path: root/source4
Commit message, Author, Age, Files, Lines
* s4:torture/vfs/fruit: update test "read open rsrc after rename" to work with macOS
  Author: Ralph Boehme | Age: 2018-11-06 | Files: 1 | Lines: -2/+15

  macOS SMB server seems to return NT_STATUS_SHARING_VIOLATION in this case
  while Windows 2016 returns NT_STATUS_ACCESS_DENIED.

  Let's stick with the Windows error code for now in the Samba fileserver, but
  let the test pass against macOS.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 9cd9859dc10d425d29774d221ec9ad697192b466)

* s4:torture/vfs/fruit: ensure a directory handle is closed in all code paths
  Author: Ralph Boehme | Age: 2018-11-06 | Files: 1 | Lines: -7/+4

  Otherwise we get a sharing violation when running against Samba and
  opening the directory a second time.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit f7551d8fb3599a6a71dd0570bad02bdc48324107)

* s4:torture/vfs/fruit: update test "stream names" to work with macOS
  Author: Ralph Boehme | Age: 2018-11-06 | Files: 1 | Lines: -0/+8

  o create the basefile before trying to create a stream on it, otherwise
    this fails on macOS
  o write something to the stream, otherwise the stream is not listed as
    macOS hides 0-byte sized streams

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 125498861abeeed5bde727ff98d88d9ce4af6c75)

* s4:torture/vfs/fruit: update test "SMB2/CREATE context AAPL" to work against macOS
  Author: Ralph Boehme | Age: 2018-11-06 | Files: 1 | Lines: -1/+5

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit dba9a4743fc42b57f03b6ace24753ce8091f629f)

* s4:torture/vfs/fruit: set share_access to NTCREATEX_SHARE_ACCESS_MASK in check_stream_list
  Author: Ralph Boehme | Age: 2018-11-06 | Files: 1 | Lines: -0/+1

  Avoid sharing conflicts with other opens on the basefile.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 1d4e50649b02c7c2314aa04e08f9946e21b6b37d)

* s4:torture/vfs/fruit: fix a few error checks in "delete AFP_AfpInfo by writing all 0"
  Author: Ralph Boehme | Age: 2018-11-06 | Files: 1 | Lines: -4/+4

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 394d1fc9ac8373ea7419ea9514750422bd6e504d)

* s4:torture/vfs/fruit: skip a few tests when running against a macOS SMB server
  Author: Ralph Boehme | Age: 2018-11-06 | Files: 1 | Lines: -0/+15

  These tests are designed to test specific vfs_fruit functionality.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 242f42ef79e51e35ab33331e2f2d7c9feaac36f8)

* s4/test: fix AAPL size check
  Author: Ralph Boehme | Age: 2018-11-06 | Files: 1 | Lines: -5/+10

  A recent commit changed the ModelString from "Samba" to "MacSamba".

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13646
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 11589a26ba40e9da90822a85b21327f49a69afda)

* s4:torture/smb2/read: add test for cancelling SMB aio
  Author: Ralph Boehme | Age: 2018-11-06 | Files: 3 | Lines: -0/+118

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13667
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit e37ff8c5fe18d400e378bf2591e209b30473d9f9)

* s4:libcli/smb2: reapply request endtime
  Author: Ralph Boehme | Age: 2018-11-06 | Files: 1 | Lines: -0/+17

  tevent_req_finish() removed a possible request timeout, make sure to
  reinstall it. This happened when an interim SMB2 response was received.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13667
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit a6de555c51ca34ef24ac4b4cb672cd748d3197a1)

* dsdb: Add comments explaining the limitations of our current backlink behaviour
  Author: Andrew Bartlett | Age: 2018-11-05 | Files: 2 | Lines: -7/+35

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Tim Beale <timbeale@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Oct 30 10:32:51 CET 2018 on sn-devel-144
  (cherry picked from commit 852e1db12b0afa04a738c03bb2609c084fe96a7f)
  Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-8-test): Mon Nov 5 14:28:49 CET 2018 on sn-devel-144

* s4:samldb: internally use extended dns while changing the primaryGroupID field
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 1 | Lines: -8/+21

  This is important, otherwise we'll lose the <SID=> component of the
  linked attribute.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 7a36cb30b716d56b84e894851c1a18e9eb3a0964)

* s4:repl_meta_data: add support for DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 3 | Lines: -3/+161

  This will be used by dbcheck in the next commits.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 0386307e34097f5d9233c970983c7306d1705a87)

* s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_la_replace()
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 1 | Lines: -19/+12

  This will simplify further changes.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 1ef145d9d72d847055f6aba8a0070b3e1cfdabbc)

* s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_la_delete()
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 1 | Lines: -16/+11

  This will simplify further changes.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 738b52eb0856c8fcdbb8589e8061bcc14700c23a)

* s4:repl_meta_data: add missing \n to a DEBUG message in replmd_modify_la_add()
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 1 | Lines: -1/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 70a306d0bd6806d1fd00d45e3d8cc70c73d09f79)

* s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_la_add()
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 1 | Lines: -17/+10

  This will simplify further changes.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 42e69a86ca583e3cb20c63b9c6930b4b3425485d)

* s4:repl_meta_data: pass down struct replmd_replicated_request to replmd_modify_handle_linked_attribs()
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 1 | Lines: -15/+10

  This will simplify further changes.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 966c7febaf0245516481bde924ea6cd738eeb78b)

* blackbox/dbcheck-links: Test broken links with missing <SID=...> on linked attributes
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 1 | Lines: -0/+8

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit f81771c8593327e058b9cb4330d7e77083df3ea9)

* s4:dsdb: add DSDB_CONTROL_DBCHECK_FIX_LINK_DN_SID oid
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 3 | Lines: -0/+5

  This will be used to fix missing <SID=> components in future.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit bb9c9e49a5e82f19626cb1b12ec9189fff5114e8)

* testprogs/blackbox: add samba4.blackbox.test_primary_group test
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 1 | Lines: -0/+2

  This demonstrates the bug, that happens when the primaryGroupID of a user
  is changed.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13418
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 364ed537e0bcb3a97cae0f2d1ff72de9423ce0e6)

* s4:dsdb: fix comment on DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 1 | Lines: -1/+1

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 60131b4452d43b3792e7f27a4190c88e7aabb1b4)

* schema_samba4.ldif: add allocation of DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME
  Author: Stefan Metzmacher | Age: 2018-11-05 | Files: 1 | Lines: -0/+1

  This was already allocated in source4/dsdb/samdb/samdb.h with commit
  22208f52e6096fbe9413b8ff339d9446851e0874.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 0189f23f5bda263c7462366ee16b2fe4bcda0119)

* dbchecker: Fixing up incorrect DNs wasn't working
  Author: Tim Beale | Age: 2018-11-05 | Files: 5 | Lines: -0/+92

  dbcheck would fail to fix up attributes where the extended DN's GUID is
  correct, but the DN itself is incorrect. The code failed attempting to
  remove the old/incorrect DN, e.g.

    NOTE: old (due to rename or delete) DN string component for objectCategory in object CN=alice,CN=Users,DC=samba,DC=example,DC=com - <GUID=7bfdf9d8-62f9-420c-8a71-e3d3e931c91e>; CN=Person,CN=Schema,CN=Configuration,DC=samba,DC=bad,DC=com
    Change DN to <GUID=7bfdf9d8-62f9-420c-8a71-e3d3e931c91e>; CN=Person,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com? [y/N/all/none] y
    Failed to fix old DN string on attribute objectCategory : (16, "attribute 'objectCategory': no matching attribute value while deleting attribute on 'CN=alice,CN=Users,DC=samba,DC=example,DC=com'")

  The problem was the LDB message specified the value to delete with its
  full DN, including the GUID. The LDB code then helpfully corrected this
  value on the way through, so that the DN got updated to reflect the
  correct DN (i.e. 'DC=example,DC=com') of the object matching that GUID,
  rather than the incorrect DN (i.e. 'DC=bad,DC=com') that we were trying
  to remove. Because the requested value and the existing DB value didn't
  match, the operation failed.

  We can avoid this problem by passing down just the DN (not the extended
  DN) of the value we want to delete. Without the GUID portion of the DN,
  the LDB code will no longer try to correct it on the way through, and the
  dbcheck operation will succeed.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13495
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 22208f52e6096fbe9413b8ff339d9446851e0874)

* dbcheck: Use symbolic control name for DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS
  Author: Andrew Bartlett | Age: 2018-11-05 | Files: 1 | Lines: -0/+1

  While we do not wish to encourage use of this control, manually typed
  OIDs are even more trouble, so pass out via pydsdb.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  (cherry picked from commit c7fd68088d84232a2f4074ca278b5448ef624afd)

* s4:torture: add test for AppleDouble ResourceFork conversion
  Author: Ralph Boehme | Age: 2018-11-02 | Files: 2 | Lines: -0/+192

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13642
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 6f022e61597994bc032e61876f24150d7acb3fc2)

* s4:torture: FinderInfo conversion test with AppleDouble without xattr data
  Author: Ralph Boehme | Age: 2018-10-18 | Files: 1 | Lines: -0/+258

  This testcase demonstrates that the AppleDouble conversion in vfs_fruit
  doesn't correctly convert the FinderInfo data from the AppleDouble file
  to a stream.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13649
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 8b9728480f6ab22da0831400796f3c39ec543df8)

* s4:torture: split smb2.session.expire{1,2} to run with signing and encryption
  Author: Stefan Metzmacher | Age: 2018-10-10 | Files: 1 | Lines: -4/+46

  This reproduces the problem we have with expired encrypted sessions.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 01b868455c9bae309d1ca7ddad54077fc5d7f4b1)

* krb5-samba: interdomain trust uses different salt principal
  Author: Alexander Bokovoy | Age: 2018-09-05 | Files: 1 | Lines: -3/+3

  Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where
  DOMAIN is the sAMAccountName without the dollar sign ($)

  The salt principal for the BLA$ user object was generated wrong.

    dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
    securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
    trustDirection: 3
    trustPartner: bla.base
    trustPosixOffset: -2147483648
    trustType: 2
    trustAttributes: 8
    flatName: BLA

    dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
    userAccountControl: 2080
    primaryGroupID: 513
    objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
    accountExpires: 9223372036854775807
    sAMAccountName: BLA$
    sAMAccountType: 805306370
    pwdLastSet: 131485652467995000

  The salt stored by Windows in the package_PrimaryKerberosBlob (within
  supplementalCredentials) seems to be 'W4EDOM-L4.BASEkrbtgtBLA' for the
  above trust and Samba stores 'W4EDOM-L4.BASEBLA$'.

  While the salt used when building the keys from
  trustAuthOutgoing/trustAuthIncoming is 'W4EDOM-L4.BASEkrbtgtBLA.BASE',
  which we handle correctly.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144
  (cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060)
  Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(v4-8-test): Wed Sep 5 18:32:05 CEST 2018 on sn-devel-144

* s4:selftest: test kinit with the interdomain trust user account
  Author: Alexander Bokovoy | Age: 2018-09-05 | Files: 1 | Lines: -0/+1

  To test it, add a blackbox test that ensures we pass a keytab-based
  authentication with the trust user account for a trusted domain.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 7df505298f71432d5adbcffccde8f97c117a57a6)

* torture: Make sure that fruit_ftruncate only unlinks streams
  Author: Volker Lendecke | Age: 2018-09-05 | Files: 1 | Lines: -0/+45

  Follow-up to Bug: https://bugzilla.samba.org/show_bug.cgi?id=13441

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit c39ec64231b261fe4ada02f1f1b9aa344cf35bb5)

* selftest: add a durable handle test with delayed disconnect
  Author: Ralph Boehme | Age: 2018-09-05 | Files: 3 | Lines: -0/+98

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 5508024a861e7c85e6c837552ad142aa1d5e8eca)

* s4:selftest: reformat smb2_s3only list
  Author: Ralph Boehme | Age: 2018-09-05 | Files: 1 | Lines: -1/+6

  No change besides reformatting the list to one entry per line.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13549
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 3255822f75163cb38e53f634a5c6b03d46bfaff1)

* s4:rpc_server/netlogon: don't treat trusted domains as primary in LogonGetDomainInfo()
  Author: Stefan Metzmacher | Age: 2018-09-05 | Files: 1 | Lines: -57/+82

  We need to handle trusted domains differently than our primary domain.
  The most important part is that we don't return NETR_TRUST_FLAG_PRIMARY
  for them.

  NETR_TRUST_FLAG_{INBOUND,OUTBOUND,IN_FOREST} are the relevant flags for
  trusts.

  This is an example of what Windows returns in a complex trust environment:

  Best viewed with: git show --histogram -w

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 2099add0657126e4a5427ec2db0fe8025478b355)

* s4:rpc_server/netlogon: make use of talloc_zero_array() for the netr_OneDomainInfo array
  Author: Stefan Metzmacher | Age: 2018-09-05 | Files: 1 | Lines: -1/+1

  It's much safer than having uninitialized memory when we hit an error
  case.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit ef0b489ad0d93199e08415dd895da5cfe2d1c11a)

* s4:rpc_server/netlogon: use samdb_domain_guid()/dsdb_trust_local_tdo_info() to build our netr_OneDomainInfo values
  Author: Stefan Metzmacher | Age: 2018-09-05 | Files: 1 | Lines: -18/+91

  The logic for constructing the values for our own primary domain differs
  from the values of trusted domains. In order to make the code easier to
  understand we have a new fill_our_one_domain_info() helper that only
  takes care of our primary domain.

  The cleanup for the trust case will follow in a separate commit.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 61333f7787d78e3ec5c7bd2874d5a0f1f536275a)

* s4:dsdb/common: add samdb_domain_guid() helper functionStefan Metzmacher2018-09-051-0/+55
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 0e442e094240abbf79aaca00a9d1a053a200a7e8)
* dsdb:util_trusts: add dsdb_trust_local_tdo_info() helper functionStefan Metzmacher2018-09-051-0/+16
| | | | | | | | | | | This is similar to dsdb_trust_xref_tdo_info(), but will also work if we ever support more than one domain in our forest. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit c1b0ac95db5c6112d90356c7ada8c3d445e9b668)
* dsdb/util_trusts: domain_dn is an input parameter of ↵Stefan Metzmacher2018-09-051-6/+0
| | | | | | | | | | | | | | dsdb_trust_crossref_tdo_info() We should not overwrite it within the function. Currently it doesn't matter as we don't have multiple domains within our forest, but that will change in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit f5f96f558b499770cdeb3d38998167a387e058b9)
* s4:torture/rpc/netlogon: verify the trusted domains output of ↵Stefan Metzmacher2018-09-051-1/+129
| | | | | | | | | | | | | LogonGetDomainInfo() This makes sure we don't treat trusted domains in the same way we treat our primary domain. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit d5dd8fdc647d6a202c5da0451d395116c2cd92b9)
* s4:torture/rpc/netlogon: assert that ↵Stefan Metzmacher2018-09-051-0/+16
| | | | | | | | | | | | | cli_credentials_get_{workstation,password} don't return NULL This is better than generating a segfault while dereferencing a NULL pointer later. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit dffc182c6943d21513d8db9f6cf66bdc09206b17)
* torture: Demonstrate the invalid lock order panicVolker Lendecke2018-08-231-0/+89
| | | | | | | | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Aug 21 02:33:05 CEST 2018 on sn-devel-144 (cherry picked from commit ec3c37ee53f21d8c0e80b1d3b3d7e95a4ac8e0bc) Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-8-test): Thu Aug 23 15:39:45 CEST 2018 on sn-devel-144
* s4/torture: Add new test for DELETE_ON_CLOSE on non-empty directoriesAnoop C S2018-08-231-0/+87
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13204 Signed-off-by: Anoop C S <anoopcs@redhat.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 6a7f11746c9cc3cdc5307e540bdd1f3f10fed05b)
* Merge tag 'samba-4.8.4' into v4-8-testKarolin Seeger2018-08-147-35/+1450
|\ | | | | | | samba: tag release samba-4.8.4
| * CVE-2018-1140 dns: Add a test to trigger the LDB casefolding issue on ↵Kai Blin2018-08-111-0/+3
| | | | | | | | | | | | | | | | | | invalid chars BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466 Signed-off-by: Kai Blin <kai@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
| * CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-caseTim Beale2018-08-111-26/+131
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The acl_read.c code contains a special case to allow dirsync to work-around having insufficient access rights. We had a concern that the dirsync module could leak sensitive information for deleted objects. This patch adds a test-case to prove whether or not this is happening. The new test case is similar to the existing dirsync test except: - We make the confidential attribute also preserve-on-delete, so it hangs around for deleted objects. Because the attributes now persist across test case runs, I've used a different attribute to normal. (Technically, the dirsync search expressions are now specific enough that the regular attribute could be used, but it would make things quite fragile if someone tried to add a new test case). - To handle searching for deleted objects, the search expressions are now more complicated. Currently dirsync adds an extra-filter to the '!' searches to exclude deleted objects, i.e. samaccountname matches the test-objects AND the object is not deleted. We now extend this to include deleted objects with lastKnownParent equal to the test OU. The search expression matches either case so that we can use the same expression throughout the test (regardless of whether the object is deleted yet or not). This test proves that the dirsync corner-case does not actually leak sensitive information on Samba. This is due to a bug in the dirsync code - when the buggy line is removed, this new test promptly fails. Test also passes against Windows. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
| * CVE-2018-10919 acl_read: Fix unauthorized attribute access via searchesTim Beale2018-08-111-0/+247
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A user that doesn't have access to view an attribute can still guess the attribute's value via repeated LDAP searches. This affects confidential attributes, as well as ACLs applied to an object/attribute to deny access. Currently the code will hide objects if the attribute filter contains an attribute they are not authorized to see. However, the code still returns objects as results if a confidential attribute is in the search expression itself, but not in the attribute filter. To fix this problem we have to check the access rights on the attributes in the search-tree, as well as the attributes returned in the message. Points of note: - I've preserved the existing dirsync logic (the dirsync module code suppresses the result as long as the replPropertyMetaData attribute is removed). However, there doesn't appear to be any test that highlights that this functionality is required for dirsync. - To avoid this fix breaking the acl.py tests, we need to still permit searches like 'objectClass=*', even though we don't have Read Property access rights for the objectClass attribute. The logic that Windows uses does not appear to be clearly documented, so I've made a best guess that seems to mirror Windows behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
| * CVE-2018-10919 acl_read: Flip the logic in the dirsync checkTim Beale2018-08-111-10/+7
| | | | | | | | | | | | | | | | | | This better reflects the special case we're making for dirsync, and gets rid of an 'if-else' clause. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
| * CVE-2018-10919 acl_read: Small refactor to aclread_callback()Tim Beale2018-08-111-14/+17
| | | | | | | | | | | | | | | | | | Flip the dirsync check (to avoid a double negative), and use a helper boolean variable. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
| * CVE-2018-10919 acl_read: Split access_mask logic out into helper functionTim Beale2018-08-111-19/+35
| | | | | | | | | | | | | | | | So we can re-use the same logic later for checking the search-ops. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>