The branch, v4-20-test has been updated
       via  9d80c928b01 s4:nbt_server: simulate nmbd and provide unexpected 
handling
       via  6a673a35ea0 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw 
blobs
       via  82f73dc2312 s4:libcli/dgram: make use of socket_address_copy()
       via  40fe6480d0d s4:libcli/dgram: let the generic incoming handler also 
get unexpected mailslot messages
       via  cf37f9f5272 libcli/nbt: add nbt_name_send_raw()
       via  b440c11ea0f s3:libsmb/dsgetdcname: use 
NETLOGON_NT_VERSION_AVOID_NT4EMUL
       via  b0c2389c886 s3:libsmb/unexpected: pass nmbd_socket_dir from the 
callers of nb_packet_{server_create,reader_send}()
       via  234df77ae0a s3:libsmb/unexpected: don't use talloc_tos() in async 
code
       via  2f73d251e0c s3:wscript: LIBNMB requires lp_ functions
       via  27e4297f4c7 s3:include: split out fstring.h
       via  260d1bbacf8 s3:include: let nameserv.h be useable on its own
       via  4257e3b8fef s3:libads: avoid changing ADS->server.workgroup
       via  ba361b11d2e s3:libsmb: allow store_cldap_reply() to work with a 
ipv6 response
       via  0d0fbf2bb86 s4:dsdb/repl: let drepl_out_helpers.c always go via 
dreplsrv_out_drsuapi_send()
       via  2954489bd56 s3:utils: let smbstatus report anonymous 
signing/encryption explicitly
       via  9530c418a38 s3:smbd: allow anonymous encryption after one 
authenticated session setup
       via  610e11af858 s3:utils: let smbstatus also report partial tcon 
signing/encryption
       via  6fbf5deb559 s3:utils: let smbstatus also report AES-256 encryption 
types for tcons
       via  c547e0c0ff7 s3:utils: let connections_forall_read() report if the 
session was authenticated
       via  fe91ed785ed s3:lib: let sessionid_traverse_read() report if the 
session was authenticated
       via  716a0443c9f s3:utils: remove unused signing_flags in 
connections_forall()
       via  cd05e7ed937 s4:torture/smb2: add 
smb2.session.anon-{encryption{1,2,},signing{1,2}}
       via  b945f645732 s4:libcli/smb2: add hack to test anonymous signing and 
encryption
       via  b7606714959 smbXcli_base: add hacks to test anonymous signing and 
encryption
       via  dfcbd88504d tests/ntacls: unblock failing gitlab pipelines because 
test_setntacl_forcenative
       via  1b21c09d513 .gitlab-ci-main.yml: debug kernel details of the 
current runner
       via  d5638013962 .gitlab-ci: Remove tags no longer provided by gitlab.com
      from  9b6bc91254c VERSION: Bump version up to Samba 4.20.2...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -----------------------------------------------------------------
commit 9d80c928b0196839035c0272c0945aad8a3b461a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 14 12:34:48 2024 +0100

    s4:nbt_server: simulate nmbd and provide unexpected handling
    
    This is needed in order to let nbt_getdc() work against
    another AD DC and get back a modern response with
    DNS based names. Instead of falling back to
    the ugly name_status_find() that simulates just
    an NETLOGON_SAM_LOGON_RESPONSE_NT40 response.
    
    This way dsgetdcname() can work with just the netbios
    domain name given and still return an active directory
    response.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 796f33c05a0ca337b675b5d4d127f7c53b22528f)
    
    Autobuild-User(v4-20-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-20-test): Thu May 30 10:57:04 UTC 2024 on atb-devel-224

commit 6a673a35ea0a5d79526b96ed462cd7d0d916abbb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 14 13:49:21 2024 +0100

    s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1)

commit 82f73dc23127c033346604fdfc94d5bf94295375
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 15 17:47:45 2024 +0100

    s4:libcli/dgram: make use of socket_address_copy()
    
    This avoids talloc_reference...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 77f4f1c7dbaa2bb04d59d908923f6d11fd514da2)

commit 40fe6480d0d4c0dc00b05e8c52b234243c4e652b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 15 16:42:16 2024 +0100

    s4:libcli/dgram: let the generic incoming handler also get unexpected 
mailslot messages
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 11861bcfc3054894bc445e631ae03befb4865db8)

commit cf37f9f527269ac2d76577dc0df53f1d369f1817
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 15 17:47:13 2024 +0100

    libcli/nbt: add nbt_name_send_raw()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit cca373b806e01fc57bd5316d3f8a17578b4b6531)

commit b440c11ea0f770623f67f8e1f6e8f3fee0cf15f9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 15 17:29:46 2024 +0100

    s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL
    
    In 2024 we always want an active directory response...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 2b66663c75cdb3bc1b6bc5b1736dd9d35b094b42)

commit b0c2389c886673451f48a1be9ca51415b44314fb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 14 11:38:19 2024 +0100

    s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of 
nb_packet_{server_create,reader_send}()
    
    This will allow source4/nbt_server to make use of
    nb_packet_server_create().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 696505a1efbcc9803a287d8c267fed9d04bf8885)

commit 234df77ae0a50b3471cc28209ec1e523a198838d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 14 13:49:43 2024 +0100

    s3:libsmb/unexpected: don't use talloc_tos() in async code
    
    It's not needed and it requires the caller to setup a
    stackframe...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit f90cf0822d6e66426d72f92bd585119066e2a9c3)

commit 2f73d251e0c23973d649ac32f30d6539df8fd950
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 15 16:37:34 2024 +0100

    s3:wscript: LIBNMB requires lp_ functions
    
    We need to make this explicit in order to let LIBNMB be used
    in source4 code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 011f68ae5ddc3fae8b453744aeb95766d885915e)

commit 27e4297f4c767612917905246598a564a95b0b82
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 15 16:53:29 2024 +0100

    s3:include: split out fstring.h
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 105247c90007474947e2314b63be72fb21f09811)

commit 260d1bbacf874254762825a6da398952cea61499
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 14 14:15:47 2024 +0100

    s3:include: let nameserv.h be useable on its own
    
    A lot of stuff is private to nmbd and can
    be moved from nameserv.h.
    
    This allows move required types from smb.h to
    nameserv.h, so that this can be standalone.
    Including it from smb.h is not a huge problem
    as nmbd internals are gone from nameserv.h.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 7f96c21029e3b94d38bd871c79cabf872ad77fae)

commit 4257e3b8fef705216a630320e0743a0ab6ed43bb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Oct 15 03:34:11 2021 +0200

    s3:libads: avoid changing ADS->server.workgroup
    
    ads_find_dc() uses c_domain = ads->server.workgroup and
    don't expect it to get out of scope deep in resolve_and_ping_dns().
    
    The result are corrupted domain values in the debug output.
    
    Valgrind shows this:
    
     Invalid read of size 1
        at 0x483EF46: strlen (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
        by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
        by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
        by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
        by 0x5D2ED3F: dbgtext (debug.c:1881)
        by 0x4BFFB50: ads_find_dc (ldap.c:570)
        by 0x4C001F4: ads_connect (ldap.c:704)
        by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
      Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
        at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
        by 0x4BFF0AF: ads_try_connect (ldap.c:299)
        by 0x4BFF40E: cldap_ping_list (ldap.c:367)
        by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
        by 0x4BFFA91: ads_find_dc (ldap.c:556)
        by 0x4C001F4: ads_connect (ldap.c:704)
        by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
      Block was alloc'd at
        at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
        by 0x60B250E: strdup (strdup.c:42)
        by 0x4FF1492: smb_xstrdup (util.c:743)
        by 0x4C10E62: ads_init (ads_struct.c:148)
        by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit ca859e55d28f421196bc2660cfa84595ec5b57c6)

commit ba361b11d2e664f4d84718af71118bcdb31fc1f0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 7 14:53:24 2024 +0000

    s3:libsmb: allow store_cldap_reply() to work with a ipv6 response
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224
    
    (cherry picked from commit 712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2)

commit 0d0fbf2bb860f3cbc29c74b4ff8c9b3f65778152
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 6 21:09:58 2024 +0100

    s4:dsdb/repl: let drepl_out_helpers.c always go via 
dreplsrv_out_drsuapi_send()
    
    I have customer backtraces showing that 'drsuapi' is NULL in
    dreplsrv_op_pull_source_get_changes_trigger() called from the
    WERR_DS_DRA_SCHEMA_MISMATCH retry case of
    dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was
    a valid pointer there.
    
    From reading the code I don't understand how this can happen,
    but it does very often on RODCs. And this fix prevents the problem.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 83030780285290ecf64b57c1744634379b68ea01)

commit 2954489bd56914a16efab2d3239d54b450c97982
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:14:38 2023 +0200

    s3:utils: let smbstatus report anonymous signing/encryption explicitly
    
    We should mark sessions/tcons with anonymous encryption or signing
    in a special way, as the value of it is void, all based on a
    session key with 16 zero bytes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224
    
    (cherry picked from commit 5a54c9b28abb1464c84cb4be15a49718d8ae6795)

commit 9530c418a38fae94ae0b0222a267fb429fa7de40
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 30 18:05:51 2023 +0200

    s3:smbd: allow anonymous encryption after one authenticated session setup
    
    I have captures where a client tries smb3 encryption on an anonymous 
session,
    we used to allow that before commit da7dcc443f45d07d9963df9daae458fbdd991a47
    was released with samba-4.15.0rc1.
    
    Testing against Windows Server 2022 revealed that anonymous signing is 
always
    allowed (with the session key derived from 16 zero bytes) and
    anonymous encryption is allowed after one authenticated session setup on
    the tcp connection.
    
    https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit f3ddfb828e66738ca461c3284c423defb774547c)

commit 610e11af858982d8ba81933f9cf8cb9d5217a14a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:12:38 2023 +0200

    s3:utils: let smbstatus also report partial tcon signing/encryption
    
    We already do that for sessions and also for the json output,
    but it was missing in the non-json output for tcons.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 551756abd2c9e4922075bc3037db645355542363)

commit 6fbf5deb559286a0b943bcb53eb371b805a96ad8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:12:38 2023 +0200

    s3:utils: let smbstatus also report AES-256 encryption types for tcons
    
    We already do that for sessions.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 8119fd6d6a49b869bd9e8ff653b500e194b070de)

commit c547e0c0ff7508eb972143b4de27ecf716d85585
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:10:08 2023 +0200

    s3:utils: let connections_forall_read() report if the session was 
authenticated
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 5089d8550640f72b1e0373f8ac321378ccaa8bd5)

commit fe91ed785edc68b5e2dfb2471ffcaa7ca5ea970e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:08:31 2023 +0200

    s3:lib: let sessionid_traverse_read() report if the session was 
authenticated
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 596a10d1079f5c4a954108c81efc862c22a11f28)

commit 716a0443c9fea779b456fcd25e6d74617800aaa6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 3 15:05:59 2023 +0200

    s3:utils: remove unused signing_flags in connections_forall()
    
    We never use the signing flags from the session, as the tcon
    has its own signing flags.
    
    https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit a9f84593f44f15a19c4cdde1e7ad53cd5e03b4d9)

commit cd05e7ed9377abc6fdb72b3951e0dffa8ed84e55
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 15 10:02:00 2024 +0200

    s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
    
    These demonstrate how anonymous encryption and signing work.
    They pass against Windows 2022 as ad dc.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 6c5781b5f154857f1454f41133687fba8c4c9df9)

commit b945f645732a3545fdbc9d410c8ddda1bcbb3e29
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 15 10:51:42 2024 +0200

    s4:libcli/smb2: add hack to test anonymous signing and encryption
    
    This will be used in torture tests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 6a89615d78119c0bff2fb07bd0c62e4c31ea8441)

commit b7606714959a5d0ca31e3e805b9a0f9aab13682a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 14 18:21:33 2024 +0200

    smbXcli_base: add hacks to test anonymous signing and encryption
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    (cherry picked from commit 14d6e2672126adee85997dc3d3c64607c987e8b9)

commit dfcbd88504d0b8b4d48931f61d4a050807a27050
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 8 18:03:54 2024 +0200

    tests/ntacls: unblock failing gitlab pipelines because 
test_setntacl_forcenative
    
    This expects PermissionError: [Errno 1] Operation not permitted,
    but it seems that setxattr() for security.NTACL works on gitlab
    runners without being root.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 237d9d0228cfed6d2e08b41b888d30aac5ab89e3)

commit 1b21c09d5132d6d60951ef192c72a9bac4158d99
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 8 16:12:06 2024 +0200

    .gitlab-ci-main.yml: debug kernel details of the current runner
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 380d9c5a7392741ff2134ef1e83df45a29293db3)

commit d5638013962fb9a8343ef7bf25ccb45a4fcd25dd
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 7 22:32:08 2024 +1200

    .gitlab-ci: Remove tags no longer provided by gitlab.com
    
    GitLab.com removed a number of tags from their hosted
    runners and this meant our CI was being redirected to
    our private runners at a larger cost to the Samba Team.
    
    The new infrastructure is much larger than when we last
    selected runners so we can just use the default, even for
    the code coverage build.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15638
    
    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Tue May  7 13:40:55 UTC 2024 on atb-devel-224
    
    (cherry picked from commit d58a72c572f63619111f43f6ea39ff84ae0df16e)

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-coverage-runners.yml                    |   8 +-
 .gitlab-ci-default-runners.yml                     |  44 +-
 .gitlab-ci-main.yml                                |   6 +
 libcli/nbt/libnbt.h                                |   3 +
 libcli/nbt/nbtsocket.c                             |  44 ++
 libcli/smb/smbXcli_base.c                          | 104 +++-
 libcli/smb/smbXcli_base.h                          |   5 +
 python/samba/tests/ntacls.py                       |   2 +-
 selftest/flapping.d/gitlab-setxattr-security       |  18 +
 selftest/target/Samba4.pm                          |   2 +
 lib/util/unix_match.h => source3/include/fstring.h |  14 +-
 source3/include/includes.h                         |   5 +-
 source3/include/nameserv.h                         | 380 +------------
 source3/include/session.h                          |   1 +
 source3/include/smb.h                              |  26 +-
 source3/lib/sessionid_tdb.c                        |   8 +
 source3/libads/ldap.c                              |  16 +-
 source3/librpc/idl/ads.idl                         |   1 +
 source3/libsmb/clidgram.c                          |   6 +-
 source3/libsmb/dsgetdcname.c                       |  29 +-
 source3/libsmb/namequery.c                         |   7 +-
 source3/libsmb/nmblib.c                            |   6 +
 source3/libsmb/nmblib.h                            |   2 +
 source3/libsmb/unexpected.c                        |  18 +-
 source3/libsmb/unexpected.h                        |   2 +
 source3/nmbd/nmbd.h                                | 382 +++++++++++++
 source3/nmbd/nmbd_packets.c                        |   1 +
 source3/smbd/globals.h                             |   5 +
 source3/smbd/smb2_server.c                         |  11 +
 source3/smbd/smb2_sesssetup.c                      |  18 +-
 source3/smbd/smb2_tcon.c                           |   4 +
 source3/utils/conn_tdb.c                           |  12 +-
 source3/utils/conn_tdb.h                           |   1 +
 source3/utils/net_ads.c                            |   6 +
 source3/utils/status.c                             |  82 ++-
 source3/utils/status.h                             |   1 +
 source3/utils/status_json.c                        |   2 +
 source3/wscript_build                              |   1 +
 source4/dsdb/repl/drepl_out_helpers.c              |  26 +-
 source4/libcli/dgram/dgramsocket.c                 |  40 +-
 source4/libcli/dgram/libdgram.h                    |   3 +
 source4/libcli/smb2/session.c                      |  16 +-
 source4/libcli/smb2/smb2.h                         |   2 +
 source4/nbt_server/dgram/request.c                 |  56 +-
 source4/nbt_server/interfaces.c                    |  29 +
 source4/nbt_server/nbt_server.c                    | 143 +++++
 source4/nbt_server/nbt_server.h                    |   2 +
 source4/nbt_server/wscript_build                   |   2 +-
 source4/torture/smb2/session.c                     | 629 +++++++++++++++++++++
 49 files changed, 1743 insertions(+), 488 deletions(-)
 create mode 100644 selftest/flapping.d/gitlab-setxattr-security
 copy lib/util/unix_match.h => source3/include/fstring.h (76%)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-coverage-runners.yml b/.gitlab-ci-coverage-runners.yml
index 0f6b2ec1581..331c5d2399c 100644
--- a/.gitlab-ci-coverage-runners.yml
+++ b/.gitlab-ci-coverage-runners.yml
@@ -1,10 +1,4 @@
 include:
   - /.gitlab-ci-default-runners.yml
 
-.shared_runner_test:
-  # We need the more powerful n1-standard-2 runners
-  # in order to handle the lcov overhead.
-  #
-  # See .gitlab-ci-default-runners.yml for more details
-  tags:
-    - gitlab-org-docker
+# Currently we're happy with the defaults
diff --git a/.gitlab-ci-default-runners.yml b/.gitlab-ci-default-runners.yml
index f73f868d39c..bdc504aff21 100644
--- a/.gitlab-ci-default-runners.yml
+++ b/.gitlab-ci-default-runners.yml
@@ -1,48 +1,26 @@
-# From https://docs.gitlab.com/ee/user/gitlab_com/#shared-runners:
+# From https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html
 #
 #   ...
 #
-#   All your CI/CD jobs run on n1-standard-1 instances with 3.75GB of RAM, 
CoreOS
-#   and the latest Docker Engine installed. Instances provide 1 vCPU and 25GB 
of
-#   HDD disk space. The default region of the VMs is US East1. Each instance is
-#   used only for one job, this ensures any sensitive data left on the system 
can’t
-#   be accessed by other people their CI jobs.
-#
-#   The gitlab-shared-runners-manager-X.gitlab.com fleet of runners are 
dedicated
-#   for GitLab projects as well as community forks of them. They use a slightly
-#   larger machine type (n1-standard-2) and have a bigger SSD disk size. They 
don’t
-#   run untagged jobs and unlike the general fleet of shared runners, the 
instances
-#   are re-used up to 40 times.
-#
-#   ...
-#
-# The n1-standard-1 runners seem to be tagged with 'docker' together with 
'gce'.
-#
-# The more powerful n1-standard-2 runners seem to be tagged with
-# 'gitlab-org-docker' or some with just 'gitlab-org'.
-#
+#   Runner Tag              vCPUs   Memory   Storage
+#   saas-linux-small-amd64  2       8 GB     25 GB
 #
 # Our current private runner 'docker', 'samba-ci-private', 'shared' and
 # 'ubuntu2204'. It runs with an ubuntu2204 kernel (5.15) and provides an
-# ext4 filesystem and similar RAM as the n1-standard-2 runners.
+# ext4 filesystem, 2 CPU and 4 GB (shared tag) 8G (samba-ci-private tag) RAM.
 #
 
 .shared_runner_build:
-  # We use n1-standard-1 shared runners by default.
-  #
-  # There are currently 5 shared runners with 'docker' and 'gce',
-  # while there are only 2 provising 'docker' together with 'shared'.
+  # We use saas-linux-small-amd64 shared runners by default.
+  # We avoid adding explicit tags for them in order
+  # to work with potential changes in future
   #
-  # We used to fallback to our private runner if the docker+shared runners
-  # were busy, but now that we use the 5 docker+gce runners, we try to only
-  # use shared runners without a fallback to our private runner!
-  # Lets see how that will work out.
-  tags:
-    - docker
-    - gce
+  # In order to generate valid yaml, we define a dummy variable...
+  variables:
+    SAMBA_SHARED_RUNNER_BUILD_DUMMY_VARIABLE: shared_runner_build
 
 .shared_runner_test:
-  # Currently we're fine using the n1-standard-1 runners also for testing
+  # We use saas-linux-small-amd64 shared runners by default.
   extends: .shared_runner_build
 
 .private_runner_test:
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index add5f323ec4..26cf07d6fce 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -112,8 +112,14 @@ include:
 
   before_script:
     - uname -a
+    - ls -l /sys/module/
+    - ls -l /sys/kernel/security/
+    - if [ -e /sys/kernel/security/lsm ]; then cat /sys/kernel/security/lsm ; 
echo; fi
+    - if [ -e /proc/config.gz ]; then sudo zcat /proc/config.gz; echo; fi
     - lsb_release -a
     - cat /etc/os-release
+    - id
+    - cat /proc/self/status
     - lscpu
     - cat /proc/cpuinfo
     - mount
diff --git a/libcli/nbt/libnbt.h b/libcli/nbt/libnbt.h
index 204484be73f..6a30c9fedb5 100644
--- a/libcli/nbt/libnbt.h
+++ b/libcli/nbt/libnbt.h
@@ -331,6 +331,9 @@ NTSTATUS nbt_set_unexpected_handler(struct nbt_name_socket 
*nbtsock,
                                    void (*handler)(struct nbt_name_socket *, 
struct nbt_name_packet *,
                                                    struct socket_address *),
                                    void *private_data);
+NTSTATUS nbt_name_send_raw(struct nbt_name_socket *nbtsock,
+                          struct socket_address *dest,
+                          const DATA_BLOB pkt_blob);
 NTSTATUS nbt_name_reply_send(struct nbt_name_socket *nbtsock,
                             struct socket_address *dest,
                             struct nbt_name_packet *request);
diff --git a/libcli/nbt/nbtsocket.c b/libcli/nbt/nbtsocket.c
index 47e73cf2e8d..b2945ad912f 100644
--- a/libcli/nbt/nbtsocket.c
+++ b/libcli/nbt/nbtsocket.c
@@ -448,6 +448,50 @@ failed:
        return NULL;
 }
 
+/*
+  send off a nbt name packet
+*/
+_PUBLIC_ NTSTATUS nbt_name_send_raw(struct nbt_name_socket *nbtsock,
+                                   struct socket_address *dest,
+                                   const DATA_BLOB pkt_blob)
+{
+       struct nbt_name_request *req;
+
+       req = talloc_zero(nbtsock, struct nbt_name_request);
+       NT_STATUS_HAVE_NO_MEMORY(req);
+
+       req->nbtsock = nbtsock;
+       req->dest = socket_address_copy(req, dest);
+       if (req->dest == NULL) {
+               goto failed;
+       }
+       req->state = NBT_REQUEST_SEND;
+       /*
+        * We don't expect a response so
+        * just pretent it is a request,
+        * but we really don't care about the
+        * content.
+        */
+       req->is_reply = true;
+
+       req->encoded = data_blob_dup_talloc(req, pkt_blob);
+       if (req->encoded.length != pkt_blob.length) {
+               goto failed;
+       }
+
+       talloc_set_destructor(req, nbt_name_request_destructor);
+
+       DLIST_ADD_END(nbtsock->send_queue, req);
+
+       TEVENT_FD_WRITEABLE(nbtsock->fde);
+
+       return NT_STATUS_OK;
+
+failed:
+       talloc_free(req);
+       return NT_STATUS_NO_MEMORY;
+}
+
 
 /*
   send off a nbt name reply
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index a52a615857f..87acddfc94f 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -166,6 +166,13 @@ struct smb2cli_session {
        uint16_t channel_sequence;
        bool replay_active;
        bool require_signed_response;
+
+       /*
+        * The following are just for torture tests
+        */
+       bool anonymous_signing;
+       bool anonymous_encryption;
+       bool no_signing_disconnect;
 };
 
 struct smbXcli_session {
@@ -3999,6 +4006,9 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct 
smbXcli_conn *conn,
 
                if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED) ||
                    NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED) ||
+                   (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
+                    session != NULL &&
+                    session->smb2->no_signing_disconnect) ||
                    NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
                        /*
                         * if the server returns
@@ -4042,8 +4052,29 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct 
smbXcli_conn *conn,
                                /*
                                 * If the signing check fails, we disconnect
                                 * the connection.
+                                *
+                                * Unless
+                                * smb2cli_session_torture_no_signing_disconnect
+                                * was called in torture tests
                                 */
-                               return signing_status;
+
+                               if (!NT_STATUS_EQUAL(status, 
NT_STATUS_ACCESS_DENIED)) {
+                                       return signing_status;
+                               }
+
+                               if (!NT_STATUS_EQUAL(status, signing_status)) {
+                                       return signing_status;
+                               }
+
+                               if (session == NULL) {
+                                       return signing_status;
+                               }
+
+                               if (!session->smb2->no_signing_disconnect) {
+                                       return signing_status;
+                               }
+
+                               state->smb2.signing_skipped = true;
                        }
                }
 
@@ -6332,6 +6363,23 @@ void smb2cli_session_require_signed_response(struct 
smbXcli_session *session,
        session->smb2->require_signed_response = require_signed_response;
 }
 
+void smb2cli_session_torture_anonymous_signing(struct smbXcli_session *session,
+                                              bool anonymous_signing)
+{
+       session->smb2->anonymous_signing = anonymous_signing;
+}
+
+void smb2cli_session_torture_anonymous_encryption(struct smbXcli_session 
*session,
+                                                 bool anonymous_encryption)
+{
+       session->smb2->anonymous_encryption = anonymous_encryption;
+}
+
+void smb2cli_session_torture_no_signing_disconnect(struct smbXcli_session 
*session)
+{
+       session->smb2->no_signing_disconnect = true;
+}
+
 NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
                                        const struct iovec *iov)
 {
@@ -6432,6 +6480,10 @@ NTSTATUS smb2cli_session_set_session_key(struct 
smbXcli_session *session,
                                                  conn->protocol,
                                                  preauth_hash);
 
+       if (session->smb2->anonymous_encryption) {
+               goto skip_signing_key;
+       }
+
        status = smb2_signing_key_sign_create(session->smb2,
                                              conn->smb2.server.sign_algo,
                                              &_session_key,
@@ -6441,6 +6493,15 @@ NTSTATUS smb2cli_session_set_session_key(struct 
smbXcli_session *session,
                return status;
        }
 
+       if (session->smb2->anonymous_signing) {
+               /*
+                * skip encryption and application keys
+                */
+               goto skip_application_key;
+       }
+
+skip_signing_key:
+
        status = smb2_signing_key_cipher_create(session->smb2,
                                                conn->smb2.server.cipher,
                                                &_session_key,
@@ -6459,6 +6520,10 @@ NTSTATUS smb2cli_session_set_session_key(struct 
smbXcli_session *session,
                return status;
        }
 
+       if (session->smb2->anonymous_encryption) {
+               goto skip_application_key;
+       }
+
        status = smb2_signing_key_sign_create(session->smb2,
                                              conn->smb2.server.sign_algo,
                                              &_session_key,
@@ -6468,6 +6533,8 @@ NTSTATUS smb2cli_session_set_session_key(struct 
smbXcli_session *session,
                return status;
        }
 
+skip_application_key:
+
        status = smb2_signing_key_copy(session,
                                       session->smb2->signing_key,
                                       &session->smb2_channel.signing_key);
@@ -6477,6 +6544,18 @@ NTSTATUS smb2cli_session_set_session_key(struct 
smbXcli_session *session,
 
        check_signature = conn->mandatory_signing;
 
+       if (conn->protocol >= PROTOCOL_SMB3_11) {
+               check_signature = true;
+       }
+
+       if (session->smb2->anonymous_signing) {
+               check_signature = false;
+       }
+
+       if (session->smb2->anonymous_encryption) {
+               check_signature = false;
+       }
+
        hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS);
        if (hdr_flags & SMB2_HDR_FLAG_SIGNED) {
                /*
@@ -6492,10 +6571,6 @@ NTSTATUS smb2cli_session_set_session_key(struct 
smbXcli_session *session,
                check_signature = true;
        }
 
-       if (conn->protocol >= PROTOCOL_SMB3_11) {
-               check_signature = true;
-       }
-
        if (check_signature) {
                status = 
smb2_signing_check_pdu(session->smb2_channel.signing_key,
                                                recv_iov, 3);
@@ -6527,6 +6602,15 @@ NTSTATUS smb2cli_session_set_session_key(struct 
smbXcli_session *session,
                session->smb2->should_encrypt = false;
        }
 
+       if (session->smb2->anonymous_signing) {
+               session->smb2->should_sign = true;
+       }
+
+       if (session->smb2->anonymous_encryption) {
+               session->smb2->should_encrypt = true;
+               session->smb2->should_sign = false;
+       }
+
        /*
         * CCM and GCM algorithms must never have their
         * nonce wrap, or the security of the whole
@@ -6698,6 +6782,16 @@ NTSTATUS smb2cli_session_set_channel_key(struct 
smbXcli_session *session,
 
 NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
 {
+       if (session->smb2->anonymous_signing) {
+               return NT_STATUS_INVALID_PARAMETER_MIX;
+       }
+
+       if (session->smb2->anonymous_encryption) {
+               SMB_ASSERT(session->smb2->should_encrypt);
+               SMB_ASSERT(!session->smb2->should_sign);
+               return NT_STATUS_OK;
+       }
+
        if (!session->smb2->should_sign) {
                /*
                 * We need required signing on the session
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index 25ccd84b336..69fa131a31d 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -535,6 +535,11 @@ void smb2cli_session_start_replay(struct smbXcli_session 
*session);
 void smb2cli_session_stop_replay(struct smbXcli_session *session);
 void smb2cli_session_require_signed_response(struct smbXcli_session *session,
                                             bool require_signed_response);
+void smb2cli_session_torture_anonymous_signing(struct smbXcli_session *session,
+                                              bool anonymous_signing);
+void smb2cli_session_torture_anonymous_encryption(struct smbXcli_session 
*session,
+                                                 bool anonymous_encryption);
+void smb2cli_session_torture_no_signing_disconnect(struct smbXcli_session 
*session);
 NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
                                        const struct iovec *iov);
 NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
diff --git a/python/samba/tests/ntacls.py b/python/samba/tests/ntacls.py
index 0b7963d902e..6e2adda6a0d 100644
--- a/python/samba/tests/ntacls.py
+++ b/python/samba/tests/ntacls.py
@@ -83,5 +83,5 @@ class NtaclsTests(TestCaseInTempDir):
         lp = LoadParm()
         open(self.tempf, 'w').write("empty")
         lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
-        self.assertRaises(Exception, setntacl, lp, self.tempf, NTACL_SDDL,
+        self.assertRaises(PermissionError, setntacl, lp, self.tempf, 
NTACL_SDDL,
                           DOMAIN_SID, self.session_info, "native")
diff --git a/selftest/flapping.d/gitlab-setxattr-security 
b/selftest/flapping.d/gitlab-setxattr-security
new file mode 100644
index 00000000000..d7d24032450
--- /dev/null
+++ b/selftest/flapping.d/gitlab-setxattr-security
@@ -0,0 +1,18 @@
+# gitlab runners with kernel 5.15.109+
+# allow setxattr() on security.NTACL
+#
+# It's not clear in detail why there's a difference
+# between various systems, one reason could be that
+# with selinux inode_owner_or_capable() is used to check
+# setxattr() permissions:
+# it checks for the fileowner too, as well as CAP_FOWNER.
+# Otherwise cap_inode_setxattr() is used, which checks for
+# CAP_SYS_ADMIN.
+#
+# But the kernel doesn't have selinux only apparmor...
+#
+# test_setntacl_forcenative expects
+# PermissionError: [Errno 1] Operation not permitted
+#
+# So for now we allow this to fail...
+^samba.tests.ntacls.samba.tests.ntacls.NtaclsTests.test_setntacl_forcenative.none
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 2d449e4a652..f2b84b4f9b7 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -618,6 +618,7 @@ sub provision_raw_prepare($$$$$$$$$$$$$$)
        $ctx->{statedir} = "$prefix_abs/statedir";
        $ctx->{cachedir} = "$prefix_abs/cachedir";
        $ctx->{winbindd_socket_dir} = "$prefix_abs/wbsock";
+       $ctx->{nmbd_socket_dir} = "$prefix_abs/nmbsock";
        $ctx->{ntp_signd_socket_dir} = "$prefix_abs/ntp_signd_socket";
        $ctx->{nsswrap_passwd} = "$ctx->{etcdir}/passwd";
        $ctx->{nsswrap_group} = "$ctx->{etcdir}/group";
@@ -774,6 +775,7 @@ sub provision_raw_step1($$)
        state directory = $ctx->{statedir}
        cache directory = $ctx->{cachedir}
        winbindd socket directory = $ctx->{winbindd_socket_dir}
+       nmbd:socket dir = $ctx->{nmbd_socket_dir}
        ntp signd socket directory = $ctx->{ntp_signd_socket_dir}
        winbind separator = /
        interfaces = $interfaces
diff --git a/lib/util/unix_match.h b/source3/include/fstring.h
similarity index 76%
copy from lib/util/unix_match.h
copy to source3/include/fstring.h
index a7b693500b2..dfc8f17a8f3 100644
--- a/lib/util/unix_match.h
+++ b/source3/include/fstring.h
@@ -1,7 +1,6 @@
 /*
    Unix SMB/CIFS implementation.
-   Utility functions for Samba
-   Copyright (C) Jeremy Allison 2001
+   Copyright (C) 2002 by Martin Pool <m...@samba.org>
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -17,9 +16,12 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#ifndef _UNIX_MASK_H_
-#define _UNIX_MASK_H_
-
-bool unix_wild_match(const char *pattern, const char *string);
+#ifndef _SAMBA_FSTRING_H
+#define _SAMBA_FSTRING_H
 
+#ifndef FSTRING_LEN
+#define FSTRING_LEN 256
+typedef char fstring[FSTRING_LEN];
 #endif
+
+#endif /* _SAMBA_FSTRING_H */
diff --git a/source3/include/includes.h b/source3/include/includes.h
index 1e7b79ba0a9..ee05b93c07d 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -237,10 +237,7 @@ enum timestamp_set_resolution {
    _________)/\\_//(\/(/\)/\//\/\///|_)_______
 */
 
-#ifndef FSTRING_LEN
-#define FSTRING_LEN 256
-typedef char fstring[FSTRING_LEN];
-#endif
+#include "fstring.h"
 
 /* debug.h need to be included before samba_util.h for the macro SMB_ASSERT */
 #include "../lib/util/debug.h"
diff --git a/source3/include/nameserv.h b/source3/include/nameserv.h
index 8fbe5a33a29..51efe82d061 100644
--- a/source3/include/nameserv.h
+++ b/source3/include/nameserv.h
@@ -20,18 +20,6 @@
    
 */
 
-#define INFO_VERSION   "INFO/version"
-#define INFO_COUNT     "INFO/num_entries"
-#define INFO_ID_HIGH   "INFO/id_high"
-#define INFO_ID_LOW    "INFO/id_low"
-#define ENTRY_PREFIX   "ENTRY/"
-
-#define PERMANENT_TTL 0
-
-/* NTAS uses 2, NT uses 1, WfWg uses 0 */
-#define MAINTAIN_LIST    2
-#define ELECTION_VERSION 1


-- 
Samba Shared Repository


Reply via email to