The branch, v4-3-test has been updated
       via  162efbf passdb: add linefeed to debug message
       via  3137519 smbd: ignore SVHDX create context
       via  9e9bc07 winbindd: return trust parameters when listing trusts
       via  708fe69 winbindd: initialize foreign domain as AD based on trust
       via  22aa4d9 winbindd: introduce add_trusted_domain_from_tdc()
       via  7fd2e7f access based share enum: handle permission set in configuration files
      from  e42cd66 s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-test

- Log -----------------------------------------------------------------
commit 162efbfbd4e447a5c590281d42873a8daade348a
Author: Uri Simchoni <u...@samba.org>
Date:   Tue Mar 1 10:36:35 2016 +0200

    passdb: add linefeed to debug message

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11763

    Signed-off-by: Uri Simchoni <u...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Tue Mar 1 15:24:35 CET 2016 on sn-devel-144

    (cherry picked from commit fb4778f4e9834af556bd5aac177fc04e7f09f152)

    Autobuild-User(v4-3-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-3-test): Fri Mar 4 14:43:29 CET 2016 on sn-devel-104

commit 3137519ebcb4c80bbc1a489457276d6e6fcdf475
Author: Uri Simchoni <u...@samba.org>
Date:   Thu Feb 25 07:08:06 2016 +0200

    smbd: ignore SVHDX create context

    According to discussions with doch...@microsoft.com, an SMB server
    should ignore an SVHDX_OPEN_DEVICE_CONTEXT or
    SVHDX_OPEN_DEVICE_CONTEXT_V2 create context if it does not support the
    RSVD protocol. This is contrary to [MS-SMB2] rev 48.0 which states
    (3.3.5.9.14) that the open should fail in this case.

    Failing the create fails Windows backup if the SMB dialect is SMB3.0.2
    or higher.

    Hopefully a new revision of MS-SMB2 will clear this up in the future.
    Meanwhile, this patch modifies smbd to ignore the
    SVHDX_OPEN_DEVICE_CONTEXT by default. This can be overridden by a VFS
    module if a VFS module adds support for RSVD.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11753
    Signed-off-by: Uri Simchoni <u...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 9e9bc07254cb9885ced5c1d85987fbe7d68c8888
Author: Uri Simchoni <u...@samba.org>
Date:   Wed Feb 10 00:38:11 2016 +0200

    winbindd: return trust parameters when listing trusts

    When asking a child domain process to list trusts on that domain,
    return (along with trust domain names and SID) the trust properties -
    flags, type, and attributes. Use those attributes to initialize the
    domain object.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691

    Signed-off-by: Uri Simchoni <u...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Tue Feb 23 22:02:16 CET 2016 on sn-devel-144

    (cherry picked from commit 7b4dfd939f417c7d8c4c2c1e8c77f4af9bcd28d7)

commit 708fe69b2a5d70153de1321b8ecbdccf5d4de5f9
Author: Uri Simchoni <u...@samba.org>
Date:   Wed Feb 10 00:32:23 2016 +0200

    winbindd: initialize foreign domain as AD based on trust

    Based on trust parameters, initialize the active_directory member of
    the domain object to true.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691

    Signed-off-by: Uri Simchoni <u...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

    (cherry picked from commit d0aa5d057497022aeefffa9882d3ac2b7e18a682)

commit 22aa4d997fccfc1669c7f9a8cf01dcdbad736de3
Author: Uri Simchoni <u...@samba.org>
Date:   Wed Feb 10 00:26:45 2016 +0200

    winbindd: introduce add_trusted_domain_from_tdc()

    This is purely a refactoring patch - Add a routine that adds a winbindd
    domain object based on a domain trust cache entry. add_trusted_domain()
    becomes a wrapper for this new routine.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
Signed-off-by: Uri Simchoni <u...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit c65841a3bd737b61251603a916a315043703c832) commit 7fd2e7f4d8f20a5b1810e949db37bbb5d8900e51 Author: Alberto Maria Fiaschi <alberto.fias...@estar.toscana.it> Date: Tue Feb 23 18:22:10 2016 +0100 access based share enum: handle permission set in configuration files change function is_enumeration_allowed to check permissions set by fields: valid users, invalid users, only user. BUG: https://bugzilla.samba.org/show_bug.cgi?id=8093 Signed-off-by: Alberto Maria Fiaschi <alberto.fias...@estar.toscana.it> Reviewed-by: Uri Simchoni <u...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 5036a0922b7890005bcc8b77368a6635c8ebeb4b) ----------------------------------------------------------------------- Summary of changes: source3/passdb/passdb.c | 3 +- source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 17 +++- source3/smbd/smb2_create.c | 15 --- source3/winbindd/winbindd_misc.c | 11 ++- source3/winbindd/winbindd_util.c | 153 +++++++++++++++++++++--------- 5 files changed, 128 insertions(+), 71 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index f071027..5873c54 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -658,7 +658,8 @@ bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid, /* BUILTIN groups are looked up elsewhere */ if (!sid_check_is_in_our_sam(&map->sid)) { DEBUG(10, ("Found group %s (%s) not in our domain -- " - "ignoring.", name, sid_string_dbg(&map->sid))); + "ignoring.\n", + name, sid_string_dbg(&map->sid))); TALLOC_FREE(map); return False; } diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c index 96c022b..cfb5dac 100644 --- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c +++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c 
@@ -477,12 +477,19 @@ static bool is_hidden_share(int snum) static bool is_enumeration_allowed(struct pipes_struct *p, int snum) { - if (!lp_access_based_share_enum(snum)) - return true; + if (!lp_access_based_share_enum(snum)) { + return true; + } + + if (!user_ok_token(p->session_info->unix_info->unix_name, + p->session_info->info->domain_name, + p->session_info->security_token, snum)) { + return false; + } - return share_access_check(p->session_info->security_token, - lp_servicename(talloc_tos(), snum), - FILE_READ_DATA, NULL); + return share_access_check(p->session_info->security_token, + lp_servicename(talloc_tos(), snum), + FILE_READ_DATA, NULL); } /**************************************************************************** diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c index 76d6d69..f77a9f0 100644 --- a/source3/smbd/smb2_create.c +++ b/source3/smbd/smb2_create.c @@ -675,7 +675,6 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx, struct smb2_lease lease; struct smb2_lease *lease_ptr = NULL; ssize_t lease_len = -1; - struct smb2_create_blob *svhdx = NULL; exta = smb2_create_blob_find(&in_context_blobs, SMB2_CREATE_TAG_EXTA); @@ -689,13 +688,6 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx, SMB2_CREATE_TAG_TWRP); qfid = smb2_create_blob_find(&in_context_blobs, SMB2_CREATE_TAG_QFID); - if (smb2req->xconn->protocol >= PROTOCOL_SMB3_02) { - /* - * This was introduced with SMB3_02 - */ - svhdx = smb2_create_blob_find(&in_context_blobs, - SVHDX_OPEN_DEVICE_CONTEXT); - } fname = talloc_strdup(state, in_name); if (tevent_req_nomem(fname, req)) { 
@@ -916,13 +908,6 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx, } } - if (svhdx != NULL) { - /* SharedVHD is not yet supported */ - tevent_req_nterror( - req, NT_STATUS_INVALID_DEVICE_REQUEST); - return tevent_req_post(req, ev); - } - /* these are ignored for SMB2 */ in_create_options &= ~(0x10);/* NTCREATEX_OPTIONS_SYNC_ALERT */ in_create_options &= ~(0x20);/* NTCREATEX_OPTIONS_ASYNC_ALERT */ diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c index 29831aa..d32a71e 100644 --- a/source3/winbindd/winbindd_misc.c +++ b/source3/winbindd/winbindd_misc.c @@ -181,11 +181,12 @@ enum winbindd_result winbindd_dual_list_trusted_domains(struct winbindd_domain * } extra_data = talloc_asprintf_append_buffer( - extra_data, "%s\\%s\\%s\n", - trusts.array[i].netbios_name, - trusts.array[i].dns_name, - sid_string_talloc(state->mem_ctx, - trusts.array[i].sid)); + extra_data, "%s\\%s\\%s\\%u\\%u\\%u\n", + trusts.array[i].netbios_name, trusts.array[i].dns_name, + sid_string_talloc(state->mem_ctx, trusts.array[i].sid), + trusts.array[i].trust_flags, + (uint32_t)trusts.array[i].trust_type, + trusts.array[i].trust_attributes); } /* add our primary domain */ diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 57ee40c..23c32de 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -34,6 +34,10 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND +static struct winbindd_domain * +add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc, + struct winbindd_methods *methods); + extern struct winbindd_methods cache_methods; /** 
@@ -119,14 +123,40 @@ static bool is_in_internal_domain(const struct dom_sid *sid) If the domain already exists in the list, return it and don't re-initialize. */ -static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name, - struct winbindd_methods *methods, - const struct dom_sid *sid) +static struct winbindd_domain * +add_trusted_domain(const char *domain_name, const char *alt_name, + struct winbindd_methods *methods, const struct dom_sid *sid) +{ + struct winbindd_tdc_domain tdc; + + ZERO_STRUCT(tdc); + + tdc.domain_name = domain_name; + tdc.dns_name = alt_name; + if (sid) { + sid_copy(&tdc.sid, sid); + } + + return add_trusted_domain_from_tdc(&tdc, methods); +} + +/* Add a trusted domain out of a trusted domain cache + entry +*/ +static struct winbindd_domain * +add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc, + struct winbindd_methods *methods) { struct winbindd_domain *domain; const char *alternative_name = NULL; const char **ignored_domains, **dom; int role = lp_server_role(); + const char *domain_name = tdc->domain_name; + const struct dom_sid *sid = &tdc->sid; + + if (is_null_sid(sid)) { + sid = NULL; + } ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL); for (dom=ignored_domains; dom && *dom; dom++) { @@ -138,8 +168,8 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const /* use alt_name if available to allow DNS lookups */ - if (alt_name && *alt_name) { - alternative_name = alt_name; + if (tdc->dns_name && *tdc->dns_name) { + alternative_name = tdc->dns_name; } /* We can't call domain_list() as this function is called from @@ -151,8 +181,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const break; } - if (alternative_name && *alternative_name) - { + if (alternative_name) { if (strequal(alternative_name, domain->name) || strequal(alternative_name, domain->alt_name)) { 
@@ -160,12 +189,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const } } - if (sid) - { - if (is_null_sid(sid)) { - continue; - } - + if (sid != NULL) { if (dom_sid_equal(sid, &domain->sid)) { break; } @@ -219,13 +243,16 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const domain->internal = is_internal_domain(sid); domain->sequence_number = DOM_SEQUENCE_NONE; domain->last_seq_check = 0; - domain->initialized = False; + domain->initialized = false; domain->online = is_internal_domain(sid); domain->check_online_timeout = 0; domain->dc_probe_pid = (pid_t)-1; - if (sid) { + if (sid != NULL) { sid_copy(&domain->sid, sid); } + domain->domain_flags = tdc->trust_flags; + domain->domain_type = tdc->trust_type; + domain->domain_trust_attribs = tdc->trust_attribs; /* Is this our primary domain ? */ if (strequal(domain_name, get_global_sam_name()) && @@ -243,6 +270,10 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const if (lp_security() == SEC_ADS) { domain->active_directory = true; } + } else if (!domain->internal) { + if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) { + domain->active_directory = true; + } } /* Link to domain list */ @@ -252,9 +283,9 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const setup_domain_child(domain); - DEBUG(2,("Added domain %s %s %s\n", - domain->name, domain->alt_name, - &domain->sid?sid_string_dbg(&domain->sid):"")); + DEBUG(2, + ("Added domain %s %s %s\n", domain->name, domain->alt_name, + !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : "")); return domain; } 
@@ -312,24 +343,37 @@ static void trustdom_list_done(struct tevent_req *req) struct winbindd_response *response; int res, err; char *p; + struct winbindd_tdc_domain trust_params = {0}; + ptrdiff_t extra_len; res = wb_domain_request_recv(req, state, &response, &err); if ((res == -1) || (response->result != WINBINDD_OK)) { - DEBUG(1, ("Could not receive trustdoms\n")); + DBG_WARNING("Could not receive trustdoms\n"); + TALLOC_FREE(state); + return; + } + + if (response->length < sizeof(struct winbindd_response)) { + DBG_ERR("ill-formed trustdom response - short length\n"); TALLOC_FREE(state); return; } + extra_len = response->length - sizeof(struct winbindd_response); + p = (char *)response->extra_data.data; - while ((p != NULL) && (*p != '\0')) { + while ((p - (char *)response->extra_data.data) < extra_len) { char *q, *sidstr, *alt_name; - struct dom_sid sid; - char *alternate_name = NULL; + + DBG_DEBUG("parsing response line '%s'\n", p); + + ZERO_STRUCT(trust_params); + trust_params.domain_name = p; alt_name = strchr(p, '\\'); if (alt_name == NULL) { - DEBUG(0, ("Got invalid trustdom response\n")); + DBG_ERR("Got invalid trustdom response\n"); break; } 
@@ -338,26 +382,52 @@ static void trustdom_list_done(struct tevent_req *req) sidstr = strchr(alt_name, '\\'); if (sidstr == NULL) { - DEBUG(0, ("Got invalid trustdom response\n")); + DBG_ERR("Got invalid trustdom response\n"); break; } *sidstr = '\0'; sidstr += 1; - q = strchr(sidstr, '\n'); - if (q != NULL) - *q = '\0'; + /* use the real alt_name if we have one, else pass in NULL */ + if (!strequal(alt_name, "(null)")) { + trust_params.dns_name = alt_name; + } + + q = strtok(sidstr, "\\"); + if (q == NULL) { + DBG_ERR("Got invalid trustdom response\n"); + break; + } - if (!string_to_sid(&sid, sidstr)) { + if (!string_to_sid(&trust_params.sid, sidstr)) { DEBUG(0, ("Got invalid trustdom response\n")); break; } - /* use the real alt_name if we have one, else pass in NULL */ + q = strtok(NULL, "\\"); + if (q == NULL) { + DBG_ERR("Got invalid trustdom response\n"); + break; + } + + trust_params.trust_flags = (uint32_t)strtoul(q, NULL, 10); + + q = strtok(NULL, "\\"); + if (q == NULL) { + DBG_ERR("Got invalid trustdom response\n"); + break; + } + + trust_params.trust_type = (uint32_t)strtoul(q, NULL, 10); + + q = strtok(NULL, "\n"); + if (q == NULL) { + DBG_ERR("Got invalid trustdom response\n"); + break; + } - if ( !strequal( alt_name, "(null)" ) ) - alternate_name = alt_name; + trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10); /* * We always call add_trusted_domain() cause on an existing @@ -365,13 +435,10 @@ static void trustdom_list_done(struct tevent_req *req) * This is important because we need the SID for sibling * domains. */ - (void)add_trusted_domain(p, alternate_name, - &cache_methods, - &sid); + (void)add_trusted_domain_from_tdc(&trust_params, + &cache_methods); - p=q; - if (p != NULL) - p += 1; + p = q + strlen(q) + 1; } /* 
@@ -438,10 +505,8 @@ static void rescan_forest_root_trusts( void ) d = find_domain_from_name_noinit( dom_list[i].domain_name ); if ( !d ) { - d = add_trusted_domain( dom_list[i].domain_name, - dom_list[i].dns_name, - &cache_methods, - &dom_list[i].sid ); + d = add_trusted_domain_from_tdc(&dom_list[i], + &cache_methods); } if (d == NULL) { @@ -507,10 +572,8 @@ static void rescan_forest_trusts( void ) about it */ if ( !d ) { - d = add_trusted_domain( dom_list[i].domain_name, - dom_list[i].dns_name, - &cache_methods, - &dom_list[i].sid ); + d = add_trusted_domain_from_tdc(&dom_list[i], + &cache_methods); } if (d == NULL) { -- Samba Shared Repository
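Review bot: in the is_enumeration_allowed() hunk in source3/rpc_server/srvsvc/srv_srvsvc_nt.c, the new user_ok_token() call changes what "access based share enum = yes" hides: a share is now withheld from NetShareEnum whenever "valid users", "invalid users" or "only user" would refuse the connection, not only when the share ACL denies FILE_READ_DATA. The Summary of changes touches no docs-xml file, so the smb.conf(5) text for "access based share enum" should be updated to say that the user list parameters are honoured as well; otherwise an admin whose share has disappeared from the listing will keep looking at the share ACL. Note also that user_ok_token() runs before share_access_check() and therefore for every share on every enumeration, which is the right order (cheapest rejection first) but is new per-share work on a hot path.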
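Review bot: in the two source3/smbd/smb2_create.c hunks, removing the smb2_create_blob_find() for SVHDX_OPEN_DEVICE_CONTEXT together with the NT_STATUS_INVALID_DEVICE_REQUEST return leaves no trace in the logs when a client at SMB3_02 or later does send the context. Since the commit message expects a VFS module to take over RSVD support later, consider keeping the lookup and logging an "ignoring SVHDX create context" message at DEBUG(10, (...)) when svhdx != NULL; only the error path needs to go. That keeps the Windows backup case diagnosable without changing the now-intended ignore behaviour.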
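Review bot: in the source3/winbindd/winbindd_misc.c hunk, the parent side in trustdom_list_done() recovers a missing DNS name by comparing alt_name with the literal "(null)", so the child must guarantee that string whenever trusts.array[i].dns_name is NULL. Passing a NULL pointer to %s is undefined behaviour and "(null)" is only what glibc happens to print; emit the placeholder explicitly, e.g. trusts.array[i].dns_name ? trusts.array[i].dns_name : "(null)", so the parent/child wire format does not depend on the C library. Also, trust_type is cast to uint32_t for %u but trust_flags and trust_attributes are passed uncast; confirm both are uint32_t rather than enum types, or cast them the same way.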
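Review bot: in the add_trusted_domain_from_tdc() hunks in source3/winbindd/winbindd_util.c, domain_flags, domain_type and domain_trust_attribs are stored only on the freshly allocated domain, and the comment above the function says an already listed domain is returned without re-initialisation. A domain first created through the add_trusted_domain() wrapper (zeroed tdc, so domain_type 0) therefore keeps domain_type 0 and active_directory == false even after a later trust listing reports it as LSA_TRUST_TYPE_UPLEVEL. Check whether the existing-domain path updates these three fields; if it does not, update them there the way the comment in trustdom_list_done() says the SID is updated for sibling domains.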
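Review bot: in the trustdom_list_done() hunks in source3/winbindd/winbindd_util.c, the three strtoul(q, NULL, 10) calls turn any non-numeric token into 0 and strtok() silently skips consecutive separators, so a malformed line from the child degrades into a domain with flags/type/attribs 0 instead of reaching the "Got invalid trustdom response" path; pass an endptr and reject the token when *endptr != '\0'. strtok() also keeps static state, and strtok_r() costs nothing here. Three smaller points: the string_to_sid() failure still uses DEBUG(0, (...)) while every neighbouring message was converted to DBG_ERR; DBG_DEBUG("parsing response line '%s'\n", p) prints from p to the end of the buffer rather than one line, because the current line's '\n' has not yet been turned into '\0' when the message is emitted; and with the loop now bounded by extra_len, if response->length counts the terminating NUL of extra_data the last iteration sees an empty string, fails the first strchr() and logs an error for a well-formed response, so the length accounting on the child side should be checked.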