The branch, v4-10-test has been updated
       via  3ad42536f87 s3:libads: Do not turn on canonicalization flag for MIT Kerberos
       via  d533a588b62 lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs
       via  8939186345f spnego: fix server handling of no optimistic exchange
       via  68d91436d85 python/tests/gensec: add spnego downgrade python tests
       via  3a06edfe4fa python/tests/gensec: make it possible to add knownfail tests for gensec.update()
       via  5c411a2f9f5 selftest: add tests for no optimistic spnego exchange
       via  a403e4d63e0 spnego: add client option to omit sending an optimistic token
       via  9d2d4cf9c93 selftest: s3: add a test for spnego downgrade from krb5 to ntlm
       via  24a43d7c742 s3:libsmb: Do not check the SPNEGO neg token for KRB5
       via  f340056428a spnego: ignore server mech_types list
       via  de0841138e6 testprogs: Add test for 'net ads join createcomputer='
       via  f65a755bdd1 s3:libads: Just change the machine password if account already exists
       via  9d984cebde3 s3:libnet: Improve debug messages
       via  1e384434960 s3:libads: Fix creating machine account using LDAP
       via  ac8c51fbb56 s3:libads: Don't set supported encryption types during account creation
       via  f5216b70c37 s3:libads: Fix detection if account already exists in ads_find_machine_count()
       via  60c5d1d3de6 s3:libads: Use a talloc_asprintf in ads_find_machine_acct()
       via  ddd4a6af621 s3:libads: Cleanup error code paths in ads_create_machine_acct()
       via  39959813881 s3:libnet: Require sealed LDAP SASL connections for joining
       via  377483859c0 s3:libads: Use ldap_add_ext_s() in ads_gen_add()
       via  c68763bff35 testprogs: Fix failure count in test_net_ads.sh
       via  eafb3a20b9d s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls.
       via  59c3bd1b15d ctdb-vacuum: Process all records not deleted on a remote node
       via  fc89f8f54ba s3:libsmb: Link libsmb against pthread
       via  0fe766a4f62 nsswitch: Link stress-nss-libwbclient against pthread
       via  308c2c9cd48 waf:replace: Do not link against libpthread if not necessary
       via  cade53a1558 third_party: Link uid_wrapper against pthread
       via  e405ed01b02 third_party: Link nss_wrapper against pthread
       via  171ff620cd0 third_party: Only link cmocka against librt if really needed
       via  93ab3efe769 pthreadpool: Only link pthreadpool against librt if we have to
       via  a1309d360b9 replace: Only link against librt if really needed
       via  b0362fd07f8 s3:waf: Do not check for nanosleep() as we don't use it anywhere
      from  1ad8c6f4b08 winbind: provide passwd struct for group sid with ID_TYPE_BOTH mapping (again)
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test

- Log -----------------------------------------------------------------
commit 3ad42536f873f21cc2db774ca3ea694ca7142253
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Oct 9 16:32:47 2019 +0200

    s3:libads: Do not turn on canonicalization flag for MIT Kerberos

    This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155

    Pair-Programmed-With: Isaac Boukris <ibouk...@redhat.com>

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Isaac Boukris <ibouk...@redhat.com>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 123584294cfd153acc2d9a5be9d71c395c847a25)

    Autobuild-User(v4-10-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-10-test): Wed Oct 16 16:43:59 UTC 2019 on sn-devel-144

commit d533a588b62829688824824da681cb360a399651
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Oct 9 20:11:03 2019 +0200

    lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs

    The autobuild cleanup script fails with:

    The tree has 3 new uncommitted files!!!
    git clean -n
    Would remove MEMORY:tmp_smb_creds_SK98Lv
    Would remove MEMORY:tmp_smb_creds_kornU6
    Would remove MEMORY:tmp_smb_creds_ljR828

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit d888655244b4d8ec7a69a042e0ff3c074585b0de)

commit 8939186345ff9da6f96b5a244bcd44f098d5b60c
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed Sep 4 17:04:12 2019 +0300

    spnego: fix server handling of no optimistic exchange

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
    Signed-off-by: Isaac Boukris <ibouk...@redhat.com>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184

commit 68d91436d854306a1a6577b121248ef7c0bdb588
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Fri Oct 11 00:20:16 2019 +0300

    python/tests/gensec: add spnego downgrade python tests

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

    Pair-Programmed-With: Andreas Schneider <a...@samba.org>

    Signed-off-by: Isaac Boukris <ibouk...@gmail.com>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3a06edfe4fa267152b72b87d37e6256d56a8aaa6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Oct 11 13:23:17 2019 +0200

    python/tests/gensec: make it possible to add knownfail tests for gensec.update()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 5c411a2f9f534ce034aa346f634d3ac2747c1552
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed Sep 4 16:39:43 2019 +0300

    selftest: add tests for no optimistic spnego exchange

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

    Signed-off-by: Isaac Boukris <ibouk...@redhat.com>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit a403e4d63e0de5cdd9fd13643835e050dae6b736
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Wed Sep 4 16:31:21 2019 +0300

    spnego: add client option to omit sending an optimistic token

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
    Signed-off-by: Isaac Boukris <ibouk...@redhat.com>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 9d2d4cf9c93684ddb0dda0ed51febc6a2a2132c4
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Mon Oct 7 23:51:19 2019 +0300

    selftest: s3: add a test for spnego downgrade from krb5 to ntlm

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

    Signed-off-by: Isaac Boukris <ibouk...@redhat.com>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 24a43d7c7429fd89938bed410d2a433c61c5f9d7
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Oct 10 16:18:21 2019 +0200

    s3:libsmb: Do not check the SPNEGO neg token for KRB5

    The list is not protected and this could be a downgrade attack.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

    Pair-Programmed-With: Isaac Boukris <ibouk...@redhat.com>

    Reviewed-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Isaac Boukris <ibouk...@redhat.com>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit f340056428a6bbae2ebe245af3bbd7a44c1c50c9
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Thu Oct 3 13:09:29 2019 +0300

    spnego: ignore server mech_types list

    We should not use the mech list sent by the server in the last
    'negotiate' packet in CIFS protocol, as it is not protected and may be
    subject to downgrade attacks.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

    Signed-off-by: Isaac Boukris <ibouk...@redhat.com>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit de0841138e6def10a370e6b0630a9ca36a4870c4
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Aug 22 16:31:30 2019 +0200

    testprogs: Add test for 'net ads join createcomputer='
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Wed Oct 9 08:26:17 UTC 2019 on sn-devel-184

    (cherry picked from commit 459b43e5776180dc1540cd845b72ff78747ecd6f)

commit f65a755bdd16527dd84708fa77199f6162b19584
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Aug 8 14:40:04 2019 +0200

    s3:libads: Just change the machine password if account already exists

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884

    Pair-Programmed-With: Guenther Deschner <g...@samba.org>

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 14f320fa1e40ecc3a43dabb0cecd57430270a521)

commit 9d984cebde3516a42173b77664c5d79b96ad3bbc
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Aug 14 10:15:19 2019 +0200

    s3:libnet: Improve debug messages

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 39b8c8b30a5d5bd70f8da3a02cf77f7592788b94)

commit 1e38443496098a94f405d2a8c346428d0c378bbd
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Aug 13 16:34:34 2019 +0200

    s3:libads: Fix creating machine account using LDAP

    This implements the same behaviour as Windows.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884

    Pair-Programmed-With: Guenther Deschner <g...@samba.org>

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit ce7762935051c862ecdd3e82d93096aac61dd292)

commit ac8c51fbb5611d5bd2c34cb5693a32238ef64cac
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Aug 14 12:17:20 2019 +0200

    s3:libads: Don't set supported encryption types during account creation

    This is already handled by libnet_join_post_processing_ads_modify()
    which calls libnet_join_set_etypes() if encryption types should be set.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit b755a6438022579dab1a403c81d60b1ed7efca38)

commit f5216b70c373e3acffc1d75f6efa3e8d273a41fe
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Aug 14 13:01:19 2019 +0200

    s3:libads: Fix detection if account already exists in ads_find_machine_count()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 4f389c1f78cdc2424795e3b2a1ce43818c400c2d)

commit 60c5d1d3de6c8a44f716349805a8ac0dc935d97d
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Aug 21 12:22:32 2019 +0200

    s3:libads: Use a talloc_asprintf in ads_find_machine_acct()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 35f3e4aed1f1c2ba1c8dc50921f238937f343357)

commit ddd4a6af621799c4d7e38373733ec1bb1c168a9e
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Aug 13 16:30:07 2019 +0200

    s3:libads: Cleanup error code paths in ads_create_machine_acct()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 8ed993789f93624b7b60dd5314fe5472e69e903a)

commit 399598138815c38ea992c97a3a65b82fb849c6f4
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Aug 13 17:41:40 2019 +0200

    s3:libnet: Require sealed LDAP SASL connections for joining
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit b84abb3a46211dc84e52ef95750627e4dd081f2f)

commit 377483859c0c3b9543262471c2487c0ea35c4c82
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Aug 13 17:06:58 2019 +0200

    s3:libads: Use ldap_add_ext_s() in ads_gen_add()

    ldap_add_s() is marked as deprecated.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 456322a61319a10aaedda5244488ea4e5aa5cb64)

commit c68763bff350765ca90382e8d9d6c21911e54e22
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Aug 8 14:35:38 2019 +0200

    testprogs: Fix failure count in test_net_ads.sh

    There are missing ` at the end of the line.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 320b5be4dce95d8dac4b3c0847faf5b730754a37)

commit eafb3a20b9df8ecc208ba6f37c24873da68077e1
Author: Jeremy Allison <j...@samba.org>
Date:   Thu Oct 3 14:02:13 2019 -0700

    s3: smbclient: Stop an SMB2-connection from blundering into SMB1-specific calls.

    Fix in the same way this was done in SMBC_opendir_ctx() for libsmbclient.

    This fix means the admin no longer has to remember to set
    'min client protocol =' when connecting to an SMB2-only server (MacOSX
    for example) and trying to list shares.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14152
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit ea82bca8cef0d736305a7a40b3198fc55ea66af8)

commit 59c3bd1b15dad8de86748456a8671ff4fd1a06eb
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Mon Sep 30 16:34:35 2019 +1000

    ctdb-vacuum: Process all records not deleted on a remote node

    This currently skips the last record.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14147
    RN: Avoid potential data loss during recovery after vacuuming error

    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Martin Schwenke <mar...@meltin.net>
    (cherry picked from commit 33f1c9d9654fbdcb99c23f9d23c4bbe2cc596b98)

commit fc89f8f54ba07a36ca8193f3ec7b51eede9f9728
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Tue Oct 15 17:01:48 2019 +0300

    s3:libsmb: Link libsmb against pthread

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140

    Signed-off-by: Isaac Boukris <ibouk...@gmail.com>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 7259197bf716f8b81dea74beefe6ee3b1239f172)

commit 0fe766a4f62959c18b1acabfc7de3ece31ccb860
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Tue Oct 15 13:52:42 2019 +0300

    nsswitch: Link stress-nss-libwbclient against pthread

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
    Signed-off-by: Isaac Boukris <ibouk...@gmail.com>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit d473f1e38c2822746030516269b4d70032cf9b2e)

commit 308c2c9cd48f6ff9dfae71ee4c2525f68e227aea
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Sep 23 16:53:12 2019 +0200

    waf:replace: Do not link against libpthread if not necessary

    On Linux we should avoid linking everything against libpthread. Symbols
    used by most applications are provided by glibc and code which deals
    with threads has to explicitly link against libpthread.

    This avoids setting LDFLAGS=-pthread globally.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Isaac Boukris <ibouk...@gmail.com>
    Pair-Programmed-With: Isaac Boukris <ibouk...@gmail.com>
    Reviewed-by: Matthias Dieter Wallnöfer <m...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 9499db075b72b147e2ff9bb78e9d5edbaac14e69)

commit cade53a155838d85999efeb3da6525674977e2f8
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Sep 23 17:40:13 2019 +0200

    third_party: Link uid_wrapper against pthread

    uid_wrapper uses pthread_atfork() which is only provided by libpthread.
    So we need an explicit dependency.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Isaac Boukris <ibouk...@gmail.com>
    Pair-Programmed-With: Isaac Boukris <ibouk...@gmail.com>
    Reviewed-by: Matthias Dieter Wallnöfer <m...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit bd0cd8e13234d684da77a65f6fdaea2572625369)

commit e405ed01b02cc10838c4a9828d43fc99eaeb50c9
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Sep 23 17:39:29 2019 +0200

    third_party: Link nss_wrapper against pthread

    nss_wrapper uses pthread_atfork() which is only provided by libpthread.
    So we need an explicit dependency.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Isaac Boukris <ibouk...@gmail.com>
    Pair-Programmed-With: Isaac Boukris <ibouk...@gmail.com>
    Reviewed-by: Matthias Dieter Wallnöfer <m...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 68d8a02ef57cce29e4ff3ef1b792adfc10d0b916)

commit 171ff620cd0fd29e15585b137ef03d1b7af988ba
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Sep 23 17:04:57 2019 +0200

    third_party: Only link cmocka against librt if really needed

    cmocka also uses clock_gettime().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Isaac Boukris <ibouk...@gmail.com>
    Pair-Programmed-With: Isaac Boukris <ibouk...@gmail.com>
    Reviewed-by: Matthias Dieter Wallnöfer <m...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 36e8d715bc8dc1e8466f5a5c9798df76310b7572)

commit 93ab3efe7697669e9a551a5f8aec9bd4b27ff970
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Sep 23 16:10:35 2019 +0200

    pthreadpool: Only link pthreadpool against librt if we have to

    This calls clock_gettime() which is available in glibc on Linux. If the
    wscript in libreplace detected that librt is needed for clock_gettime()
    we have to link against it.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Isaac Boukris <ibouk...@gmail.com>
    Pair-Programmed-With: Isaac Boukris <ibouk...@gmail.com>
    Reviewed-by: Matthias Dieter Wallnöfer <m...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 4b28239d13b17e42eb5aa4b405342f46347f3de4)

commit a1309d360b9aef76c4dede9be6a0343874577a4e
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Sep 23 15:14:24 2019 +0200

    replace: Only link against librt if really needed

    fdatasync() and clock_gettime() are provided by glibc on Linux, so there
    is no need to link against librt. Checks have been added so that
    platforms which require it are still functional.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Isaac Boukris <ibouk...@gmail.com>
    Pair-Programmed-With: Isaac Boukris <ibouk...@gmail.com>
    Reviewed-by: Matthias Dieter Wallnöfer <m...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    (cherry picked from commit 480152dd6729d4c58faca6f3e4fa91ff4614c272)

commit b0362fd07f87080f29ffee15874e381bc4481fe2
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Sep 23 15:18:55 2019 +0200

    s3:waf: Do not check for nanosleep() as we don't use it anywhere

    We use usleep() in the meantime.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140

    Signed-off-by: Andreas Schneider <a...@samba.org>
Signed-off-by: Isaac Boukris <ibouk...@gmail.com> Pair-Programmed-With: Isaac Boukris <ibouk...@gmail.com> Reviewed-by: Matthias Dieter Wallnöfer <m...@samba.org> Reviewed-by: Alexander Bokovoy <a...@samba.org> (cherry picked from commit 952e1812fa9bdc1bac2a7ae5ebb5532f1ea31447) ----------------------------------------------------------------------- Summary of changes: auth/gensec/spnego.c | 55 ++++- ctdb/server/ctdb_vacuum.c | 2 +- lib/krb5_wrap/krb5_samba.c | 16 +- lib/pthreadpool/wscript_build | 7 +- lib/replace/wscript | 34 ++- libgpo/pygpo.c | 2 +- nsswitch/wscript_build | 2 +- python/samba/tests/gensec.py | 34 ++- selftest/target/Samba3.pm | 9 + source3/client/client.c | 4 + source3/lib/netapi/joindomain.c | 5 +- source3/libads/ads_proto.h | 13 +- source3/libads/ads_struct.c | 14 +- source3/libads/krb5_setpw.c | 15 ++ source3/libads/ldap.c | 339 +++++++++++++++++++++++++----- source3/libnet/libnet_join.c | 31 ++- source3/libsmb/cliconnect.c | 50 ----- source3/libsmb/namequery_dc.c | 2 +- source3/libsmb/wscript | 1 + source3/printing/nt_printing_ads.c | 6 +- source3/script/tests/test_smbd_no_krb5.sh | 46 ++++ source3/selftest/tests.py | 4 + source3/utils/net_ads.c | 13 +- source3/winbindd/winbindd_ads.c | 5 +- source3/winbindd/winbindd_cm.c | 5 +- source3/wscript | 1 - source4/selftest/tests.py | 4 + testprogs/blackbox/test_net_ads.sh | 36 +++- third_party/cmocka/wscript | 7 +- third_party/nss_wrapper/wscript | 2 +- third_party/uid_wrapper/wscript | 2 +- 31 files changed, 604 insertions(+), 162 deletions(-) create mode 100755 source3/script/tests/test_smbd_no_krb5.sh Changeset truncated at 500 lines: diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 0b3fbdce7ac..ddbe03c5d6b 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -136,6 +136,7 @@ struct spnego_state { bool done_mic_check; bool simulate_w2k; + bool no_optimistic; /* * The following is used to implement 
@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, "spnego", "simulate_w2k", false); + spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings, + "spnego", + "client_no_optimistic", + false); gensec_security->private_data = spnego_state; return NT_STATUS_OK; @@ -511,7 +516,11 @@ static NTSTATUS gensec_spnego_client_negTokenInit_start( } n->mech_idx = 0; - n->mech_types = spnego_in->negTokenInit.mechTypes; + + /* Do not use server mech list as it isn't protected. Instead, get all + * supported mechs (excluding SPNEGO). */ + n->mech_types = gensec_security_oids(gensec_security, n, + GENSEC_OID_SPNEGO); if (n->mech_types == NULL) { return NT_STATUS_INVALID_PARAMETER; } @@ -658,13 +667,30 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish( DATA_BLOB *out) { struct spnego_data spnego_out; - const char *my_mechs[] = {NULL, NULL}; + const char * const *mech_types = NULL; bool ok; - my_mechs[0] = spnego_state->neg_oid; + if (n->mech_types == NULL) { + DBG_WARNING("No mech_types list\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + for (mech_types = n->mech_types; *mech_types != NULL; mech_types++) { + int cmp = strcmp(*mech_types, spnego_state->neg_oid); + + if (cmp == 0) { + break; + } + } + + if (*mech_types == NULL) { + DBG_ERR("Can't find selected sub mechanism in mech_types\n"); + return NT_STATUS_INVALID_PARAMETER; + } + /* compose reply */ spnego_out.type = SPNEGO_NEG_TOKEN_INIT; - spnego_out.negTokenInit.mechTypes = my_mechs; + spnego_out.negTokenInit.mechTypes = mech_types; spnego_out.negTokenInit.reqFlags = data_blob_null; spnego_out.negTokenInit.reqFlagsPadding = 0; spnego_out.negTokenInit.mechListMIC = data_blob_null; 
@@ -676,7 +702,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish( } ok = spnego_write_mech_types(spnego_state, - my_mechs, + mech_types, &spnego_state->mech_types); if (!ok) { DBG_ERR("failed to write mechTypes\n"); @@ -1295,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step( spnego_state->mic_requested = true; } + if (sub_in.length == 0) { + spnego_state->no_optimistic = true; + } + /* * Note that 'cur_sec' is temporary memory, but * cur_sec->oid points to a const string in the @@ -1923,6 +1953,21 @@ static void gensec_spnego_update_pre(struct tevent_req *req) * blob and NT_STATUS_OK. */ state->sub.status = NT_STATUS_OK; + } else if (spnego_state->state_position == SPNEGO_CLIENT_START && + spnego_state->no_optimistic) { + /* + * Skip optimistic token per conf. + */ + state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED; + } else if (spnego_state->state_position == SPNEGO_SERVER_START && + state->sub.in.length == 0 && spnego_state->no_optimistic) { + /* + * If we didn't like the mechanism for which the client sent us + * an optimistic token, or if he didn't send any, don't call + * the sub mechanism just yet. + */ + state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED; + spnego_state->no_optimistic = false; } else { /* * MORE_PROCESSING_REQUIRED => diff --git a/ctdb/server/ctdb_vacuum.c b/ctdb/server/ctdb_vacuum.c index 9d086917f3c..04a4cf08977 100644 --- a/ctdb/server/ctdb_vacuum.c +++ b/ctdb/server/ctdb_vacuum.c @@ -814,7 +814,7 @@ static void ctdb_process_delete_list(struct ctdb_db_context *ctdb_db, */ records = (struct ctdb_marshall_buffer *)outdata.dptr; rec = (struct ctdb_rec_data_old *)&records->data[0]; - while (records->count-- > 1) { + while (records->count-- > 0) { TDB_DATA reckey, recdata; struct ctdb_ltdb_header *rechdr; struct delete_record_data *dd; diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index abdcb308728..6ce1d09952e 100644 --- a/lib/krb5_wrap/krb5_samba.c 
+++ b/lib/krb5_wrap/krb5_samba.c @@ -2002,21 +2002,21 @@ krb5_error_code smb_krb5_kinit_keyblock_ccache(krb5_context ctx, krb_options); #elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB) { -#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX" - char tmp_name[sizeof(SMB_CREDS_KEYTAB)]; +#define SMB_CREDS_KEYTAB "MEMORY:tmp_kinit_keyblock_ccache" + char tmp_name[64] = {0}; krb5_keytab_entry entry; krb5_keytab keytab; - mode_t mask; + int rc; memset(&entry, 0, sizeof(entry)); entry.principal = principal; *(KRB5_KT_KEY(&entry)) = *keyblock; - memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB)); - mask = umask(S_IRWXO | S_IRWXG); - mktemp(tmp_name); - umask(mask); - if (tmp_name[0] == 0) { + rc = snprintf(tmp_name, sizeof(tmp_name), + "%s-%p", + SMB_CREDS_KEYTAB, + &my_creds); + if (rc < 0) { return KRB5_KT_BADNAME; } code = krb5_kt_resolve(ctx, tmp_name, &keytab); diff --git a/lib/pthreadpool/wscript_build b/lib/pthreadpool/wscript_build index 57df25548b1..70aa7cbf041 100644 --- a/lib/pthreadpool/wscript_build +++ b/lib/pthreadpool/wscript_build @@ -1,12 +1,17 @@ #!/usr/bin/env python if bld.env.WITH_PTHREADPOOL: + extra_libs='' + + # Link to librt if needed for clock_gettime() + if bld.CONFIG_SET('HAVE_LIBRT'): extra_libs += ' rt' + bld.SAMBA_SUBSYSTEM('PTHREADPOOL', source='''pthreadpool.c pthreadpool_pipe.c pthreadpool_tevent.c ''', - deps='pthread rt replace tevent-util') + deps='pthread replace tevent-util' + extra_libs) else: bld.SAMBA_SUBSYSTEM('PTHREADPOOL', source='''pthreadpool_sync.c diff --git a/lib/replace/wscript b/lib/replace/wscript index a7fd25d15bc..b5919835c0b 100644 --- a/lib/replace/wscript +++ b/lib/replace/wscript 
@@ -457,11 +457,28 @@ def configure(conf): conf.CHECK_C_PROTOTYPE('dlopen', 'void *dlopen(const char* filename, unsigned int flags)', define='DLOPEN_TAKES_UNSIGNED_FLAGS', headers='dlfcn.h dl.h') - if conf.CHECK_FUNCS_IN('fdatasync', 'rt', checklibc=True): + # + # Check for clock_gettime and fdatasync + # + # First check libc to avoid linking libreplace against librt. + # + if conf.CHECK_FUNCS('fdatasync'): # some systems are missing the declaration conf.CHECK_DECLS('fdatasync') + else: + if conf.CHECK_FUNCS_IN('fdatasync', 'rt'): + # some systems are missing the declaration + conf.CHECK_DECLS('fdatasync') + + has_clock_gettime = False + if conf.CHECK_FUNCS('clock_gettime'): + has_clock_gettime = True - if conf.CHECK_FUNCS_IN('clock_gettime', 'rt', checklibc=True): + if not has_clock_gettime: + if conf.CHECK_FUNCS_IN('clock_gettime', 'rt', checklibc=True): + has_clock_gettime = True + + if has_clock_gettime: for c in ['CLOCK_MONOTONIC', 'CLOCK_PROCESS_CPUTIME_ID', 'CLOCK_REALTIME']: conf.CHECK_CODE(''' #if TIME_WITH_SYS_TIME @@ -534,6 +551,11 @@ def configure(conf): PTHREAD_CFLAGS='error' PTHREAD_LDFLAGS='error' + if PTHREAD_LDFLAGS == 'error': + # Check if pthread_attr_init() is provided by libc first! + if conf.CHECK_FUNCS('pthread_attr_init'): + PTHREAD_CFLAGS='-D_REENTRANT' + PTHREAD_LDFLAGS='' if PTHREAD_LDFLAGS == 'error': if conf.CHECK_FUNCS_IN('pthread_attr_init', 'pthread'): PTHREAD_CFLAGS='-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS' @@ -546,10 +568,7 @@ def configure(conf): if conf.CHECK_FUNCS_IN('pthread_attr_init', 'c_r'): PTHREAD_CFLAGS='-D_THREAD_SAFE -pthread' PTHREAD_LDFLAGS='-pthread' - if PTHREAD_LDFLAGS == 'error': - if conf.CHECK_FUNCS('pthread_attr_init'): - PTHREAD_CFLAGS='-D_REENTRANT' - PTHREAD_LDFLAGS='-lpthread' + # especially for HP-UX, where the CHECK_FUNC macro fails to test for # pthread_attr_init. On pthread_mutex_lock it works there... if PTHREAD_LDFLAGS == 'error': 
@@ -815,6 +834,7 @@ def build(bld): extra_libs = '' if bld.CONFIG_SET('HAVE_LIBBSD'): extra_libs += ' bsd' + if bld.CONFIG_SET('HAVE_LIBRT'): extra_libs += ' rt' bld.SAMBA_SUBSYSTEM('LIBREPLACE_HOSTCC', REPLACE_HOSTCC_SOURCE, @@ -855,7 +875,7 @@ def build(bld): # at the moment: # hide_symbols=bld.BUILTIN_LIBRARY('replace'), private_library=True, - deps='crypt dl nsl socket rt attr' + extra_libs) + deps='crypt dl nsl socket attr' + extra_libs) replace_test_cflags = '' if bld.CONFIG_SET('HAVE_WNO_FORMAT_TRUNCATION'): diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index cd107318860..4db8cad7ca4 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -212,7 +212,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds) return -1; } - self->ads_ptr = ads_init(realm, workgroup, ldap_server); + self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN); if (self->ads_ptr == NULL) { return -1; } diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build index 6acc4a19b9b..861ed2f23bf 100644 --- a/nsswitch/wscript_build +++ b/nsswitch/wscript_build @@ -20,7 +20,7 @@ bld.SAMBA_BINARY('nsstest', if bld.CONFIG_SET('HAVE_PTHREAD'): bld.SAMBA_BINARY('stress-nss-libwbclient', source='stress-nss-libwbclient.c', - deps='wbclient', + deps='wbclient pthread', install=False ) diff --git a/python/samba/tests/gensec.py b/python/samba/tests/gensec.py index b5ce51de756..47bb6c82a01 100644 --- a/python/samba/tests/gensec.py +++ b/python/samba/tests/gensec.py 
@@ -47,11 +47,17 @@ class GensecTests(samba.tests.TestCase): def test_info_uninitialized(self): self.assertRaises(RuntimeError, self.gensec.session_info) - def _test_update(self, mech, client_mech=None): + def _test_update(self, mech, client_mech=None, client_only_opt=None): """Test GENSEC by doing an exchange with ourselves using GSSAPI against a KDC""" """Start up a client and server GENSEC instance to test things with""" + if client_only_opt: + orig_client_opt = self.lp_ctx.get(client_only_opt) + if not orig_client_opt: + orig_client_opt = '' + self.lp_ctx.set(client_only_opt, "yes") + self.gensec_client = gensec.Security.start_client(self.settings) self.gensec_client.set_credentials(self.get_credentials()) self.gensec_client.want_feature(gensec.FEATURE_SEAL) @@ -60,6 +66,9 @@ class GensecTests(samba.tests.TestCase): else: self.gensec_client.start_mech_by_sasl_name(mech) + if client_only_opt: + self.lp_ctx.set(client_only_opt, "no") + self.gensec_server = gensec.Security.start_server(settings=self.settings, auth_context=auth.AuthContext(lp_ctx=self.lp_ctx)) creds = Credentials() 
@@ -78,15 +87,28 @@ class GensecTests(samba.tests.TestCase): """Run the actual call loop""" while True: if not client_finished: + if client_only_opt: + self.lp_ctx.set(client_only_opt, "yes") print("running client gensec_update") - (client_finished, client_to_server) = self.gensec_client.update(server_to_client) + try: + (client_finished, client_to_server) = self.gensec_client.update(server_to_client) + except samba.NTSTATUSError as nt: + raise AssertionError(nt) + if client_only_opt: + self.lp_ctx.set(client_only_opt, "no") if not server_finished: print("running server gensec_update") - (server_finished, server_to_client) = self.gensec_server.update(client_to_server) + try: + (server_finished, server_to_client) = self.gensec_server.update(client_to_server) + except samba.NTSTATUSError as nt: + raise AssertionError(nt) if client_finished and server_finished: break + if client_only_opt: + self.lp_ctx.set(client_only_opt, orig_client_opt) + self.assertTrue(server_finished) self.assertTrue(client_finished) @@ -115,6 +137,12 @@ class GensecTests(samba.tests.TestCase): def test_update_spnego(self): self._test_update("GSS-SPNEGO") + def test_update_spnego_downgrade(self): + self._test_update("GSS-SPNEGO", "spnego", "gensec:gssapi_krb5") + + def test_update_no_optimistic_spnego(self): + self._test_update("GSS-SPNEGO", "spnego", "spnego:client_no_optimistic") + def test_update_w2k_spnego_client(self): self.lp_ctx.set("spnego:simulate_w2k", "yes") diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 70f535e1a49..75960dbc790 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm 
@@ -1679,6 +1679,7 @@ sub provision($$$$$$$$$) my $dfqconffile="$libdir/dfq.conf"; my $errorinjectconf="$libdir/error_inject.conf"; my $delayinjectconf="$libdir/delay_inject.conf"; + my $globalinjectconf="$libdir/global_inject.conf"; my $nss_wrapper_pl = "$ENV{PERL} $self->{srcdir}/third_party/nss_wrapper/nss_wrapper.pl"; my $nss_wrapper_passwd = "$privatedir/passwd"; @@ -1860,6 +1861,8 @@ sub provision($$$$$$$$$) #it just means we ALLOW one to be configured. allow insecure wide links = yes + include = $globalinjectconf + # Begin extra options $extra_options # End extra options @@ -2358,6 +2361,12 @@ sub provision($$$$$$$$$) } close(DFQCONF); + unless (open(DELAYCONF, ">$globalinjectconf")) { + warn("Unable to open $globalinjectconf"); + return undef; + } + close(DELAYCONF); + ## ## create a test account ## diff --git a/source3/client/client.c b/source3/client/client.c index 3a31463cdbb..701cd4e7d96 100644 --- a/source3/client/client.c +++ b/source3/client/client.c @@ -4916,6 +4916,10 @@ static bool browse_host(bool sort) return false; } + if (smbXcli_conn_protocol(cli->conn) > PROTOCOL_NT1) { + return false; + } + ret = cli_RNetShareEnum(cli, browse_fn, NULL); if (ret == -1) { NTSTATUS status = cli_nt_error(cli); diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c index ff2154ba803..8d0752f4531 100644 --- a/source3/lib/netapi/joindomain.c +++ b/source3/lib/netapi/joindomain.c @@ -411,7 +411,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx, dc = strip_hostname(info->dc_unc); - ads = ads_init(info->domain_name, info->domain_name, dc); + ads = ads_init(info->domain_name, + info->domain_name, + dc, + ADS_SASL_PLAIN); if (!ads) { return WERR_GEN_FAILURE; } diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h index 154bf67f964..495ef5d3325 100644 --- a/source3/libads/ads_proto.h +++ b/source3/libads/ads_proto.h 
@@ -32,6 +32,12 @@ #ifndef _LIBADS_ADS_PROTO_H_ #define _LIBADS_ADS_PROTO_H_ +enum ads_sasl_state_e { + ADS_SASL_PLAIN = 0, + ADS_SASL_SIGN, + ADS_SASL_SEAL, +}; + /* The following definitions come from libads/ads_struct.c */ char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse); @@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm); char *ads_build_domain(const char *dn); ADS_STRUCT *ads_init(const char *realm, const char *workgroup, - const char *ldap_server); + const char *ldap_server, + enum ads_sasl_state_e sasl_state); bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags); void ads_destroy(ADS_STRUCT **ads); @@ -107,8 +114,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, const char *machine_ const char **spns); ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, + const char *machine_password, const char *org_unit, - uint32_t etype_list); + uint32_t etype_list, + const char *dns_domain_name); ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, const char *org_unit, bool *moved); int ads_count_replies(ADS_STRUCT *ads, void *res); diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c index 3ab682c0e38..043a1b21247 100644 --- a/source3/libads/ads_struct.c +++ b/source3/libads/ads_struct.c @@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn) */ ADS_STRUCT *ads_init(const char *realm, const char *workgroup, - const char *ldap_server) + const char *ldap_server, + enum ads_sasl_state_e sasl_state) { ADS_STRUCT *ads; int wrap_flags; @@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm, wrap_flags = 0; } + switch (sasl_state) { + case ADS_SASL_PLAIN: + break; + case ADS_SASL_SIGN: + wrap_flags |= ADS_AUTH_SASL_SIGN; + break; + case ADS_SASL_SEAL: + wrap_flags |= ADS_AUTH_SASL_SEAL; + break; + } + ads->auth.flags = wrap_flags; /* Start with the configured page size when the connection is new, 
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c index 67bc2f4640d..028b0dcfa65 100644 --- a/source3/libads/krb5_setpw.c -- Samba Shared Repository
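Review bot: in the GensecTests `_test_update` hunk, the original value of `client_only_opt` is restored only on the success path: when `update()` raises and the new `except samba.NTSTATUSError as nt: raise AssertionError(nt)` branch fires, the loop is left with the option set to "yes" or "no" in the shared `self.lp_ctx`, which can leak into later tests in the same class. Wrap the exchange loop in `try:` / `finally: self.lp_ctx.set(client_only_opt, orig_client_opt)` so the restore runs on every exit.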
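Review bot: in the selftest/target/Samba3.pm hunk that creates `$globalinjectconf`, the filehandle name `DELAYCONF` is reused from the delay_inject block above it, so the `open`/`close` pair no longer says what file it handles. Rename it (for example `GLOBALINJECTCONF`) so the handle matches the `global_inject.conf` it writes and cannot be confused with the real delay-inject handle if the two blocks are ever reordered.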
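Review bot: in the source3/client/client.c `browse_host()` hunk, the new `if (smbXcli_conn_protocol(cli->conn) > PROTOCOL_NT1) { return false; }` bails out silently, so a user browsing shares over SMB2 or SMB3 sees the share list fail with no explanation. Add a comment stating that `cli_RNetShareEnum()` is a RAP call only valid on SMB1, and a DEBUG line (or user-visible message) so the early return is distinguishable from a real enumeration error.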
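Review bot: in the source3/lib/netapi/joindomain.c hunk, `NetGetJoinableOUs_l` now passes `ADS_SASL_PLAIN` to `ads_init()` without saying why; since the new enum makes the wrapping requirement explicit at every call site, a one-line comment explaining why this OU lookup needs no SASL signing or sealing would help whoever audits the remaining `ads_init()` callers.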
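Review bot: in the source3/libads/ads_struct.c `ads_init()` hunk, the `switch (sasl_state)` only ORs `ADS_AUTH_SASL_SIGN` or `ADS_AUTH_SASL_SEAL` into `wrap_flags`, which already holds the configured default from the code above (`wrap_flags = 0;` is only the else branch), so `ADS_SASL_PLAIN` does not force an unwrapped connection, it merely adds no requirement. Either clear the sign/seal bits in the `ADS_SASL_PLAIN` case or document on `enum ads_sasl_state_e` in ads_proto.h that the values are minimum requirements layered on the configured default, since the name `PLAIN` suggests the former.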
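Review bot: in the source3/libads/ads_proto.h hunk, `ads_create_machine_acct()` gains `machine_password` and `dns_domain_name` with no comment on whether either may be NULL or how `dns_domain_name` differs from the realm already held in `ADS_STRUCT`; a short comment on the prototype (or on the definition) stating the contract for both new parameters would save callers from guessing.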