Ralph Boehme | Age: 2020-12-09 | Files: 1 | Lines: -0/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
  RN: samba process does not honor max log size

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Mon Dec 7 18:54:29 UTC 2020 on sn-devel-184

  (cherry picked from commit 058f96f4c4eda42b404f0067521d3eafb495fe7d)
* s4/samba: call force_check_log_size() in standard_accept_connection()
  Author: Ralph Boehme | Age: 2020-12-09 | Files: 1 | Lines: -0/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 6fa5fb8ef26dab862df5c46bb5e74f19839c30e2)
* s4/samba: call force_check_log_size() in prefork_reload_after_fork()
  Author: Ralph Boehme | Age: 2020-12-09 | Files: 1 | Lines: -0/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

  Signed-off-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 82b64e930b0e2d3b2e5186017d9f8e420994136c)
* s4: call reopen_logs_internal() in the SIGHUP handler of the prefork process model
  Author: Ralph Boehme | Age: 2020-12-09 | Files: 1 | Lines: -1/+1

  With debug_schedule_reopen_logs() the actual reopen only takes place at
  some point in the future when a DEBUG message is processed.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 19413e76a46f07fdd46fde5e60707bb6845a782d)
* s4: replace low-level SIGHUP handler with a tevent handler
  Author: Ralph Boehme | Age: 2020-12-09 | Files: 1 | Lines: -0/+29

  Replace the low-level signal handler for SIGHUP with a nice tevent signal
  handler. The low-level handler sig_hup() installed by setup_signals()
  remains being used during early startup before a tevent context is
  available.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 9f71e6173ab43a04804ba8061cb0e8ae6c0165bf)
* s4: install tevent tracing hooks to trigger logfile rotation
  Author: Ralph Boehme | Age: 2020-12-09 | Files: 3 | Lines: -2/+33

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 516c2a04a242a539f9fbddb2822295fee233644c)
* s4: add samba server tevent trace helper stuff
  Author: Ralph Boehme | Age: 2020-12-09 | Files: 3 | Lines: -0/+131

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (backported from commit 68f71f227b17774a12c84575c1eecd82279fac95)
  [slow@samba.org: conflict due to rename source4/smbd/ -> source4/samba/ in master]
* s4:torture: Pass buffer correctly to write()
  Author: Andreas Schneider | Age: 2020-10-30 | Files: 1 | Lines: -1/+1

  ../../source4/torture/basic/denytest.c: In function ‘torture_createx_specific.isra’:
  ../../source4/torture/basic/denytest.c:2372:9: error: ‘write’ reading 56 bytes from a region of size 8 [-Werror=stringop-overflow=]
   2372 |         res = write(data_file_fd, &cxd, cxd_len);
        |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14555

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 5f92ec6988d2f4c20eab9449cbe17317588f6634)

  Autobuild-User(v4-13-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-13-test): Fri Oct 30 13:53:37 UTC 2020 on sn-devel-184
* DNS Resolver: support both dnspython before and after 2.0.0
  Author: Alexander Bokovoy | Age: 2020-10-30 | Files: 1 | Lines: -2/+3

  `dnspython` 2.0.0 has many changes and several deprecations like:

  ```
  > dns.resolver.resolve() has been added, allowing control of whether
  search lists are used. dns.resolver.query() is retained for backwards
  compatibility, but deprecated. The default for search list behavior can
  be set at in the resolver object with the use_search_by_default
  parameter. The default is False.

  > dns.resolver.resolve_address() has been added, allowing easy
  address-to-name lookups.
  ```

  The new class `DNSResolver`:
  - provides the compatibility layer
  - defaults the previous behavior (the search list configured in the
    system's resolver configuration is used for relative names)
  - defaults lifetime to 15sec (determines the number of seconds to spend
    trying to get an answer to the question)

  The compatibility shim was developed by Stanislav Levin for FreeIPA and
  adopted for Samba by Alexander Bokovoy.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14553

  Signed-off-by: Stanislav Levin <slev@altlinux.org>
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  (cherry picked from commit 183d5d63f4b40accda3b3ffc980fea391612f964)
* Merge tag 'samba-4.13.1' into v4-13-test
  Author: Karolin Seeger | Age: 2020-10-29 | Files: 3 | Lines: -14/+124

  samba: tag release samba-4.13.1
* CVE-2020-14383: s4/dns: do not crash when additional data not found
  Author: Douglas Bagnall | Age: 2020-10-26 | Files: 1 | Lines: -3/+4

  Found by Francis Brosnan Blázquez <francis@aspl.es>.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
  Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184

  (based on commit df98e7db04c901259dd089e20cd557bdbdeaf379)
* CVE-2020-14383: s4/dns: Ensure variable initialization with NULL.
  Author: Douglas Bagnall | Age: 2020-10-26 | Files: 1 | Lines: -11/+13

  Based on patches from Francis Brosnan Blázquez <francis@aspl.es>
  and Jeremy Allison <jra@samba.org>

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e)
* CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call
  Author: Volker Lendecke | Age: 2020-10-26 | Files: 1 | Lines: -0/+27

  We can't add this test before the fix, add it to knownfail and have the
  fix remove the knownfail entry again. As this crashes winbind, many
  tests after this one will fail.

  Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436

  Signed-off-by: Volker Lendecke <vl@samba.org>
* s4: torture: Add smb2.notify.handle-permissions test.
  Author: Jeremy Allison | Age: 2020-10-26 | Files: 1 | Lines: -0/+80

  Add knownfail entry.

  CVE-2020-14318

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434

  Signed-off-by: Jeremy Allison <jra@samba.org>
* daemons: report status to systemd even when running in foreground
  Author: Alexander Bokovoy | Age: 2020-10-27 | Files: 1 | Lines: -1/+3

  When systemd launches samba services, the configuration we have in
  systemd service files expects that the main process (/usr/sbin/*) would
  use sd_notify() to report back its status. However, we only use
  sd_notify() when running become_daemon(). As a result,
  samba/smbd/winbindd/nmbd processes never report back their status and
  the status updates from other children (smbd, winbindd, etc) are not
  accepted as we now have implied NotifyAccess=main since commit
  d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc

  This leads to a timeout and killing samba process by systemd. Situation
  is reproducible in Fedora 33, for example.

  Make sure that we have required status updates for all daemons in case
  we aren't running in interactive mode.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14552

  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Mon Oct 26 19:58:18 UTC 2020 on sn-devel-184

  (cherry picked from commit 3e27dc4847bd35ca8914be087d5a8ca096510399)

  Autobuild-User(v4-13-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-13-test): Tue Oct 27 10:50:29 UTC 2020 on sn-devel-184
* provision: Add support for BIND 9.16.x
  Author: Amitay Isaacs | Age: 2020-10-27 | Files: 1 | Lines: -0/+3

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487

  Signed-off-by: Amitay Isaacs <amitay@gmail.com>
  Reviewed-by: Rowland Penny <rpenny@samba.org>
  (cherry picked from commit 5b2ccb1c7cad5cded5dad37a18a7d42c1680b2f7)
* bind9-dlz: Add support for BIND 9.16.x
  Author: Amitay Isaacs | Age: 2020-10-27 | Files: 2 | Lines: -0/+13

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487

  Signed-off-by: Amitay Isaacs <amitay@gmail.com>
  Reviewed-by: Rowland Penny <rpenny@samba.org>
  (cherry picked from commit ca3c18a236dedfdfbf225dcfcd0418f1634d8759)
* provision: Add support for BIND 9.14.x
  Author: Amitay Isaacs | Age: 2020-10-27 | Files: 1 | Lines: -0/+3

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487

  Signed-off-by: Amitay Isaacs <amitay@gmail.com>
  Reviewed-by: Rowland Penny <rpenny@samba.org>
  (cherry picked from commit 016c1174ef783990f93e348ee82f5c989c43cbbf)
* bind9-dlz: Add support for BIND 9.14.x
  Author: Amitay Isaacs | Age: 2020-10-27 | Files: 2 | Lines: -0/+13

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487

  Signed-off-by: Amitay Isaacs <amitay@gmail.com>
  Reviewed-by: Rowland Penny <rpenny@samba.org>
  (cherry picked from commit a167a2154d4909e8e1f97d9f36d0e4c947f2d944)
* bind9-dlz: Bind 9.13.x switched to using bool as isc_boolean_t instead of int.
  Author: Amitay Isaacs | Age: 2020-10-27 | Files: 1 | Lines: -1/+17

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14487

  Signed-off-by: Amitay Isaacs <amitay@gmail.com>
  Reviewed-by: Rowland Penny <rpenny@samba.org>
  (cherry picked from commit cdb6c5d1eca1c0f6967941dbd1da07be6b53d302)
* s4:dsdb:acl_read: Implement "List Object" mode feature
  Author: Stefan Metzmacher | Age: 2020-10-27 | Files: 1 | Lines: -1/+78

  See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility

  I tried to avoid any possible overhead for the common cases:
  - SEC_ADS_LIST (List Children) is already granted by default
  - fDoListObject is off by default

  Overhead is only added if the administrator turned on the fDoListObject
  feature and removed SEC_ADS_LIST (List Children) from a parent object.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Oct 21 08:48:02 UTC 2020 on sn-devel-184

  (cherry picked from commit 7223f6453b1b38c933c9480c637ffd06d9f39b97)
* s4:dsdb:util: add dsdb_do_list_object() helper
  Author: Stefan Metzmacher | Age: 2020-10-27 | Files: 1 | Lines: -0/+21

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (cherry picked from commit ffc0bdc6d49e88da1ee408956365da163ff3e1b2)
* s4:dsdb:acl_read: defer LDB_ERR_NO_SUCH_OBJECT
  Author: Stefan Metzmacher | Age: 2020-10-27 | Files: 1 | Lines: -1/+23

  We may need to return child objects even if the base dn is invisible.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (cherry picked from commit e1529bedb2b6c8553e69a42537ac0cffd03af6d6)
* s4:dsdb:acl_read: make use of aclread_check_object_visible() for the search base
  Author: Stefan Metzmacher | Age: 2020-10-27 | Files: 1 | Lines: -17/+5

  We should only have one place to do access checks.

  Use 'git show -w' to see the minimal diff.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (cherry picked from commit faff8e6c89777c38443e561235073c336cfb2e9c)
* s4:dsdb:acl_read: fully set up 'struct aclread_context' before the search base acl check
  Author: Stefan Metzmacher | Age: 2020-10-27 | Files: 1 | Lines: -30/+32

  This makes further change much easier.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (cherry picked from commit c4a3028de726d6708f57d02f9162a4d62d1b6ae7)
* s4:dsdb:acl_read: introduce aclread_check_object_visible() helper
  Author: Stefan Metzmacher | Age: 2020-10-27 | Files: 1 | Lines: -9/+25

  In future this will do more than aclread_check_parent(), if we implement
  fDoListObject and SEC_ADS_LIST_OBJECT handling.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (cherry picked from commit d2dd7c2a5c1f8ee30f0f3b41f933d082b0c75f7c)
* s4:dsdb:tests: add AclVisibiltyTests
  Author: Stefan Metzmacher | Age: 2020-10-27 | Files: 2 | Lines: -2/+321

  This tests all sorts of combinations in order to demonstrate the
  visibility of objects depending on:

  - with or without fDoListObject
  - with or without explicit DENY ACEs
  - A hierarchy of objects with 4 levels from the base dn
  - SEC_ADS_LIST (List Children)
  - SEC_ADS_LIST_LIST_OBJECT (List Object)
  - SEC_ADS_READ_PROP
  - all possible scopes and basedns

  This demonstrates that NO_SUCH_OBJECT doesn't depend purely on the
  visibility of the base dn, it's still possible to get children returned
  under an invisible base dn.

  It also demonstrates the additional behavior with "List Object" mode.

  See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (cherry picked from commit 06d134406739e76b97273db3023855150dbaebbc)
* CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge
  Author: Gary Lockyer | Age: 2020-09-18 | Files: 1 | Lines: -0/+335

  Ensure that client challenges with the first 5 bytes identical are
  rejected.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  [abartlet@samba.org: backported from master as test order was flipped]
* CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd
  Author: Gary Lockyer | Age: 2020-09-18 | Files: 1 | Lines: -35/+29

  Ensure that an empty machine account password can't be set by
  netr_ServerPasswordSet2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations
  Author: Stefan Metzmacher | Age: 2020-09-18 | Files: 1 | Lines: -3/+63

  This should give admins warnings until they have a secure configuration.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
  Author: Stefan Metzmacher | Age: 2020-09-18 | Files: 1 | Lines: -1/+8

  This allows adding exceptions for individual workstations, when using
  "server schannel = yes".

  "server schannel = auto" is very insecure and will be removed soon.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
  Author: Stefan Metzmacher | Age: 2020-09-18 | Files: 1 | Lines: -12/+33

  We should debug more details about the failing request.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords
  Author: Stefan Metzmacher | Age: 2020-09-18 | Files: 1 | Lines: -1/+59

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of netlogon_creds_random_challenge()
  Author: Stefan Metzmacher | Age: 2020-09-18 | Files: 1 | Lines: -2/+1

  This is not strictly needed, but makes things more clear.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of netlogon_creds_random_challenge()
  Author: Stefan Metzmacher | Age: 2020-09-18 | Files: 2 | Lines: -23/+13

  This will avoid getting flakey tests once our server starts to reject
  weak challenges.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* lib/replace: move lib/replace/closefrom.c from ROKEN_HOSTCC_SOURCE to REPLACE_HOSTCC_SOURCE
  Author: Stefan Metzmacher | Age: 2020-09-10 | Files: 1 | Lines: -6/+1

  This is where it really belongs and we avoid the strange interaction
  with source4/heimdal_build/config.h.

  This is a follow-up for commit f31333d40e6fa38daa32a3ebb32d5a317c06fc62.

  This fixes a build problem if libbsd-dev is not installed.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14482

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Björn Jacke <bjacke@samba.org>

  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Tue Sep 8 13:59:58 UTC 2020 on sn-devel-184

  (cherry picked from commit 0022cd94587b805a525b0b9ef71ff0f15780424a)
* ldap_server: Terminate LDAP connections on krb ticket expiry
  Author: Volker Lendecke | Age: 2020-09-03 | Files: 3 | Lines: -0/+100

  See RFC4511 section 4.4.1 and
  https://lists.samba.org/archive/cifs-protocol/2020-August/003515.html
  for details: Windows terminates LDAP connections when the krb5 ticket
  expires, Samba should do the same.

  This patch slightly deviates from Windows behaviour by sending an LDAP
  exop response with msgid 0 that is ASN1-encoded conforming to RFC4511.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit eb72f887b0bf91c050fd5d911f58a1b3ff9b8bcc)
* ldap_server: Add the krb5 expiry to conn->limits
  Author: Volker Lendecke | Age: 2020-09-03 | Files: 3 | Lines: -0/+20

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 77f72fb01faba45babfe6080f805361492ce49e5)
* torture: Test ldap session expiry
  Author: Volker Lendecke | Age: 2020-09-03 | Files: 4 | Lines: -0/+128

  LDAP connections should time out when the kerberos ticket used to
  authenticate expires. Windows does this with an RFC4511 section 4.4.1
  message (that as of August 2020 is encoded not according to the RFC)
  followed by a TCP disconnect. ldb sees the section 4.4.1 as a protocol
  violation and returns LDB_ERR_PROTOCOL_ERROR.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 35c4bb0b0c55a65490fe199edb1a534548104e95)
* build: Wrap a long line
  Author: Volker Lendecke | Age: 2020-09-03 | Files: 1 | Lines: -1/+11

  There will be another entry in the next commit

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit c8c2f8ba73324ba43ccef9f6d1c0c726d7ec0d25)
* kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos
  Author: Stefan Metzmacher | Age: 2020-08-07 | Files: 1 | Lines: -6/+12

  Currently we only ignore KRB5_PROG_ETYPE_NOSUPP for
  Primary:Kerberos-Newer-Keys, but not for Primary:Kerberos.

  If a service account has msDS-SupportedEncryptionTypes: 31 and DES keys
  stored in Primary:Kerberos, we'll pass the DES key to
  smb_krb5_keyblock_init_contents(), but may get KRB5_PROG_ETYPE_NOSUPP.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Isaac Boukris <iboukris@samba.org>

  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Tue Jul 28 14:04:26 UTC 2020 on sn-devel-184

  (cherry picked from commit 4baa7cc8e473f6b63316b4ae5db34796c0f864c3)

  Autobuild-User(v4-13-test): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(v4-13-test): Fri Aug 7 10:39:26 UTC 2020 on sn-devel-184
* Add a test with old msDS-SupportedEncryptionTypes
  Author: Isaac Boukris | Age: 2020-08-07 | Files: 1 | Lines: -0/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354

  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 07399831794e28c7c2cf0140d0f1d1b5538b5f60)
* s4:torture/smb2: add smb2.multichannel.oplocks.test3{_windows,specification}
  Author: Stefan Metzmacher | Age: 2020-07-08 | Files: 1 | Lines: -0/+459

  This is similar to the smb2.multichannel.leases.test5, but it tests the
  oplock case instead of leases.

  With Oplocks Windows only sends a single break on the latest channel,
  this is not what the spec says...

  Maybe we should have a similar test that would expect the behavior from
  the [MS-SMB2] (3/4/2020 rev 60.0) "3.3.4.6 Object Store Indicates an
  Oplock Break":

  ...
  If the server implements the SMB 3.x dialect family, SMB2 Oplock Break
  Notification MUST be sent to the client using the first available
  connection in Open.Session.ChannelList where Channel.Connection is not
  NULL. If the server fails to send the notification to the client, the
  server MUST retry the send using an alternate connection, if available,
  in Open.Session.ChannelList.
  ...

  Here I add one test that demonstrates the Windows behavior:
  smb2.multichannel.oplocks.test3_windows

  and a 2nd test that demonstrates the behavior from MS-SMB2.
  smb2.multichannel.oplocks.test3_specification

  Note that Windows 10 seems to behave differently and it's not possible
  to open all 32 channels used by this test.

  Against remote servers it's required to run iptables as root:

  #> smbtorture //server/torture -Uu%p \
     --option="torture:use_iptables=yes" \
     --option="torture:iptables_command=sudo /sbin/iptables" \
     smb2.multichannel.oplocks.test3_windows

  #> smbtorture //server/torture -Uu%p \
     --option="torture:use_iptables=yes" \
     --option="torture:iptables_command=sudo /sbin/iptables" \
     smb2.multichannel.oplocks.test3_specification

  The test will also work against a Samba server with
  'smbd:FSCTL_SMBTORTURE = yes', and won't require iptables in that case.

  Samba will get a "smb2 disable oplock break retry" configuration option
  to switch between both behaviors, as it's much more common with Samba
  that leases are not supported and clients will fallback to oplocks
  together with multichannel.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* s4:torture/smb2: (re-)add smb2.multichannel.leases.test4
  Author: Stefan Metzmacher | Age: 2020-07-08 | Files: 1 | Lines: -0/+298

  This tests 32 channels, which is the maximum Windows Server versions
  support. (Note that Windows 10 (a Client OS as SMB server) seems to
  support only 20 channels and may differ in other aspects, so we ignore
  that for now).

  This works at least against Windows Server 2019 and we see lease break
  notification retries every ~ 1.3 seconds with ~ 5 TCP retransmissions.
  At that rate we see the remaining 5 retries after the conflicting SMB2
  Create already returned.

  Older Windows Server versions use much longer timeouts in the TCP-stack,
  they send lease break notification retries less often and only 4 in
  total, all other channels get TCP-RST packets because of missing TCP
  keepalive packets before they're used. The intervals between lease break
  notification retries are ~19 seconds for 2012[_R2] and ~25 seconds for
  2016. It means that only ~2 lease break notifications arrive before the
  open returns after ~35 seconds.

  Note that Windows 10 seems to behave differently and it's not possible
  to open all 32 channels used by this test.

  Against remote servers it's required to run iptables as root:

  #> smbtorture //server/torture -Uu%p \
     --option="torture:use_iptables=yes" \
     --option="torture:iptables_command=sudo /sbin/iptables" \
     smb2.multichannel.leases.test4

  The test will also work against a Samba server with
  'smbd:FSCTL_SMBTORTURE = yes', and won't require iptables in that case.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* s4:torture/smb2: remove useless 'smb2.multichannel.leases.test4'
  Author: Stefan Metzmacher | Age: 2020-07-08 | Files: 1 | Lines: -190/+0

  Having a test that would only pass against Samba makes things way too
  complex, they're already complex and we should try to behave like
  Windows as much as possible.

  The next commit will add a better test that will work against Windows
  Servers and the future Samba servers.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>