The branch, v4-5-test has been updated
       via  685437e s3:smbd: Fix incorrect use of sys_getgroups()
       via  36a97de s3:lib: Fix incorrect logic in sys_broken_getgroups()
       via  96c7150 lib: debug: Avoid negative array access.
       via  5cba8bb vfs_acl_xattr: avoid needlessly supplying a large buffer to getxattr()
       via  c0bf985 vfs_acl_xattr: factor out fetching of an extended attribute
       via  4b0b012 vfs_xattr_tdb: handle case of zero size.
       via  5e29379 selftest: test fetching a large ACL from vfs_acl_xattr
       via  8c283d4 ctdb-docs: Fix documentation of -n option to ctdb tool
       via  490f722 winbindd: trigger possible passdb_dsdb initialisation
       via  46abe7f winbindd: error handling in rpc_lookup_sids()
       via  bc6d901 s3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED
       via  84c7c56 s3/rpc_client: use NT_STATUS_LOOKUP_ERR
       via  f81a0ff s3/include: add NT_STATUS_LOOKUP_ERR
       via  2735992 selftest: fix for wbinfo -s tests for wellknown SIDs
       via  cca29f8 winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()
       via  888e75a selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
       via  82bbb79 selftest: wbinfo -s tests for wellknown SIDs
       via  089711e winbindd: use passdb backend for well-known SIDs
       via  6bcfe2d s4/torture: vfs_fruit: test for bug 12565
       via  92cc3b2 vfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY
       via  1de3e92 waf: Explicitly link libreplace against libnss_wins.so
       via  f54ff44 selftest: Test for bug 12558
       via  2ead4b4 smbd: Fix smb1 findfirst with DFS
       via  3dc328c winbindd: Fix password policy for pam authentication
       via  107f3ee selftest: tests idmap mapping with idmap_rid
       via  6249de7 selftest: new environment "ad_member_idmap_rid"
       via  d5d552d winbindd: remove unused single_domains array
       via  82cf367 winbindd: use correct domain name for failed lookupsids
      from  fa9bc20 VERSION: Bump version up to 4.5.9.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test

- Log -----------------------------------------------------------------
commit 685437eb89fb11bfd9cb8bc8703b3539b665c624
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Apr 17 14:30:54 2017 -0700

    s3:smbd: Fix incorrect use of sys_getgroups()

    Second arg must be NULL when first arg is 0 (it is in all other places).

    Bug report and patch from Hanno Böck <ha...@hboeck.de>

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Tue Apr 18 15:43:02 CEST 2017 on sn-devel-144

    (cherry picked from commit 76b351e907f67cc7d4af4e7d800c7a3aa1269ee8)

    Autobuild-User(v4-5-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-5-test): Thu Apr 20 16:36:14 CEST 2017 on sn-devel-144

commit 36a97de00dee6dd7acdb0a2fd3322f5ddef1831e
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Apr 17 14:30:04 2017 -0700

    s3:lib: Fix incorrect logic in sys_broken_getgroups()

    If setlen == 0 then the second argument must be ignored.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 60af864f751706c48b8af448700bf06e33e45946)

commit 96c71509470be1685d9941b70796e534481a48e6
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Apr 17 14:09:24 2017 -0700

    lib: debug: Avoid negative array access.

    Report and patch from Hanno Böck <ha...@hboeck.de>.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12746

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Martin Schwenke <mar...@meltin.net>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 600f8787e3b605c9f3e8f724c726e63157ee9efc)

commit 5cba8bb5846e7fc53c517c65bc6873e87db84509
Author: Uri Simchoni <u...@samba.org>
Date:   Thu Apr 13 12:44:58 2017 +0300

    vfs_acl_xattr: avoid needlessly supplying a large buffer to getxattr()

    When obtaining the security descriptor via getxattr(), first try
    optimistically to supply a buffer of 4K, and if that turns out
    to be too small, determine the correct buffer size.

    The previous behavior of falling back to a 64K buffer encountered
    problems with Linux prior to version 3.6, due to physical memory
    fragmentation. With those kernels, as long as the buffer is 8K or
    smaller, getting the xattr is much less prone to failure due to
    memory fragmentation.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737

    Signed-off-by: Uri Simchoni <u...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Tue Apr 18 04:41:16 CEST 2017 on sn-devel-144

    (cherry picked from commit 05d83ccf7a6fecf963fcb980acd50cebfc0c3ea9)

commit c0bf985b472d56a675cb4b17aed43de63e42c0be
Author: Uri Simchoni <u...@samba.org>
Date:   Sun Apr 9 00:40:44 2017 +0300

    vfs_acl_xattr: factor out fetching of an extended attribute

    Pure refactoring - add a function that fetches an extended attribute
    based on either the file descriptor or the file name.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737

    Signed-off-by: Uri Simchoni <u...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 7b775abd9278ae34110ec87d94a736be7f64884a)

commit 4b0b01268f1d42a8c2615946c1fe0ba364bdf3c1
Author: Uri Simchoni <u...@samba.org>
Date:   Thu Apr 13 12:50:47 2017 +0300

    vfs_xattr_tdb: handle case of zero size.

    With getxattr(), passing a zero buffer size is a way of obtaining
    actual xattr size.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737

    Signed-off-by: Uri Simchoni <u...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 4dfa2d6a0972847e3b21ddf05077e50ed72c4ea8)

commit 5e2937966fe20e3747c080ce171c106af157d7f8
Author: Uri Simchoni <u...@samba.org>
Date:   Sun Apr 9 00:20:40 2017 +0300

    selftest: test fetching a large ACL from vfs_acl_xattr

    Add a test that fetches an ACL whose size is larger than 4K.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737

    Signed-off-by: Uri Simchoni <u...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (back-ported from commit 5017dfeef24b8d568e0146c085f3f979d688acf2)

commit 8c283d4d316a022bef327018fa6409eab15844b8
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Thu Apr 6 12:20:21 2017 +1000

    ctdb-docs: Fix documentation of -n option to ctdb tool

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12733

    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: David Disseldorp <dd...@samba.org>
    (cherry picked from commit 7f714a436250dfeaa1970f78090ef066482711f0)

commit 490f72216c915b25a4a4b2aa24da5894255c85ef
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Mar 29 11:13:46 2017 +0200

    winbindd: trigger possible passdb_dsdb initialisation

    If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
    from secrets.tdb. As we use the domain SID in various places, we must
    ensure the domain SID is migrated from dsdb to secrets.tdb before
    get_global_sam_sid() is called the first time.

    The migration is done as part of the passdb_dsdb initialisation, calling
    pdb_get_domain_info() triggers it.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Sat Apr 1 21:18:59 CEST 2017 on sn-devel-144

    (cherry picked from commit 8b32fc4006ae338ddee7c0e5991958ec3463da0d)

commit 46abe7f06c3cbaee205f82da8e91f49859a488ed
Author: Ralph Boehme <s...@samba.org>
Date:   Sun Mar 26 08:22:13 2017 +0200

    winbindd: error handling in rpc_lookup_sids()

    NT_STATUS_NONE_MAPPED and NT_STATUS_SOME_NOT_MAPPED should not be
    treated as fatal errors. We should continue processing the results and
    not bail out.

    In case we got NT_STATUS_NONE_MAPPED we must ensure all
    lsa_TranslatedName are of type SID_NAME_UNKNOWN.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 8dfbba59d768b10f6b088cfc49e5dbe6de4834e1)

commit bc6d9010cbe8b5320be489c52da8870b64f9c2f7
Author: Ralph Boehme <s...@samba.org>
Date:   Sat Apr 1 16:51:07 2017 +0200

    s3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED

    NT_STATUS_NONE_MAPPED is not a fatal error, it just means we must return
    all lsa_TranslatedName's as type SID_NAME_UNKNOWN.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 416c74e8c89dc2fb2083beaaa9ac8a6e975ec873)

commit 84c7c56dcd74d57c2ae2b27aac775ea7a35e2cfd
Author: Ralph Boehme <s...@samba.org>
Date:   Sat Apr 1 16:56:39 2017 +0200

    s3/rpc_client: use NT_STATUS_LOOKUP_ERR

    No change in behaviour.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 0e7e4ebad31caa1ccb392f2fe20c67929149b8c9)

commit f81a0ff5184aac642209691830db7be2735dd741
Author: Ralph Boehme <s...@samba.org>
Date:   Sat Apr 1 16:44:45 2017 +0200

    s3/include: add NT_STATUS_LOOKUP_ERR

    Useful helper macro to check the return value of LSA and SAMR
    translations.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit fc37c7327dc7e4ad4405e324fc88d4bbf9b6ef9e)

commit 27359922c2fa31d74942bb717b9a62b32cedc948
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Mar 31 16:06:18 2017 +0200

    selftest: fix for wbinfo -s tests for wellknown SIDs

    Rework while loop to not use a pipe as that uses a subshell for the loop
    which means assigning to the variable failed is not visible in the main
    script.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit d8fd56a8244a3010469c27eaa3b73a2c5fbbc41f)

commit cca29f8cfee786805ed6c9d7e31a0b54ff0dc8ae
Author: Ralph Boehme <s...@samba.org>
Date:   Sun Apr 2 13:42:45 2017 +0200

    winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()

    Those are implicitly already caught by the

      if (sid->num_auths != 5)

    check, but I'd like to make the desired behaviour more obvious.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 167bb5ead8c7193d173fdba8a453279d422fa7ea)

commit 888e75a37868b250042139c5a1c3874bef260935
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Mar 31 16:24:05 2017 +0200

    selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs

    This test passes even without the fix, as in sids2xids we use the
    lookupnames just to determine the mapping domain, using the default
    idmap domain as fallback if that fails.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 8bd5f774fdc1f4ea012885262eb0f40640504de8)

commit 82bbb7924b0533892b19a83a06e7777d565e01bd
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Mar 31 16:06:18 2017 +0200

    selftest: wbinfo -s tests for wellknown SIDs

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 2150de3a73527850547263e853faf4f3fedca6e6)

commit 089711efb6b3298b671d4d46f7f9119c42f96819
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Mar 30 23:41:59 2017 +0200

    winbindd: use passdb backend for well-known SIDs

    On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
    local domain, otherwise something simple like this fails with
    WBC_ERR_DOMAIN_NOT_FOUND:

      $ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1
      localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
      failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
      Could not lookup sid S-1-1-0

    On a member server asking our DC works and is what we're currently
    doing, but changing it to ask passdb avoids the overhead.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 6b7a14b4b9c3411bd2e05383917e8fdedae51c90)

commit 6bcfe2dc16602ac1365ea97056b222abb4158d7a
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Feb 7 15:13:15 2017 +0100

    s4/torture: vfs_fruit: test for bug 12565

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 893fc5abbe0a1b63ebd81f442a8d544572ed76a9)

commit 92cc3b274e8ee7c7de8dc71355e2c47d2c6f926d
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Feb 7 07:44:40 2017 +0100

    vfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY

    When receiving an SMB create request with read-only access mode and
    open_if disposition, we end up calling the open() function with
    flags=O_CREAT|O_RDONLY for the ._ AppleDouble file.

    If the file doesn't exist, ie there's currently no rsrc stream, we create
    it but then we fail to write the AppleDouble header into the file due to
    the O_RDONLY open mode, leaving a 0 byte size ._ file.

    Running this create request against macOS SMB server yields an
    interesting result: it returns NT_STATUS_OBJECT_NAME_NOT_FOUND even
    though create disposition is open_if.

    Another instance where the macOS SMB server just exposes FSA behaviour
    (ie HFS+) and we have to adapt to be compatible.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit a36de8b81aa88c31450e68ec54d6b659b1693878)

commit 1de3e9268908d5892bd795f696fcb8b7907bc30d
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Sep 19 16:21:31 2016 +0200

    waf: Explicitly link libreplace against libnss_wins.so

    If we do not specify replace as a dependency here, it will not link to
    libreplace using an rpath.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12277

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Jim McDonough <j...@samba.org>
    (cherry picked from commit d8a5565ae647352d11d622bd4e73ff4568678a7c)

commit f54ff446c4f04eb0654b05621d8f02182750eceb
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Apr 7 16:33:57 2017 +0200

    selftest: Test for bug 12558

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 3667876ebebb7181d89834e6038e2d7218c98797)

commit 2ead4b430fda09fde81ef2dac362b5931891e88a
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Apr 6 22:12:36 2017 +0200

    smbd: Fix smb1 findfirst with DFS

    9377f3bce should have changed the callers of dfs_path_lookup. It now
    takes a uint32_t ucf_flags, not a boolean anymore.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit baa3e71f7968ec3239d80d7602839c2d7c2de74f)

commit 3dc328cf7a46e92f8b933f784bf36e5a103e55de
Author: Christof Schmitt <c...@samba.org>
Date:   Mon Mar 27 15:11:08 2017 -0700

    winbindd: Fix password policy for pam authentication

    Authenticating users from trusted domains would return the password
    policy of the joined domain. Fix the code so that the password policy of
    the joined domain is only returned for users from that domain.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12725

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Christof Schmitt <c...@samba.org>
    Autobuild-Date(master): Wed Mar 29 22:54:47 CEST 2017 on sn-devel-144

    (cherry picked from commit bc39fb07ced84af4d97853d00d07fb4293352686)

commit 107f3eeebe7f4a372473e18d3237f9a17ebaf0ee
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Apr 5 13:27:51 2017 +0200

    selftest: tests idmap mapping with idmap_rid

    This adds two blackbox tests that run wbinfo --sids-to-unix-ids:

    o a non-existing SID from the primary domain should return a mapping

    o a SID with a bogus (and therefore unknown) domain must not return a
      mapping

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Fri Apr 7 00:05:02 CEST 2017 on sn-devel-144

    (cherry picked from commit b680ceebf85b2403758a0f9e931f1211e9b80e8d)

commit 6249de7f8e5184fd9c8d02f178bd153b36368d4d
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Apr 5 13:27:14 2017 +0200

    selftest: new environment "ad_member_idmap_rid"

    This uses idmap_rid for the primary domain.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit ef10b43469f5b31a696259a70b3e116a350bfd3d)

commit d5d552d1f963a2f91da2b33a55a89ae711e9ccdc
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Apr 4 14:23:03 2017 +0200

    winbindd: remove unused single_domains array

    This was added as part of 9be918116e356c358ef77cc2933e471090088293, but
    is not needed anymore as the previous commit changed the logic.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 9671811da8ad3f91ba7bb0fa868f806bc5afe863)

commit 82cf3678b8d008849e1a1d23b7f9a8be212c3604
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Apr 4 14:21:25 2017 +0200

    winbindd: use correct domain name for failed lookupsids

    What we want here is, for failed lookupsids, pass the domain name of the
    SID we were trying to lookup to the idmap backend.

    But as a domain member, using
    state->single_domains[state->single_sids_done] for this purpose will
    always use our primary domain name (for S-1-5-21 SIDs that are not in
    our local SAM).

    So for now use find_domain_from_sid_noinit() to find the domain from the
    domain list. This can be removed when we switch idmap backend
    determination to be based on domain SIDs, not names.

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

    Signed-off-by: Ralph Boehme <s...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit a684df160e692710e011c4eb6795a66772025c23) ----------------------------------------------------------------------- Summary of changes: ctdb/doc/ctdb.1.xml | 4 +- lib/util/debug.c | 2 +- nsswitch/tests/test_idmap_rid.sh | 66 +++++++++++++++++ nsswitch/tests/test_wbinfo.sh | 25 +++++++ nsswitch/wscript_build | 2 +- selftest/knownfail | 6 -- selftest/target/Samba.pm | 1 + selftest/target/Samba3.pm | 88 +++++++++++++++++++++++ selftest/target/Samba4.pm | 6 ++ source3/include/lsa.h | 4 ++ source3/lib/system.c | 12 ++-- source3/modules/vfs_acl_xattr.c | 84 +++++++++++++++------- source3/modules/vfs_fruit.c | 14 ++++ source3/modules/vfs_xattr_tdb.c | 12 ++++ source3/rpc_client/cli_lsarpc.c | 8 +-- source3/script/tests/test_large_acl.sh | 59 +++++++++++++++ source3/script/tests/test_smbclient_s3.sh | 11 +++ source3/script/tests/test_wbinfo_sids2xids_int.py | 2 +- source3/selftest/tests.py | 5 +- source3/smbd/msdfs.c | 4 +- source3/smbd/sec_ctx.c | 3 +- source3/winbindd/wb_lookupsids.c | 21 +++--- source3/winbindd/winbindd_pam.c | 7 +- source3/winbindd/winbindd_rpc.c | 9 +-- source3/winbindd/winbindd_util.c | 27 +++++-- source4/torture/vfs/fruit.c | 73 ++++++++++++++++++- 26 files changed, 477 insertions(+), 78 deletions(-) create mode 100755 nsswitch/tests/test_idmap_rid.sh create mode 100755 source3/script/tests/test_large_acl.sh Changeset truncated at 500 lines: diff --git a/ctdb/doc/ctdb.1.xml b/ctdb/doc/ctdb.1.xml index 71af0a5..4508969 100644 --- a/ctdb/doc/ctdb.1.xml +++ b/ctdb/doc/ctdb.1.xml @@ -123,10 +123,10 @@ <title>OPTIONS</title> <variablelist> - <varlistentry><term>-n <parameter>PNN-LIST</parameter></term> + <varlistentry><term>-n <parameter>PNN</parameter></term> <listitem> <para> - The nodes specified by PNN-LIST should be queried for the + The node specified by PNN should be queried for the requested information. Default is to query the daemon running on the local host. </para> 
diff --git a/lib/util/debug.c b/lib/util/debug.c index ed89944..2662c2d 100644 --- a/lib/util/debug.c +++ b/lib/util/debug.c @@ -396,7 +396,7 @@ static void debug_backends_log(const char *msg, int msg_level) * a buffer without the newline character. */ len = MIN(strlen(msg), FORMAT_BUFR_SIZE - 1); - if (msg[len - 1] == '\n') { + if ((len > 0) && (msg[len - 1] == '\n')) { len--; } diff --git a/nsswitch/tests/test_idmap_rid.sh b/nsswitch/tests/test_idmap_rid.sh new file mode 100755 index 0000000..7fb5985 --- /dev/null +++ b/nsswitch/tests/test_idmap_rid.sh 
@@ -0,0 +1,66 @@ +#!/bin/sh +# +# Test id mapping with various SIDs and idmap_rid +# + +if [ $# -lt 1 ]; then + echo Usage: $0 DOMAIN RANGE_START + exit 1 +fi + +DOMAIN="$1" +RANGE_START="$2" + +wbinfo="$VALGRIND $BINDIR/wbinfo" +failed=0 + +. `dirname $0`/../../testprogs/blackbox/subunit.sh + +DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ") +if [ $? -ne 0 ] ; then + echo "Could not find domain SID" | subunit_fail_test "test_idmap_rid" + exit 1 +fi + +# Find an unused uid and SID +RID=66666 +MAX_RID=77777 +while true ; do + id $RID + if [ $? -ne 0 ] ; then + SID="$DOMAIN_SID-$RID" + $wbinfo -s $SID + if [ $? -ne 0 ] ; then + break + fi + fi + RID=$(expr $RID + 1) + if [ $RID -eq $MAX_RID ] ; then + echo "Could not find free SID" | subunit_fail_test "test_idmap_rid" + exit 1 + fi +done + +# +# Test 1: Using non-existing SID to check backend returns a mapping +# + +EXPECTED_ID=$(expr $RID + $RANGE_START) +out="$($wbinfo --sids-to-unix-ids=$SID)" +echo "wbinfo returned: \"$out\", expecting \"$SID -> uid/gid $EXPECTED_ID\"" +test "$out" = "$SID -> uid/gid $EXPECTED_ID" +ret=$? +testit "Unknown RID from primary domain returns a mapping" test $ret -eq 0 || failed=$(expr $failed + 1) + +# +# Test 2: Using bogus SID with bad domain part to check idmap backend does not generate a mapping +# + +SID=S-1-5-21-1111-2222-3333-666 +out="$($wbinfo --sids-to-unix-ids=$SID)" +echo "wbinfo returned: \"$out\", expecting \"$SID -> unmapped\"" +test "$out" = "$SID -> unmapped" +ret=$? +testit "Bogus SID returns unmapped" test $ret -eq 0 || failed=$(expr $failed + 1) + +exit $failed diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh index 1d14ca3..d3e5dc2 100755 --- a/nsswitch/tests/test_wbinfo.sh +++ b/nsswitch/tests/test_wbinfo.sh 
@@ -82,6 +82,31 @@ else echo "success: wbinfo -s check for sane mapping" fi +while read SID ; do + read NAME + + testit "wbinfo -s $SID against $TARGET" $wbinfo -s $SID || failed=`expr $failed + 1` + + RESOLVED_NAME=`$wbinfo -s $SID | tr a-z A-Z` + echo "$SID resolved to $RESOLVED_NAME" + + echo "test: wbinfo -s $SID against $TARGET" + if test x"$RESOLVED_NAME" != x"$NAME" ; then + echo "$RESOLVED_NAME does not match $NAME" + echo "failure: wbinfo -s $SID against $TARGET" + failed=`expr $failed + 1` + else + echo "success: wbinfo -s $SID against $TARGET" + fi +done <<EOF +S-1-1-0 +/EVERYONE 5 +S-1-3-1 +/CREATOR GROUP 5 +S-1-5-1 +NT AUTHORITY/DIALUP 5 +EOF + testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $admin_name || failed=`expr $failed + 1` test_sid=`$wbinfo -n $tested_name | cut -d " " -f1` diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build index f286896..ab8f8ea 100644 --- a/nsswitch/wscript_build +++ b/nsswitch/wscript_build @@ -42,7 +42,7 @@ if (Utils.unversioned_sys_platform() == 'linux' or (host_os.rfind('gnu') > -1)): bld.SAMBA3_LIBRARY('nss_wins', keep_underscore=True, source='wins.c', - deps='''wbclient''', + deps='wbclient replace', public_headers=[], public_headers_install=False, pc_files=[], diff --git a/selftest/knownfail b/selftest/knownfail index 7c42777..17667cd 100644 --- a/selftest/knownfail +++ b/selftest/knownfail 
@@ -22,14 +22,12 @@ ^samba3.raw.samba3hide.samba3hide\((nt4_dc|ad_dc)\) # This test fails against an smbd environment with NT ACLs enabled ^samba3.raw.samba3closeerr.samba3closeerr\(nt4_dc\) # This test fails against an smbd environment with NT ACLs enabled ^samba3.raw.acls nfs4acl_xattr-simple.INHERITFLAGS\(nt4_dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet. -^samba3.raw.acls nfs4acl_xattr-simple.sd\(nt4_dc\) ^samba3.raw.acls nfs4acl_xattr-simple.create_file\(nt4_dc\) ^samba3.raw.acls nfs4acl_xattr-simple.create_dir\(nt4_dc\) ^samba3.raw.acls nfs4acl_xattr-simple.nulldacl\(nt4_dc\) ^samba3.raw.acls nfs4acl_xattr-simple.generic\(nt4_dc\) ^samba3.raw.acls nfs4acl_xattr-simple.inheritance\(nt4_dc\) ^samba3.raw.acls nfs4acl_xattr-special.INHERITFLAGS\(nt4_dc\) -^samba3.raw.acls nfs4acl_xattr-special.sd\(nt4_dc\) ^samba3.raw.acls nfs4acl_xattr-special.create_file\(nt4_dc\) ^samba3.raw.acls nfs4acl_xattr-special.create_dir\(nt4_dc\) ^samba3.raw.acls nfs4acl_xattr-special.nulldacl\(nt4_dc\) @@ -217,10 +215,6 @@ # ^samba4.winbind.struct.domain_info\(s4member:local\) ^samba4.winbind.struct.getdcname\(s4member:local\) -^samba.blackbox.wbinfo\(s4member:local\).wbinfo -r against s4member\(s4member:local\) -^samba.blackbox.wbinfo\(s4member:local\).wbinfo --user-sids against s4member\(s4member:local\) -^samba.wbinfo_simple.\(s4member:local\).--user-groups -^samba.nss.test using winbind\(s4member:local\) # # These fail since ad_dc_ntvfs assigns the local user's uid to SAMBADOMAIN/Administrator # hence we have a duplicate UID in nsswitch. diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index a8f3a9b..fc223bb 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -283,6 +283,7 @@ sub get_interface($) # 11-16 used by selftest.pl for client interfaces + $interfaces{"idmapridmember"} = 20; $interfaces{"localdc"} = 21; $interfaces{"localvampiredc"} = 22; $interfaces{"s4member"} = 23; 
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index ce60b52..c574dda 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm 
@@ -541,6 +541,94 @@ sub setup_admember_rfc2307($$$$) return $ret; } +sub setup_ad_member_idmap_rid($$$$) +{ + my ($self, $prefix, $dcvars) = @_; + + # If we didn't build with ADS, pretend this env was never available + if (not $self->have_ads()) { + return "UNKNOWN"; + } + + print "PROVISIONING S3 AD MEMBER WITH idmap_rid config..."; + + my $member_options = " + security = ads + workgroup = $dcvars->{DOMAIN} + realm = $dcvars->{REALM} + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 + idmap config $dcvars->{DOMAIN} : backend = rid + idmap config $dcvars->{DOMAIN} : range = 2000000-2999999 +"; + + my $ret = $self->provision($prefix, + "IDMAPRIDMEMBER", + "loCalMemberPass", + $member_options, + $dcvars->{SERVER_IP}, + $dcvars->{SERVER_IPV6}); + + $ret or return undef; + + close(USERMAP); + $ret->{DOMAIN} = $dcvars->{DOMAIN}; + $ret->{REALM} = $dcvars->{REALM}; + + my $ctx; + my $prefix_abs = abs_path($prefix); + $ctx = {}; + $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{domain} = $dcvars->{DOMAIN}; + $ctx->{realm} = $dcvars->{REALM}; + $ctx->{dnsname} = lc($dcvars->{REALM}); + $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP}; + $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6}; + $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}"; + Samba::mk_krb5_conf($ctx, ""); + + $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; + + my $net = Samba::bindir_path($self, "net"); + my $cmd = ""; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + if (defined($ret->{RESOLV_WRAPPER_CONF})) { + $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" "; + } else { + $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" "; + } + $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" "; + $cmd .= "$net join $ret->{CONFIGURATION}"; + $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}"; + + if (system($cmd) != 0) { + warn("Join failed\n$cmd"); + return 
undef; + } + + # We need world access to this share, as otherwise the domain + # administrator from the AD domain provided by Samba4 can't + # access the share for tests. + chmod 0777, "$prefix/share"; + + if (not $self->check_or_start($ret, "yes", "yes", "yes")) { + return undef; + } + + $ret->{DC_SERVER} = $dcvars->{SERVER}; + $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP}; + $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6}; + $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; + $ret->{DC_USERNAME} = $dcvars->{USERNAME}; + $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; + + # Special case, this is called from Samba4.pm but needs to use the Samba3 check_env and get_log_env + $ret->{target} = $self; + + return $ret; +} + sub setup_simpleserver($$) { my ($self, $path) = @_; diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index f1de4b9..5956010 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -2002,6 +2002,12 @@ sub setup_env($$$) } return $target3->setup_admember_rfc2307("$path/ad_member_rfc2307", $self->{vars}->{ad_dc_ntvfs}, 34); + } elsif ($envname eq "ad_member_idmap_rid") { + if (not defined($self->{vars}->{ad_dc})) { + $self->setup_ad_dc("$path/ad_dc"); + } + return $target3->setup_ad_member_idmap_rid("$path/ad_member_idmap_rid", + $self->{vars}->{ad_dc}); } elsif ($envname eq "none") { return $self->setup_none("$path/none"); } else { diff --git a/source3/include/lsa.h b/source3/include/lsa.h index 7681aed..c23e942 100644 --- a/source3/include/lsa.h +++ b/source3/include/lsa.h @@ -22,4 +22,8 @@ int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx, const char *dom_name, struct dom_sid *dom_sid); +#define NT_STATUS_LOOKUP_ERR(status) \ + (!NT_STATUS_IS_OK(status) && \ + !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) && \ + !NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) #endif diff --git a/source3/lib/system.c b/source3/lib/system.c index 3d3eeed..99462b6 100644 --- a/source3/lib/system.c +++ b/source3/lib/system.c 
@@ -790,12 +790,11 @@ int groups_max(void) static int sys_broken_getgroups(int setlen, gid_t *gidset) { - GID_T gid; GID_T *group_list; int i, ngroups; if(setlen == 0) { - return getgroups(setlen, &gid); + return getgroups(0, NULL); } /* @@ -808,9 +807,6 @@ static int sys_broken_getgroups(int setlen, gid_t *gidset) return -1; } - if (setlen == 0) - setlen = groups_max(); - if((group_list = SMB_MALLOC_ARRAY(GID_T, setlen)) == NULL) { DEBUG(0,("sys_getgroups: Malloc fail.\n")); return -1; @@ -823,6 +819,12 @@ static int sys_broken_getgroups(int setlen, gid_t *gidset) return -1; } + /* + * We're safe here as if ngroups > setlen then + * getgroups *must* return EINVAL. + * pubs.opengroup.org/onlinepubs/009695399/functions/getgroups.html + */ + for(i = 0; i < ngroups; i++) gidset[i] = (gid_t)group_list[i]; diff --git a/source3/modules/vfs_acl_xattr.c b/source3/modules/vfs_acl_xattr.c index e1f90ff..421860b 100644 --- a/source3/modules/vfs_acl_xattr.c +++ b/source3/modules/vfs_acl_xattr.c 
@@ -37,17 +37,45 @@ Pull a security descriptor into a DATA_BLOB from a xattr. *******************************************************************/ +static ssize_t getxattr_do(vfs_handle_struct *handle, + files_struct *fsp, + const struct smb_filename *smb_fname, + const char *xattr_name, + uint8_t *val, + size_t size) +{ + ssize_t sizeret; + int saved_errno = 0; + + become_root(); + if (fsp && fsp->fh->fd != -1) { + sizeret = SMB_VFS_FGETXATTR(fsp, xattr_name, val, size); + } else { + sizeret = SMB_VFS_GETXATTR(handle->conn, smb_fname->base_name, + XATTR_NTACL_NAME, val, size); + } + if (sizeret == -1) { + saved_errno = errno; + } + unbecome_root(); + + if (saved_errno != 0) { + errno = saved_errno; + } + + return sizeret; +} + static NTSTATUS get_acl_blob(TALLOC_CTX *ctx, vfs_handle_struct *handle, files_struct *fsp, const struct smb_filename *smb_fname, DATA_BLOB *pblob) { - size_t size = 1024; + size_t size = 4096; uint8_t *val = NULL; uint8_t *tmp; ssize_t sizeret; - int saved_errno = 0; ZERO_STRUCTP(pblob); 
@@ -60,35 +88,41 @@ static NTSTATUS get_acl_blob(TALLOC_CTX *ctx, } val = tmp; - become_root(); - if (fsp && fsp->fh->fd != -1) { - sizeret = SMB_VFS_FGETXATTR(fsp, XATTR_NTACL_NAME, val, size); - } else { - sizeret = SMB_VFS_GETXATTR(handle->conn, smb_fname->base_name, - XATTR_NTACL_NAME, val, size); + sizeret = + getxattr_do(handle, fsp, smb_fname, XATTR_NTACL_NAME, val, size); + + if (sizeret >= 0) { + pblob->data = val; + pblob->length = sizeret; + return NT_STATUS_OK; } - if (sizeret == -1) { - saved_errno = errno; + + if (errno != ERANGE) { + goto err; } - unbecome_root(); - /* Max ACL size is 65536 bytes. */ - if (sizeret == -1) { - errno = saved_errno; - if ((errno == ERANGE) && (size != 65536)) { - /* Too small, try again. */ - size = 65536; - goto again; - } + /* Too small, try again. */ + sizeret = + getxattr_do(handle, fsp, smb_fname, XATTR_NTACL_NAME, NULL, 0); + if (sizeret < 0) { + goto err; + } - /* Real error - exit here. */ - TALLOC_FREE(val); - return map_nt_error_from_unix(errno); + if (size < sizeret) { + size = sizeret; } - pblob->data = val; - pblob->length = sizeret; - return NT_STATUS_OK; + if (size > 65536) { + /* Max ACL size is 65536 bytes. */ + errno = ERANGE; + goto err; + } + + goto again; + err: + /* Real error - exit here. */ + TALLOC_FREE(val); + return map_nt_error_from_unix(errno); } /******************************************************************* diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 3f3f8c0..4437d45 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c 
@@ -2955,6 +2955,20 @@ static int fruit_open_rsrc(vfs_handle_struct *handle, SMB_VFS_HANDLE_GET_DATA(handle, config, struct fruit_config_data, return -1); + if (((flags & O_ACCMODE) == O_RDONLY) + && (flags & O_CREAT) + && !VALID_STAT(fsp->fsp_name->st)) + { + /* + * This means the stream doesn't exist. macOS SMB server fails + * this with NT_STATUS_OBJECT_NAME_NOT_FOUND, so must we. Cf bug + * 12565 and the test for this combination in + * test_rfork_create(). + */ + errno = ENOENT; + return -1; -- Samba Shared Repository
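
Review bot: in nsswitch/tests/test_idmap_rid.sh the argument check `[ $# -lt 1 ]` accepts a single argument, although the usage text and `RANGE_START="$2"` need two; with RANGE_START empty, `expr $RID + $RANGE_START` in test 1 fails with a syntax error instead of the usage message. Suggest `-lt 2`. In the same hunk, the `$?` tested after `DOMAIN_SID=$($wbinfo -n "@$DOMAIN" | cut -f 1 -d " ")` is the exit status of cut, not of wbinfo, so the "Could not find domain SID" branch does not fire on a failed lookup; test for an empty DOMAIN_SID instead.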
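
Review bot: in setup_ad_member_idmap_rid() in selftest/target/Samba3.pm, `close(USERMAP);` closes a filehandle that nothing in the added function opens; it looks carried over from the function this one was modelled on and can be dropped. The `($$$$)` prototype also declares four arguments while only `($self, $prefix, $dcvars)` are unpacked and the new Samba4.pm caller passes two besides the object, so `($$$)` would match what the function actually takes.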
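
Review bot: the NT_STATUS_LOOKUP_ERR(status) macro added to source3/include/lsa.h expands its argument three times, so a caller that passes an expression with side effects (a function call, for instance) has it evaluated up to three times; a static inline function, or a comment requiring a plain variable, avoids that. The macro also carries no comment saying that STATUS_SOME_UNMAPPED and NT_STATUS_NONE_MAPPED are deliberately treated as non-errors, which is its whole purpose and worth one line at the definition.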
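
Review bot: in sys_broken_getgroups() in source3/lib/system.c, the copy loop `for(i = 0; i < ngroups; i++) gidset[i] = (gid_t)group_list[i];` is bounded only by the value getgroups() returned, and the new comment justifies that by the POSIX EINVAL guarantee alone. Given that this wrapper exists for platforms whose getgroups() is already handled specially, an explicit `if (ngroups > setlen)` error return before the loop would keep the bound on the caller's buffer local to this function instead of dependent on libc conformance.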
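
Review bot: in the new getxattr_do() in source3/modules/vfs_acl_xattr.c, the path-based branch ignores the xattr_name parameter and passes the hard-coded XATTR_NTACL_NAME to SMB_VFS_GETXATTR(), while the fd-based branch passes xattr_name to SMB_VFS_FGETXATTR(). Both calls visible in this patch supply XATTR_NTACL_NAME, so behaviour is unchanged today, but a later caller asking for a different attribute would silently receive the NT ACL whenever there is no open fd; pass xattr_name in both branches.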
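
Review bot: in get_acl_blob(), second hunk of source3/modules/vfs_acl_xattr.c, the ERANGE retry no longer has an iteration bound: when the zero-length probe returns a value that is not larger than the current `size`, `if (size < sizeret)` leaves size unchanged and `goto again` repeats the identical request, which the removed `size != 65536` guard used to prevent. A backend whose size probe disagrees with its ERANGE result would spin here; return ERANGE when the probe does not ask for a larger buffer, or cap the number of retries. The `size < sizeret` comparison also mixes size_t with ssize_t and is safe only because `sizeret < 0` is rejected just above it, so an explicit cast would document that.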