The branch, v4-21-stable has been updated
       via  1c7d4b5b388 VERSION: Disable GIT_SNAPSHOT for the 4.21.0 release.
       via  1bb2ce3b2d7 WHATSNEW: Add release notes for Samba 4.21.0.
       via  6071ea83333 vfs_ceph_new: handle case of readlinkat with empty name string
       via  06cf7b7b6f9 vfs_ceph_new: add missing newline in debug-logging
       via  83a0898447c WHATSNEW: updated name
       via  99e23f6746a WHATSNEW: command line secret redaction
       via  b904a17d8a9 WHATSNEW: more deterministic builds
       via  b76a5d99262 WHATSNEW: build option changes
       via  9a042a5d9e7 WHATSNEW: Functional level 2012R2
       via  9c92d2b5199 WHATSNEW: samba-tool authentication policy command restructure
       via  3f9b358fdaf WHATSNEW: PKINIT freshness in heimdal
       via  acf8afd4246 WHATSNEW: samba-tool domain kds
       via  8423ea48ea9 WHATSNEW: group managed service accounts
       via  66ae6948f72 WHATSNEW: LDB unicode changes
       via  b2ce6308c19 smb2_ioctl: fix truncated FSCTL_QUERY_ALLOCATED_RANGES responses
       via  d231f0c8ee1 s4:torture/smb2: test FSCTL_QUERY_ALLOCATED_RANGES truncation
       via  1bddcb304b0 Revert "s4:torture/smb2: test FSCTL_QUERY_ALLOCATED_RANGES truncation"
       via  c9bc91504ae Revert "smb2_ioctl: fix truncated FSCTL_QUERY_ALLOCATED_RANGES responses"
       via  10dddd55152 smb2_ioctl: fix truncated FSCTL_QUERY_ALLOCATED_RANGES responses
       via  b6ebcd635a0 s4:torture/smb2: test FSCTL_QUERY_ALLOCATED_RANGES truncation
       via  eed4dfe3a47 libcli/smb: Fix failure of Smb3UnixTests.test_create_context_reparse
       via  d7f49d90b2f VERSION: Bump version up to Samba 4.21.0rc5...
      from  5bb01bb65c3 VERSION: Disable GIT_SNAPSHOT for the 4.21.0rc4 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 176 +++++++++++++++++++++++++++++++++++--- libcli/smb/py_reparse_symlink.c | 2 +- source3/modules/vfs_ceph_new.c | 35 +++++--- source3/smbd/smb2_ioctl.c | 4 +- source3/smbd/smb2_ioctl_filesys.c | 54 +++++++----- source4/libcli/smb2/ioctl.c | 3 +- source4/torture/smb2/ioctl.c | 149 +++++++++++++++++++++++++++++++- 8 files changed, 374 insertions(+), 51 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 77c8124b889..f1ea62151ca 100644 --- a/VERSION +++ b/VERSION @@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # ######################################################## -SAMBA_VERSION_RC_RELEASE=4 +SAMBA_VERSION_RC_RELEASE= ######################################################## # To mark SVN snapshots this should be set to 'yes' # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 84677c8af53..1e921100f80 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,16 +1,10 @@ -Release Announcements -===================== + ============================== + Release Notes for Samba 4.21.0 + September 02, 2024 + ============================== -This is the fourth release candidate of Samba 4.21. This is *not* -intended for production environments and is designed for testing -purposes only. Please report any defects via the Samba bug reporting -system at https://bugzilla.samba.org/. - -Samba 4.21 will be the next version of the Samba suite. - - -UPGRADING -========= +This is the first stable release of the Samba 4.21 release series. +Please read the release notes carefully before upgrading. Hardening of "valid users", "invalid users", "read list" and "write list" ------------------------------------------------------------------------- 
@@ -80,6 +74,27 @@ never took into account later changes, and so has not worked for a number of years. Samba 4.21 and LDB 2.10 removes this unused and broken feature. +Changes in LDB handling of Unicode +---------------------------------- + +Developers using LDB up to version 2.9 could call ldb_set_utf8_fns() +to determine how LDB handled casefolding. This is used internally by +string comparison functions. In LDB 2.10 this function is deprecated, +and ldb_set_utf8_functions() is preferred. The new function allows a +direct comparison function to be set as well as a casefold function. +This improves performance and allows for more robust handling of +degenerate cases. The function should be called just after ldb_init(), +with the following arguments: + + ldb_set_utf8_functions(ldb, /* the struct ldb_ctx LDB object */ + context_variable /* possibly NULL */ + casefold_function, + case_insensitive_comparison_function); + +The default behaviour of LDB remains to perform ASCII casefolding +only, as if in the "C" locale. Recent versions have become +increasingly consistent in this. + Some Samba public libraries made private by default --------------------------------------------------- 
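Review bot: the ldb_set_utf8_functions() example in the "Changes in LDB handling of Unicode" hunk is missing a comma after its second argument, so anyone copying it verbatim gets a compile error: `context_variable /* possibly NULL */` should read `context_variable, /* possibly NULL */`. It would also help readers to state the expected signatures of the casefold and case-insensitive comparison callbacks, since the text says only that they can be set.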
@@ -248,6 +263,127 @@ Configuration is identical to existing module, but using 'ceph_new' instead of 'ceph' for the relevant smb.conf entries. This new module is expected to deprecate and replace the old one in next major release. +Group Managed Service Accounts +------------------------------ +Samba 4.21 adds support for gMSAs (Group Managed Service Accounts), +completing support for Functional Level 2012. + +The purpose of a gMSA is to allow a single host, or a cluster of +hosts, to share access to an automatically rotating password, avoiding +the weak static service passwords that are often the entrypoint of +attackers to AD domains. Each server has a strong and regularly +rotated password, which is used to access the gMSA account of (e.g.) +the database server. + +Samba provides management and client tools, allowing services on Unix +hosts to access the current and next gMSA passwords, as well as obtain +a credentials cache. + +Samba 4.20 announced the client-side tools for this feature. To avoid +duplication and provide consistency, the existing commands for +password viewing have been extended, so these commands operate both on +a gMSA (with credentials, over LDAP, specify -H) and locally for +accounts that have a compatible password (e.g. plaintext via GPG, +compatible hash) + + samba-tool user getpassword + samba-tool user get-kerberos-ticket + samba-tool domain exportkeytab + +An example command, which gets the NT hash for use with NTLM, is + + samba-tool user getpassword -H ldap://server --machine-pass \ + TestUser1 --attributes=unicodePwd + +Kerberos is a better choice (gMSA accounts should not use LDAP simple +binds, for reasons of both security and compatibility). Use + + samba-tool user get-kerberos-ticket -H ldap://server --machine-pass \ + TestUser1 --output-krb5-ccache=/srv/service/krb5_ccache + +gMSAs disclose a current and previous password. 
To access the previous +NT hash, use: + + samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \ + --attrs=unicodePwd;previous=1 + +To access the previous password as UTF8, use: + + samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \ + --attributes=pwdLastSet,virtualClearTextUTF8;previous=1 + +However, Windows tools for dealing with gMSAs tend to use Active +Directory Web Services (ADWS) from Powershell for setting up the +accounts, and this separate protocol is not supported by Samba 4.21. + +Samba-tool commands for handling gMSA (KDS) root keys +----------------------------------------------------- +Group managed service accounts rotate passwords based on root keys, +which can be managed using samba-tool, with commands such as + + samba-tool domain kds root_key create + samba-tool domain kds root_key list + +Samba will create a new root key for new domains at provision time, +but users of gMSA accounts on upgraded domains will need to first +create a root key. + +RFC 8070 PKINIT "Freshness extension" supported in the Heimdal KDC +------------------------------------------------------------------ +The Heimdal KDC will recognise when a client provides proof that they +hold the hardware token used for smart-card authentication 'now' and +has not used a saved future-dated reply. Samba 4.21 now matches +Windows and will assign an extra SID to the user in this case, +allowing sensitive resources to be additionally protected. + +Only Windows clients are known to support the client side of this +feature at this time. + +New samba-tool Authentication Policy management command structure +----------------------------------------------------------------- +As foreshadowed in the Samba 4.20 release notes, the "samba-tool +domain auth policy" commands have been reworked to be more intuitive +based on user feedback and reflection. 
+ +Support for key features of AD Domain/Forest Functional Level 2012R2 +-------------------------------------------------------------------- +Combined with other changes in recent versions (such as claims support +in 4.20), Samba can now claim Functional Level 2012R2 support. + +Build system +------------ +In previous versions of Samba, packagers of Samba would set their +package-specific version strings using a patch to the +SAMBA_VERSION_VENDOR_SUFFIX line in the ./VERSION file. Now that is +achieved by using --vendor-suffix (at configure time), allowing this +to be more easily scripted. Vendors are encouraged to include their +name and full package version to assist with upstream debugging. + +More deterministic builds +------------------------- +Samba builds are now more reproducible, providing better assurance +that the Samba binaries you run are the same as what is expected from +the source code. If locale settings are not changed, the same objects +will be produced from each compilation run. If Samba is built in a +different path, the object code will remain the same, but DWARF +debugging sections will change (while remaining functionally +equivalent). + +See https://reproducible-builds.org/ for more information on this +industry-wide effort and +https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/samba.html +for the status in Debian. + +Improved command-line redaction +------------------------------- +There are several options that can be used with Samba tools for +specifying secrets. Although this is best avoided, when these options +are used, Samba will redact the secrets in /proc, so that they won't +be seen in ps or top. This is now carried out more thoroughly, +redacting more options. There is a race inherent in this, and the +passwords will be visible for a short time. The secrets are also not +removed from .bash_history and similar files. + REMOVED FEATURES ================ 
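Review bot: the two "previous password" examples in the gMSA hunk pass an unquoted semicolon (`--attrs=unicodePwd;previous=1` and `--attributes=pwdLastSet,virtualClearTextUTF8;previous=1`); a POSIX shell splits the command at `;`, so samba-tool runs without the `previous=1` qualifier and `previous=1` is executed afterwards as a plain shell assignment. Quote the argument, e.g. `'--attributes=unicodePwd;previous=1'`. The same hunk alternates between `--attrs=` and `--attributes=` for what appears to be the same option; the release notes should use one spelling throughout. Minor: the sentence ending `compatible hash)` is missing its full stop.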
@@ -280,6 +416,20 @@ smb.conf changes sync machine password script script +CHANGES SINCE 4.21.0rc4 +======================= + +o David Disseldorp <dd...@samba.org> + * BUG 15699: Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated. + +o Noel Power <noel.po...@suse.com> + * BUG 15702: Bad variable definition for ParseTuple causing test failure for + Smb3UnixTests.test_create_context_reparse. + +o Shachar Sharon <ssha...@redhat.com> + * BUG 15686: Add new vfs_ceph module (based on low level API). + + CHANGES SINCE 4.21.0rc3 ======================= @@ -319,7 +469,7 @@ o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters. -o Jo Sutton <josut...@catalyst.net.nz> +o Jennifer Sutton <jennifersut...@catalyst.net.nz> * BUG 15690: ldb_version.h is missing from ldb public library o Pavel Filipenský <pfilipen...@samba.org> diff --git a/libcli/smb/py_reparse_symlink.c b/libcli/smb/py_reparse_symlink.c index d28a8fd8b93..5e2e961ef01 100644 --- a/libcli/smb/py_reparse_symlink.c +++ b/libcli/smb/py_reparse_symlink.c @@ -30,7 +30,7 @@ static PyObject *py_reparse_put(PyObject *module, PyObject *args) char *reparse = NULL; Py_ssize_t reparse_len; unsigned long long tag = 0; - unsigned reserved = 0; + unsigned long reserved = 0; uint8_t *buf = NULL; ssize_t buflen; PyObject *result = NULL; diff --git a/source3/modules/vfs_ceph_new.c b/source3/modules/vfs_ceph_new.c index 25e78444fb5..8d4866e054b 100644 --- a/source3/modules/vfs_ceph_new.c +++ b/source3/modules/vfs_ceph_new.c @@ -730,7 +730,7 @@ static int vfs_ceph_ll_lookup(const struct vfs_handle_struct *handle, struct UserPerm *uperm = NULL; int ret = -1; - DBG_DEBUG("[ceph] ceph_ll_lookup: parent-ino=%" PRIu64 " name=%s", + DBG_DEBUG("[ceph] ceph_ll_lookup: parent-ino=%" PRIu64 " name=%s\n", parent->ino, name); uperm = vfs_ceph_userperm_new(handle); 
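Review bot: the libcli/smb/py_reparse_symlink.c hunk widens `reserved` from `unsigned` to `unsigned long`, which is correct only if the PyArg_ParseTuple format character for that argument is `k` (unsigned long); the format string is outside the hunk, so please confirm it. This is worth treating as a memory-safety fix rather than just a test fix: on LP64 platforms a `k` conversion writes 8 bytes through the pointer, so a 4-byte `reserved` was being overrun on the stack, which would explain the Smb3UnixTests.test_create_context_reparse failure recorded as BUG 15702 in the WHATSNEW hunk.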
@@ -2455,7 +2455,6 @@ static int vfs_ceph_readlinkat(struct vfs_handle_struct *handle, size_t bufsiz) { int result = -1; - struct vfs_ceph_iref iref = {0}; struct vfs_ceph_fh *dircfh = NULL; DBG_DEBUG("[CEPH] readlinkat(%p, %s, %p, %llu)\n", @@ -2468,17 +2467,29 @@ static int vfs_ceph_readlinkat(struct vfs_handle_struct *handle, if (result != 0) { goto out; } - result = vfs_ceph_ll_lookupat(handle, - dircfh, - smb_fname->base_name, - &iref); - if (result != 0) { - goto out; - } - - result = vfs_ceph_ll_readlinkat(handle, dircfh, &iref, buf, bufsiz); + if (strcmp(smb_fname->base_name, "") != 0) { + struct vfs_ceph_iref iref = {0}; - vfs_ceph_iput(handle, &iref); + result = vfs_ceph_ll_lookupat(handle, + dircfh, + smb_fname->base_name, + &iref); + if (result != 0) { + goto out; + } + result = vfs_ceph_ll_readlinkat(handle, + dircfh, + &iref, + buf, + bufsiz); + vfs_ceph_iput(handle, &iref); + } else { + result = vfs_ceph_ll_readlinkat(handle, + dircfh, + &dircfh->iref, + buf, + bufsiz); + } out: DBG_DEBUG("[CEPH] readlinkat(...) = %d\n", result); return status_code(result); diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c index 7d0f11df1ad..e31627126f4 100644 --- a/source3/smbd/smb2_ioctl.c +++ b/source3/smbd/smb2_ioctl.c @@ -268,7 +268,8 @@ static bool smbd_smb2_ioctl_is_failure(uint32_t ctl_code, NTSTATUS status, if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW) && ((ctl_code == FSCTL_PIPE_TRANSCEIVE) || (ctl_code == FSCTL_PIPE_PEEK) - || (ctl_code == FSCTL_DFS_GET_REFERRALS))) { + || (ctl_code == FSCTL_DFS_GET_REFERRALS) + || (ctl_code == FSCTL_QUERY_ALLOCATED_RANGES))) { return false; } @@ -344,6 +345,7 @@ static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq) * in: * - fsctl_dfs_get_refers() * - smbd_smb2_ioctl_pipe_read_done() + * - fsctl_qar() */ status = NT_STATUS_BUFFER_TOO_SMALL; } diff --git a/source3/smbd/smb2_ioctl_filesys.c b/source3/smbd/smb2_ioctl_filesys.c index 6cc53d4828e..1a8d1c2affa 100644 
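Review bot: in the second source3/modules/vfs_ceph_new.c hunk (vfs_ceph_readlinkat), the empty-name case now reads the link through the directory handle's own inode (`&dircfh->iref`) instead of looking up "", which matches readlinkat(2) semantics where an empty pathname means the fd itself refers to the symlink. The test `strcmp(smb_fname->base_name, "") != 0` reads more clearly as `smb_fname->base_name[0] != '\0'`, and the two branches could share one vfs_ceph_ll_readlinkat() call by choosing the iref pointer first, leaving only the lookup and the vfs_ceph_iput() in the non-empty branch. Moving `iref` into block scope is a good cleanup: the early `goto out` after the dircfh lookup no longer has an unused iref in scope.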
--- a/source3/smbd/smb2_ioctl_filesys.c +++ b/source3/smbd/smb2_ioctl_filesys.c @@ -3,7 +3,7 @@ Core SMB2 server Copyright (C) Stefan Metzmacher 2009 - Copyright (C) David Disseldorp 2013-2015 + Copyright (C) David Disseldorp 2013-2024 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -538,6 +538,7 @@ static NTSTATUS fsctl_qar_seek_fill(TALLOC_CTX *mem_ctx, struct files_struct *fsp, off_t curr_off, off_t max_off, + size_t in_max_output, DATA_BLOB *qar_array_blob) { NTSTATUS status = NT_STATUS_NOT_SUPPORTED; @@ -578,6 +579,17 @@ static NTSTATUS fsctl_qar_seek_fill(TALLOC_CTX *mem_ctx, return NT_STATUS_INTERNAL_ERROR; } + if (qar_array_blob->length + sizeof(qar_buf) > in_max_output) { + /* + * Earlier check ensures space for one range or more. + * Subsequent overflow results in a truncated response. + */ + DBG_NOTICE("truncated QAR output: need > %zu, max %zu\n", + qar_array_blob->length + sizeof(qar_buf), + in_max_output); + return STATUS_BUFFER_OVERFLOW; + } + qar_buf.file_off = data_off; /* + 1 to convert maximum offset to length */ qar_buf.len = MIN(hole_off, max_off + 1) - data_off; @@ -652,6 +664,13 @@ static NTSTATUS fsctl_qar(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } + /* must have enough space for at least one range */ + if (in_max_output < sizeof(struct file_alloced_range_buf)) { + DEBUG(2, ("QAR max %lu insufficient for one range\n", + (unsigned long)in_max_output)); + return NT_STATUS_BUFFER_TOO_SMALL; + } + /* * Maximum offset is either the last valid offset _before_ EOF, or the * last byte offset within the requested range. -1 converts length to 
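Review bot: the new minimum-size check in the `@@ -652` hunk of source3/smbd/smb2_ioctl_filesys.c uses `DEBUG(2, ...)` with an `(unsigned long)` cast, while the truncation check added in the `@@ -578` hunk of the same file uses `DBG_NOTICE` with `%zu`; both were written together, so use the `DBG_*`/`%zu` form in both. The truncation check is correctly placed before `qar_buf` is filled and pushed, so the blob only ever contains complete ranges when STATUS_BUFFER_OVERFLOW is returned, which is what the "truncated response" comment promises; a short comment noting that the `@@ -652` guard is what makes the "one range or more" assumption in the `@@ -578` comment true would tie the two checks together for the next reader.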
@@ -687,31 +706,24 @@ static NTSTATUS fsctl_qar(TALLOC_CTX *mem_ctx, status = fsctl_qar_buf_push(mem_ctx, &qar_buf, &qar_array_blob); } else { status = fsctl_qar_seek_fill(mem_ctx, fsp, qar_req.buf.file_off, - max_off, &qar_array_blob); - } - if (!NT_STATUS_IS_OK(status)) { - return status; + max_off, in_max_output, + &qar_array_blob); } - /* marshall response buffer. */ - qar_rsp.far_buf_array = qar_array_blob; + if (NT_STATUS_IS_OK(status) + || NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) { + /* marshall response. STATUS_BUFFER_OVERFLOW=truncated */ + qar_rsp.far_buf_array = qar_array_blob; - ndr_ret = ndr_push_struct_blob(out_output, mem_ctx, &qar_rsp, - (ndr_push_flags_fn_t)ndr_push_fsctl_query_alloced_ranges_rsp); - if (ndr_ret != NDR_ERR_SUCCESS) { - DEBUG(0, ("failed to marshall QAR rsp\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - if (out_output->length > in_max_output) { - DEBUG(2, ("QAR output len %lu exceeds max %lu\n", - (unsigned long)out_output->length, - (unsigned long)in_max_output)); - data_blob_free(out_output); - return NT_STATUS_BUFFER_TOO_SMALL; + ndr_ret = ndr_push_struct_blob(out_output, mem_ctx, &qar_rsp, + (ndr_push_flags_fn_t)ndr_push_fsctl_query_alloced_ranges_rsp); + if (ndr_ret != NDR_ERR_SUCCESS) { + DEBUG(0, ("failed to marshall QAR rsp\n")); + return NT_STATUS_INVALID_PARAMETER; + } } - return NT_STATUS_OK; + return status; } static void smb2_ioctl_filesys_dup_extents_done(struct tevent_req *subreq); diff --git a/source4/libcli/smb2/ioctl.c b/source4/libcli/smb2/ioctl.c index fe74dfecd8e..94962691810 100644 --- a/source4/libcli/smb2/ioctl.c +++ b/source4/libcli/smb2/ioctl.c 
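Review bot: the `@@ -687` hunk drops the final `out_output->length > in_max_output` guard, so after this change nothing verifies that the marshalled response actually fits in the client's MaxOutputResponse; correctness now rests on `ndr_push_fsctl_query_alloced_ranges_rsp` emitting exactly the range array with no extra header and on the `in_max_output` bookkeeping inside fsctl_qar_seek_fill. Keep a cheap post-marshal check (return NT_STATUS_BUFFER_TOO_SMALL, or at least an SMB_ASSERT) so a later change to the response struct cannot silently reintroduce oversized replies. Also note that STATUS_BUFFER_OVERFLOW is now a "success with data" return from fsctl_qar, so every caller must be audited to treat it that way; the source3/smbd/smb2_ioctl.c hunk covers the main path.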
@@ -86,7 +86,8 @@ static bool smb2_ioctl_is_failure(uint32_t ctl_code, NTSTATUS status, if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW) && ((ctl_code == FSCTL_PIPE_TRANSCEIVE) || (ctl_code == FSCTL_PIPE_PEEK) - || (ctl_code == FSCTL_DFS_GET_REFERRALS))) { + || (ctl_code == FSCTL_DFS_GET_REFERRALS) + || (ctl_code == FSCTL_QUERY_ALLOCATED_RANGES))) { return false; } diff --git a/source4/torture/smb2/ioctl.c b/source4/torture/smb2/ioctl.c index beceaa5c551..7979e129ba7 100644 --- a/source4/torture/smb2/ioctl.c +++ b/source4/torture/smb2/ioctl.c @@ -3,7 +3,7 @@ test suite for SMB2 ioctl operations - Copyright (C) David Disseldorp 2011-2016 + Copyright (C) David Disseldorp 2011-2024 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
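Review bot: the source4/libcli/smb2/ioctl.c hunk makes the client treat STATUS_BUFFER_OVERFLOW as a non-failure for FSCTL_QUERY_ALLOCATED_RANGES, so smb2_ioctl() now returns with a partial range list and that status; callers that walk the returned array must check for it and either reissue with a larger MaxOutputResponse or advance the query window, otherwise they will silently treat a truncated list as complete. A one-line comment at the call site, or in smb2_ioctl_is_failure() next to the new case, stating that the output is partial would help, since nothing in the hunk says so.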
@@ -3838,6 +3838,151 @@ static bool test_ioctl_sparse_qar_malformed(struct torture_context *torture, return true; } +static bool test_ioctl_sparse_qar_truncated(struct torture_context *torture, + struct smb2_tree *tree) +{ + struct smb2_handle fh; + union smb_ioctl ioctl; + struct file_alloced_range_buf far_buf; + NTSTATUS status; + enum ndr_err_code ndr_ret; + TALLOC_CTX *tmp_ctx = talloc_new(tree); + bool ok; + struct file_alloced_range_buf far_rsp; + + ok = test_setup_create_fill(torture, tree, tmp_ctx, + FNAME, &fh, 0, SEC_RIGHTS_FILE_ALL, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + + status = test_ioctl_fs_supported(torture, tree, tmp_ctx, &fh, + FILE_SUPPORTS_SPARSE_FILES, &ok); + torture_assert_ntstatus_ok(torture, status, "SMB2_GETINFO_FS"); + if (!ok) { + smb2_util_close(tree, fh); + torture_skip(torture, "Sparse files not supported\n"); + } + + status = test_ioctl_sparse_req(torture, tmp_ctx, tree, fh, true); + torture_assert_ntstatus_ok(torture, status, "FSCTL_SET_SPARSE"); + + /* + * Write 0 and 1M offsets as (hopefully) two separate extents. + * XXX this test assumes that these ranges will be recorded as separate + * FSCTL_QUERY_ALLOCATED_RANGES extents, which isn't strictly required: + * the spec basically says the FS can do what it wants as long as + * non-zeroed data ranges aren't reported as sparse holes. + */ + ok = write_pattern(torture, tree, tmp_ctx, fh, + 0, /* off */ + 1024, /* len */ + 0); /* pattern offset */ + torture_assert(torture, ok, "write pattern"); + ok = write_pattern(torture, tree, tmp_ctx, fh, + 1024 * 1024, /* off */ + 1024, /* len */ + 0); /* pattern offset */ + torture_assert(torture, ok, "write pattern"); + + /* qar max output enough to carry one range, should be truncated */ + ZERO_STRUCT(ioctl); + ioctl.smb2.level = RAW_IOCTL_SMB2; -- Samba Shared Repository
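Review bot: the source4/torture/smb2/ioctl.c hunk is cut off by the 500-line changeset limit right after `ioctl.smb2.level = RAW_IOCTL_SMB2;`, so the MaxOutputResponse value, the expected STATUS_BUFFER_OVERFLOW status and the assertions on `far_rsp` are not reviewable here; please make sure the test asserts that the single returned range starts at offset 0 and covers only the first 1024-byte extent, and that it closes `fh` and frees `tmp_ctx` on the success path. The `XXX` comment already acknowledges that the two writes at 0 and 1M may not be reported as separate extents; on such filesystems the test should `torture_skip` rather than fail, otherwise it will be flaky across backends.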